Legacy & Cloud-Native SIEM
Sentinel. Sentry a defender always on the guard who aims to protect and withstand threats, anticipate any attack, assume that it will arrive, and adjust the behavior accordingly. Be present to protect the assets and the area.
This blog post compares legacy and modern SIEM with basic comparison-based Microsoft Sentinel and experience from the field. The following blog post will focus on the advanced comparison with a bunch of features. This post focus on Legacy SIEM and Cloud-Native SIEM.
More about SIEM and cloud aspect at the Microsoft Sentinel from the Field – The Cloud Aspect.
Recently, there has been a significant shift within the SIEM landscape regarding monitoring the on-premise environment. That shift comes from the cloud transitioning to allow monitoring of the cloud environment.
This shift has created a need for SIEM solutions to be either on-premise and in the cloud or entirely in the cloud with Cloud-Native SIEM solutions. In this article, I want to shine a light on the differences between on-premise and Cloud-native SIEMs and specifically have a closer look at the most forthcoming cloud-native SIEM solution, the Microsoft Sentinel.
Many organizations rely on SIEM solutions to protect against cyber threats ranging from insider threats to advanced threats. But not all SIEM solutions are created equal, which is essential since the adoption of SIEM solutions is only growing.
The key features of the SIEM solution are:
Rich, large-scale data collection from any cloud provider and all data sources in the streaming platform scales to billions of events handled per second with context.
Analyzes logs & data and incorporates threat intelligence feeds for correlation and enrichment.
It enhanced data analytics beyond rules with real-time alerts for “threats that matter” and automated responses.
I simplified comprehensive threat detection Scalable architecture with support for multi-tenancy & data segregation.
A new approach to changes is rapidly changing every week because attackers, security aspects, cloud providers, and saas apps are quickly changing. Therefore, we must be aligned with these changes and provide ways to handle and give the correct answers and solutions.
Do a Modern SIEM
Finding a mechanism to collect, store and analyze security-only data is relatively simple. There is no shortage of options for storing data. However, managing all security-relevant data and turning all that data into actionable intelligence is a whole other matter.
A legacy SIEM solution can’t keep pace with the rate at which security events need to be investigated.
The continued adoption of cloud services expands the threat vectors. Enterprises need to monitor user activity, behavior, and application access across cloud and SaaS services and on-premise services to determine the full scope of potential threats and attacks.
Some of the known and fundamental issues with legacy SIEM solutions include:
- Lack of scalability
- Limited analytics capabilities
- Limited data ingestion capabilities
- Complex deployment and maintenance
- Inflexible search, correlation, and visualization capabilities
A modern SIEM solution needs to have at least the following qualities:
- Supports data correlation
- Simple deployment and development
- Ticketing/case management workflow
- Support for statistical analysis of raw data
- Support for the Multi-hybrid-cloud environment
- It does not require proprietary hardware devices
- Not no need for a separate relational DB for reporting
- It does not require data normalization at collection time
- Create a rule and correlation search directly from the forensic investigation
- Re-analyze old data with new information, whether it’s a cold case use case
- Big data solution (can handle the volume, variety, variability, and velocity)
- Provides out-of-the-box content with reports, correlation searches, dashboards
Legacy SIEM and Cloud-Native SIEM Comparison
A high-level comparison between legacy SIEM and Cloud-Native SIEM and a specific comparison to Microsoft Sentinel.
| Features | Legacy SIEM | Modern SIEM (Microsoft Sentinel) |
| Infrastructure | It could be On-Premises or IaaS, but not a true cloud | Based SaaS with pure Cloud Components |
| Scale | Requires planning and infrastructure construction | Based on the Cloud scale, and can be done by simple actions |
| Architecture | Complexity with many components that cannot integrate by default between one and the others | Because it is cloud-based, the architecture is simple architecture for most scenarios. |
| Tools (Automation, Ticket Management, etc.) | Many tools and most of them without native integration | Based on a cybersecurity platform with native integration |
| Native Connectors | Not available | Built-in |
| Custom Connectors | Available and need a development | Available with easy development |
| Deployment and support simplicity | Because of the many tools, you must be with solid skills to deploy and maintain | Because it is cloud-based, the deployment is so easy |
| Parsing support for integrated log source | Very POOR and not parsing the data with simple solutions. The “No Parsing “method isn’t working. | Done by default for native connectors and can be parsed via many options (Logic Apps, KQL) |
| Cloud coverage | Not available and need development but always will be with gaps in the cloud. | The cloud coverage can be available by default with the connectors—no gaps for the cloud environment. |
| Eco-system | Available, but in most cases, you need to develop | Available with many third-party systems (built-in and development are available) |
| CI\CD Option | We need to build complex maintenance | Available via Azure DevOps and easy development |
| Maintainability | Patches are generally behind. Application updates generally mean log collection interruption | handled by the Vendor with minimized collection interruption |
| Performance | when the SIEM was maxed on EPS, using the tool became slower for querying and correlating data. | The logs’ collection should not impact correlation limitations as the technology sits on a larger cloud platform that auto-scales. |
| Interoperability | API is not consistently found for most SIEM vendors, and integration generally depends on popularity and market share. | API architecture causes them to integrate with cloud services and third-party environments easily. |
| Portability | Data Portability from one SIEM to another has always been nearly impossible due to different formatting and database types. | This will stay the same as databases and formatting vary in the cloud. |
| Usability | This is hard to generalize and depends on the solution. | Simplicity is the trend among cloud solutions. Those cloud-native SIEM solutions tend to be easy to use. |
| Cloud Identification | Many limitations and an not identify many actions and attacks | Because of the cloud coverage, it can locate most of the attacks and actions |
| Content with Kill Chain Analytics (Mitre Modeling) | Need a development | Available and can be done with a few clicks |
| Poor Correlation | It does not do any correlation as it isn’t designed to do that | Correlation is the key and can provide many aspects and ways to correlate data and find easy steps for each data |
| Customer Visibility | By weekly reports | Complete visibility with SIEM interface |
| Machine Learning | Most SIEM providers cannot provide a natural ML | By default, it’s part of the cloud-native solutions |
Notes:
- The information for legacy SIEM was taken from the SIEM provider
- Legacy SIEM means not a pure SaaS-based SIEM
Highlights
What I’m suggesting is that organizations challenge their legacy SIEM providers to meet the operational needs of 2021 and look for the following years rather than those of 2000… and if those legacy players can’t meet today’s needs, perhaps the time to be open to other options has come.
In short, I’m suggesting that organizations give up on their legacy SIEM deployments or rip them out entirely.
Attacks aren’t at all linear. Staring at a list of events isn’t help uncover suspicious or malicious activity. Attacks aren’t linear is important because legacy SIEM presents the data they ingest line by line. In other words, linearly – just as it was consumed.
Investigation can make the difference, and If you’ve ever tried investigating an incident using a legacy SIEM, you quickly learn that the whole process isn’t smooth. Investigations must use tools designed with flexibility and power to allow intelligent querying across a large volume and data variety.
Too many tools with many security tools that most security organizations have are simply astounding. With so many tools, time has demanded that each tool address multiple operational requirements. As security operations have matured as a field, the SIEM requirements have grown well beyond the capabilities found in most of the legacy providers.
Cloud coverage and identifications for cloud providers and saas apps are critical, and most legacy SIEM cannot provides this value. Legacy SIEM cannot identify many security issues and incidents on the cloud.
From the field, this is worst because Legacy SIEM doesn’t have the right tools and options to know what occurs on the cloud, and custom development cannot be achieved because cloud and saas apps are changed dynamically.
Correlation is the key because security teams need tools to connect the dots between related events. At a minimum, security tools need to support rather than fight the analyst in making these connections.
In conclusion
The cloud-native SIEM market is increasing. It has a lot of pros and some cons. You must adopt a new approach with new tools and behavior for the analyst, and at the bottom line, SIEM architecture cannot be like a complex puzzle that only the one who builds it knows it! It also requires the companies to be more mindful of what type of data will be sent to the SIEM.
