Protecting the cloud, one event at a time

Security Information and Event Management (SIEM) solutions often predate CWWP ones – these products were logical extensions of standard network reporting.  SEIM solutions focus on the analysis event data in real time for early detection of targeted attacks and data breaches.  They also collect, aggregate, and report on this data, primarily for incident response, forensics, and regulatory compliance requirements.

While SIEM solutions started out as simple log data analysis solutions, today’s SIEM solutions can also process other forms of security data, including network telemetry.  They can combine this information with contextual information across a range of other aspects, including users, assets, threats, and known vulnerabilities.  So while SIEM may have approached workload protection from the outside-in (i.e., originally focusing on attacks), they are a credible option for cloud workload security today.

Today, most SIEM systems work as follows:  they deploy collection agents (multiple ones, in a hierarchy) to pull-in any security-related events from devices, services, networks, and security solutions like firewalls and intrusion prevention systems.  All this data is aggregated into a central management console – while some processing can be automated through AI, in most cases security analysts need to review the data and prioritize incidents.

In other words, SIEM works from the event backwards – and in doing so they will protect cloud workloads by default.  SIEM solutions are also evolving:  as most of the SIEM vendors came from data collection, it’s a natural extension to move into security and operations response (SOAR).  However, few of them focus on compliance or posture management – these are hard-core attack management and prevention systems.  From an IT compliance standpoint, they don’t address those issues at all.

Our next blog will look at the most recent category – Cloud Security Posture Management.