What To Look For In A Cloud Friendly SIEM

What To Look For In A Cloud Friendly SIEM

This is part of a plea for help to the SIEM industry and part-education for those looking for a Cloud Friendly SIEM or log aggregation tool.

TL;DR

1. Cloud-Native authentication using role-based access.
2. Pre-built parsing and field extraction rules for the necessary cloud services.
3. Quick support for new cloud services.
4. Please give a real SaaS solution (not hosted) or, at the very least, a marketplace AMI or image.

Cloud SIEM: Cloud-Native Authentication Using Role-Based Access

As a security professional, this is my #1 pet peeve. I do not (and will not) want to create an IAM access key for you to consume my logs. An access key is permanent, can be copied, stolen, or otherwise compromised. With that key, one can do anything assigned to that key, which, in this case, would be accessing my logs. No thanks.

The best way to do this is by requesting role-based access. This utilizes the “Least Privilege” model in security as well as a level of authentication. The way it works is:

1. SIEM provider provides account resource principal and a random string.
2. Create a role for you (SIEM provider) in my target account with access to the specified resources with the supplied information.
3. Update my bucket policies to allow only that role access.
4. Input the newly created role to the SIEM provider.
5. SIEM provider calls an “AssumeRole” to access my resources.
6. FIN

In this instance, the attack surface is reduced to just the SIEM provider’s account.

More info here:

Cloud SIEM: Pre-Built Parsing and Field Extraction Rules

One way I know a provider is cloud-friendly is whether they have pre-built field extraction rules for the services I am using. This means that I don’t need to re-invent the wheel each time a new log source comes online or when my Cloud provider decides to update the data they are sending in their logs, which happens often.

Cloud SIEM: Quick Support For New Cloud Services

Cloud providers are CONSTANTLY releasing new services. It’s hard to keep up. However, most of the time, they will allow vendors access to preview versions of their products. This can be used to satisfy the previous point as well. Basically, I should not have to wait 6 months for support on a new service to be enabled in my SIEM.

Cloud SIEM: Be In The Cloud, Natively

So, think about it: if I have all my infrastructure in the cloud, I am not looking for an ISO to download or, worse, an appliance. Do give me a pure SaaS solution (NOT hosted. BIG difference) or, at the very least, give me an AMI to run. Make sure the AMI is maintained and supports the cloud provider’s native libraries and API calls. This would go a long way.

Conclusion

This article was born out of years of frustrations waiting for traditional SIEM providers to catch up to the cloud. If you are a SIEM vendor, this is for you. If you are looking for a SIEM vendor, these are tips to help you make a good and informed decision to last for your organization.

Trying to figure out the right SIEM for YOUR environment? Let’s chat! You can reach me at ayman@cloudsecuritylabs.io.

This article first appeared on LinkedIn on February 13, 2019.

If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.

Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).

‍