Friday, 9 September 2011 12:07 15671 Commenthttp%3A%2F%2Fblog.q1labs.com%2F2011%2F09%2F09%2Fsiem-and-cloud-might-be-cousins%2FSIEM+and+Cloud+might+be+cousins2011-09-09+17%3A07%3A56Heather+Howlandhttp%3A%2F%2Fblog.q1labs.com%2F%3Fp%3D1567

Posted by Heather Howland in Cloud Security, Security Intelligence

While I only have one first cousin, we have bizarre similarities and notable differences. First off, she’s 12 and about ten times smarter than I am (yes, I set myself up with that one). We share some slightly similar facial features, personality traits, and food tastes that favor northern Italian cuisine. She is an accomplished violinist already. I hack at my guitar every once in a blue moon. Anyway… enough kicking myself in the teeth.

What does this have to do with SIEM and cloud computing? Similar to my previous “cloud security” themed post, I will again reference the best practices paper by Q1 Labs’ CSO Chris Poulin. In this, he suggests that SIEM itself provides a cloud-type capability and is structurally similar. I find this a very interesting correlation and pretty darn accurate in many ways. Lets get into it.

A classic SIEM is fed data from all around an organization via different groups with varying requirements and responsibilities. These groups cross organizational divides and often have very different interests, data types, and use cases. SIEM has definitive customers and providers, as do cloud providers. For example, the systems management group may feed Microsoft Windows Active Directory events into the SIEM to be alerted on user login failures, signaling a brute-force password attack or escalation of privileges attempt.

Cloud providers are fed data from different customers, expecting their data to be protected, segmented from other customers, controlled, secured, and monitored. A cloud provider is also expected to not access customer data for their use or benefit unless allowed by the customer. While this may not 100% correlate to a SIEM environment, there are contractual obligations between the operational management function and SIEM consumers to ensure processes are in place to handle potential incidents, empowering the data owners and developing a clear escalation process.

Related: What’s in a cloud security plan?

This points out one of the differences between cloud and SIEM, and why they might be cousins, yet only distant cousins. The SIEM provider generally has total context and an overarching security responsibility, otherwise known as security intelligence, that spans across data from all groups. For example, correlating vulnerability scanner results with firewall logs and network activity to detect an active threat. In the case of cloud services, there is a clear dividing line between roles and responsibilities; especially involving customer data. The data belongs to the customer and has to be treated differently. An example is GMail. Most likely, it wouldn’t be accepted if Google started reading our email or forwarding it to other GMail users. Okay, they are reading it, but hopefully not forwarding.

What do you think, are there other similarities between cloud and SIEM? Besides SIEM being a lot smarter than cloud, that is.

Learn more about IT Security best practices in cloud environments.