Click here to close now.

Welcome!

Microsoft Cloud Authors: Liz McMillan, Elizabeth White, Pat Romanski, Jaynesh Shah, Carmen Gonzalez

Related Topics: CloudExpo® Blog, Microservices Expo, Containers Expo Blog, API Journal, IoT User Interface, Agile Computing, Cloud Security

CloudExpo® Blog: Article

Beyond Intrusion Detection: Eight Best Practices for Cloud SIEM Deployment

Improving visibility across the enterprise

For all the right reasons, your company has been thinking about deploying SIEM…to create an alert system when those with less than good intentions come knocking; to remediate potential network threats; to comply with federal, state or industry regulations; and identify the risks and vulnerabilities throughout the enterprise IT infrastructure and architecture. If you maintain even a modest (SMB -> Fortune 1000) organization that has any online identity, SIEM should be the cornerstone of your asset protection strategy.

First and foremost, SIEM (and to a certain extent log management) is about visibility. Who is doing what and when on your network. It is as much about understanding the holistic landscape of your infrastructure as it is protecting proprietary assets. Without it, it’s akin to coaching the Big Game without any idea who is the opponent; or for that matter if you even have a starting left guard.

But fun metaphors aside, SIEM is a critical enterprise tool. And just like any enterprise solution, it requires forethought, vigilance and most importantly, a good game plan. And when deployed properly it can change your IT department from infrastructure-based, to information-centric. And as such you get to make better decisions, faster.

And with every technology there are best practices and pitfalls. In past articles I have spoken at length regarding the advantages of deploying and managing SIEM in the cloud. Many of these surround the affordability, manageability, control and capability of the solution. For many, security from the cloud is still an emerging concept. But for those who’ve already made the leap, they are reaping the significant benefits. But I want to move beyond the arguments of “going cloud” when deciding on security solutions. Today I want to focus on what happens next. How do you start collecting that ROI once a cloud-based security-as-a-service has been chosen?

The reason most enterprise deployments fail (on premise or cloud) can be typically traced to two causes: (1.) Lack of buy-in from the executive level or employee resistance to change, but more often the culprit is (2.) lack of vision or process. Too many companies jump in and apply a solution because they heard it was important or were sold a Porsche when all they needed was a family SUV. Of course one of the benefits of cloud-based security is the ability to "buy" the SUV and instantly scale up to that Porsche, if and when, the business need requires it (without touching CapEx budgets!)! But with that here are 8 best practices you should implement when moving forward with your cloud-based security initiative:

Best Practice #1: Identify your goals and match your scope to them. There are five questions you need to ask before moving forward with any deployment. 1. WHY do you need SIEM (compliance? user and/or partner expansion? BYOD? Breach detection?) HOW will SIEM be deployed to properly address these issues (what processes, functionality and capabilities are needed; which needs to be outsourced/replaced/improved) WHAT needs to be collected, analyzed and reported? HOW BIG does the deployment need to scale to accurately and cost effectively meet your specific business need? And WHERE is the information situated that should/must be monitored?

Best practice #2: Incremental usage. The quickest route to success is taking baby steps. The idea is to prove the concept and then expand the scope. To some this might be to start with log management and add  SIEM once you understand the requirements, commitment and volume. Now because security-as-a-service is so flexible and can ramp up or down instantly, an easy entry point might be to start with only those elements that fulfill compliance. The project might be overwhelming, but if you take it in bite-sized phases, you will find the victories come easier and the ROI is justified. When dealing with a cloud security deployment, it is easy to turn on the fire hose when only a garden hose is needed. But the beauty of a cloud deployment is the ease and flexibility of scaling. Again, another example of incremental usage would be either to apply SIEM against specific use case scenarios or possibly just migrate a division or a department or a function (as opposed to the entire enterprise).

Best Practice #3: Determine what IS and ISN’T a threat to your network. Returning to the fire hose metaphor, when deploying a SIEM initiative, it is very easy to get lost in a sea of data. It can be like trying to drink from that proverbial fire hose. The trick is to recognize what constitutes a true risk and eliminate false positives. And this requires some internal analysis to create a series of rules that sift out the white noise and differentiate “normal” traffic from suspicious activity. For instance, if there is an attempted access to your partner portal from Russia—is that normal? Do you even have a partner in Minsk? But even a simple filter isn’t quite enough. Risk is three dimensional and it can hide in plain sight. That’s why you continue to filter based on time of day, IP address, server, attempts, network availability and a myriad of other forensic qualifiers before the alert is grave enough to require immediate attention.

Best practice #4: Map response plans. Now that an incident gets your attention, what do you do? Do you launch an account investigation, suspend the user, deactivate a password, apply a  denial-of-service against the IP or a number of remediations based on the severity, vulnerability and identity of the transgressor. This goes back to workflow and process. Who is going to what to whom and how? SIEM is a process-reliant technology. You simply can’t flip a switch and say you’ve put up a magic forcefield around your network. Your response plan is your blueprint to closing the vulnerability gaps and ensuring compliance.

Best practice #5 Correlate data from multiple sources. The practice of situational awareness is what adds the muscle into a SIEM initiative. Like #4, it isn’t enough to plug in a solution and press “go.” Situational awareness takes into account a multitude of different endpoints, servers, data streams, assets and inventories, events and flows, from across the enterprise and puts information into context.  Context is the most important portion of risk assessment.  For example, a shark is a threat. However if that shark is 10 miles away, it is not a direct or immediate threat. Doesn't mean you're not vulnerable if that shark gets hungry. Having an engine that not only creates accurate perspective, but analyzes, understands and acts upon behaviors is key. And to do that a centralized SIEM engine needs the data from more than just a single source or single server.

Best Practice #6: Requires Real time monitoring 7/24/365. For many companies this is a challenge, but hackers don’t sleep. And although a great deal of SIEM and Log Management is automated, it still requires the vigilance of 24 hour monitoring. Trees might be falling in the forest, but if there is no one to see them, breaches occur, networks are compromised. I’ve witnessed plenty of IT departments that don’t have the resources. Again, this is a considerable advantage that security-as-s-service provides and allows you to sleep just a little better at night. Knowing that this one crucial element of your security is professionally addressed without additional staff or budget makes the cloud that much more valuable.

Best Practice #7 Remain calm! One thing we’ve noticed is that soon after the deployment of a SIEM/Log Management it seems there are alerts and issues you never dreamed about. Things are bound to look worse before they get better and it can seem overwhelming; kind of opening a Pandora’s Box of malware and botnets.  For the most part it is because you now know what you didn’t know before.  In some respect it is like looking at your hotel room comforter under black light and a microscope. But once you realize what you’re looking at and that much or the remediation can be automated, soon, (with a bit of fine tuning and normalizing correlation feeds) you will be measure that the anomalous events lessen and the alert prioritizations allow you to make timely and intelligent decisions.

Best practice #8: Evolution. Security is a moving target. You need to revisit you processes and workflows every few months to make sure you are up to date with compliance requirements, new users/access points and expanded or redefined workflows. This is more than recognizing the latest virus threats. New users access your network with regularity. New layers of regulations are added. There are new applications requiring monitoring. All in all, by giving your cloud-based SIEM and log management solutions the new and necessary data, your enterprise will be more secure than it was yesterday.

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
SYS-CON Events announced today that O'Reilly Media has been named “Media Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York City, NY. O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participa...
We’re entering a new era of computing technology that many are calling the Internet of Things (IoT). Machine to machine, machine to infrastructure, machine to environment, the Internet of Everything, the Internet of Intelligent Things, intelligent systems – call it what you want, but it’s happening, and its potential is huge. IoT is comprised of smart machines interacting and communicating with other machines, objects, environments and infrastructures. As a result, huge volumes of data are being generated, and that data is being processed into useful actions that can “command and control” thi...
There will be 150 billion connected devices by 2020. New digital businesses have already disrupted value chains across every industry. APIs are at the center of the digital business. You need to understand what assets you have that can be exposed digitally, what their digital value chain is, and how to create an effective business model around that value chain to compete in this economy. No enterprise can be complacent and not engage in the digital economy. Learn how to be the disruptor and not the disruptee.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
There's Big Data, then there's really Big Data from the Internet of Things. IoT is evolving to include many data possibilities like new types of event, log and network data. The volumes are enormous, generating tens of billions of logs per day, which raise data challenges. Early IoT deployments are relying heavily on both the cloud and managed service providers to navigate these challenges. In her session at Big Data Expo®, Hannah Smalltree, Director at Treasure Data, discussed how IoT, Big Data and deployments are processing massive data volumes from wearables, utilities and other machines...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
The worldwide cellular network will be the backbone of the future IoT, and the telecom industry is clamoring to get on board as more than just a data pipe. In his session at @ThingsExpo, Evan McGee, CTO of Ring Plus, Inc., discussed what service operators can offer that would benefit IoT entrepreneurs, inventors, and consumers. Evan McGee is the CTO of RingPlus, a leading innovative U.S. MVNO and wireless enabler. His focus is on combining web technologies with traditional telecom to create a new breed of unified communication that is easily accessible to the general consumer. With over a de...
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
From telemedicine to smart cars, digital homes and industrial monitoring, the explosive growth of IoT has created exciting new business opportunities for real time calls and messaging. In his session at @ThingsExpo, Ivelin Ivanov, CEO and Co-Founder of Telestax, shared some of the new revenue sources that IoT created for Restcomm – the open source telephony platform from Telestax. Ivelin Ivanov is a technology entrepreneur who founded Mobicents, an Open Source VoIP Platform, to help create, deploy, and manage applications integrating voice, video and data. He is the co-founder of TeleStax, a...
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
Grow your business with enterprise wearable apps using SAP Platforms and Google Glass. SAP and Google just launched the SAP and Google Glass Challenge, an opportunity for you to innovate and develop the best Enterprise Wearable App using SAP Platforms and Google Glass and gain valuable market exposure. In his session at @ThingsExpo, Brian McPhail, Senior Director of Business Development, ISVs & Digital Commerce at SAP, outlined the timeline of the SAP Google Glass Challenge and the opportunity for developers, start-ups, and companies of all sizes to engage with SAP today.
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water, are pursuing SmartGrid initiatives that represent one of the more mature examples of SAE. We have s...
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrategies, will examine why IT must finally fulfill its role in support of its SBUs or face a new round of...
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, described an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-device experiences grounded in people's real needs and desires.
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
Can call centers hang up the phones for good? Intuitive Solutions did. WebRTC enabled this contact center provider to eliminate antiquated telephony and desktop phone infrastructure with a pure web-based solution, allowing them to expand beyond brick-and-mortar confines to a home-based agent model. It also ensured scalability and better service for customers, including MUY! Companies, one of the country's largest franchise restaurant companies with 232 Pizza Hut locations. This is one example of WebRTC adoption today, but the potential is limitless when powered by IoT.
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will addresses this very serious issue of profound change in the industry.
SYS-CON Events announced today that BMC will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BMC delivers software solutions that help IT transform digital enterprises for the ultimate competitive business advantage. BMC has worked with thousands of leading companies to create and deliver powerful IT management services. From mainframe to cloud to mobile, BMC pairs high-speed digital innovation with robust IT industrialization – allowing customers to provide amazing user experiences with optimized IT per...