Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
Whether you are a SIEM vendor or someone shopping for one, these tips will help you make a good and informed decision.
This is part plea for help to the SIEM industry and part education for those looking for a cloud-friendly SIEM or log aggregation tool.
As a security professional, I have one pet peeve above all others: I do not (and will not) want to create an IAM access key for you to consume my logs. An access key is a long-lived, static credential. It never expires on its own, and it can be copied, stolen, or otherwise compromised. Whoever holds it can do anything the key's IAM user is permitted to do, which in this case means reading my logs. No thanks.
The better way is to ask for role-based access: an IAM role in my account that the SIEM provider's own account is trusted to assume. This gives me "least privilege" (the role carries only the permissions needed to read the logs) as well as a level of authentication (the provider must first authenticate to its own account before it can assume my role). The way it works is:
In this instance, the attack surface is reduced to just the SIEM provider's account: there is no standing credential of mine for the provider to lose, and the temporary credentials it receives when it assumes the role expire on their own.
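To make the role-based pattern concrete, here is an added example (not code from the original article) of the two policy documents a customer attaches to such a role in AWS, plus a small lint that flags the usual mistakes in the trust policy. The account IDs, bucket name and external ID are constructed placeholders; the `sts:ExternalId` condition is standard AWS practice against confused-deputy abuse and is my addition, not something the article calls for.

```python
"""Cross-account IAM role for a SIEM vendor: build and lint the policies.

Added example, not from the original article. Account IDs, bucket name and
external ID are constructed placeholders, not real values.
"""
import json

CUSTOMER_ACCOUNT = "111111111111"      # constructed: the account that owns the logs
VENDOR_ACCOUNT = "222222222222"        # constructed: the SIEM provider's account
LOG_BUCKET = "example-cloudtrail-logs"  # constructed: bucket CloudTrail writes to
EXTERNAL_ID = "siem-tenant-8f3a1c"     # constructed: vendor supplies a unique value per customer


def trust_policy(vendor_account: str, external_id: str) -> dict:
    """Who may assume the role: only the vendor's account, and only when it
    presents the agreed external ID (stops a third party who learns the role
    ARN from tricking the vendor into assuming it on their behalf)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def log_reader_policy(bucket: str) -> dict:
    """What the role may do once assumed: list the log bucket and read the
    objects under the CloudTrail prefix, nothing else (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*"},
        ],
    }


def lint_trust_policy(policy: dict) -> list:
    """Return human-readable findings for common trust-policy weaknesses.
    An empty list means none of the checked problems were found."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Principal may be the string "*" or a dict such as {"AWS": "arn..."}.
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = principal.get("AWS", [])
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
        if "*" in aws_principals:
            findings.append("trust policy allows any AWS principal to assume the role")
        # Action may be a string or a list; only sts:AssumeRole belongs here.
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("trust policy grants wildcard STS actions")
        # Every condition block is a dict keyed by operator -> {key: value}.
        condition = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in condition.values()):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    good = trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("trust policy findings:", lint_trust_policy(good))
    print(json.dumps(log_reader_policy(LOG_BUCKET), indent=2))
```

Once the role exists, the vendor side never touches a key of mine: it authenticates to its own account and calls `aws sts assume-role --role-arn arn:aws:iam::111111111111:role/<role-name> --role-session-name siem-ingest --external-id siem-tenant-8f3a1c`, receiving temporary credentials that expire (one hour by default). Running the lint against a trust policy with `"Principal": "*"` and no condition reports both the open principal and the missing external ID, which is exactly the configuration a vendor's copy-paste instructions too often ask for.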
One way I know a provider is cloud-friendly is whether they ship pre-built field-extraction rules for the services I am using. This means I don't need to reinvent the wheel each time a new log source comes online, or each time my cloud provider changes the fields it sends in its logs, which happens often.
Cloud providers are CONSTANTLY releasing new services. It's hard to keep up. However, most of the time they will give vendors early access to preview versions of their products, which also helps with the previous point: extraction rules can be ready on launch day. Basically, I should not have to wait six months for a new service to be supported in my SIEM.
So, think about it: if all my infrastructure is in the cloud, I am not looking for an ISO to download or, worse, an appliance. Give me a pure SaaS solution (NOT merely hosted; there is a BIG difference) or, at the very least, give me an AMI to run. Make sure the AMI is maintained and supports the cloud provider's native libraries and API calls. This would go a long way.
This article was born out of years of frustration waiting for traditional SIEM providers to catch up to the cloud. If you are a SIEM vendor, this is for you. If you are looking for a SIEM vendor, these are tips to help you make a good, informed decision that will last your organization.
Trying to figure out the right SIEM for YOUR environment? Let’s chat! You can reach me at ayman@cloudsecuritylabs.io.
This article first appeared on LinkedIn on February 13, 2019.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).