Threat Advisory: Ongoing HermeticWiper Situation. Read More ➞

Looking to Add a Cloud Provider SIEM to Your Existing SIEM Strategy? Consider These 5 Factors to Maximize Cost Savings and Detection Capabilities

As organizations look to embrace the cloud for more of their daily workloads, they’re faced with the challenge of how best to maintain visibility across their rapidly evolving environment and keep a handle on their cloud security posture. Many cloud providers now provide their own SIEM offerings and entice you to make the switch from your ‘best of breed SIEM’ to their security tooling as it provides ‘free logging’ for some of the log sources that are within their cloud. For some organizations this concept can look appealing due to the implied cost savings. This leaves many at a crossroads deciding which way to go. Migrate to the cloud providers’ SIEM or, continue with my current functioning deployment and ignore the potential savings.

Many organizations ask the same questions:

  • With much of my operations now being cloud based, should I look to utilize the cloud vendors’ SIEM?
  • Can I run an on-premises solution and a cloud solution?
  • Can the same resources be expected to learn and maintain multiple SIEMs?
  • If detection is increasingly behavior based, how can I detect across both cloud and on-prem instances?
  • Can I reduce risk across my environment by leveraging this emerging idea of Open XDR, the notion of a unified control plane across my security tooling for visibility, detection and response?

Unfortunately, the decision isn’t as black and white as you would hope and there are a few things to consider when looking to transition:

1. Log Source support – The cloud providers SIEM will no doubt have good coverage of the log source types within its cloud offering but does it provide coverage and integration of the log source types that are outside of its cloud that you need to monitor?

2. Log feed ingestion cost – For log sources that are outside of the cloud providers’ SIEM, what costs are associated with the collection and ingestion of their log data into the cloud providers’ SIEM?

3. SIEM Licensing cost – What is the licensing cost for the SIEM for the chargeable log sources, be it GB/Day or Events Per Second (EPS)?

4. Detection capabilities – What support does the cloud providers’ SIEM deliver for detection of malicious / anomalous activity across your log source types?

5. Orchestration and Automation – What level of orchestration and automation across your enterprise does the cloud providers’ SIEM offer?

The above are a few simple questions to consider when looking to select any future SIEM technology and enhance the security posture for your organization. With cloud-provided SIEMs, it’s crucial to ensure that you’re not generating savings in licensing in one area that subsequently means you expend more in collection of other log source types, engineering, or manpower.

As an example, there are a few things that you can bring into Microsoft Azure Sentinel, assuming you have an appropriate license, for no additional charge. These include logs from the newly re-branded Microsoft 365 Defender family of endpoint and cloud log source types (Azure Activity Logs, Office 365 Audit Logs and alerts from Microsoft Threat Protection products, Azure Security Centre, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection).  Likewise, you’ll want to evaluate the level of detection capability that’s afforded within the solution as you don’t want to exert the effort to transition your non-Microsoft log source types necessitating the need to create new workflows or detection content.

What if there was an alternative approach that took advantage of the benefits provided by the cloud providers’ SIEM to keep cloud logs in the cloud and map them into your existing SIEM implementation? A solution that would present the best of both worlds without the headache of piecing together disparate data feeds?

ReliaQuest GreyMatter supports multiple SIEM deployments concurrently, bringing cross-SIEM visibility into a central location and enabling the deployment of curated, business-aligned content into both cloud-provided and standard SIEM solutions. This approach addresses the same pains that Open XDR addresses and embraces the advantages of the cloud-provided SIEM incentives whilst maintaining logging for all other log source types as before, in a scalable best-of-breed SIEM tool. In addition, this unique approach provides centralized threat hunting and automation capabilities across SIEM, EDR, and other security tools to further increase detection and speed response to threats. As cloud provider SIEM offerings mature, then ReliaQuest can support your transition fully to or from a SIEM to align with your business objectives.

More Articles

3 Signs It’s Time to Rethink Your Security Operations Strategy

Today, the security industry is over-saturated with technologies and tools. While many enterprises have established or are setting a foundation for their security operations with Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR), there are countless point solutions arising to extend them, from SOAR to CASB, UEBA and more. Although each […]

GreyMatter’s Partner Ecosystem: Dozens of Integrations = One Unified View

Security teams have been loading up on disparate technologies to better defend their environments for the past several years. The result: with multiple tool sets and data living in numerous locations, it’s difficult to have confidence that you have enough visibility to protect your business against threats. Not to mention, each technology has its own […]

In Security, All Logs Are Not Created Equal

Like a triage nurse, security professionals have to prioritize the data that will help them best identify problems and keep the organization, its data, and devices safe from intruders and cyberattacks. However, logging and monitoring all relevant events from across the IT environment can be challenging. For instance, some common log sources, such as servers, […]