Deploying and consuming services via a software as a service (SaaS) model is nothing new. Modern SaaS draws its origins from the 1960s, when dumb terminals—workstations run by end users—were networked to mainframe computers in a hub-and-spoke model. Delivered directly from vendor-managed cloud infrastructure, today SaaS solutions have increasingly become the deployment model of choice for consuming business applications of all types.
According to the 2017 State of the SaaS-Powered Workplace report by BetterCloud, 86% of businesses will run 80% of their applications as SaaS by 2022. Roughly in line with that is a November 2018 Gartner report that predicts 80% of SIEMs will have a SaaS deployment option by 2023. It also concludes that only 20% of SIEMs support SaaS today, which is to say that SIEM vendors have some serious catching up to do.
This blog post delves into the factors driving SaaS SIEM adoption.
Driving Factors for SaaS SIEM
Two chief reasons exist for organizations adopting SaaS SIEM:
- Reducing operational overhead
- Adhering to procurement guidelines
Reducing Operational Overhead
SaaS applications provide freedom from the operational burden of managing software (and its requisite hardware footprint). That is, the onus is passed to the software vendor. Such overhead is particularly tangible for SIEM—a technology for which deployment complexity, patching and upgrading requirements, capacity management and expansion, etc., often require a dedicated personnel headcount.
Here are some examples:
Elasticity and Capacity Management
Elasticity refers to the ability of cloud services to scale capacity up or down as needed. In the world of SIEM, many situations might result in a sudden spike or permanent increase in log ingestion for which elasticity may be useful. For example:
- Adding new log sources – If a new log source is added to a SIEM, it may result in a sudden surge in data volumes.
- Fixing a broken log feed – If a tool comes back online after being down for some time, not only will data volumes increase as it begins to send log data to the SIEM again, but it may also have a large backlog of queued messages that accumulated during its downtime. Once the initial backlog of messages is handled, ingestion rates typically return to normal levels.
Regardless of whether a surge in log volume or velocity represent a new normal for your organization, or just a one-off event, cloud service elasticity can help your SIEM gracefully handle the situation.
Ongoing Capacity Management
Another well documented attribute of SIEM data is its tendency to grow over time as new sources are added, new use cases are tackled, or equipment such as firewalls are upgraded. With an on-prem SIEM, this may result in its capacity needing to be expanded by way of adding another node to the cluster. New physical or virtual appliances will need to be procured, installed, configured, tested, and then put into production. This takes time your team could otherwise spend on other projects. But with a SaaS deployment, these concerns are moot—it’s all handled for you as integral part of the service.
Maintenance and Upgrades
SIEM deployments often have high visibility, are required for compliance (downtime can have other repercussions) and can be complicated. Thus, keeping a SIEM and its related components up to date with the most current software can be a big task. Because SaaS is delivered from the cloud, vendors can automatically upgrade your deployment without your team lifting a finger.
Adhering to Procurement Guidelines
Operational efficiency is not the only reason to consider a SaaS-based SIEM; financial policies might guide procurement decisions. In many such cases, SaaS offers a clear benefit over a traditional on-prem deployment.
Here are some examples:
Cloud First and Cloud Only Policies
Cloud first is a term coined by US federal government policy. Intended to accelerate the pace at which it adopts cloud services, it requires government agencies to evaluate cloud computing options before making new investments. Cloud only policies take this further by limiting product purchases to only those delivered via SaaS and IaaS deployment models. These policies are often aimed to reduce or eliminate physical data center footprints and the financial overhead they create.
SaaS-delivered SIEMs permit security teams to abide by these procurement rules. And they have the added benefit of keeping security management in the cloud; there is no need to internally route log data for storage or analysis.
Budgetary Requirements – Capex vs. Opex
Many organizations prefer to categorize their budgets using operational expenditures (opex) as opposed to capital expenditures (capex). SaaS can simplify budgeting by spreading large expenses (e.g., software licensing fees) across an entire year, in addition to allowing customers to only pay for what they need (opex). This is in stark contrast to traditional, on-prem SIEMs, which usually have a large upfront investment and hardware costs (capex) in addition to ongoing software or maintenances fees (opex).
By removing the hardware component and charging a flat, recurring subscription fee, SaaS shifts more SIEM costs from capex to opex.
Securing your Data in the Cloud
Assuming one of the previous items has interested you in using SIEM in a SaaS capacity, how will your data will be handled once it’s in the cloud? After all, with your log data residing outside of your network perimeter, you’ll be relying on your vendor of choice to keep it safe.
Here are some items to consider during your due diligence:
- Compliance – Ask your vendor which regulations they comply with. A standard for SaaS solutions is the Statement on Standards for Attestation Engagements (SSAE 16) SOC 2 type 1 or 2.
- Encryption – How will your data be encrypted? Understand if and how your data will be encrypted: in transit, at rest, or (ideally) both.
- Pen testing – Does your vendor regularly pen test its environment looking for vulnerabilities? Are its pen tests conducted by internal staff or contracted out to third-party providers?
Introducing Exabeam SaaS Cloud
Exabeam SaaS Cloud reduces SIEM deployment, maintenance, and operational overhead by delivering the Exabeam Security Management Platform as a cloud-based service. SaaS Cloud ingests and behaviorally analyzes data from any cloud or on-prem data source, empowering enterprises to detect, investigate, and respond to cyber attacks more efficiently.
Exabeam customers can license SaaS Cloud through Exabeam Spectrum, which has a flexible set of deployment options that provide predictable, user-based pricing regardless of deployment type.
Learn more about cloud deployment options from Exabeam.