A Consolidated SIEM, UEBA, and Log Management Architecture

Published on February 1, 2021

By Augusto Barros, Vice President of Solutions

 

In my previous life as an industry analyst, I would often talk to clients working on an architecture for security monitoring and log management. They would often try to consolidate log collection and security monitoring on a single platform, but for many reasons, after discussing the options, they would conclude that a combination of tools would be necessary to achieve their objectives.

My explanation usually started with "there's no good option to do all in one these days." Looking at the options, I used to say:

"Vendor X can do both, but it charges by EPS (ugh! Not a good idea when you're looking for a solution to collect ALL your logs!). If you want, they have an option where you can collect for storage only, paying less money, but that data is not available for correlation and online monitoring. On top of all that, the search capabilities are very basic."

"Vendor Z can do SIEM and long-term log storage well, but it becomes very expensive as you also pay by volume of data ingested. And if you want to use their behavior analytics you need to pay extra, AND it will replicate the data in their other solution! Not really smart, right?"

"Vendor Y says they can do it, but they don't have a decent SaaS offering yet and some of their customers have complained about performance."

After discussing the commercial solutions available at the time, we would finally look at other approaches. What if you keep two systems? One for long term log management, running something cheap such as ELK. The other can be a SIEM, for monitoring and analytics. You could try to simplify it by using Kafka as a single, unified collection system to feed both, but there would still be some duplication and a high number of moving parts. What if you wanted to do it in the cloud? Wow, that was even harder and more complex to do!

Fortunately, time has passed, and if I were to have those conversations today my answer would bring another (better!) option: Securonix.

Securonix has built its solution with technology that fits all the security use cases for logs: online monitoring (or the "SIEM use case"), long-term log management, and behavior analytics. The Kafka bus, which is quickly becoming a de facto standard for log collection, is there too. Securonix provides the consolidated, cloud-based data repository that organizations have been looking for. All data is available for analytics, using a smart storage architecture to keep cost under control.

Why is this solution so much better than the other existing solutions? I could point to the many strong points of our product, but in the context of this post there are 3 key factors:

  • A SaaS solution brings to the table the advantage of scalability and elasticity, together with a low operations cost. A native cloud implementation ensures it is not a solution adapted to the cloud, inheriting the limitations and bottlenecks from traditional on-premises architectures. We use AWS-provided solutions such as EMR and Athena, with strong advantages on cost, performance, and reliability.
  • As the solution was entirely developed by Securonix, without bolt-on pieces and inherited code from acquisitions, it was also designed as a single platform. You don't need to add different pieces to leverage the full set of capabilities we offer: a data lake, SIEM, UEBA, and SOAR. You don't need to collect the same data twice, nor replicate it along the way. We use multiple storage layers and technologies to keep cost under control, but the data is still within the same platform and without unnecessary duplication.
  • Finally, it is a solution built with open, big data technologies such as Kafka, Spark, and Solr. Why is this important? Because your data will not be locked in a proprietary black box. You can scale our solution to meet your needs, and you can build your own analytics using Spark or even access the data in our backend directly. We are aware that not all organizations want to do this, so we keep things simple for those who need simplicity. But if you have advanced and complex use cases, we can address them. Use our platform and store your data in your AWS environment? Sure, you can do it!

If you need to replace a piece of your existing security infrastructure handling logs, or even solutions analyzing other types of data, such as NDR, don't forget to perform a review of your architecture. This could be an opportunity to take your first step into adopting a real unified and consolidated security operations platform.