The promise of the cloud has allowed businesses of all sizes to gain features and flexibility that were previously seen only in the largest and most sophisticated environments – the ones with the resources to purchase and support such services. In recent years, this has all changed. Even a single user can now purchase features such as full groupware functionality, video conferencing and even big data, stood up and placed into production almost instantly.
The recent full commercialization of information technology, with ads for various cloud services running on television during prime time and in other media, means that decision making for many IT services has changed. In many cases these decisions are being made by business people, leaving the IT staff and leadership to follow the lead of the business decision makers.
This has had the side effect of rapid movement to the cloud without much thought given to all the things we used to think of when moving to a new product line – one of the most important being the ability to secure the data while still providing access to trusted resources.
As subscribing to cloud services in most cases means that there will no longer be one point of controlling access – traditionally the on-premises firewall – the SIEM (Security Information and Event Management) market needed to change with the current trend toward cloud services. Because a traditional SIEM is expensive and requires multiple skilled people to monitor and manage it, this important part of a secure environment has been out of the reach of many systems operators until recently.
The heightened threat landscape of the past two years illustrates the need for SIEMs – even for traditional data centers that are on-premises. In most cases, the burden of monitoring security in cloud-based tenants is placed squarely upon the organization renting the resources and not on the hosting provider. This means that a SIEM is needed – and in most cases a managed SIEM is indicated, to provide experienced human eyes on the risky traffic flowing through both cloud and on-premises resources.
How SIEMs Strengthen Your Cyber Defenses
A SIEM is a device or service that gathers logs from different services for the purpose of correlating events that, seen separately, could appear innocent – but event data streams from multiple sources CAN show that a breach or risky data access event is taking place. For example, seeing logons late at night from a known user could be innocent – but if that logon correlates with the same user creating multiple admin accounts on a service, that would appear to be a breach.
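The correlation described above, written out as an added example (not code from the original post or from any SIEM product): it joins a domain controller logon feed with a cloud tenant audit feed and alerts only when an after-hours logon is followed, within a window, by several admin account creations by the same user. The feed names, business-hours window, thresholds and log events are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str    # which log feed the event came from (assumed feed names)
    user: str
    action: str    # "logon" or "admin_account_created"
    detail: str    # workstation name or the account that was created


# Constructed sample events from two separate feeds (not real log data).
SAMPLE_EVENTS = [
    Event(datetime(2023, 3, 14, 2, 13), "domain_controller", "jdoe", "logon", "WS-17"),
    Event(datetime(2023, 3, 14, 2, 20), "cloud_tenant", "jdoe", "admin_account_created", "svc-backup1"),
    Event(datetime(2023, 3, 14, 2, 22), "cloud_tenant", "jdoe", "admin_account_created", "svc-backup2"),
    Event(datetime(2023, 3, 14, 2, 31), "cloud_tenant", "jdoe", "admin_account_created", "svc-backup3"),
    Event(datetime(2023, 3, 14, 9, 5), "domain_controller", "asmith", "logon", "WS-03"),
    Event(datetime(2023, 3, 14, 9, 40), "cloud_tenant", "asmith", "admin_account_created", "helpdesk-admin"),
    Event(datetime(2023, 3, 14, 23, 50), "domain_controller", "mjones", "logon", "WS-09"),
]


def is_after_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """True when the event falls outside the assumed 07:00-19:00 business window."""
    return not (start_hour <= ts.hour < end_hour)


def correlate_after_hours_admin_creation(events, min_accounts=2, window=timedelta(hours=1)):
    """Flag users whose after-hours logon is followed, within `window`, by at
    least `min_accounts` admin account creations on any feed. Either signal
    alone (a late logon, or one account creation) is not alerted on."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for logon in (e for e in evs if e.action == "logon" and is_after_hours(e.ts)):
            created = [e.detail for e in evs
                       if e.action == "admin_account_created"
                       and logon.ts <= e.ts <= logon.ts + window]
            if len(created) >= min_accounts:
                alerts.append({"user": user, "logon": logon.ts.isoformat(), "accounts": created})
    return alerts


if __name__ == "__main__":
    for alert in correlate_after_hours_admin_creation(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only jdoe is flagged: asmith's account creation happened after a business-hours logon, and mjones's late logon had no account creations following it.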
We here at Datalink Networks have examined many different SIEM devices, weighing their effectiveness at detecting suspect activity, their cost, their ease of management and the data they require to function. Many services were very good – but far too intrusive (including the need for a network tap and data sent offsite). Some offered awkward licensing models (i.e., not per device but by total volume of transactions). Many of these devices do not interface with well-known cloud services such as Microsoft Office 365, Amazon Web Services or Google Cloud.
The requirements we were looking for were met by Vijilan:
- Small footprint for deployment onsite
- Reasonable cost – priced per infrastructure device/service monitored
- OPEX pricing – billed per device per month.
- Human-backed machine intelligence for sorting through logs
- Alerting functions – phone or email when possible breaches are in progress
- Gathers logs only – no tap/mirror, no NetFlow or sFlow – which preserves some privacy for the data on site
- US-based threat response team
Vijilan is a company that can fulfill all SIEM needs for companies of all sizes – supporting a massive array of on-premises devices as well as most major cloud services. Most environments need about 5 nodes monitored (firewall, network core, domain controllers, cloud service), and they are able to do amazing things with the logs they gather. They customize your alerts based on your needs and traffic, and provide remediation advice if needed.