To share key considerations and best practices for SIEM adoption, a recent episode of The Virtual CISO Podcast from Pivot Point Security featured Danielle Russell, Director of Product Marketing Management at AT&T Cybersecurity, a top SIEM vendor. Hosting the episode was John Verry, Pivot Point’s CISO and Managing Partner and a long-time SIEM proponent.
Danielle notes the ability to pull cloud-based data into your SIEM environment “… becomes increasingly important as organizations move their workloads and services not only to public cloud, IaaS or infrastructure providers, but also introducing SaaS applications, looking at productivity tools like Office 365 and G Suite and Box.”
Being able to detect threats as they manifest in these cloud-based environments is especially important as everyday business data increasingly resides in the cloud or moves through the cloud. Danielle recommends that even organizations that aren’t yet making major use of the cloud look toward a three- to five-year roadmap because “there’s a strong likelihood” that nearly every SMB will be leveraging the cloud soon.
John concurs: “Have you met a company that’s not [in the cloud]? … I’m amazed how many are cloud-first.”
John then makes a first-hand observation about the value of cloud-aware alerting in Pivot Point Security’s own SIEM environment:
“We run AT&T Cybersecurity internally—we’re fans of the product, to be blunt. The way that you’ve done it with these ‘apps’ that you can just turn on … you just go into your portal… and you click a couple buttons. Then it’s like the next day and all of a sudden… our IT guy looks at me and goes, ‘Please tell me you just deleted a whole crapload of stuff in SharePoint.’ And I was like, ‘… Maybe?’ He had gotten an alert. We hadn’t really done anything. We hadn’t even really configured things but immediately, [the SIEM] was already telling us…, ‘Hey, I saw something that you might be concerned about,’ which I thought was fantastic.”
John also notes another key benefit of cloud support in your SIEM—ease of monitoring: “… we’ve got clients that I know are using hybrid environments. They’ve got 100 machines on-prem. They’ve got an Office 365 implementation. They might have Salesforce. They might have some Azure or Amazon EC2 stuff. And having this ability to consolidate all that information into a single pane of glass? Really elegant.”
Danielle points out that a SIEM’s ability to alert in unique cloud scenarios comes down to the quality of its built-in threat intelligence: “I think this is probably one of the, if not understood, least appreciated aspects of what can make or break a SIEM deployment, and that is the quality of the threat intelligence that the SIEM platform uses.”
Danielle continues: “What you just described, being able to just turn on a cloud application and have the ability to automatically alert on things that might be suspicious or anomalous within specific environments, whether that’s SharePoint or whether that’s Box… If you see a user starting to escalate privileges within your AWS environment and deleting a lot of production instances, those types of alerts, those are pretty specific types of events that you might want to be alerted to that are really unique to cloud environments.”
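The two scenarios above, the SharePoint mass deletion John describes and the AWS privilege escalation followed by instance termination Danielle describes, are both correlation rules a SIEM runs over cloud audit logs. The following is an added example written for this post, not code from AT&T Cybersecurity or Pivot Point Security: a minimal correlation engine that fires a bulk-deletion alert when one actor deletes more than a threshold of objects in a short window, and an escalation-then-destroy alert when a destructive action follows a privilege grant by the same actor within an hour. The event records are constructed; their field names, the action names (loosely modelled on CloudTrail and Office 365 audit event names) and the thresholds are assumptions, not the vendor’s rule logic.

```python
"""Added example of SIEM-style correlation over cloud audit events.

Not code from the podcast, AT&T Cybersecurity or Pivot Point Security.
Event shapes loosely resemble AWS CloudTrail and Office 365 audit records,
but every record below is constructed and every threshold is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: IAM-style actions that grant an identity more rights.
PRIV_ESCALATION = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateAccessKey"}
# Assumed: destructive actions worth counting, across AWS and SharePoint sources.
DESTRUCTIVE = {"TerminateInstances", "DeleteBucket", "FileDeleted"}

BULK_THRESHOLD = 5                    # assumed: five deletions by one actor ...
BULK_WINDOW = timedelta(minutes=10)   # ... within ten minutes fires one alert
ESCALATION_WINDOW = timedelta(hours=1)  # assumed: escalation must precede destruction by <= 1h


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Run both rules over events (dicts with time, source, actor, action).

    Returns a list of alert dicts in time order. Events may arrive unsorted;
    they are sorted here because the bulk rule relies on a sliding window.
    """
    events = sorted(events, key=lambda e: parse_ts(e["time"]))
    alerts = []
    windows = defaultdict(deque)   # (actor, source) -> timestamps of recent destructive actions
    last_escalation = {}           # actor -> (time, escalating action) not yet paired
    fired_bulk = set()             # (actor, source) pairs already alerted on, to avoid repeats

    for e in events:
        t, actor, action = parse_ts(e["time"]), e["actor"], e["action"]

        if action in PRIV_ESCALATION:
            last_escalation[actor] = (t, action)
            continue
        if action not in DESTRUCTIVE:
            continue

        # Rule 1: bulk deletion. Keep only timestamps inside the window, then count.
        key = (actor, e["source"])
        w = windows[key]
        w.append(t)
        while t - w[0] > BULK_WINDOW:
            w.popleft()
        if len(w) >= BULK_THRESHOLD and key not in fired_bulk:
            fired_bulk.add(key)
            alerts.append({"rule": "bulk_deletion", "actor": actor, "source": e["source"],
                           "count": len(w), "time": e["time"]})

        # Rule 2: destructive action shortly after the same actor gained privileges.
        esc = last_escalation.get(actor)
        if esc and t - esc[0] <= ESCALATION_WINDOW:
            alerts.append({"rule": "escalation_then_destroy", "actor": actor, "source": e["source"],
                           "escalation": esc[1], "action": action, "time": e["time"]})
            del last_escalation[actor]  # one alert per escalation event
    return alerts


# Constructed sample log: not real audit data.
SAMPLE_EVENTS = [
    # SharePoint-style: one user deleting six files in six minutes.
    *[{"time": f"2024-03-01T09:0{i}:00Z", "source": "sharepoint",
       "actor": "john@example.com", "action": "FileDeleted"} for i in range(6)],
    # CloudTrail-style: privilege grant, then production instances terminated.
    {"time": "2024-03-01T10:00:00Z", "source": "aws", "actor": "eve", "action": "AttachUserPolicy"},
    {"time": "2024-03-01T10:05:00Z", "source": "aws", "actor": "eve", "action": "TerminateInstances"},
    {"time": "2024-03-01T10:06:00Z", "source": "aws", "actor": "eve", "action": "TerminateInstances"},
    # Benign: two deletions, no escalation, should not alert.
    {"time": "2024-03-01T11:00:00Z", "source": "sharepoint", "actor": "alice@example.com", "action": "FileDeleted"},
    {"time": "2024-03-01T11:01:00Z", "source": "sharepoint", "actor": "alice@example.com", "action": "FileDeleted"},
    # Escalation and deletion separated by 2.5 hours: outside the correlation window.
    {"time": "2024-03-01T12:00:00Z", "source": "aws", "actor": "bob", "action": "CreateAccessKey"},
    {"time": "2024-03-01T14:30:00Z", "source": "aws", "actor": "bob", "action": "DeleteBucket"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample above the engine raises exactly two alerts: a bulk_deletion for john@example.com once the fifth FileDeleted lands inside the ten-minute window, and an escalation_then_destroy for eve on the first TerminateInstances after her AttachUserPolicy. Alice’s two deletions and Bob’s stale CreateAccessKey stay silent, which is the tuning question every SIEM rollout has to answer: the thresholds and windows decide how much of the “please tell me you just deleted that” signal survives without drowning the analyst.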
In summary, a SIEM’s ability to quickly and easily alert on events in cloud environments, as well as its capacity to support new or expanded cloud applications or infrastructure, should be on the short list of key features for almost every SMB’s SIEM evaluation process.
This blog post is based on an episode of The Virtual CISO Podcast, featuring Danielle Russell. To listen to the full episode and lots more besides, you can subscribe to The Virtual CISO Podcast here.