Looking to Add a Cloud Provider SIEM to Your Existing SIEM Strategy? Consider These 5 Factors to Maximize Cost Savings and Detection Capabilities

As organizations look to embrace the cloud for more of their daily workloads, they’re faced with the challenge of how best to maintain visibility across their rapidly evolving environment and keep a handle on their cloud security posture. Many cloud providers now provide their own SIEM offerings and entice you to make the switch from your ‘best of breed SIEM’ to their security tooling as it provides ‘free logging’ for some of the log sources that are within their cloud. For some organizations this concept can look appealing due to the implied cost savings. This leaves many at a crossroads deciding which way to go. Migrate to the cloud providers’ SIEM or, continue with my current functioning deployment and ignore the potential savings.

Many organizations ask the same questions:

  • With much of my operations now being cloud based, should I look to utilize the cloud vendors’ SIEM?
  • Can I run an on-premises solution and a cloud solution?
  • Can the same resources be expected to learn and maintain multiple SIEMs?
  • If detection is increasingly behavior based, how can I detect across both cloud and on-prem instances?
  • Can I reduce risk across my environment by leveraging this emerging idea of Open XDR, the notion of a unified control plane across my security tooling for visibility, detection and response?

Unfortunately, the decision isn’t as black and white as you would hope and there are a few things to consider when looking to transition:

1. Log Source support – The cloud providers SIEM will no doubt have good coverage of the log source types within its cloud offering but does it provide coverage and integration of the log source types that are outside of its cloud that you need to monitor?

2. Log feed ingestion cost – For log sources that are outside of the cloud providers’ SIEM, what costs are associated with the collection and ingestion of their log data into the cloud providers’ SIEM?

3. SIEM Licensing cost – What is the licensing cost for the SIEM for the chargeable log sources, be it GB/Day or Events Per Second (EPS)?

4. Detection capabilities – What support does the cloud providers’ SIEM deliver for detection of malicious / anomalous activity across your log source types?

5. Orchestration and Automation – What level of orchestration and automation across your enterprise does the cloud providers’ SIEM offer?

The above are a few simple questions to consider when looking to select any future SIEM technology and enhance the security posture for your organization. With cloud-provided SIEMs, it’s crucial to ensure that you’re not generating savings in licensing in one area that subsequently means you expend more in collection of other log source types, engineering, or manpower.

As an example, there are a few things that you can bring into Microsoft Azure Sentinel, assuming you have an appropriate license, for no additional charge. These include logs from the newly re-branded Microsoft 365 Defender family of endpoint and cloud log source types (Azure Activity Logs, Office 365 Audit Logs and alerts from Microsoft Threat Protection products, Azure Security Centre, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection).  Likewise, you’ll want to evaluate the level of detection capability that’s afforded within the solution as you don’t want to exert the effort to transition your non-Microsoft log source types necessitating the need to create new workflows or detection content.

What if there was an alternative approach that took advantage of the benefits provided by the cloud providers’ SIEM to keep cloud logs in the cloud and map them into your existing SIEM implementation? A solution that would present the best of both worlds without the headache of piecing together disparate data feeds?

ReliaQuest GreyMatter supports multiple SIEM deployments concurrently, bringing cross-SIEM visibility into a central location and enabling the deployment of curated, business-aligned content into both cloud-provided and standard SIEM solutions. This approach addresses the same pains that Open XDR addresses and embraces the advantages of the cloud-provided SIEM incentives whilst maintaining logging for all other log source types as before, in a scalable best-of-breed SIEM tool. In addition, this unique approach provides centralized threat hunting and automation capabilities across SIEM, EDR, and other security tools to further increase detection and speed response to threats. As cloud provider SIEM offerings mature, then ReliaQuest can support your transition fully to or from a SIEM to align with your business objectives.