Security Trends From the 2022 RSA Conference USA
Part 2 – The Cloud Continues to Stymie SIEM and XDR
This is the second installment of a series of blog posts covering popular customer topics from the RSA Conference in San Francisco this year. We’ll start with a big topic that has been around for a long time and continues to be a major area of concern: monitoring for threats and securing cloud environments continues to stymie SIEM and XDR.
The conversations with prospects were often two-fold and a bit backwards in how they started. The first question was usually what we do for the cloud in terms of SIEM monitoring, indicating that they have yet to implement a cloud SIEM. After a short “pitch,” the second question was really a statement: “my current provider claims to work in the cloud, but really doesn’t work well in the cloud at all.” This scenario occurred in at least 20% of my conversations.
So, What Are the Challenges?
I can break down what we heard at the conference into four primary challenges with current SIEM solutions:
- Inconsistent Visibility: We’ve seen the emergence of enterprises leveraging multiple public cloud environments to distribute costs and workloads, support different applications, and provide resilience against potential downtime. Since most organizations are hybrid, the fact that on-premises visibility does not match cloud visibility creates gaps in monitoring and detection that threat actors know how to exploit. This has created additional challenges for legacy SIEM tools and even self-proclaimed Next Gen SIEM platforms.
- Unpredictable Performance: The ability to ingest, correlate and analyze data from cloud workloads for the purpose of identifying threats has been fully developed by most vendors. In fact, the majority of legacy SIEM providers appear to have adopted a “lift and shift” approach for their cloud offering: the on-premises solution has been hacked to work within a virtual machine and operate in some capacity in the cloud, but it was never designed to be fully implemented in a cloud environment.
- Cost Escalation: As organizations migrate further into cloud environments for rapid scalability, more pressure is placed on security budgets to keep up with the escalating costs of ingesting data from both on-premises and cloud environments. Furthermore, supporting and monitoring new applications can also suddenly increase the volume of data being sent to a SIEM, making it difficult to forecast how much costs are going to change. This results in CISOs having to either fight for additional budget or limit the number of data sources being consolidated into the platform. (We believe that it is unacceptable for a threat detection solution to force this type of trade-off on its customers.)
- Limited Choice: Just about every solution on the market can only be deployed either as a SaaS offering or with a single cloud provider, commonly AWS, Microsoft Azure or Google Cloud Platform (GCP). This limits customer deployments in certain environments and doesn’t give customers the ability to run on their primary cloud provider of choice.
A Widening Gap in Threat Detection
Since 2021, Gurucul’s Threat Research Team has identified several attacks designed to spread out across multiple public cloud instances operated by a single customer. While these techniques are meant to evade traditional SIEM and XDR solutions, Gurucul’s advanced capabilities were able to detect the attacks. This is because other vendors can only correlate data from across cloud environments (despite claiming analytics in many cases) and do not support a rich set of analytics and machine learning models for identifying multiple threats that are part of the same attack campaign.
The best part of RSA Conference 2022 in San Francisco was that these questions and concerns gave me the opportunity to explain how Gurucul is different across the board from existing solutions. As a true cloud-native platform that can operate in all the major cloud providers, deploy in the most complex hybrid or distributed/regional cloud deployment models, and support a rich set of cloud analytics and transparent machine learning models, Gurucul is positioned to address all of these pain points. Better yet, by charging on a per-user or per-entity basis, we know we can lower their TCO immediately and over time, saving the CISO from budget request headaches. What more could you ask for?
To learn more please visit our Cloud Security Monitoring Solution page.
And if you missed it, don’t forget to check out Part 1 of this blog series: Identity and Access Analytics for Zero Trust and XDR.
Be sure to request a demo of our cloud-native Next Gen SIEM to see for yourself how we secure cloud environments.