How the Cloud team at Mosaic 451 is replacing today’s SIEM functionality using the AWS toolbox, some time and a few smart humans.
SIEM has been around now for almost two decades and has yet to live up to the hype. Few SIEM implementations are completed, and even fewer receive the constant expert care and feeding they need to truly be effective. They do, however, cost truckloads of money and need annual support to keep them happy and exploit-free.
If you run a Google image search for SIEM, you see lots of pretty graphics showing various images of taming chaos and providing structure.
Like this one:
While the problem sums up nicely in a graphic, the reality is quite different and much harder to fit into a nice rectangle. Rather than just grabbing an off-the-shelf SIEM, backing up the Brinks truck to pay for it, and then starting the long, arduous installation process, we went back to the drawing board.
We asked the following questions:
- What does a SIEM do?
- What does it need to do?
- Can we do it as well or better using AWS tools?
In order to replace a SIEM, I have to know the answer to each of these questions. So, let’s take a deeper look.
What does a SIEM do?
“Security information and event management (SIEM) is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system.” – Wikipedia
Okay. Not helpful. Try this one from SearchSecurity:
“Today, most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.”
Much better, and it actually has some real information. Let’s break it down. SIEMs need to do the following:
- Gather data from wherever it lives and get it into a centrally searchable pile.
- Provide some sort of structure for analysis.
- Run searches and correlate disparate data types and sources.
- Allow for ad hoc searches by analysts as needed.
- Alert based on stored criteria.
- Provide common visualizations to assist with finding a baseline.
That’s very high level, but it’s a pretty good place to start.
What does it need to do?
Well, actually, living up to the hype would be good. If not that, then at least show us how the sausage is made. In SIEM terms, that means we need to see how events are triggered and why. Black-box magic, while good for stage shows, is not so good when you’re counting on the visibility needed to secure your data.
So that became our working premise: do 1-5, do it in a visible way, and do it for a fraction of the cost. Oh, yeah, and let’s make that data available for other business units too.
Can we do it as well or better using AWS tools?
We think so. Schema-on-read is the key.
“Schema on read refers to an innovative data analysis strategy in new data-handling tools like Hadoop and other, more involved database technologies. In schema on read, data is applied to a plan or schema as it is pulled out of a stored location, rather than as it goes in.” – Techopedia
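To make the schema-on-read idea concrete for the SIEM requirements above (a searchable pile, structure, correlation across sources, and a stored alert criterion), here is an added Python example that is not part of this post or of Mosaic 451's tooling. The three log shapes, the field names and the alert threshold are my own constructed assumptions; the raw lines are stored untouched and the schema is applied only when they are read.

```python
import json
import re
from collections import Counter
# Constructed raw events in three shapes, stored exactly as they arrived (no schema at ingest).
RAW_PILE = [
    "Mar 10 10:00:01 bastion sshd[812]: Failed password for root from 203.0.113.9 port 5121 ssh2",
    '{"eventTime":"2024-03-10T10:00:03Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.9","errorCode":"Failed"}',
    "Mar 10 10:00:05 bastion sshd[812]: Failed password for root from 203.0.113.9 port 5123 ssh2",
    "2024-03-10T10:00:07Z,fw1,ALLOW,203.0.113.9,10.0.0.5,22",
    "Mar 10 10:00:09 bastion sshd[812]: Accepted password for deploy from 198.51.100.4 port 40022 ssh2",
]
SSHD = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)")

def parse_sshd(line):
    m = SSHD.search(line)
    if not m:
        return None
    return {"source": "sshd", "src_ip": m["src_ip"], "user": m["user"],
            "outcome": "fail" if m["result"] == "Failed" else "success"}

def parse_cloudtrail(line):
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict):
        return None
    return {"source": "cloudtrail", "src_ip": rec.get("sourceIPAddress"), "user": None,
            "outcome": "fail" if rec.get("errorCode") else "success"}

def parse_firewall(line):
    parts = line.split(",")
    if len(parts) != 6 or parts[2] not in ("ALLOW", "DENY"):
        return None
    return {"source": "firewall", "src_ip": parts[3], "user": None, "outcome": parts[2].lower()}

# The schema lives in the readers, not in the store: a line is parsed by the first reader that fits.
SCHEMA = [parse_sshd, parse_cloudtrail, parse_firewall]

def read_events(pile, schema=SCHEMA):
    """Apply the schema at read time. Lines no reader understands are kept, tagged unparsed."""
    events = []
    for line in pile:
        parsed = next((ev for ev in (r(line) for r in schema) if ev), None)
        events.append(parsed or {"source": "unparsed", "src_ip": None, "user": None, "outcome": None, "raw": line})
    return events

def failed_logins_by_ip(pile, threshold=2):
    """Stored alert criterion, correlated across log types: sources with >= threshold failed logins."""
    fails = Counter(e["src_ip"] for e in read_events(pile) if e["outcome"] == "fail" and e["src_ip"])
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

Adding a new log format means adding a reader to SCHEMA and re-reading the same pile; nothing already stored has to be re-ingested.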
See the next post for a breakdown of each of the services.