When organisations move operations into cloud and hybrid environments, improving security visibility can feel overwhelming due to the sheer number of data sources in play.
Cloud SIEM solutions can help to address this, but deploying, managing and monitoring a cloud SIEM well presents challenges of its own. In this blog post, we outline key approaches and tips to help maximise the performance of your cloud SIEM platform.
Delivered as a standalone solution or as part of a broader security suite such as managed detection and response (MDR), a cloud SIEM (security information and event management system) typically offers faster deployment and greater flexibility for collecting, monitoring and analysing data for security purposes.
What is cloud SIEM?
To understand cloud SIEM, we need to take a look at its origins. SIEM is a set of integrated log management and monitoring tools that aggregate, normalise and correlate log event data from endpoints, infrastructure and applications to detect potentially malicious activity. SIEM platforms play a vital part in enabling organisations to defend against cyber threats: when anomalous or known-bad behaviour is identified, an alert is generated for investigation. SIEM helps businesses to detect threats on their networks, identify potential Indicators of Compromise (IOCs) and much more. Cloud SIEM, a SIEM delivered as a cloud service rather than as on-premises appliances, gives organisations better visibility of distributed workloads across cloud and hybrid deployments.
The evolution of cloud SIEM
SIEM technology has progressed from legacy SIEMs, mainly focused on the collection and correlation of network security events from sources such as firewalls and wireless access points, to next-gen cloud SIEM, which ingests a far greater volume and variety of data (both security and non-security events) and correlates it in near real time. This is often delivered as part of a managed detection and response solution. While cloud SIEM offers a range of advantages for businesses, such as faster deployment, greater flexibility, enhanced SOC cloud monitoring and easier unification of event data, it also presents some notable challenges.
Getting the best from cloud SIEM
To reap the rewards of cloud SIEM while avoiding the common pitfalls, organisations should consider the following:
Developing bespoke SIEM rules for effective threat detection
Creating bespoke SIEM rules is an important part of detecting threat activity in your environment. It is critical to keep in mind that out-of-the-box SIEM rules will not be adversary-orientated, responsive to new threats or specifically tuned to your environment. Writing your own rules in a vendor-neutral, open-source format such as Sigma makes them easier to review, share and port between SIEM back ends, so the detection logic outlives any one platform.
Leveraging custom use cases to maximise value
While pre-defined cloud SIEM rules provide a good standard for performance, businesses need to develop their own bespoke rules in order to expand threat coverage and visibility across their environments. By doing so, they are less likely to waste money buying and deploying a solution that fails to meet all of their security priorities, particularly around the detection of new and emerging threats. By developing a set of bespoke use cases, businesses can minimise the risk of cyber-attacks going undetected and impacting their finances, reputation and compliance status.
Adopting a stance of continuous improvement
Organisations must stay vigilant to ensure that the rules they create don’t generate a burden of false positives. Track the true-positive and false-positive outcomes of every rule and retune, narrow or retire those that consistently produce noise. This is why it is essential not to depend on a ‘set it and forget it’ approach. Continuous improvement is key for effective long-term cyber security.
Ensuring SIEM reporting is legally compliant
If your organisation operates across multiple territories, it’s likely that you’ll have a complex web of security compliance requirements to contend with. Ensure that you understand which regulations require custom reporting to be created, and how your chosen cloud SIEM platform can support this.
Contextualisation of alerts
Just as with on-premises SIEM, a cloud SIEM alert on its own rarely carries enough context to decide how to mitigate the threat. Ensure you have the ability to triage and investigate alerts: enrich them with asset and identity context, identify duplicates, filter out false positives and escalate genuine threats for remediation.
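The triage steps listed above, as an added example that is not Kroll's code or any part of Kroll Responder: constructed SIEM alerts are deduplicated on a fingerprint, enriched from a constructed asset inventory, checked against a suppression list agreed during tuning, and either escalated or queued based on a priority score. The alert fields, asset inventory, ticket reference, severity weights and escalation threshold are all assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed alerts as a SIEM might emit them (not real data).
RAW_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:05:00", "rule": "Possible lateral movement", "severity": "high", "account": "jsmith", "host": "WS04"},
    # the same finding re-fired a minute later: a duplicate, not a second incident
    {"id": "a2", "ts": "2024-05-01T09:06:00", "rule": "Possible lateral movement", "severity": "high", "account": "jsmith", "host": "WS04"},
    {"id": "a3", "ts": "2024-05-01T09:10:00", "rule": "New admin account created", "severity": "medium", "account": "svc_iam", "host": "DC01"},
    {"id": "a4", "ts": "2024-05-01T09:12:00", "rule": "Port scan from internal host", "severity": "low", "account": None, "host": "SCAN01"},
    {"id": "a5", "ts": "2024-05-01T09:15:00", "rule": "Port scan from internal host", "severity": "low", "account": None, "host": "WS09"},
]

# Constructed context that the raw alert does not carry: asset criticality and owner,
# plus an allow-list agreed with asset owners during tuning (ticket reference is hypothetical).
ASSET_INVENTORY = {
    "DC01": {"criticality": 5, "owner": "identity-team", "role": "domain controller"},
    "WS04": {"criticality": 2, "owner": "desktop-team", "role": "workstation"},
    "SCAN01": {"criticality": 1, "owner": "vuln-mgmt", "role": "vulnerability scanner"},
}
SUPPRESSIONS = [
    {"rule": "Port scan from internal host", "host": "SCAN01", "reason": "authorised scanner (ticket SEC-123)"},
]
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
DEDUP_WINDOW = timedelta(hours=24)
ESCALATE_AT = 6  # priority = severity weight x asset criticality; threshold is an assumption


def triage(alerts, inventory=ASSET_INVENTORY, suppressions=SUPPRESSIONS):
    """Return each alert with added context and a status: duplicate, suppressed, escalated or queued."""
    first_seen = {}  # fingerprint -> (timestamp, alert id) of the first occurrence
    triaged = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(alert["ts"])
        # an asset missing from the inventory gets a middling criticality rather than being ignored
        asset = inventory.get(alert["host"], {"criticality": 3, "owner": "unknown", "role": "unknown asset"})
        record = dict(alert, asset=asset, priority=SEVERITY_WEIGHT[alert["severity"]] * asset["criticality"])
        fingerprint = (alert["rule"], alert["account"], alert["host"])
        if fingerprint in first_seen and ts - first_seen[fingerprint][0] <= DEDUP_WINDOW:
            record["status"] = "duplicate"
            record["duplicate_of"] = first_seen[fingerprint][1]
        elif any(s["rule"] == alert["rule"] and s["host"] == alert["host"] for s in suppressions):
            record["status"] = "suppressed"
        else:
            first_seen[fingerprint] = (ts, alert["id"])
            record["status"] = "escalated" if record["priority"] >= ESCALATE_AT else "queued"
        triaged.append(record)
    return triaged


if __name__ == "__main__":
    for r in triage(RAW_ALERTS):
        print(r["id"], r["status"], r["priority"], r["asset"]["role"], r.get("duplicate_of", ""))
```

Suppressions are matched after the duplicate check so that a suppressed finding never becomes the "first occurrence" that later genuine alerts are deduplicated against, and the suppression carries a reason so it can be reviewed when the rule is retuned.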
Auditing and testing capabilities on an ongoing basis
No security operation can be deemed successful without testing. Ensure that a process is in place to regularly review the effectiveness of your cloud SIEM operation.
Cloud SIEM and the MITRE ATT&CK framework
To achieve comprehensive detection capability through your cloud SIEM, look at how to implement coverage of attacker behaviours across the MITRE ATT&CK framework. While many security professionals are aware of the general Enterprise matrix that covers traditional IT environments, they often overlook its platform-specific views for cloud, network and containers. Because of this, out-of-the-box use cases frequently fail to address current threat actor tactics and instead focus only on requirements such as retention and compliance.
Cloud SIEM rules can be set up for the following types of use cases:
Malware – Targeted rules detect activity from common forms of malware early, so that infections can be promptly contained and eliminated.
Lateral movement – Authentication-based use cases support the detection of the lateral movement of attackers through systems and accounts.
Data modification and exfiltration – File monitoring and network egress use cases help to defend against sensitive data being modified, stolen, or erased.
Phishing – Email-based use cases support actions to identify and defend against suspicious activity associated with phishing attacks.
Cloud-focused threats – With the ongoing trend of cyber security threats specifically targeting assets and data in the cloud, rules can be designed to monitor specific cloud and hybrid environments and to address common issues like misconfigurations, insecure APIs and access management weaknesses.
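To make the lateral-movement use case above concrete, and to show what the earlier recommendations to write bespoke rules in Sigma format and to keep tuning them look like in practice, here is an added example that is not Kroll's code or a Kroll Responder rule. A rule laid out with Sigma's keys is evaluated over constructed Windows logon events; one account reaching four or more hosts over network logons within ten minutes raises an alert, and two exclusions added after false positives (machine accounts and a known scanner account) are kept as filters in the rule rather than by raising the threshold. The event fields follow the Windows Security log as SIEMs commonly normalise it; the account names, hosts, threshold and window are assumptions, and the simple aggregation block is a simplification of Sigma's separate correlation rules.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(hhmm, event_id, logon_type, user, host):
    """Build one constructed event; 4624 = successful logon, LogonType 3 = network logon."""
    return {"ts": f"2024-05-01T09:{hhmm}", "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "Computer": host}


# Constructed sample telemetry (not real data), all within one ten-minute period.
SAMPLE_EVENTS = [
    # jsmith authenticates to five workstations in six minutes: the behaviour we want to catch
    ev("00:00", 4624, 3, "jsmith", "WS01"), ev("02:00", 4624, 3, "jsmith", "WS02"),
    ev("03:00", 4624, 3, "jsmith", "WS03"), ev("05:00", 4624, 3, "jsmith", "WS04"),
    ev("06:00", 4624, 3, "jsmith", "WS05"),
    # alee touches two hosts: ordinary admin activity, below the threshold
    ev("01:00", 4624, 3, "alee", "WS01"), ev("04:00", 4624, 3, "alee", "FS01"),
    # the vulnerability scanner's service account legitimately logs on everywhere
    ev("00:30", 4624, 3, "svc_vulnscan", "WS01"), ev("01:30", 4624, 3, "svc_vulnscan", "WS02"),
    ev("02:30", 4624, 3, "svc_vulnscan", "WS03"), ev("03:30", 4624, 3, "svc_vulnscan", "WS04"),
    # a failed logon (4625) and an interactive logon (LogonType 2) fall outside the selection
    ev("07:00", 4625, 3, "jsmith", "WS06"), ev("08:00", 4624, 2, "jsmith", "WS07"),
]

# The rule, laid out with Sigma's keys (title, logsource, detection with named selections and a
# condition). A real Sigma rule is a YAML file with these keys; a dict is used here so the example
# runs without a YAML parser. The "threshold" block is this example's simplification of Sigma's
# correlation rules (count of distinct values, grouped by a field, over a timespan).
LATERAL_MOVEMENT_RULE = {
    "title": "Possible lateral movement: one account, many hosts",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4624, "LogonType": 3},
        # tuning added after the first false positives: exclusions, not a higher threshold
        "filter_machine": {"TargetUserName|endswith": "$"},
        "filter_scanner": {"TargetUserName": ["svc_vulnscan"]},
        "condition": "selection and not filter_machine and not filter_scanner",
    },
    "threshold": {"group_by": "TargetUserName", "distinct": "Computer", "count": 4, "window_minutes": 10},
}

# Three of Sigma's value modifiers; anything else falls back to an exact match.
MODIFIERS = {
    "endswith": lambda v, p: str(v).endswith(p),
    "startswith": lambda v, p: str(v).startswith(p),
    "contains": lambda v, p: p in str(v),
}


def matches(event, selection):
    """True when every field in a selection matches the event (AND across fields, OR across list values)."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        options = wanted if isinstance(wanted, list) else [wanted]
        test = MODIFIERS.get(modifier, lambda v, p: v == p)
        if value is None or not any(test(value, opt) for opt in options):
            return False
    return True


def condition_holds(event, detection):
    """Evaluate the subset of Sigma conditions shaped like 'a and not b and not c'."""
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if matches(event, detection[name]) == negate:
            return False
    return True


def run_rule(rule, events):
    """Apply selection and condition, then a per-account sliding window over distinct hosts.
    The window is cleared after an alert so one burst of logons is reported once."""
    th = rule["threshold"]
    window = timedelta(minutes=th["window_minutes"])
    recent = defaultdict(deque)  # account -> deque of (timestamp, host)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if not condition_holds(event, rule["detection"]):
            continue
        ts = datetime.fromisoformat(event["ts"])
        q = recent[event[th["group_by"]]]
        q.append((ts, event[th["distinct"]]))
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = sorted({host for _, host in q})
        if len(hosts) >= th["count"]:
            alerts.append({"rule": rule["title"], "account": event[th["group_by"]], "hosts": hosts,
                           "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat()})
            q.clear()
    return alerts


def without_tuning(rule):
    """The same rule before the exclusions were added, to measure what the tuning removed."""
    return dict(rule, detection=dict(rule["detection"], condition="selection"))


if __name__ == "__main__":
    for r in (without_tuning(LATERAL_MOVEMENT_RULE), LATERAL_MOVEMENT_RULE):
        print(r["detection"]["condition"], "->", [a["account"] for a in run_rule(r, SAMPLE_EVENTS)])
```

Running the untuned variant alongside the tuned rule is the continuous-improvement loop in miniature: the scanner account fires the untuned rule, the exclusion removes it, and jsmith's burst is still caught with the same threshold. Keeping the exclusion as a named filter inside the rule, rather than raising the count, leaves a record of why the rule looks the way it does when it is next reviewed.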
Addressing the challenges of cloud SIEM
Despite significant advances in detecting complex cyber threats, next gen SIEMs can still, if not deployed and maintained properly, generate a vast number of alarms. For organisations lacking IT resources and dedicated security staff, going through these alerts to distinguish genuine network security issues from false positives can be hugely complex and time-consuming.
Even when genuine threats are identified, knowing how to respond to them can be similarly challenging. Many businesses looking to implement next gen SIEMs often do so at pace but, due to a lack of in-house skills and understanding, still struggle to fully realise the power of the technology. Plus, while cloud providers themselves can sometimes provide the tools that organisations need, the right type of support is still required.
As developing SIEM rules is often complex, costly and time-consuming, it can be more effective for companies to outsource it. For businesses without the required in-house knowledge or capacity, it can be beneficial to work with an external provider that is capable of either covering or augmenting security capabilities. A managed SIEM service can help organisations to address the resource gap by providing 24/7 expertise, as well as the additional tools and intelligence needed to maximise the value of cloud SIEMs.
How Kroll can help
Kroll Responder, our Managed Detection and Response (MDR) solution, combines next-gen SIEM and endpoint technology with dedicated security experts to offer 24/7 monitoring and investigation of your organisation’s network traffic. Kroll’s managed SIEM service combines industry-leading technology, elite security experts and up-to-the-minute threat intelligence to enhance threat visibility across on-premises, cloud and hybrid environments.
Our cyber risk retainer solutions can include managed SIEM services as well as a host of testing, preparedness, and response services. Our retainer offers maximum flexibility with transparent pricing, with options to leverage a wide array of our end-to-end cyber risk solutions to strengthen your overall resilience.