10 Questions Security Operations Managers Should Ask About Cloud SIEM Vendors

Security teams demand better visibility into their environments that now support distributed teams and extend to the cloud. As organizations provide more access to data and collaboration tools, securing and making services available around the clock are critical priorities for security operations centers (SOCs) and their teams.

Digital transformation has accelerated and will continue to advance making it necessary for organizations to adopt cloud solutions. This landscape increases the attack surface for external and internal threats putting SOC teams under pressure to detect potential threats from an overwhelming number of alerts. 

In this article, I’ll answer the 10 questions security operations managers should ask when assessing a cloud-delivered SIEM vendor. 

1. From where is the solution delivered, and where is my data stored?

Exabeam SIEM is cloud-native and delivered via Google Cloud Platform (GCP). We leverage GCP to store data securely and leverage many of their data centers across the globe. The exact location and country used in your deployment will be determined at the time of purchase as we continuously keep adding new locations. Customers may choose where their SIEM service is hosted from a list of available, global locations.

Exabeam uses every care to protect our customers’ data. As part of our commitment to making data private, each customer’s data is isolated and not visible to other tenants. 

2. How is my data protected?

All customer data is protected through an end-to-end encryption data flow pipeline. We start by ingesting logs and data from APIs, Cloud Collectors, and Exabeam Site Collector using secure communication channels (Syslog, agents, Kafka sources using SSL/TLS) in your environment and then upload them through TLS-secured channels onto the cloud-delivered Exabeam Security Operations Platform (SMP). In addition, Exabeam Security Operations platform encrypts data at rest to ensure the highest level of security for your data.

Exabeam products are SOC II Type 2 certified. To meet the requirements for certification we have developed and follow strict information security procedures and policies for the security, availability, processing, integrity, confidentiality, and privacy of customer data. This aligns with Exabeam’s ongoing commitment to create and maintain a secure operating environment for our clients’ data.

3. Does the solution provide the scaling and ease of management benefits of a true SaaS model?

Yes. As customer demand increases either due to a temporary spike in usage or normal customer growth over time, we leverage the elasticity of the cloud to add the necessary, incremental resources to meet that demand through auto-provisioning. In addition, we monitor hundreds of metrics for every service location to ensure availability. Customers can expect to collect data from on-premises or cloud data sources from 22 product categories, 292 different vendors, and 549 different products. There are over seven thousand pre-built log parsers that offer rapid log ingestion processing over 1 million events per second using a new Common Information Model (CIM) and petabytes of storage for years’ worth of log data.

4. How is my data collected and transported to the SIEM?

Exabeam uses Collectors: a combination of site collectors, cloud collectors, and context collectors to ingest security logs. The site collector continuously queues and uploads on-premises logs, as well as managing the forwarding rate and message backlog. Data is encrypted and compressed in transmission and at rest in the Exabeam Security Operations Platform. A persistent connection to the Exabeam Platform allows the site collector to connect to your assets, such as Active Directory for context and authentication, access API for log repositories, and any Incident Responder actions.

Cloud collectors collect logs from cloud services. Collecting logs from cloud services can require skills not readily available in an organization. Exabeam has pre-built connectors that collect logs from cloud services and orchestrate actions back to the cloud services for response automation.

Context collectors ingest third-party threat intelligence to add context to previously ingested security logs.

5. What is the expected impact on network or internet links?

The Exabeam cloud-delivered solutions receive data from your Collectors over the network or internet link through approved ports/protocols documented here.

Collectors minimize the impact on the network through compression, batching, and local buffering to gracefully work in congested networks.

6. How does the vendor balance the cadence of feature and function upgrades with adequate testing to ensure availability and quality?

Exabeam has a cloud-native architecture that enables continuous product delivery and updates with no downtime. Updates are immediately available to customers. 

We ensure the highest quality of all our feature rollouts by implementing proactive controls including:

• Early access and beta customer program — Our beta program allows customers to try pre-release features. If you are interested in accessing a beta release, please contact [email protected].
• Secure code development training — Regular security and code development training and rigorous process requirements arm our employees with the knowledge and support they need to keep all of our sensitive customer data safe. 
• Static code analysis — We have facilitated security hardening during development by implementing processes to identify, triage and remediate vulnerabilities.
• Internal penetration testing — We conduct regular internal pen tests to gauge network vulnerability and incident response. 
• Third-party external penetration testing — We also conduct unscheduled pen tests by third-party organizations to review common techniques, tools and procedures used by external threat actors.

7. How does the vendor support security technologies that are part of their platform?

Built for security people by security people, Exabeam reduces business risk and elevates human performance. The powerful combination of our cloud-scale security log management, advanced search, and prepackaged correlation rules / correlation rules builder gives security operations an unprecedented advantage over adversaries – giving security operations teams a holistic view of incidents for faster, more complete response.

One specific feature is Outcomes Navigator – Link log sources to outcomes and see security coverage outcomes and compliance. Optimize your security posture by understanding exactly what data sources you need to ingest and ensure critical fields support the outcomes important to you and your organization. You can see your outcome enablement, with suggestions for additional log types to improve visibility and compliance.

8. Is the licensing and pricing model consumption based?

Yes. Our solutions are cloud-delivered and licensed accordingly. These solutions are priced by the volume of data ingested by your organization. As your security organization matures and brings in a wider variety and higher volume of data to support expanded requirements, Exabeam offerings can scale to meet your growing needs.

Exabeam offers a Service Health and Consumption feature. Service health provides high-level and detailed views of the health and performance of your cloud-delivered services. Monitoring visualizations makes it easy to understand the current state of your Exabeam implementation. The performance component illustrates how your data contributes to overall license consumption and highlights significant changes. 

9. How does the vendor ensure availability of the SIEM solution?

The Exabeam Security Management platform is built on GCP which has a 99.5% uptime service level agreement (SLA). Uptime is further enhanced with application-level resiliency and redundancy. Exabeam has a global team of cloud operations experts who monitor dozens of health signals around the clock to proactively detect and remediate concerns before they become issues.

Exabeam offers a Service Health and Consumption feature. Service health provides high-level and detailed views of the health and performance of your cloud-delivered services. Monitoring visualizations makes it easy to understand the current state of your Exabeam implementation. The performance component illustrates how your data contributes to overall license consumption and highlights significant changes. 

10. What happens at the end of the agreement?

You own your data, and it is available to you at all times. With Exabeam, you have access to all log data sent to Exabeam which you can analyze or copy for retention regulations and other log management needs. If you choose to transition from the SIEM solution, you can arrange for access to extract your data for 30 days after the end of the contract. You can do this on your own or optionally engage our professional services team for assistance with this process.

Security Information and Event Management (SIEM) solutions have been around for more than 20 years in various incarnations. In the original SIEM models, the operational back end was entirely on-premises from the databases to the front-end applications, including user interfaces, case management features, and more.

Whether home-grown SIEM or licensed SIEM from a vendor, there were always

considerations from rack space to data storage costs, as well as other operational overhead.
Download this guide to learn more about the advantages of cloud-delivered SIEM solutions.