SIEM as a Service
Not all SaaS solutions are equal
Traditionally an organization needing a SIEM deployment has had two options. Either build, maintain and use the SIEM on-premises or pay an external service provider for an MSS-type model, where that service provider takes on most of the SIEM responsibilities.
A few more options have opened up recently. Since a few years, there are SIEM solutions that are either partially or fully residing in some type of cloud environment. Some organisations were quick to label them as a SIEM as a Service (SaaS) solution, likely anything new and linked to the term “Cloud” increased interest in their product. Although this could be a valid term for some products, most are simply traditional, but now cloud-based, customer-owned or MSS SIEM solutions. There are some unique characteristics that would justify a product carrying the SaaS label and that have contributed to the rising interest in SaaS over the last few years.
When an organization decides to locate a SIEM inside an Infrastructure or Platform as a Service, the same installation, configuration and maintenance efforts still apply as when they are to locate the same SIEM in an on-premises, owned datacentre. That is except the underlying platform and infrastructure. For an actual SIEM as a Service model, this platform and the infrastructure are entirely outsourced to the Service Provider. The Customer is only responsible for the content development within the SIEM application and the actual use of the (security) data. This is a huge shift of responsibilities towards the service provider, which might be beneficial to the customer.
Not only the responsibilities are moved from the Customer to the Service Provider in a SaaS setup. Many of the initial costs of a SIEM setup, such as licencing, installation and usually Professional Services consultancy are also moved towards the Service Provider. This is beneficial for an organization that wants predictable expenses at regular intervals or where there simply is not enough capital (yet), to justify the significant costs of setting up a SIEM environment. Although this is mostly an accountancy issue, it is easy to see that small and relatively new or fast-growing companies would prefer this option.
Another point to consider when looking at a SaaS solution is the required expertise and time commitment for an organization deciding to build their own SIEM platform. The development and installation of a large SIEM platform from vendors such as Splunk, HP or McAfee requires a totally different skillset than what is required to operate it. During the development stage, there might be a need for a SIEM architect for 12 months, but once the SIEM has been taken into production, there will be a need for multiple Security Analysts instead. This can be costly and hard to manage for any organization. With a SaaS solution, this is not an issue. The customer can solely focus on the required skillsets covering content developers and security analysis within the SIEM. It is then up to the Service Provider to maintain a team of developers, architects, and systems administrators to keep the platform operational and to make the required changes.
Data and bandwidth considerations
Any organization looking at the option to use a SIEM as a Service solution or to deploy their own SIEM within a cloud platform should consider the bandwidth and storage requirements. A SIEM solution is only as powerful as the information that is fed into it. That information can easily contain billions of events per week. That is a huge amount of traffic, uploaded from the organization to the Cloud Service provider, which can be costly. The other important requirement is actually to store all that data within the cloud. Depending on (local) compliance regulations, that data might need to be stored for years to come. This brings both technical and financial challenges that should not be underestimated.
As mentioned, more and more Security and Cloud providers are claiming to offer a SIEM as a Service solution. Some that at least almost qualify as a SaaS from an independent perspective, are Kustodian SIEMonster SaaS, FireEye Threat Analytic Platform and Proficio’s ProSOC.
Kustodian SIEMonster offers a virtual image called Hydra that needs to be installed inside the customer datacentre. Hydra then collects security logs and uploads them to the cloud AWS SIEM platform. Kustodian takes care of the rest of the configuration before handing over access to the SIEM to the customer.
FireEye TAP takes their SIEM as a Service product a step further by offering a full Security Operations Centre functionality on top of it, which is integrated with their FireEye product line as well.
Finally, there is Proficio’s ProSOC which offers a SOC function as well, based on HP ArcSight.
There are other providers inside this still grey SaaS category, but some further research is needed into what actual services they classify as SIEM as a Service or Security as a Service.
The SIEM as a Service product is still developing, even though some early, sometimes very interesting and comprehensive offerings have become available. If the cost model matches the organizations requirements and the required skillset is not readily available to develop a SIEM platform internally, it can be a very good solution. The SaaS product can be seen as the step between a fully outsourced SOC and a completely managed internal security architecture. Of course, when it comes to making a decision, subjects such as compliance requirements need to be taken into account as well. When all options are weighed up against each other, the SaaS solution might come out on top.