Legacy SIEM and Cloud Native SIEM
Sentinel: a sentry, a defender always on guard, who aims to protect against and withstand threats, anticipates any attack, assumes it will arrive, and adjusts behavior accordingly; one who is present to protect the assets and the area.
This blog post compares legacy SIEM and modern SIEM with a basic comparison based on Azure Sentinel and experience from the field. A follow-up post will cover the advanced comparison across a wider set of features. This post focuses on legacy SIEM versus cloud-native SIEM.
More about SIEM and the cloud aspect in Azure Sentinel from the Field – The Cloud Aspect.
There has been a significant shift in the SIEM landscape in recent years: from monitoring only the on-premises environment to also monitoring the cloud environment, driven by the transition to the cloud.
This shift has created a need for SIEM solutions that are either split between on-premises and the cloud or entirely in the cloud as cloud-native SIEM solutions. In this article, I want to shine a light on the differences between on-premises and cloud-native SIEMs and specifically take a closer look at the most prominent cloud-native SIEM solution, Azure Sentinel.
Many organizations rely on SIEM solutions to protect against cyber threats ranging from insider threats to advanced threats. But not all SIEM solutions are created equal, which is essential to know since the adoption of SIEM solutions is only growing.
The key features of a SIEM solution are:
- Rich, large-scale data collection from any cloud provider and all data sources; the streaming platform scales to handling billions of events per second, with context.
- Analyzes logs and data and incorporates threat intelligence feeds for correlation and enrichment.
- Enhanced data analytics beyond rules, with real-time alerts for "threats that matter" and automated response.
- Simplified, comprehensive threat detection on a scalable architecture with support for multi-tenancy and data segregation.
The approach has to change rapidly, week by week, because attackers, security requirements, cloud providers, and SaaS apps are all changing quickly. Therefore, we must stay aligned with these changes and provide ways to handle them with the correct answers and solutions.
Do a Modern SIEM
Finding a mechanism to collect, store and analyze security-only data is relatively simple. There is no shortage of options for storing data. However, managing all security-relevant data and turning all that data into actionable intelligence is a whole other matter.
A legacy SIEM solution can't keep pace with the rate at which security events need to be investigated.
The continued adoption of cloud services expands the threat vectors, and enterprises need to monitor user activity, behavior, and application access across cloud and SaaS services, as well as on-premises services, to determine the full scope of potential threats and attacks.
Some of the known and fundamental issues with legacy SIEM solutions include:
- Lack of scalability
- Limited analytics capabilities
- Limited data ingestion capabilities
- Complex deployment and maintenance
- Inflexible search, correlation, and visualization capabilities
A modern SIEM solution needs to have at least the following qualities:
- Supports data correlation
- Simple deployment and development
- Ticketing/case management workflow
- Support for statistical analysis on raw data
- Support for the Multi-hybrid-cloud environment
- It does not require proprietary hardware devices
- No need for a separate relational DB for reporting
- It does not require data normalization at collection time
- Create a rule and correlation search directly from forensic investigation
- Re-analyze old data with new information (e.g., cold-case use cases)
- Big data solution (can handle the volume, variety, variability, and velocity)
- Provides out-of-the-box content with reports, correlation searches, dashboards
Legacy SIEM and Cloud-Native SIEM Comparison
A high-level comparison between legacy SIEM and cloud-native SIEM, with a specific comparison to Azure Sentinel.
Note: The information for legacy SIEM was taken from the SIEM providers.
Note: Legacy SIEM here means a SIEM that is not purely SaaS-based.
| Feature | Legacy SIEM | Modern SIEM (Azure Sentinel) |
|---|---|---|
| Infrastructure | On-premises or IaaS, but not true cloud | SaaS-based with pure cloud components |
| Scale | Requires planning and infrastructure construction | Based on cloud scale; scaling takes simple actions |
| Architecture | Complex, with many components that do not integrate with each other by default | Because it is cloud-based, the architecture is simple for most scenarios |
| Tools (automation, ticket management, etc.) | Many tools, most without native integration | Based on a cybersecurity platform with native integration |
| Native connectors | Not available | Built in |
| Custom connectors | Available but require development | Available, with easy development |
| Deployment and support simplicity | Because of the many tools, solid skills are required to deploy and maintain | Because it is cloud-based, deployment is easy |
| Parsing support for integrated log sources | Very poor; data is not parsed by simple means, and the "no parsing" approach does not work | Done by default for native connectors and available through many options (Logic Apps, KQL) |
| Cloud coverage | Not available; requires development and will always leave gaps in cloud coverage | Available by default through the connectors, with no gaps for the cloud environment |
| Ecosystem | Available, but in most cases requires development | Available with many third-party systems (built in, with development also possible) |
| CI/CD option | Must be built, with complex maintenance | Available via Azure DevOps, with easy development |
| Maintainability | Patches generally lag; application updates generally interrupt log collection | Handled by the vendor with minimal collection interruption |
| Performance | When the SIEM hit its EPS ceiling, querying and correlating data became slower | Log collection should not limit correlation, as the technology sits on a large cloud platform that auto-scales |
| Interoperability | APIs are not consistently available across SIEM vendors; integration generally depends on popularity and market share | API-based architecture integrates easily with cloud services and third-party environments |
| Portability | Data portability from one SIEM to another has always been near impossible due to differing formats and database types | Unchanged: databases and formats still vary in the cloud |
| Usability | Hard to generalize; depends on the solution | Simplicity is the trend among cloud solutions, and cloud-native SIEMs tend to be easy to use |
| Cloud identification | Many limitations; cannot identify many actions and attacks | Because of the cloud coverage, it can identify most attacks and actions |
| Content with kill-chain analytics (MITRE modeling) | Requires development | Available and can be set up in a few clicks |
| Correlation | Does not do any correlation, as it was not designed to | Correlation is the key; it offers many ways to correlate data and locate each data point in a few easy steps |
| Customer visibility | Via weekly reports | Complete visibility through the SIEM interface |
| Machine learning | Most SIEM providers cannot provide native ML | Part of cloud-native solutions by default |
Highlights
What I'm suggesting is that organizations challenge their legacy SIEM providers to meet the operational needs of 2021 and the years that follow, rather than those of 2000… and, if those legacy players can't meet today's needs, perhaps the time has come to be open to other options.
In short, I’m suggesting that organizations give up on their legacy SIEM deployments or rip them out entirely.
Attacks aren't linear. This matters because a legacy SIEM presents the data it ingests line by line; in other words, linearly, just as it was consumed. Attacks are not linear at all, and staring at a list of events isn't going to help uncover suspicious or malicious activity.
Investigation can make the difference, and if you've ever tried investigating an incident using a legacy SIEM, you learned quickly that the whole process isn't smooth at all. Investigations must use tools designed with the flexibility and power to allow intelligent querying across a large volume and variety of data.
Too many tools. The number of security tools most security organizations have is simply astounding. With so many tools, each tool has over time been asked to address multiple different operational requirements. As security operations have matured as a field, SIEM requirements have grown well beyond the capabilities found in most legacy offerings.
Cloud coverage and identification for cloud providers and SaaS apps are critical, and most legacy SIEMs cannot provide this value. A legacy SIEM cannot identify many security issues and incidents in the cloud.
From the field, this is worse because a legacy SIEM doesn't have the right tools and options to know what occurs in the cloud, and custom development cannot keep up because cloud and SaaS apps change dynamically.
Correlation is the key because security teams need their tools to connect the dots between related events. At a minimum, security tools need to support rather than fight the analyst in making these connections.
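As an added illustration of the two points above (non-linear attacks and correlation across sources), and not code from the original post or from Azure Sentinel, the following Python script takes a handful of constructed events from three sources and correlates them by user and IP into one incident that a line-by-line view would never surface. The time window, failure threshold, source names and action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from three sources that a legacy
# SIEM would show as six unrelated lines: on-prem AD, Azure AD sign-ins, SaaS audit.
EVENTS = [
    {"ts": "2021-05-10T08:00:05", "source": "ad", "user": "alice", "ip": "203.0.113.7", "action": "logon_failed"},
    {"ts": "2021-05-10T08:00:09", "source": "ad", "user": "alice", "ip": "203.0.113.7", "action": "logon_failed"},
    {"ts": "2021-05-10T08:00:14", "source": "ad", "user": "alice", "ip": "203.0.113.7", "action": "logon_failed"},
    {"ts": "2021-05-10T08:01:02", "source": "aad", "user": "alice", "ip": "203.0.113.7", "action": "signin_success"},
    {"ts": "2021-05-10T08:03:40", "source": "saas", "user": "alice", "ip": "203.0.113.7", "action": "inbox_forwarding_rule_created"},
    {"ts": "2021-05-10T09:15:00", "source": "aad", "user": "bob", "ip": "198.51.100.2", "action": "signin_success"},
]

# Hypothetical thresholds and action names; tune them per environment.
WINDOW = timedelta(minutes=10)
FAILED_THRESHOLD = 3
SENSITIVE_ACTIONS = {"inbox_forwarding_rule_created", "app_consent_granted"}


def parse(event):
    """Normalize the timestamp at query time (no normalization at collection)."""
    return dict(event, ts=datetime.fromisoformat(event["ts"]))


def correlate(events, window=WINDOW, threshold=FAILED_THRESHOLD):
    """Connect the dots across sources: >= threshold failed logons, then a
    successful sign-in from the same user/IP, then a sensitive SaaS action,
    all inside one time window. Returns one incident per matching chain."""
    by_key = defaultdict(list)
    for ev in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["ip"])].append(ev)

    incidents = []
    for (user, ip), evs in by_key.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "signin_success":
                continue
            failed = [e for e in evs[:i]
                      if e["action"] == "logon_failed" and ev["ts"] - e["ts"] <= window]
            follow_up = [e for e in evs[i + 1:]
                         if e["action"] in SENSITIVE_ACTIONS and e["ts"] - ev["ts"] <= window]
            if len(failed) >= threshold and follow_up:
                incidents.append({
                    "user": user, "ip": ip, "failed_logons": len(failed),
                    "sources": sorted({e["source"] for e in failed + [ev] + follow_up}),
                    "follow_up": [e["action"] for e in follow_up],
                })
    return incidents
```

Because it runs over stored raw events, the same function can be replayed over old data when new information (a new sensitive action, a tighter window) arrives, which is the cold-case use case listed earlier.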
In conclusion
The cloud-native SIEM market is growing. It has many pros and some cons. You must adopt a new approach, with new tools and new behavior for the analyst, and at the bottom line, a SIEM architecture cannot be a complex puzzle that only the one who built it understands! It also requires companies to be more mindful of what type of data will be sent to the SIEM.