What To Look For In A Cloud Friendly SIEM

This is part plea for help to the SIEM industry and part education for those shopping for a cloud-friendly SIEM or log aggregation tool.

TL;DR

  1. Cloud Native authentication using role based access.
  2. Pre-built parsing and field extraction rules for the necessary cloud services.
  3. Quick support for new cloud services.
  4. Give me a real SaaS solution (not hosted) or at the very least a marketplace AMI or image.

Cloud SIEM: Cloud Native Authentication Using Role Based Access

As a security professional this is my #1 pet peeve. I do not (and will not) create an IAM access key so that you can consume my logs. An access key is a long-lived static credential: it never expires unless someone rotates it, it can be copied, leaked or stolen, and whoever holds it can do everything the attached policy allows, from anywhere, with no further authentication. In this case that means reading my logs. No thanks.

The right way is to ask for role-based access to my environment: a cross-account IAM role that the provider assumes at run time. This applies the "Least Privilege" model (the role grants only what the collector needs) and adds a layer of authentication (the caller must be the provider's account, must present the agreed External ID, and receives only short-lived credentials). The way it works is:

  1. The SIEM provider gives me the AWS account principal it will call from and a random string to use as the External ID.
  2. I create a role for the SIEM provider in my target account, trusting only that principal with that External ID, with permissions scoped to the specified resources.
  3. I update my bucket policies to grant access only to that role.
  4. I hand the ARN of the newly created role back to the SIEM provider.
  5. The SIEM provider calls "AssumeRole" (presenting the External ID) to obtain temporary credentials and access my resources.
  6. FIN


In this instance the attack surface is reduced to just the SIEM provider's account: there is no static secret on my side to leak, and an attacker would need both control of the provider's account and the External ID to assume the role. The role's permissions are still the ceiling, so scope them to read-only on the log bucket and nothing more.
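The procedure above, as an added example (not code from the original article or from any SIEM vendor). It builds the three policy documents from steps 2 and 3 and includes a small audit function for checking a trust policy a vendor asks you to create. The account IDs, bucket name, role name and External ID are constructed placeholders; the provider's AssumeRole call (step 5) is shown as a CLI comment because it runs on the provider's side.

```python
"""Cross-account, least-privilege access for a SIEM log collector.

Added example, not from the original article or any vendor. All identifiers
below are placeholders (assumptions), not real accounts or buckets.
"""
import json

MY_ACCOUNT = "111111111111"          # account that owns the log bucket (placeholder)
SIEM_ACCOUNT = "222222222222"        # supplied by the SIEM provider in step 1 (placeholder)
EXTERNAL_ID = "9f2c1a7e-example"     # random string supplied by the provider in step 1 (placeholder)
LOG_BUCKET = "example-cloudtrail-logs"
ROLE_NAME = "SiemLogCollector"
ROLE_ARN = f"arn:aws:iam::{MY_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(provider_account: str, external_id: str) -> dict:
    """Step 2, trust side: who may assume the role. Only the provider's account,
    and only when it presents the agreed External ID (this is what stops a
    multi-tenant provider from being tricked into reading the wrong customer's
    bucket, the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_permissions_policy(bucket: str) -> dict:
    """Step 2, permissions side: what the role may do once assumed.
    Read-only on one bucket; no s3:* and no wildcard resources."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": arn},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{arn}/*"},
        ],
    }


def bucket_policy(bucket: str, role_arn: str) -> dict:
    """Step 3: the bucket side. The collector role is the only principal granted
    read access from outside the account; no other external principal appears."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SiemCollectorReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def audit_trust_policy(policy: dict, expected_account: str) -> list:
    """Check a trust policy against the bar set in the article. Returns a list of
    findings; an empty list means the role can only be assumed by the expected
    provider account, only via sts:AssumeRole, and only with an External ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if not aws_list:
            findings.append("no AWS principal in trust statement")
        for p in aws_list:
            if "*" in str(p):
                findings.append(f"wildcard principal: {p}")
            elif expected_account not in str(p):
                findings.append(f"principal outside provider account: {p}")
        actions = stmt.get("Action", [])
        for a in (actions if isinstance(actions, list) else [actions]):
            if a != "sts:AssumeRole":
                findings.append(f"trust policy should only allow sts:AssumeRole, got {a}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(SIEM_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(role_permissions_policy(LOG_BUCKET), indent=2))
    print(json.dumps(bucket_policy(LOG_BUCKET, ROLE_ARN), indent=2))
    print("findings:", audit_trust_policy(trust_policy(SIEM_ACCOUNT, EXTERNAL_ID), SIEM_ACCOUNT))
    # Step 5, run by the provider from its own account, returns short-lived credentials:
    #   aws sts assume-role --role-arn arn:aws:iam::111111111111:role/SiemLogCollector \
    #       --role-session-name siem-collector --external-id 9f2c1a7e-example
```

Run the audit against whatever trust policy a vendor sends you: a wildcard principal, a missing External ID condition, or an action beyond sts:AssumeRole each produces a finding, and any of them is grounds to push back before creating the role.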

Cloud SIEM: Pre-Built Parsing and Field Extraction Rules

One way I can tell a provider is cloud friendly is whether it ships pre-built parsing and field extraction rules for the services I am using. This means I don't need to re-invent the wheel each time a new log source comes online, or each time my cloud provider changes the fields it sends in its logs, which happens often. A good rule tolerates a new field showing up or an optional one going missing without breaking the pipeline.
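What such a field extraction rule looks like in practice, as an added example (not code from the original article or from any SIEM product): a rule for AWS CloudTrail records that maps the record's nested fields to a normalized event, and keeps working when the record schema gains a field. The two records are constructed for illustration (placeholder account IDs and documentation IP addresses); the field names themselves are CloudTrail's real ones.

```python
"""Field-extraction rule for AWS CloudTrail records.

Added example; not from the original article or any SIEM product. The records
below are constructed (fake account IDs, documentation IP range), but the
field names are the ones CloudTrail actually emits.
"""
import json

# Constructed sample: one JSON body as CloudTrail delivers it to S3 (a "Records"
# array). The second record carries "tlsDetails", a field older records lack,
# and an errorCode; the rule must tolerate fields appearing or disappearing.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.05",
        "eventTime": "2019-02-13T10:15:02Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AWSAccount", "accountId": "222222222222"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::111111111111:role/SiemLogCollector",
            "roleSessionName": "siem-collector",
        },
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2019-02-13T10:15:09Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/SiemLogCollector/siem-collector",
        },
        "requestParameters": {"bucketName": "example-cloudtrail-logs", "key": "x.json.gz"},
        "errorCode": "AccessDenied",
        "errorMessage": "Access Denied",
        "tlsDetails": {"tlsVersion": "TLSv1.2"},
    },
]})


def _get(record, path, default=None):
    """Walk a dotted path such as "userIdentity.arn" without raising on gaps."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# The extraction rule: normalized field name -> where it lives in the record.
# Extra fields in the record are ignored; missing ones come back as None.
CLOUDTRAIL_RULE = {
    "timestamp":     "eventTime",
    "service":       "eventSource",
    "action":        "eventName",
    "region":        "awsRegion",
    "src_ip":        "sourceIPAddress",
    "actor_type":    "userIdentity.type",
    "actor":         "userIdentity.arn",
    "actor_account": "userIdentity.accountId",
    "error":         "errorCode",
    "target_role":   "requestParameters.roleArn",
}


def extract(record, rule=CLOUDTRAIL_RULE):
    """Apply one extraction rule to one record and derive a success flag."""
    fields = {name: _get(record, path) for name, path in rule.items()}
    fields["success"] = fields["error"] is None
    return fields


def parse_cloudtrail(blob, rule=CLOUDTRAIL_RULE):
    """Parse a CloudTrail delivery file body into a list of normalized events."""
    return [extract(r, rule) for r in json.loads(blob).get("Records", [])]


if __name__ == "__main__":
    for event in parse_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(json.dumps(event))
```

The rule is data, not code, which is the point: when the provider adds a field (here tlsDetails) nothing breaks, and when a new field is worth keeping you add one line to the mapping rather than rewriting a parser.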

Cloud SIEM: Quick Support For New Cloud Services

Cloud providers are CONSTANTLY releasing new services; it's hard to keep up. However, most of the time they give vendors access to preview versions of their products, and that same early access can be used to satisfy my previous point as well. Basically, I should not have to wait 6 months for support of a new service to land in my SIEM.

Cloud SIEM: Be In The Cloud, Natively

So think about it: if all my infrastructure is in the cloud, I am not looking for an ISO to download or, worse, an appliance. Give me a pure SaaS solution (NOT a vendor-hosted instance of the on-premises product, which is a BIG difference) or at the very least give me an AMI to run. Make sure the AMI is maintained and supports my cloud provider's native libraries and API calls. This would go a long way.

Conclusion

This article was born out of years of frustration waiting for traditional SIEM providers to catch up to the cloud. If you are a SIEM vendor, this is for you. If you are looking for a SIEM vendor, these are tips to help you make an informed decision that will last for your organization.

Trying to figure out the right SIEM for YOUR environment? Let’s Chat! You can reach me at ayman@cloudsecuritylabs.io.

This article first appeared on LinkedIN on February 13, 2019.

About the Author Ayman Elsawah

Cloud Security | Author | Educator | Coffee Nerd
