Poorly-architected cloud-based security information and event management (SIEM) systems may fail to secure an organisation’s infrastructure, a new report warned.
A new report from the Cloud Security Alliance said that if infrastructure is under attack, a poorly architected solution means that the analysts and senior management lose the security provided by the SIEM infrastructure.
"An enterprise under a distributed DOS attack will most likely lose connectivity, response, and remediation data from the SIEM if the SIEM systems share the enterprise network data flows,” said the report’s authors.
“The response to the incident is only as good as the security information it is based upon. Therefore, alternate routes for the security systems should be considered,” they added.
It said that the deperimeterisation of security controls, including the cloud-based SIEM, is what is creating the most confusion in security today. With the integration of public cloud-based services, private cloud services, traditional networks, and the mobile workforce, a well-layered and segmented approach needs to be created in order to support a SIEM system, the authors said. "When the enterprise network is under attack or failing, the SIEM system infrastructure needs to be solid so that the incident response teams can rely on the data to protect and remediate."
The industry body said that by providing flexible, real-time access to SIEM information, organisations using the SIEM as-a-service would be able to identify threats acting against their environment, cloud or otherwise.
The CSA warned that providing security information and event management (SIEM) as a service will require provider to accept log, event and flow information from a diverse set of current and legacy customer devices, conduct information security analysis, correlation, and support incident response activities from a wide variety of sources.
It said the integration of a SIEM, regardless of whether it is a purely as-a-service or a hybrid solution, needs to be integrated into both the network architecture and the operational architecture. “Implementation into the physical architecture without integration into operational and policy architectures can render the SIEM implementation of no use to the organisation.”
Jim Reavis, co-founder and executive director for the CSA said that the purpose of this research is to define what Security as a Service means to organisations and provide guidance on how these new practices should be best implemented.
“This new guidance will go a long way to helping IT security managers, technical architects, and systems manager take a more comprehensive approach to providing SIEM as a service under a Security as a Service model,” he said.
The report prepared by the SecaaS Working Group, lays out best practices for the use of cloud-based SIEM services in support of cloud environments, both public and private, hybrid environments, and traditional non-cloud environments. It looks at the requirements, implementation consideration and concerns, and implementation steps as part of the many considerations for SIEM.
"The best practices in this research will serve as a foundation and critical component to deriving real value from SIEM and protecting today’s organisations against a myriad threats," said Matt Mosley, a senior strategist with CSA member NetIQ.
"As organisations look to implement and take advantage of the potential benefits of SIEM-as-a-Service, the CSAs SIEM guidance report will play a vital role in formalising and extending best practices as well as providing guidance on the key considerations for implementing hybrid or cloud SIEM," he said.
