What’s Cloud SIEM? Security Incident & Event Monitoring in the Cloud

Over the last two decades, Security Information and Event Management (SIEM) solutions have become core components of the cybersecurity practices of enterprises large and small. As the source of truth for logs and events collected from across the enterprise's infrastructure, SIEMs analyze the constant stream of security events to look for anomalies and identify potential security incidents. 

This constant stream of events is relatively predictable in on-premises environments. Naturally, as enterprises adopt cloud services and leverage cloud infrastructure – especially multi-cloud strategies – they still want to be able to benefit from SIEM solutions. However, traditional SIEM deployments were not designed with cloud principals in mind.

Overview of traditional SIEM

As with an on-prem environment, a SIEM can act as the consolidation point for all logs and events that are generated within cloud infrastructure. There are differences in the exact logs that can be collected, but all major categories are still in play, including network and access logs. 

If you are using virtual or bare metal machines from a cloud provider, you’ll have syslogs. In addition, everything that runs in a virtual machine generates data that needs to be consolidated, as is the case with an on-prem environment.

(Read about core SIEM features and capabilities.)

Monitoring cloud services

When cloud services come into play, one of the biggest differences is the sheer number of different types of data sources that can exist – especially if you leverage platform-as-a-service (PaaS) and software-as-a-service (SaaS) offerings. 

Every service creates some kind of event or raw log data that can be consolidated into your SIEM. All services generate logs that can be captured and analyzed by a SIEM, including services such as:

• Managed databases
• A fully managed CRM, like Salesforce.com
• A lower-level hosted Kubernetes service

If an organization has an existing SIEM on premises, there are two options you can consider:

1. Bring all the new log sources into the existing on-premises solution. This adds the complexity of running in the cloud on top of the complexity (and cost) of running a full SIEM solution.
2. Move the SIEM (or a copy of it) into the cloud. This would simplify the required networking, but this kind of “lift-and-shift” approach is the most costly and least effective way to leverage cloud services.   

(See how Splunk monitors the cloud.)

Benefits & disadvantages: Comparing on-prem SIEM with cloud SIEM

This leads us to the basic pros and cons of using an on-premises SIEM vs. using a cloud SIEM.

On-premises SIEM

The pros of using an on-prem SIEM include:

• Total control and customization. The operational team and cybersecurity team have complete control over the deployment, configuration and customization of the SIEM platform. That means they can tailor it exactly to the needs of their organization.
• Data protection. Sensitive data never leaves the organization’s data centers when it’s collected and archived by an on-prem SIEM.

The cons of an on-prem SIEM include:

• Employee skills gap. Training and retaining staff who know how to install, update and maintain a SIEM can get expensive, as it’s a fairly niche skill set and specific to the SIEM that’s being used.
• Cost. The cost of acquiring and deploying the SIEM’s appliances, plus the cost of keeping up with the ever-growing storage capacity needed to retain logs and events over the long term.

Cloud SIEM pros and cons

The pros of a cloud SIEM include:

• Access. Immediate access to the cloud SIEM platform, which is completely managed by the organization that knows it best.
• Reduced cost. Lower costs with no upfront capital expenses (CapEx). There is no need to have a team of specialists to maintain, upgrade and monitor the actual SIEM platform, which enables the cybersecurity and operational teams to focus on analysis and tuning the algorithms that look for anomalies.

The cons of a cloud SIEM include:

• Limited access. Limited or no access to the underpinning infrastructure, which may limit access to raw data and reduce the ability to customize the cloud SIEM to match the organization’s requirements.
• Data lives in the cloud. Sensitive data will live outside of the organization’s private data centers, though it is likely being collected from other cloud services. While this is a concern, it’s somewhat muted. After all, this data concern exists in the cloud regardless of whether you’ve added a cloud SIEM.

(For the latest and greatest, check out these security conferences & events.)

Choosing SIEM for the cloud

Leading cloud SIEM solutions, including Splunk Cloud Platform, offer the same security monitoring capabilities as the self-managed and on-premises deployments that enterprises have grown to trust. Since cloud SIEMs are built with cloud native technologies in mind, they are constantly kept up to date with the latest features, and they can scale on demand to match the usage patterns of any given enterprise. 

In addition, cloud SIEMs shorten implementation times, reduce the complexity of maintaining SIEM deployments and eliminate expensive capital investments that would be required for installing and upgrading an on-premises solution.

What is Splunk?

This article was written by Vince Power. Vince is an Enterprise Architect with a focus on digital transformation built with cloud enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management and test automation. You can find @vincepower on Twitter.

This article does not necessarily represent Splunk's position, strategies or opinion.