Questions to Answer Before Adopting Cloud SIEM Solutions

Questions to Answer Before Adopting Cloud SIEM Solutions

ARCHIVEDPublished 27 July 2020 – ID G00722245 – 13 min readBy Kelly Kavanagh, Gorka Sadowski, and 1 more


Cloud-based options for SIEM are becoming more commonplace. Security and risk management leaders should use this research to help determine if cloud SIEM is an appropriate solution to meet their SIEM requirements and use cases.

Overview

Key Findings

  • Security information and event management (SIEM) technology delivered as a service can simplify and reduce the time to implement, administer, maintain and scale SIEM solutions, compared with on-premises versions.
  • Perceptions of cloud SIEM that dissuade buyers from considering it as an option include concerns about the security of providers’ environments (whether cloud or data center), the impact on internet bandwidth, service availability, regulatory compliance and vendor lock-in.
  • Especially for midsize enterprise and smaller organizations, the benefits of offloading platform and software management to the SIEM vendors, and getting access to features like advanced analytics and more frequent content update, increasingly offset the perceived challenges in using a SaaS version.
  • Traditional SIEM products are incorporating features that leverage cloud infrastructure, such as advanced analytics.

Recommendations

Security and risk management leaders responsible for security operations should:

  • Use cloud SIEM to mitigate resource constraints to deploy and manage SIEM on-premises or to enable redeployment of resources from SIEM platform management to security investigation and response activities.
  • Prioritize vendors offering cloud SIEM delivered in the primary public cloud service used by their organization.
  • Plan for a cloud SIEM implementation as if deploying on-premises SIEM. Activities such as establishing use cases, identifying log sources and understanding how to get data to the vendor’s SIEM (for example, appliance to aggregate logs, host agents) are still mandatory for success.

Strategic Planning Assumption

By 2023, 90% of SIEM solutions will have capabilities that are only delivered via the cloud (for example, log storage, analytics, incident management), up from 20% currently.

Analysis

Cloud SIEM, specifically cloud-native and cloud-hosted, is an increasingly appropriate option for organizations evaluating SIEM technologies for security monitoring and operations (see Figure 1). Interest in cloud SIEM is increasing among Gartner clients, but adoption remains lower relative to on-premises SIEM (15% to 20% of all new SIEM deployments, based on feedback from Gartner clients and SIEM technology vendors). Barriers to cloud SIEM adoption include lack of experience with cloud SIEM, lack of response from vendors regarding buyer concerns about cloud SIEM, buyer misconceptions about risks of cloud SIEM, concerns about the costs of moving data to and from the cloud, and restrictive implementations by vendors that can offset SaaS benefits. This research poses a series of questions that SIEM buyers should ask vendors regarding their cloud SIEM offerings.Figure 1. Types of Cloud SIEM Offerings

Different models of cloud SIEM: cloud-native, cloud-hosted, and customer-deployed

Cloud SIEM will be the future of how many organizations consume SIEM technology. There is already a variety of vendors with offerings. The benefits of a cloud SIEM model can outweigh the risks for many organizations. For example, approximately 55% of Gartner Peer Insights respondents since March 2017 reported that it took up to three months to deploy their SIEM solution. That means that about 45% of SIEM solution deployments take more than three months to complete, with 20% taking six months or longer. Cloud SIEM deployment can be substantially faster than on-premises deployments.Customers can realize benefits from cloud SIEM in deployment, maintenance, ongoing operations and scalability. Cloud SIEM deployment greatly reduces the need for shipping, receiving, installing and configuring SIEM appliances (whether physical or virtual) before the first log sources can even be consumed by the SIEM solution. Buyers can realize faster time to value as a result. Maintenance activities are similarly reduced. The vendor handles platform maintenance for availability, performance, bug fixes and feature/function updates.Customers can redeploy engineering resources that would otherwise handle those tasks to higher-value work. The SIEM vendor typically also provides content updates for rules, analytic models, dashboards and reports. The elasticity to expand (and contract) the capacity of the SIEM solution as required may be extremely beneficial for short-term bursts of compute-intensive analytics, for accommodating seasonal changes in requirements, or when business activities like a merger or divestiture occur. A process to expand capacity may take minutes to hours to implement for a customer, compared to the typical one-way elasticity for on-premises SIEM solutions. For example, where physical appliances are involved, it could take weeks to months to implement additional capacity — for example, procuring the equipment, the planning and approvals, and then the physical installation and configuration.However, buyer perceptions of using cloud SIEM can still present an impediment to buying. Feedback from Gartner clients as to why they will not, or cannot, use a cloud SIEM approach include:

  • Organizational policies that do not support the use of SaaS, which is rare these days outside of specific verticals. For example, there may be organizational policies that dictate that all data, or even a subset that may include sensitive personally identifiable information or customer/partner identifiable information, cannot leave the organization’s premises.
  • Misunderstandings about the shared responsibility relationship between customer and vendor, including concerns about the security controls of the delivery environment used by the vendor (whether their own premises, private cloud services or public cloud services; see the Strategic Planning Assumptions in “Clouds Are Secure: Are You Using Them Securely?”).
  • Corporate policy requiring the SIEM technology to be purchased as a capital expense (capex), which does not fit the operational expense (opex) model employed by most SaaS vendors. This concern is increasingly expressed for on-premises deployments as more vendors adopt subscription pricing models.
  • Worry about the impact on the internet network links, leading to increased traffic and additional costs.
  • Concerns about the availability of the services because control of the technology is out of the customers’ hands (for example, the portal or management interface is unavailable due to a distributed denial of service [DDoS] attack or technical issue).
  • Cloud SIEM customers being locked into the solution, with recovery of their data difficult or impossible if the agreement with the vendor is terminated or expires.

Some of these concerns are entirely legitimate. For example, Gartner clients that are government agencies and bureaus, nongovernmental organizations (NGOs), and companies that are part of government supply chains all report having policies that stipulate that data cannot leave their premises. However, concerns about the vendor’s hosting environment and the impact on network bandwidth are concerns appropriate to any SaaS consumption, but have not stopped organizations from embracing SaaS. Global growth in 2018 was 20.7% (see “Market Share: Enterprise Application Software as a Service, Worldwide, 2019”).The following list of questions and related commentary are not meant to be exhaustive. They represent the most common questions to be addressed by the buyer and/or the SIEM solution vendors being considered to make a determination whether cloud SIEM is appropriate. The questions are also designed to address the sources of most concern by customers considering cloud SIEM. Prospective buyers should heavily weight vendors who can respond affirmatively to these questions. Where vendors respond “no” or with a qualified affirmative, buyers should assess whether other means, such as additional technical controls and contractual requirements, will compensate. These questions can be leveraged to supplement “Toolkit: RFP for Security Information and Event Management.”Can the vendor meet my technical and budget requirements for data transport to/from and storage in the cloud SIEM environment?There are several elements to this question. The first is the use of resources, such as network bandwidth, to move data in the scope of monitoring from the environment where the data is generated into the cloud SIEM. There may be costs associated with the movement of data as well. For example, data generated in an IaaS environment may be subject to costs as it is moved out of the environment. Another element is how the data will be treated to meet your policy or regulatory requirements. Must the data be filtered, obfuscated and/or encrypted for transport? Must data reside in specific geographic regions? Must it be encrypted for long-term storage? Are there costs associated with moving the data when the relationship with the cloud SIEM vendor ends? The cloud SIEM vendor should demonstrate that these requirements can be met and that the life cycle costs for doing so are disclosed.Does the vendor’s license model and provisioning practice allow for granular, on-demand elasticity for data ingestion, compute and storage requirements?Many SIEM solution vendors claim their solutions are SaaS when they may be just a cloud-hosted version. For example, the vendor manually installs an instance of its software in its data center or in IaaS, managed as a stand-alone instance, where upward or downward elasticity is manually handled by the vendor. Also, pricing is similar to its on-premises models, where you have to buy a set amount of capacity, and it can only grow and never contract. A hosting model may be acceptable, but details of how close to SaaS the solution is should be provided by the vendor. Prospective customers should understand the costs and constraints regarding scaling the underlying infrastructure to accommodate growth in event sources or data volume, new use cases, or seasonal business fluctuations. For example, does that happen dynamically or does the SIEM vendor need to manually provision/deprovision capacity? If manually, how long does it take?Can the vendor provide third-party security evaluations of the cloud platform and vendor operations for delivering the SIEM solution?It is important to gain an appropriate level of assurance that your data will be securely accessed and managed in the provider’s platform (for example, protected from inappropriate access or disclosure). Vendors should be able to demonstrate and provide evidence of formal third-party security evaluation, such as ISO/IEC 27001, AICPA SOC 2 Type 2 or FedRAMP (if applicable). If the vendor is based in a public cloud, do not rely entirely on the cloud provider’s evidence. It’s vitally important that you assess how the cloud SIEM vendor is leveraging the cloud provider’s security and configuration capabilities.Does the vendor offer sufficient data collection, transport and storage options to support the volume, velocity of data and variety of event sources needed to support my use cases?The optimal method for data collection and storage may differ based on the type of data, the source, the volume or velocity, the use cases the data supports and the retention requirements. Vendors should be able to support a variety of methods, including on-premises collector appliances, agents, API access, batch ingestion, and on-demand acquisition from on-premises and cloud-based sources. Ensure the vendor supports options for compression to reduce transport and storage costs. Make sure the vendor offers data retention options that allow you to avoid paying for extended retention of data with limited long-term value for detection and response and not subject to regulatory or policy requirements.Is the SIEM solution cloud-native?Cloud SIEM may be cloud-native SaaS or cloud-hosted. For many users, the answer to this may have no effect on their day-to-day experience with the SIEM. However, Gartner expects that SIEM vendors with cloud-native solutions will, over the midterm, be more effective in maintenance and operations activities for their SIEMs, in introducing functional updates and applying corrections for bugs or vulnerabilities, and in accommodating short-term, bursty or seasonal changes in capacity requirements. This outcome may be important to buyers placing a premium on availability, response stability and cost of the SIEM.Can the vendor offer service-level agreements (SLAs) and evidence of process maturity in delivering rapid feature, function and content updates while maintaining product availability and functionality?One of the benefits of a SaaS model is that updates, both functional and performance-related, can be released much faster compared with the traditional approach of maintaining on-premises software deployments that rely on content updates, minor and major release updates, hotfixes, and patches. This can be beneficial for cloud SIEM users since new features and fixes are made available more quickly and frequently. However, this can introduce risks, such as features being pushed out before they are truly ready for production use, product instability, and new vulnerabilities in the solution if the vendor does not have robust DevOps and DevSecOps practices in place. Conversely, this agility also means that performance and security issues can be resolved more rapidly.Does the vendor have mature processes for deployment, management and break-fix for SIEM components such as agents, appliances and network sensors that will reside in my environment?Some SIEM vendors are taking a platform approach to their solutions that offers add-on technologies beyond just the core SIEM tool, such as network traffic analysis, file integrity monitoring (FIM), endpoint detection and response (EDR), and vulnerability assessment. Many of these add-on technologies are deployed within a customer’s environment close to the sources being monitored. Alternatively, they are add-on modules to the core SIEM environment that traditionally would have been installed alongside the SIEM solution or on a separate appliance or server. If planning to use these add-on solutions, it’s important to know if they are: supported by the vendor in its cloud SIEM version and what, if any, impacts this creates either from an architecture or operations perspective.Will the vendor commit for SIEM availability of at least 99.5% (insert your own requirements here) for its cloud SIEM and provide resilience options to address IaaS and connectivity issues?Availability can be affected by outages in the underlying cloud platform, issues with the vendor’s application, connectivity between vendor and customer, and issues with on-premises elements of the SIEM solution. Another consideration is how any outages or losses of connectivity (whether on the buyer’s or vendor’s side) might affect security operations. It is important to understand what plans the vendor has in place to deal with these issues, both planned and unplanned. How will the vendor communicate to you when there are planned or unexpected outages? What happens if there is an extended outage? Are SLAs for availability offered? It also requires buyers to have appropriate contingency plans when outages are experienced. Will you have sufficient capacity to store logs until logs can be forwarded? How will security monitoring and operations continue to function without access to the SIEM?Will the vendor agree to service transition arrangements to enable the transfer of log data and other content as needed at the end of the service period or prior to that?You need to ensure that your data is returned at contract termination and that the vendor will provide sufficient attestation that it has removed/returned your data that was in its possession. You must also ensure you have access to your data for sufficient time to move it off the vendor’s systems if the vendor is unable to continue providing SIEM. Retaining ownership of and guaranteed access to, for example, the log and event data, alerting rules, analytics, reports, playbooks, and threat intelligence that are created and modified when using a cloud SIEM are important considerations when ending use of the solution. This question is not exclusive to cloud SIEM. However, due to the nature of SaaS, there can be challenges with extracting the logs, data and context back on-premises or to a different cloud platform. Having a good understanding and documented agreements for what happens once the use of the cloud SIEM solution expires is critical, especially for those organizations that must hold logs for extended periods of time (for example, 365 days for Payment Card Industry Data Security Standard [PCI DSS])