As everything is moving to the cloud, Rapid7 explain why modern SIEM is in the cloud and what benefits you can expect from a cloud SIEM.
Modern cloud SIEM solutions enable three new use cases
In the past, SIEM has been most valuable around:
- Correlation: Give me context, and help me investigate alarms triggered by my stack
- Compliance: Help me prove that all access is logged, events are being tracked, and file integrity monitoring is in place
These use cases are foundationally valuable. However, getting to a successful deployment with traditional SIEMs requires a huge amount of up-front configuration, tuning, and ongoing maintenance. Historically, security teams had to spend more time tuning detection rules and filtering through the noise. Instead they could have been acting on the outputs and progressing their security posture.
Cloud SIEM tools, like Rapid7 InsightIDR, are quickly gaining market share today. Security teams can now shed infrastructure and data management hats to focus on three key use cases:
Use case No. 1: Unify data (all of it!) with your cloud SIEM
Our networks now have important log and event sources sprawled across hundreds of log sources, endpoints, cloud services and hosting platforms. As a supporting visual, here’s Rapid7’s data architecture diagram:
Combined with alerts from your monitoring tools and prevention systems, all of this information should be able to flow into your SIEM for reporting and data visualisation. This is where many on-premises SIEM deployments led to challenges. That’s because hardware management, data parsing, and scaling requires continuous grooming and feeding to perform effectively.
Therefore, if you’re considering cloud SIEM, ensure that it has support for your critical data sources such as cloud hosting. Plus check it will actually relieve you from management and maintenance burdens as your business scales. You should be able to start sending data for analytics within minutes of starting a trial or POC. You shouldn’t be waiting for an appliance shipment or professional services.
Be wary of cloud SIEMs that still require on-premises tuning and maintenance.
More native ingestion support for cloud hosting providers (e.g., Azure, AWS, and Google Cloud). Greater support for telemetry gathering from the endpoint. This enables more nuanced detections, investigations, and threat hunting. Endpoint data such as parent/child processes is essential to our MDR SOCs. These data collection and hunt capabilities will become more accessible to security teams of all sizes.
Use case No. 2: Proactive threat detection with your cloud SIEM solutions
Year after year, the Verizon Data Breach Investigations Report shows that the same attack vectors — phishing, malware, and stolen credentials — are being used successfully. Let’s say you need to detect malware. To identify modern threats, you need visibility into endpoint telemetry, such as PowerShell logs, which you may be able to access from your SIEM.
However, to investigate root cause and identify lateral movement, that information alone isn’t enough. Authentication tracking and user behaviour data is also needed to catch account takeover and the use of stolen credentials.
Modern cloud-based SIEMs should not only give you access to this information. They should also apply security analytics to this data to proactively flag compromise. Accurate threat detection is a bold promise. However, as SIEM is the only technology with access to this disparate data, ensure the product has the analytics to expose the behaviours you want to see.
MITRE ATT&CK has gained massive traction as a quantitative framework to map out detection capabilities. A suggested approach is to identify gaps in your detection, then understand the data sources that would reveal malicious activity. Thereafter ensure your cloud SIEM either has appropriate out-of-the-box detections or the ability to build custom content.
While many SIEM providers claim user behaviour analytics to detect anomalous behaviour, few have out-of-the-box content for known-bad attacker behaviours. Put them to the test by performing attack simulation or POCing around penetration tests.
Use case No. 3: Automate and respond with your cloud SIEM solutions
SIEM exists to give you the information and context you need in order to respond to and contain threats. This may involve booting an asset off the network, killing a process, or disabling a user account. User behaviour analytics (UBA) can reveal the relationships between IP address → asset → user accounts. Consequently, this allows you to make stronger decisions without hours of laborious investigation.
Cloud SIEM allows you to take investigation findings, such as machine-readable threat intelligence, and with security orchestration, automation and response (SOAR), apply that to your prevention and detection defences. By automating mundane and repetitive tasks, you can focus on high-value work such as threat hunting and attack simulation. As a result, you can make proactive changes to strengthen your network based on investigation findings.
Automated workflows will become commonplace. Teams with high alert volumes today are using SOAR for phishing triage, alert enrichment, and to automate communications (e.g., to ticketing systems and ChatOps). This will allow threats that target users, such as phishing or Office 365 brute forcing, to be better defeated at scale.
Rapid7’s approach to SIEM has been cloud-native since its inception as a user behaviour analytics tool in 2013. Part of the Rapid7 Insight Cloud, InsightIDR Cloud SIEM can help you unify, detect, and respond to threats across your environment within hours, not months.
For more, check out here, or contact us to start your full-featured 30-day trial today.
01628 362 784