Göteborg, 23 Feb, 2012
SIEM - as a service?
Yes, SIEM as a service, or “SIEMaaS” for short. Yes, it exists, and we’re doing it. And how we’re doing it isn’t how most people would picture it, and it’s unlike how anyone else is doing it, at least that I’ve seen. Nothing like tooting your own horn, right?
From my years working at and with SIEM vendors I can say the biggest challenge customers faced wasn’t getting the SIEM, but getting it to do what they wanted it to do after they got it. From lack of resources to lack of time, SIEMs often go neglected and don’t get the “care and feeding” they require to perform the tasks they were bought to do. If you’ve seen my previous blog posts you probably already know rolling out a SIEM is hard. Very hard. And not surprisingly, a lot of companies that actually do roll out a full SIEM fall short of accomplishing their goals once they get it. Yes, some companies do get it right and get the most out of their SIEM. They are technology companies where IT is part of their core business. They have the expertise and resources to make it work – but what about everyone else? What kinds of solutions are out there for them?
Well, as I see it there are two accepted avenues currently available on the market: the “Managed SIEM” path and the new “SIEM in the Cloud” platforms. Let’s take a quick look at each of these options.
The managed SIEM is pretty much what it sounds like: you or an outsourcing company choose a SIEM, then they send consultants on site to maintain it and maybe make it work for you. From what I’ve seen, this is somewhat of a non-committal way to run a SIEM. You buy the product, but you’re not tied to it forever – if you think it’s not offering value you simply end the management contract, and *poof* the expenses vanish. While that’s often the upside of working with a consulting company, at the same time you’re at their mercy. Do their consultants have the abilities to deliver the results you expect? Do they know how to make reports and correlate events? Will they provide you with 24/7 coverage and some kind of response capability? The bottom line should be: is your problem actually being solved, and are you getting the results you want? From my personal experience the answer is still, unfortunately, no.
So how about all these new “SIEM in the cloud” offerings that are popping up all over the place? I can’t keep track of how many there are now, but VC funds are throwing money at them like it’s the ’90s dot-com boom all over again. They sure sound impressive, but how do these services actually work? To boil it down, you basically trade in the large servers where you would store your log data for a large internet connection that sends those logs off to the cloud. And rather than having the actual SIEM software on a server on your network, the software is also off in the cloud, and rather than an actual application you get a web interface. Its benefits come in the form of ease of deployment, storage space that is pretty much unlimited, and not having to maintain the software. Those are nice things to have, but are these solutions actually solving your problem? If you need to show your SOX compliance stance, does having an easy-to-set-up SIEM system actually help you at all? Does having your logs in the cloud make the people looking at them any better at doing analysis on them? Sorry, yeah, I’m being a bit sarcastic.
So this brings us to SIEMaaS: what is it? Well, let’s start by looking at anything else that comes “as a Service”; to make a long story short, it’s basically something where you buy the end result: you’re paying for a solution to a problem. You don’t want to manage the underlying software, you don’t want to maintain the back end, and you don’t need to learn anything, except hopefully a simple interface where you get your results. So if you put SIEM into that model, you have a problem you want solved and you want a solution to it. So, to stay with the spirit of my previous posts, let’s focus on PCI; you need a PCI solution when it comes to your log data. You need to collect and store it securely, and you need to have 12 months available and at least 3 months online for searching. You need to report on certain things as outlined in the PCI standard, like showing all unauthorized users who access your PCI systems, showing all the times authorized users access your PCI systems, and stuff like that. Having those reports shows that your controls are working and that you can “report and verify”, and it’s what you need to pass your PCI audit. So what is it you need to solve your PCI problem? First you need to collect your log data from the appropriate systems and applications that fall within the scope of your PCI network. You then need to store it, and finally report on it and look into any exceptions that may show up. So what’s the hard part in this process? I would say it’s the last part: actually applying the “intelligence” to the data, showing the reports, and actually acting on the exceptions.
And this is exactly where our SIEMaaS focuses its efforts.
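To make the “intelligence” step above concrete, here is an added example (my own illustration, not Secode’s service code) that takes login events from in-scope PCI hosts, splits them into the authorized-access report and the exception list, and tags each record with the 12-month / 3-month retention tier. The hosts, users, log line layout and report date are all constructed for the example.

```python
# Added example (not Secode's code): the "intelligence" step of the PCI log
# problem described above. Hosts, users, log lines and field layout are constructed.
import re
from datetime import datetime, timedelta

# Constructed: hosts in PCI scope and the users authorized to log in to each.
PCI_SCOPE = {"pos-db01": {"dba_jane", "svc_backup"}, "pay-gw01": {"ops_bob"}}
# Constructed "today" for the retention calculation.
REPORT_DATE = datetime(2012, 2, 23)
# Constructed syslog-style lines: "<timestamp> <host> sshd: <result> for <user>"
SAMPLE_LOGS = """\
2012-02-20T08:01:10 pos-db01 sshd: Accepted for dba_jane
2012-02-20T08:05:42 pos-db01 sshd: Accepted for contractor_x
2012-02-21T23:59:01 pay-gw01 sshd: Failed for root
2012-02-21T09:12:00 pay-gw01 sshd: Accepted for ops_bob
2011-10-30T10:00:00 pos-db01 sshd: Accepted for dba_jane
2011-01-15T10:00:00 web-front01 sshd: Accepted for dev_sam
2010-12-01T10:00:00 pos-db01 sshd: Accepted for dba_jane
"""
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) for (\S+)$")

def parse_line(line):
    """Return (timestamp, host, result, user), or None for a line we can't parse."""
    m = LINE_RE.match(line.strip())
    return (datetime.fromisoformat(m[1]), m[2], m[3], m[4]) if m else None

def retention_tier(ts, now):
    """PCI retention: 12 months kept, at least the last 3 months online/searchable."""
    age = now - ts
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "expired"   # past the 12-month window; eligible for disposal

def pci_reports(raw_lines, now):
    """Split in-scope logins into the authorized-access report and the exception list."""
    authorized, exceptions = [], []
    for line in raw_lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in PCI_SCOPE:
            continue               # unparseable or not a PCI system: not in the PCI reports
        ts, host, result, user = rec
        entry = {"when": ts, "host": host, "user": user, "result": result,
                 "tier": retention_tier(ts, now)}
        # Exception = a user not on the host's authorized list, or any failed login.
        if result == "Accepted" and user in PCI_SCOPE[host]:
            authorized.append(entry)
        else:
            exceptions.append(entry)
    return {"authorized_access": authorized, "exceptions": exceptions}
```

Running `pci_reports(SAMPLE_LOGS, REPORT_DATE)` yields four authorized logins (two online, one archived, one past retention) and two exceptions (the unlisted contractor and the failed root login); the out-of-scope web host is left out of the PCI reports entirely.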
Here at Secode we have a solution where you can either keep your data local, or put it into our private cloud. From there you simply choose the service that solves your problem. To stay with PCI, we offer a simple package that will fulfill your PCI reporting and storage requirements – the actual problem you're trying to solve. We analyze the data, we generate the reports, and we act on exceptions from our SOC 24/7/365. You work with us to create a specific SLA and action card that outlines what actions we take when we see certain types of exceptions or events. You get a customer portal where you can see your PCI reports, trending data on your PCI stance, your current exceptions and tickets from our SOC. You get a solution to your specific problem, PCI, without having to worry about everything else that goes along with a full SIEM deployment.
I don’t want to sound too much like a sales guy, since I’m not, so there’s obviously a bit more work that goes into this, but it’s only a fraction of the work that would be required if you were to get your own SIEM. And a manager’s favorite part: it’s at a fraction of the price.
Next time we’ll go more in-depth into what our service is, how it works, and who might get the most value out of it.