Who Needs a SIEM with All These Cloud Services Options?
One of the favorite parts of my job is meeting new people. Why? Because they tend to be crazy-smart, and I learn so much. We are living in a time when motivated people tinkering with readily available cloud services can build some truly amazing things.
I’m a prolific note-taker (I use iPad Pro with Google Keep and Notability). When I look back on my notes from meetings with security operators, CISOs, and other security pros in 2019, one common complaint that jumps out over and over goes something like this:
“Our security-related fees continue to rise. We’re paying technology or service provider X/Y/Z (it isn’t just one) to store security-relevant data for monitoring, compliance, searching, hunting, and risk management, but we aren’t using these tools enough or getting enough value from them to justify the expense.” The takeaway? Volume-based pricing sucks. Other takeaways? Storing large amounts of data is interesting.
Getting value out of your stored data that exceeds the cost of storing the data is a win for your organization and will look great on your annual performance review (some places still do those).
But how can you achieve this? Traditional and even new SaaS-based SIEM software tools are expensive and rigid. Would you like to find a scalable and inexpensive way to securely store security data for future searching, hunting, compliance AND easily forward relevant data wherever you need it? So that, no matter what happens, you can tell the boss “yep, we have the logs”?!? Check this out!
Modern cloud services offer some really easy ways to store and search data. DevOps teams have been taking advantage of this for years. They’re using low-cost cloud storage for log data and using scalable services to index, search, and analyze the logs when issues arise. And the price of cloud storage services keeps going down.
Cloud-forward SecOps teams are now using the same tools to build really cool and inexpensive capabilities for security data storage, forwarding, and search. Here is an architecture that was shared with me by a smart security operator at a born-in-the-cloud future unicorn that uses Google Cloud Platform (GCP). This architecture delivers data storage, indexing, forwarding, searching/hunting. You could do something similar with AWS or Azure.
Lower cost cloud SecOps architecture
With this architecture, you can collect and store all your security data in one place, easily forward specific data to other tools or platforms, hunt or research security incidents, and write analytics using all kinds of modern models. And, all these services have free tiers of service. Mic Drop!
What strikes me is how easy it is to use different cloud services to build something quickly and at low cost, that scales and delivers. This is just one way to do it in GCP. There are all kinds of services available across many different cloud providers. I’d love to hear how you’re doing this. Drop me a line at [email protected] to let me know how you are you using cloud data management tools to make an impact on your business.
Are you ready to get started with GCP? Here are some helpful links.
- If you need a network IDS sensor, try Suricata. It’s free, easy to deploy via Security Onion and does an impressive job. https://securityonion.readthedocs.io/en/latest/suricata.html
- Start here with GCP - https://cloud.google.com/
- Build a central logging platform using Stackdriver for free! Free StackDriver
- Want to forward logs out of Stackdriver for analysis in other tools? Cloud Pub/Sub makes it easy. This is a powerful capability that offers tremendous value by making it easy to send data to other systems for analytics, streaming analysis, or anything you can think of in the future. Cloud Pub/Sub
- Long term storage options – Google Cloud Storage
- Search, Data analysis, Dashboards and more - BigQuery