Traditionally, security information and event management (SIEM) systems collect data from enterprise networks, applications, and logs from operating systems, databases, and other sources. Doing that on-premises is standard practice and something that’s well understood, but for cloud deployments it gets a little tricky.
According to a study released last month by the research firm Quocirca, only 2.5 percent of enterprises have full visibility across all their infrastructure. For example, 69 percent of companies say they have good or excellent visibility into their on-premises servers; for IaaS, SaaS, and PaaS environments, however, the results drop to 58, 57, and 54 percent, respectively.
According to Quocirca analyst Bob Tarzey, who produced the report, monitoring cabilities are not keeping up with the pace of change, and when companies do collect the data, it is often through disparate system. This siloed approach creates problems in correlating security events and troubleshooting problems, said Rick Fitz, senior vice president of IT markets at the big data technology vendor Splunk, which sponsored the report.
Another study released last month, from Ixia, showed that 59 percent of respondents said getting visibility into cloud environments was more difficult or significantly more difficult compared to their physical data centers. In addition, 25 percent said that they had initially missed a security attack as a result of the cloud visibility problem.
But it's not just about security threats. According to Allan Kristensen, director of solutions architecture at RedLock, a cloud infrastructure security company, the pace of migration to the cloud is also causing configuration problems.
"In May, when we assessed our customer environments, we saw that 40 percent were misconfigured," he said. "Now it's 53 percent."
RedLock is an example of the new crop of cybersecurity startups that specifically target cloud environments. It collects data from Amazon Web Services, Microsoft Azure, and Google Cloud Platform and offers a standalone SIEM for cloud -- but it can also feed into existing on-premises SIEMs, Kristensen said.
One problem area is log management in cloud environments. Unlike on-premises servers, which usually have a longer lifespan, cloud machines and containers spin up and down very quickly. Additionally, Off-premises traffic to and from cloud-based applications doesn’t hit corporate firewalls, routers, and other security systems.
"Can you tell who's using your infrastructure, what they’re doing, and what kind of traffic you see coming in and out of the environment?" Kristensen asked. "Those are key things."
If a company has moved most of its critical infrastructure to the cloud, it starts to make sense to have the SIEM itself be in the cloud as well. AlienVault, for example, is another startup that collects security logs from cloud environments. It runs fully in the cloud.
"There are definitely some customers who are reluctant to do it, to have someone else have their data," said Denny LeCompte, senior VP of products at AlienVault. There's an emotional component. "But everyone we talk to has lots of sensitive data in the cloud -- their financial data is in cloud, their personnel data is in the cloud. Putting their logs in the cloud shouldn't be that nerve-wrecking."
In fact, AlienVault offers connectors to VMware and HyperV, so that enterprises can collect data from their on-premises infrastucture as well and feed it all into the cloud-based SIEM, eliminating the need for an on-premises SIEM altogether and consolidating everything in one place.
Traditional SIEMs could pull in data from cloud environments, but have been slow to catch up, leaving space for vendors like Splunk, AlienVault, and RedLock.
"The traditional SIEM vendors are struggling in this area," said John Martinez, VP of customer solutions at Evident.io, which provides data sources for SIEMs and log analysis engines. "The customers are saying they're not adapting the products to the cloud and the various formats of the cloud vendors."