Knowing where to situate your Security Incident and Event Management (SIEM) solution is no easy task. The nuances of the business and the data it holds, overheads and storage, support and scalability, are all contributing factors which means it is no longer a cut and dried decision of simply migrating to the cloud. There are pros and cons to using an on premise, SaaS or a hybrid approach, and the business will need to weigh these up to make the right choice.
A SIEM is a vital part of the security arsenal. It serves as a central hub for security event data within the business and collects, correlates, analyses and visualises data from various sources, empowering to detect, investigate and resolve security incidents quicky. Next generation SIEMs also incorporate threat detection, enriching log data with information from threat intelligence sources, while the converged SIEM supplements log management, threat detection and response, monitoring, alert generation and reporting with Security Orchestration Automation and Response (SOAR), User Entity and Behaviour Analytics (UEBA), and endpoint detection.
When buying a SIEM, the dilemma remains whether to deploy on prem, to take a SaaS offering or even a combination of the two.
On prem vs cloud
Traditionally, the SIEM was physically housed on prem due to the sensitivity of the data it accessed and many organisations in highly regulated industries continue to do so because of compliance regulations or a reluctance to share personal identifiable information via the cloud. For the majority of businesses, data privacy regulations have made the migration to the cloud more complex.
On prem can confer advantages in that the solution is owned and maintained internally which means that approximately nine percent of the total cost of ownership is spent on license fees. This gives the business complete control over all aspects, from architectural design to the installation and configuration of the hardware, and where the data is stored. But, as a result, a far higher proportion of spend is dedicated to infrastructure and operations and the associated costs.
In contrast, the total cost of ownership of a SaaS service sees approximately 68 percent of spend devoted to licence fees. However, providing licensing on a per user basis and not on data volume, gives a SaaS offering far more advantages. There is no capex associated with acquiring hardware, backups, cooling or power, while the service can be expanded to accommodate more devices, receive more data or perform more analytics, all without the need to increase budget.
Unlike in the on prem model, management of a cloud-based SIEM is not the sole responsibility of the business. While an inhouse team will still need to perform log collection, implement customer-specific configurations, deliver data to the solution and monitor and respond to alerts, the overall maintenance and ongoing management of the SIEM falls on the provider. From an operational perspective, the provider must ensure platform availability, optimal performance, and that the system is regularly updated.
A SaaS deployment will also see the business begin to reap the benefits straight away, without the need to procure, install and configure the solution, and continuous product improvements ensure new threats are identified.
Straddling the divide
Irrespective of whether the SIEM is on prem or in the cloud, a good SIEM provider will also monitor for and produce content on emerging threats, making these available in the form of playbooks for detection and response via SOAR. Over SaaS these can be made instantly available and it is also easier to fine tune content updates for rules, analytics models, dashboards and reports by using detection logic situated in the cloud.
Of course, some businesses opt for a mix of the two, allowing them to combine event data from systems and entities held on prem with those in the cloud. It is an approach that works well for those who use multiple data centres, for example, but hybrid is also a mainstay for many medium to large businesses that were not ‘cloud born’.
As these organisations have workflows being run in both environments, it makes sense for them to process logs locally before they are sent to the cloud, and in some cases customers want to maintain a copy of those logs on prem. As mentioned previously, this also applies to sensitive data without the right data processing agreements in place, preventing the business from simply moving that data to the cloud, which means that as the workflows are local, so the data must be held locally too.
The type of SIEM service the business selects will therefore depend on numerous variables from governance and compliance through to how much resource it can dedicate to the management of the platform and whether it will need to scale this over the coming years. It is not simply a matter of ‘cloud is best’ but of weighing up the relative merits of each approach within the context of the business.
What we do know is that the business is now more cost conscious than ever, making licensing terms paramount. Data driven licensing can see costs rocket, for instance. Human resource is also limited, with a significant cumulative skills shortage in the cybersecurity sector, which means businesses will want to minimise dependency. And there is real demand for convergence, as security teams look to consolidate the time and resource dedicated to maintaining disparate systems. This is likely to mean that next generation SIEMs that play more than one tune by incorporating SOAR and UEBA for threat detection and response, for example, will be favoured, because of their ability to be deployed in any of the three forms and to conserve costs.
Nils Krumrey is an Information Governance expert, Senior Presales Engineer and Architect at Logpoint. Based in the UK but a German native, Nils has 20 years of industry experience and has worked across Europe with some of the largest financial institutions on monitoring and improving their information governance. At Logpoint, he is a technical specialist involved in the architecture, sizing and use case definition for new Logpoint customers in the UK, Ireland and Benelux, with a keen interest in modern SaaS architectures. He holds a BSc in Computer Vision from the University of Koblenz and is a Certified Ethical Hacker (CEH).