The Benefits of Cloud Native SIEM

There are a couple of different ways of taking an enterprise-hosted application, including a SIEM, and migrating it into a commercial cloud.  The easiest way might be termed “lift and shift”, in that you simply take the existing application from a corporate data center and upload it to run on the cloud hardware.  It might run directly on an OS like Linux, or it might be encapsulated in a VM, but little or nothing changes within the application.

The point is that the application runs just as it would in a physical data center, except that it happens to be running on a cloud.  While this is a fast and straightforward way to migrate, it delivers few of the benefits of cloud computing.

A second approach is to migrate the application, but to make certain modifications and enhancements that take advantage of specific cloud capabilities, such as cost reduction and load balancing.  However, the fundamental architecture remains the same.  The organization may still run portions of the application locally, or even store data in a traditional enterprise database.  If it does run some components locally and some in the cloud, the result might more properly be known as “cloud-based,” or cloud hybrid.

The third approach, cloud native, is often the most time-consuming, but represents the best strategic alternative for an enterprise SIEM.  With a cloud native approach, you start from scratch, keeping the original functionality but completely rethinking the design of the application to take full advantage of the cloud.

A Cloud Native SIEM

If you apply this approach to enterprise SIEM, it means that you have to entirely rethink what data you’re collecting, where you are storing it, how your application works to analyze that data, and how you present results.  It’s not as easy as it might sound, but the end result is often worth the effort.  You can end up with a faster and more flexible platform.

Most enterprises use multiple data collection tools to measure security risk.  These may collect performance data, records of individual logins and what is being accessed, accesses by location, and other types of behavioral data.  Some of these collection tools can be scattered across different systems and physical locations, both for performance reasons and for redundancy.

Under these circumstances, a flexible and scalable SIEM solution located in the cloud is a natural way of aggregating and analyzing data.  While a fully cloud native SIEM can take multiple forms, in general it means that it collects, analyzes, and stores data entirely in the cloud.  First, then, there are no business logic, user interface components, or data services running locally.  It’s not a hybrid application in any way.

Second, a cloud native SIEM employs a fully service-based architecture, typically microservices or serverless.  The application is no longer a monolith, but a collection of loosely coupled components, usually running in containers, that pass data and state back and forth.

There are multiple advantages to such an architecture.  Microservices can easily be swapped out for more modern components, as long as the interfaces remain the same.  A loosely coupled architecture also tends to scale better, with load spread out over multiple independent components rather than concentrated in a single monolith.

Last, a cloud native SIEM has to be able to support CI/CD (Continuous Integration and Continuous Deployment); that is, it has to be upgradable and repairable on the fly.  Any changes and enhancements should be able to follow an automated pipeline that integrates, runs tests, and, if desired, delivers into production in the cloud environment.  While automation may not be fully implemented in some circumstances, it’s important to have a pipeline that deploys directly to the cloud.

Cloud Native Delivers for SIEM

There are important reasons to run SIEM as a collection of services entirely in the cloud.  First, you have the advantage of aggregating and analyzing data from worldwide sources in a single application instance.  If you have many different locations where you’re collecting data, it is easier and more seamless to aggregate that data into one or more cloud locations.

Second, a cloud native solution is scalable both up and down.  In times of light event traffic, it is able to scale down servers and other resources used in the cloud, lessening the cost and simplifying the administration.  As event traffic grows, you can have the cloud continue to add servers and perform load balancing to accommodate the increased workload.  In an on-prem solution, this has to be done manually, if at all.

Third, a large part of the problem with a locally hosted or hybrid SIEM solution is that it can be difficult to upgrade and reconfigure.  Often installs have to be done manually, and IT staff have to reconfigure the system to collect and analyze the correct data.  A cloud native solution can offer an easier route to maintain over time.

There is still value in on-prem and cloud hybrid SIEM solutions.  If the event environment is relatively stable, and if the configuration doesn’t change very often, existing legacy SIEM solutions may suffice.  Legacy on-prem solutions may also have more features than newer cloud native ones, so you have to carefully examine which features are most important to your organization, and which solution offers those features.

But today’s cloud native SIEM solutions provide the performance and flexibility demanded by most enterprises.  The ability to run as a collection of services entirely within the cloud makes this solution today’s answer to risk analysis for security data.

Try Gurucul’s Cloud Native SIEM

Not surprisingly, Gurucul offers a cloud native SIEM. With Gurucul, you can experience all the benefits of a cloud native SIEM with all the functionality of a beyond next-generation SIEM. Check out Gurucul Analytics-Driven SIEM for high efficacy, real-time threat detection and response.