Published on October 23, 2020
As more and more organizations move their infrastructure and IT services to the cloud, it is common to find questions about how to address multi-cloud and other hybrid scenarios when designing a security monitoring solution. Although a real SaaS SIEM can easily ingest data from multiple locations in a simple, centralized architecture, there are many situations that require different approaches.
Most organizations moving their on-premises systems to the cloud go through a long migration process, during which considerable pieces of their infrastructure will reside on each side. Many migrations, in fact, are never complete, leaving a residual presence in the organization's data centers. To make matters even more complex, the multi-cloud scenario is also frequently part of the process: Many will adopt services from more than one provider, such as Amazon AWS and Microsoft Azure. In fact, even those strongly pushing to standardize on AWS are often using Microsoft services such as Office 365 and Azure Active Directory.
Some other factors may force an even more distributed scenario. Data residency requirements often force the use of multiple regions, and other compliance mandates, such as those faced by government entities, may also force organizations to use certain cloud environments for specific applications or services. In summary, there will be, for multiple reasons, scenarios where the typical SIEM data sources are distributed across multiple cloud providers, regions and even between the cloud and physical data centers.
Still, does this distributed scenario really prevent the use of a single, SaaS based SIEM instance to monitor all the systems across all those different locations? Maybe not from a pure technology perspective, but the distributed scenario will often bring regulatory, cost and organizational considerations with it.
Cost is a common reason to not centralize all data on a single SIEM instance. Because of data transfer fees, moving data between cloud providers may be costly, and some of the data being transferred may also end up replicated across multiple storage services, adding even more to the total cost of the solution. Even if cost is not an issue, regulatory requirements may just forbid certain data to be moved. Finally, global organizations will frequently have highly distributed teams, each one with their own priorities, processes, and use cases. Regardless of the reason, it is a fact: According to a Gartner survey, 81% of public cloud users are using more than one provider.
The need to keep data distributed and the ability to deal with multiple silo requirements push SIEM deployments to a distributed model, and this is where a federated SIEM model shows its advantages.
First, what is it?
A federated SIEM model deploys a full SIEM instance for each location, while retaining the benefits of centralization by adding another SIEM layer to consolidate alerts and allow for the correlation of events coming from the individual SIEM instances. This approach provides the following advantages:
- Centralized management console providing a single pane of glass for administrators and analysts
- Distributed storage and analytics modules that sit within the local cloud infrastructure setup
- Local analytics with the ability to aggregate violations centrally
- On-demand search and hunt to query data in local storage
In short, a federated SIEM is a "best of both worlds" approach when considering a fully centralized model or a fully distributed model. It follows the data gravity concept, where data attracts applications and services. The need to move data to a centralized location is reduced to a very small subset of events, usually those generated by the SIEM analytics instead of individual, raw events. These events are still collected by a centralized instance that can apply another level of analytics and correlation. This is important when we consider threat chains, where individual violations can be aggregated to identify and prioritize threats while they move through the stages of their attack chain.
The possibilities provided by federated SIEM to security operations teams are many. It provides many optimization opportunities to centralized SOCs, and organizations with distributed security teams find federated SIEM the perfect technology model to align with their processes. Local teams can work on their own policies and threat chains, for example, while still allowing a global team to retain visibility across the multiple teams and locations.
A federated SIEM deployment can also simplify your cloud security monitoring strategy. Many organizations that had gone through centralizing all the telemetry from their cloud environments on a single SIEM instance found themselves in a scenario with highly complex data collection, transfer, and ingestion, and found it difficult to manage the threat detection content to handle all the sources involved. Some tried to fix it by deploying a mix of technologies, such as CSPM and CASB, to reduce data transfers and to get more specialized threat detection content and analytics for the targeted environments. The result, however, is also complex and brings additional challenges. How to effectively search for data across all those different solutions from a centralized location, for example? The acquisition of those cloud-oriented tools may also involve requirements that go beyond security monitoring, such as data protection and compliance enforcement. This longer path, with more stakeholders involved, may slow down the deployment of threat detection capabilities. It will frequently arrive on a suboptimal solution if those other requirements take precedence over the monitoring needs.
In order to be a viable approach for hybrid cloud scenarios, a federated SIEM must be able to deliver the necessary flexibility and coverage of all cloud providers in play. Strong content with coverage for all the required data sources and the most common cloud-oriented threats is key to success in this approach. And as cost is usually a big design constraint factor for the solution, a solution capable of dealing with cloud age data volumes without punitive license models is also a must.
The Securonix native SaaS security operations platform is perfectly positioned to deliver a federated SIEM solution. It has global cloud deployment pods supporting AWS, Azure, and GCP infrastructure; hybrid cloud monitoring capabilities and other benefits derived from its modern big data architecture.