According to the Hashicorp “State of the Cloud” for 2023 survey report 90% of large enterprises have adopted a multi-cloud infrastructure and 76% of organizations worldwide use a multi-cloud. Even within a single cloud provider, most enterprises intentionally have infrastructure in multiple regions for disaster recovery and data sovereignty compliance. There are several major challenges introduced to security operations center (SOC) teams, especially when implementing most SIEM and XDR solutions for monitoring distributed environments for threats.
Multi-Cloud Architecture Challenges
With applications and data hosted in multiple clouds, spread across different regions, and across cloud data centers, it is challenging for analysts to achieve consolidated visibility required to monitor and detect threats, gather context for investigations, and understand how to respond.
Requirements by specific countries and regions often forbid certain data to be moved from the local environment. For example, GDPR restrictions may prevent data from being exported out of the region or host country.
To overcome these hurdles, organizations often attempt to deploy a SIEM solution in each cloud and region. This is the primary mechanism that current SIEMs use to respect data sovereignty regulations. However, this means that the SIEM solution must be deployable within each cloud provider. The challenge is that while many SIEMs can ingest data from different cloud providers, they are usually tied to one primary cloud vendor in terms of deployment. In addition, even if the SIEM does support more than one provider, the security team must be trained to operate and actively manage each SIEM in each distinct cloud environment. That requires extensive training and certifications to accomplish.
Distributed Model for SIEM Deployments
Moving large data sets across clouds to combine and analyze data often leads to significant costs in transferring or making copies of data. Large-scale data transfers can also lead to greater risk and exposure for data loss or theft. Just as data can be spread across cloud providers, threats can also be spread across multiple providers. For security teams looking for threats, they need to see a consolidated view across the entire set of federated infrastructure. However, to consolidate the telemetry, the transfer costs charged by cloud providers when moving data from one to another cloud provider can escalate costs rapidly. In addition, some of the data being transferred may also end up replicated across multiple storage services, adding even more to the total cost of the solution.
The need to keep data distributed and the ability to deal with multiple silo requirements push SIEM deployments to a distributed model, and this is where a federated SIEM model shows its advantages.
How Federated SIEM Works
These challenges have reduced the reliability and scalability of most SOC solutions today. Part of the problem for security vendors is that their fundamental architectures must be completely rebuilt to support the one capability that can significantly improve cloud observability and threat detection accuracy across today’s enterprise cloud architectures, Federated SIEM. Federated SIEM can allow security teams to bridge the data silos, retain data for analysis locally, and investigate across toolsets that reside in their cloud, SaaS, and on-premises environments.
The Core of the Federated SIEM
At the core of a “Federated” SIEM is the ability to perform federated search. A single search request spans all data sources across security technologies, cloud environments, data stored in Amazon S3 buckets, Active Directory, cloud-hosted human resource systems, hypervisors, Windows event logs, etc.
A federated search retrieves information from across vendor solutions and environments. It uses API integrations with third parties to perform a unified search across the data sources that are participating in the federation, and it does this without requiring cross-cloud or restricted region data transfers to a centralized SIEM. This prevents having to pivot and manually login to many different applications to collect data, apply security analytics and power investigations.
Gurucul Next-Generation SIEM for Federated Multi-Cloud Architectures
Gurucul Next Generation SIEM has been architected to provide the necessary security analysis required for the detection of threats and other cloud security problems regionally, while still reducing the amount of data that must be centralized to fully identify attacks that target cloud resources. Gurucul does this by applying another layer of threat chaining and risk analysis to better validate and prioritize attack campaigns beyond just individual events from applications, virtual network constructs, and compute resources.
With Gurucul’s purpose-built cloud-native architecture, the platform is fully deployable and certified with multiple cloud providers including AWS, Microsoft Azure, GCP, Cloudflare, and several others. In addition, Gurucul supports the following:
- Limit egress cost while giving SOC analysts and threat hunters a single unified view to all of your organization’s data.
- Adhere to regional compliance regulations and data residency requirements by layering analytics at a regional or local level with a drastically reduced subset of data that is centralized.
- Apply data masking to ensure data privacy and confidentiality.
- Perform federated searches for additional investigation, threat hunting, and context gathering within the localized environment, but with a smaller data set transferred for centralized analysis.
Talk to a Next-Gen SIEM Expert
To discuss how Gurucul can improve the reliability and scalability of your security operations as you migrate to more complex cloud architectures, talk to one of our Next-Gen SIEM experts.
FAQS
What is a Federated SIEM?
A Federated SIEM (Security Information and Event Management) is a distributed system that enables organizations to consolidate and analyze security event data from multiple sources across different networks, locations, and entities while maintaining data ownership and control. It involves the establishment of a central SIEM platform that can collect and aggregate security logs and events from disparate sources such as network devices, servers, applications, and endpoints. This federated approach allows for a holistic view of an organization’s security posture, facilitates correlation and analysis of events across diverse environments, and enables collaborative threat intelligence sharing while respecting data privacy and regulatory requirements.
Why do companies need to support multi-cloud architectures?
Companies need to support multi-cloud architectures to leverage the benefits offered by different cloud providers, enhance flexibility, mitigate vendor lock-in risks, and optimize their cloud strategy. By adopting a multi-cloud approach, organizations can distribute their workloads across multiple cloud platforms, enabling them to select the most suitable cloud services for their specific needs, take advantage of competitive pricing, and reduce reliance on a single provider. It also enhances resilience and redundancy, as companies can utilize multiple cloud environments to ensure business continuity and minimize the impact of service disruptions or outages. Moreover, multi-cloud architectures promote innovation and avoid dependency on a single cloud vendor’s technology stack, empowering organizations to select best-of-breed solutions and remain agile in a rapidly evolving cloud landscape.
What is the relevance of federated SIEM searches?
Federated SIEM searches are highly relevant in today’s complex and interconnected digital landscape due to their ability to address the challenges of data fragmentation, regulatory compliance, and collaboration in security monitoring. By enabling organizations to consolidate and analyze security event data from diverse sources while respecting data ownership and control, federated SIEM searches provide a holistic view of an organization’s security posture. This comprehensive visibility enhances threat detection and response capabilities, allowing for the correlation and analysis of events across multiple networks, locations, and entities. Moreover, federated SIEM searches promote collaboration and information sharing, enabling organizations to leverage collective threat intelligence while adhering to data privacy regulations. Overall, federated SIEM searches offer an effective approach to managing security events, facilitating timely detection, and response to cyber threats in an increasingly interconnected environment.
About The Author
Sanjay Raja, VP Product Marketing and Solutions, Gurucul
Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small business, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.