The non-profit Cloud Security Alliance (CSA) today released guidelines for the nascent Security as a Service (SecaaS) specialization within the broader realm of cloud computing. The goal, the group says, is to help companies and consumers gain a better handle on how best to evaluate, build and deploy off-premise Security Information and Event Management (SIEM) systems as they grow in popularity.
“Bringing event, threat and risk data seamlessly together is the foundation of SIEM; however, doing it in a services model presents a variety of new challenges,” said Jim Reavis, co-founder and executive director for the CSA, in a prepared statement.
Among those challenges for SIEM providers are accepting log, event and flow information from a diverse set of current and legacy customer devices, and analyzing and responding in real time to events from a wide variety of sources. Reducing the number of false positives is also important, both during data collection and during event correlation.
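As an added illustration of those two challenges (this is example code written for this page, not material from the CSA paper or from any SIEM product), the Go program below normalizes two constructed device formats, a syslog-style OpenSSH line and a JSON firewall event, into one schema, flags lines it cannot parse instead of dropping them, and then correlates failures per source address within a time window so that a burst of failed logins produces a single alert rather than one alert per event. All log lines, host names, addresses and the hypothetical JSON field names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is the common schema every source is normalized into before correlation.
type Event struct {
	Time   time.Time
	Source string // reporting device
	Actor  string // client address the activity came from
	Action string // "auth_failure" or "auth_success"
}

// sshFailRe matches the constructed syslog-style sshd lines used below
// (hypothetical layout: RFC3339 timestamp, host, then the usual sshd message).
var sshFailRe = regexp.MustCompile(
	`^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)`)

// jsonEvent is the shape of the constructed JSON feed from a second device type.
type jsonEvent struct {
	Timestamp string `json:"ts"`
	Device    string `json:"device"`
	SrcIP     string `json:"src_ip"`
	Outcome   string `json:"outcome"`
}

// Normalize converts one raw line of either format into an Event. A line that
// matches neither format is returned as an error, not silently dropped, so a
// legacy device that changes its output is noticed at ingestion time.
func Normalize(line string) (Event, error) {
	line = strings.TrimSpace(line)
	if strings.HasPrefix(line, "{") {
		var j jsonEvent
		if err := json.Unmarshal([]byte(line), &j); err != nil {
			return Event{}, err
		}
		t, err := time.Parse(time.RFC3339, j.Timestamp)
		if err != nil {
			return Event{}, err
		}
		action := "auth_failure"
		if j.Outcome == "success" {
			action = "auth_success"
		}
		return Event{Time: t, Source: j.Device, Actor: j.SrcIP, Action: action}, nil
	}
	if m := sshFailRe.FindStringSubmatch(line); m != nil {
		t, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return Event{}, err
		}
		return Event{Time: t, Source: m[2], Actor: m[3], Action: "auth_failure"}, nil
	}
	return Event{}, fmt.Errorf("unrecognized log format: %q", line)
}

// Correlate emits one alert per actor that produced at least threshold failures
// inside window, counted across all sources, instead of one alert per failure.
func Correlate(events []Event, threshold int, window time.Duration) []string {
	byActor := map[string][]time.Time{}
	for _, e := range events {
		if e.Action == "auth_failure" {
			byActor[e.Actor] = append(byActor[e.Actor], e.Time)
		}
	}
	var alerts []string
	for actor, ts := range byActor {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+threshold-1 < len(ts); i++ { // sliding window over sorted times
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				alerts = append(alerts, fmt.Sprintf("%s: %d auth failures within %s", actor, threshold, window))
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

// SampleLines is constructed input: both formats plus one unsupported legacy line.
var SampleLines = []string{
	`2024-05-01T10:00:01Z bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51514 ssh2`,
	`2024-05-01T10:00:03Z bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51520 ssh2`,
	`2024-05-01T10:00:04Z bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51522 ssh2`,
	`{"ts":"2024-05-01T10:00:05Z","device":"fw-edge","src_ip":"203.0.113.7","outcome":"fail"}`,
	`2024-05-01T10:00:07Z bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51530 ssh2`,
	`2024-05-01T10:00:09Z bastion sshd[2201]: Failed password for root from 198.51.100.4 port 40122 ssh2`,
	`{"ts":"2024-05-01T10:00:12Z","device":"fw-edge","src_ip":"198.51.100.4","outcome":"success"}`,
	`May  1 10:00:13 legacy-switch: link down port 3`,
}

// Run ingests SampleLines and returns the alerts, the number of raw failure
// events those alerts replace, and the number of lines that could not be parsed.
func Run() (alerts []string, rawFailures, parseErrors int) {
	var events []Event
	for _, l := range SampleLines {
		e, err := Normalize(l)
		if err != nil {
			parseErrors++
			continue
		}
		if e.Action == "auth_failure" {
			rawFailures++
		}
		events = append(events, e)
	}
	return Correlate(events, 5, 60*time.Second), rawFailures, parseErrors
}
```

Running `Run()` over the sample turns six raw failures from two device types into one alert for the single address that crossed the threshold, while the single failure from the other address and the one unparsed legacy line are surfaced as counts rather than as alerts; the threshold and window are the knobs that the tuning work described in the guidance paper adjusts.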
“Traditional ‘on-premise’ SIEM implementations often take considerably more effort and time to implement successfully than businesses envision,” the guidance paper said. “SIEM projects, especially in SMBs or larger enterprises with limited IT expertise, often fail to evolve past the planning phase or are only partially successful. This is often because the required tuning and validation of SIEM events requires a specialized skill set and monitoring during the implementation stages.
“The promise of SIEM provided from a cloud-based service can provide a scalable, fully managed SIEM service that the customer can leverage and integrate with public cloud, private cloud and on-premise systems and infrastructure. It is important to note, however, that many of the same requirements still exist, and the business needs to ensure that adequate resources are devoted to the initial set-up and subsequent monitoring and maintenance of rules.”
One advantage of SIEM in the cloud is testing and gradual deployment on a pay-as-you-go schedule rather than full purchase of a solution at the onset. Because of this cost benefit, more companies are eyeing various levels of such cloud-based services.
Practical considerations include the number of devices monitored by a prospective cloud-based SIEM provider, extra charges for unsupported devices, the number of reports generated and any fees for both standard and custom rules. Additionally, IT security teams should pay attention to the number of dashboards in a contract and how logs are generated and stored.
Legal (and perhaps ethical) considerations – regardless of whether the SIEM environment is on- or off-premise – often revolve around employee expectations of privacy and any ramifications if suspicious data is collected but not acted upon.
Because the cloud-based provider also will be aggregating data from other clients, companies may consider sharing information to help reduce the risk of attacks.
“How the data is collected, used and potentially shared by the SecaaS SIEM vendor needs to be considered,” the report said. “The data collected by the SIEM reveals a great deal about the weaknesses and vulnerabilities of an enterprise; it can be used by hackers to help them determine the best method of attacking a network, and it can be used in real time to guide them past enterprise defenses and alert them if they have been detected.”
Many IT security professionals remain wary of cloud-based SIEM solutions for fear they also will suffer losses if the provider comes under attack. Disaster recovery in the event of such an attack also is a concern.
“Security of log data in transit and the security of log data at rest also need to be a major concern for the architects. Encrypted data is useless if the keys are somehow corrupted or lost. The security of logs at the vendor should not be protected by the same keys as those within the enterprise, and all the transactions between the vendor and the enterprise need to be accomplished using keys regularly.”
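To make the two points in that passage concrete, the Go program below (an added example written for this page, not code from the CSA guidance or from any vendor) stores one constructed log record twice: at rest in the enterprise under the enterprise's own key and at the SIEM vendor under a separate key. AES-256-GCM is this example's choice of cipher; the report names none. It then checks that the enterprise key cannot open the vendor's copy, and that a single corrupted bit in a stored key leaves that copy unrecoverable. The key generation, the labels "enterprise" and "vendor", the log line and the `Outcome` type are all assumptions of the example; in a real deployment the two keys would be generated and held in separate key-management domains.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// NewKey returns a fresh random AES-256 key. Assumption: in production the
// enterprise key and the vendor key come from separate key-management domains
// and are never copied between the two parties.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one log record with AES-256-GCM. The label (e.g. "vendor") is
// bound as authenticated additional data, so a blob sealed for one custodian
// cannot be passed off as the other's. Output layout: nonce || ciphertext+tag.
func Seal(key, label, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, label), nil
}

// Open reverses Seal. A wrong key, wrong label or any modified byte fails the
// authentication tag and returns an error instead of plaintext.
func Open(key, label, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], label)
}

// Outcome records what each check in Demo observed.
type Outcome struct {
	EnterpriseReads bool // enterprise key opens the enterprise copy
	VendorReads     bool // vendor key opens the vendor copy
	CrossKeyFails   bool // enterprise key cannot open the vendor copy
	CorruptKeyFails bool // one flipped key bit makes the enterprise copy unrecoverable
}

// Demo stores a constructed record under two independent keys and probes them.
func Demo() (Outcome, error) {
	record := []byte("2024-05-01T10:00:01Z bastion sshd[2201]: Failed password for root from 203.0.113.7") // constructed
	entKey, err1 := NewKey()
	vendKey, err2 := NewKey()
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.New("key generation failed")
	}
	entLabel, vendLabel := []byte("enterprise"), []byte("vendor")
	entBlob, err1 := Seal(entKey, entLabel, record)
	vendBlob, err2 := Seal(vendKey, vendLabel, record)
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.New("seal failed")
	}
	var o Outcome
	p, err := Open(entKey, entLabel, entBlob)
	o.EnterpriseReads = err == nil && bytes.Equal(p, record)
	p, err = Open(vendKey, vendLabel, vendBlob)
	o.VendorReads = err == nil && bytes.Equal(p, record)
	_, err = Open(entKey, vendLabel, vendBlob) // key separation: must fail
	o.CrossKeyFails = err != nil
	entKey[0] ^= 0x01 // simulate a corrupted stored key
	_, err = Open(entKey, entLabel, entBlob)
	o.CorruptKeyFails = err != nil
	return o, nil
}
```

All four fields of the `Outcome` returned by `Demo()` come back true. The last check is the one the passage warns about: authenticated encryption fails closed, so a key that is corrupted or lost turns the encrypted log archive into noise, which is why key backup and escrow planning belongs in the same design discussion as key separation between the enterprise and the vendor.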