How next-gen cloud SIEM tools can give critical visibility to companies for effective threat hunting

Virtual workforces face escalated threats due to their remote access from various networks. Learn how security information and event management tools can help in the battle.


As a system administrator, I had quite a tech support ordeal the other day in which I found myself unable to access my company portal via the VPN connection from my home office. It took some time to get sorted out, during which the analyst I worked with apologized profusely, explaining they had had to implement some extremely rigorous security mechanisms to protect the company as nearly all of our employees work remotely.


That's a common theme now as the pandemic continues to rage on, and entire disciplines are being implemented to address these security concerns yet also allow workers to remain productive.

I spoke to Augusto Barros, VP of solutions for Securonix, a security analytics and operations provider, to find out more about the available solutions to this worldwide challenge.

Scott Matteson: What are the challenges in dealing with prevalent threats to virtual workforces?

Augusto Barros: Security teams are no strangers to an ever-changing threat landscape. However, like the rest of the world, they were unprepared for the overwhelming onslaught of new challenges that resulted from the COVID-19 pandemic.

The SOC triad, i.e., the combination of network detection and response (NDR), security information and event management (SIEM), and endpoint detection and response (EDR), traditionally enabled security teams to gain insight into threats against their on-prem environments.

However, at the beginning of the COVID-19 pandemic, companies rushed to rapidly deploy solutions to enable remote work, significantly compromising SOC teams' visibility and access to telemetry across data sources. Not only did this render teams blind to many new and emerging threats that have resulted from this scenario, but it also hindered their ability to determine a baseline for normal user behavior.


This new reality has also challenged traditional on-premises SIEM tools, which are struggling to collect the logs from all the newly deployed solutions. This immense amount of data requires many collection changes and updated content to address an emerging and unique group of threats.

Scott Matteson: What makes tackling virtual threats different from physical on-site operations?

Augusto Barros: Security teams traditionally opted for a combination of tools known as the SOC triad, which leverages data from logs, networks and endpoints to provide a holistic view of an organization's on-prem environment. The thinking is that the capabilities of each tool balance the limitations of another. In layman's terms, they account for each other's blind spots.

However, when the move to the cloud was dramatically exacerbated by companies rapidly shifting to remote work, these tools fell short of supplying clear visibility into multiple environments and technology layers.

For example, on-prem, NDR tools traditionally detect anomalies in network behavior by monitoring traffic from an office workstation to the internet. However, with all network traffic moving to the remote workforce, using these tools to monitor workforces operating off of personal devices and networks proved futile.

While EDR tools would typically compensate for this shortfall by providing visibility into managed devices, they cannot deploy agents on a personal device if an organization grants it access to corporate resources.

Additionally, the need to quickly adapt and scale to the new reality provided the perfect opportunity to accelerate the push to cloud, but outdated traditional security information and event management (SIEM) tools are not able to efficiently collect and process the high volume of telemetry generated by the multiple cloud services adopted as part of this push.

Newly adopted cloud services, such as software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS), offer organizations capabilities typically provided by a traditional data center, such as virtual private network (VPN) termination and web content filtering, straight from the cloud. Although convenient, this has become the Achilles' heel of the traditional on-premises SIEM, which cannot collect all the logs and effectively monitor new and emerging threats.

Scott Matteson: What are the remedies involved?

Augusto Barros: Organizations must adopt a new cloud-centric mentality, supported by a combination of new security solutions ready to handle the high volume and velocity of data flowing across cloud environments. Organizations must focus on tools such as Next-Gen SIEM, cloud-focused tools such as cloud access security broker (CASB) and cloud security posture management (CSPM), and modern consolidated network and security services such as secure access service edge (SASE), which all enable modern security architecture approaches.


These scalable tools include license models not based on the volume of data ingested but other variables, such as number of users monitored. CSPM and CASB can help users adopt new policy enforcement practices, helping organizations to navigate complex security settings and services from public cloud providers and cover any gaps in visibility from the multiple IaaS, PaaS and SaaS services adopted.

Additionally, where users are operating off of personal devices and accessing corporate resources, SASE offerings help transition controls such as secure web gateways to a cloud-based model from anywhere in the world.

Companies no longer need to debate losing visibility for a better price or improved network resiliency.

Scott Matteson: How do next-gen cloud SIEM tools play a role?

Augusto Barros: Legacy, appliance-based SIEM solutions are limited by their fixed architecture, meaning they cannot support the security team's effort to reduce mean time to detect (MTTD) and mean time to respond (MTTR) if the SIEM reaches a scaling limit.

Contrarily, cloud-native SIEMs are built on scalable architecture. Unlike their predecessors, they are equipped with purpose-built threat detection content, to not only handle the load of new cloud services but also monitor and detect new threat vectors related to the cloud. These cloud-based solutions offer better performance, more accurate analytics, and improved threat detection because they can dynamically scale up or down based on SOC team needs.

MSS and MSR providers are also adopting this approach to manage their new reality. Many of those who rely on EDR are expanding their portfolio of technology to account for blind spots by adding next-gen cloud SIEM tools to their backends, where they can aggregate data from existing EDR tools with data from other sources.

Modern SIEM platforms can offer user and entity behavior analytics (UEBA) and advanced analytics, as well as improve the triage of alerts and response to incidents by leveraging native security orchestration, automation and response (SOAR) functionality.


Modern SIEMs allow SOC teams to quickly search through security events, whether data is historical or in real time. Overall, these solutions achieve the ultimate SOC team goal: Quicker correlation, clear visibility, more accurate analytics, and greater threat context.

Scott Matteson: Do these tools work for both virtual and physical operations?

Augusto Barros: A next-generation SIEM can be deployed in the cloud or on common hardware platforms and allows for improvements to that platform to be safely incorporated.

However, rather than push a hardware-based, on-premises solution on the customer, next-generation SIEM deployments should match the organization's overall IT strategy. Prior to the COVID-19 pandemic, enterprises were already realizing the benefits, flexibility, agility, and cost savings offered by hybrid and cloud IT strategies; now more than ever, that epiphany rings true. Companies today own little to no hardware, further demonstrating why next-generation SIEM solutions must allow for virtual and cloud-based deployment options. Having on-premises data sources is also not an obstacle for leveraging a SaaS SIEM.

Scott Matteson: What's coming in 2021?

Augusto Barros: As organizations continue to pressure security groups to move tools to the cloud, we will see data gravity force solutions that require the collection of massive data volumes from infrastructure and applications to move closer to the data sources.

SOC teams will need to evolve their offerings and integrate other technologies to support newly adopted cloud services and expand their endpoint profile to Internet of Things (IoT) and mobile devices. More and more MDR (managed detection and response) providers will begin to adopt SIEM, UEBA, and SOAR solutions in their backends as they realize the need for security services that work even when they cannot deploy an agent.

Scott Matteson: Do you have any recommendations for technologists and end users?

Augusto Barros: The overwhelming number of employees operating off of personal devices will offer little to no visibility for traditional EDR tools. Give preference to next-gen SIEM solutions that can be consumed as a service to minimize overhead and management. This approach enables organizations to expand monitoring to entities beyond endpoints, with a strong focus on user identities, and digest enough cloud data to effectively and more accurately carry out threat hunting.

Organizations must understand that this challenge is no different than any other in history. Trying to make antiquated practices work in a new age is inefficient. Going through this transition is not optional. Both security teams and organizations must get on board with adopting modern tools to support the new cloud-based era of digital business.
