SIEM is Not the Same for Cloud Security

Sweet code – Twain Taylor
Why SIEM won't work for the cloud

With the cloud, a couple of things have changed, and this calls for a change in security analysis as well.

1. Microservices. The biggest change is that applications have shifted from being monoliths to being collections of microservices. In this model, each request passes through multiple services, and each service communicates frequently with multiple other services. Each service needs its own firewall-like boundary, so security becomes policy-based rather than perimeter-based. Multiple containers power each microservice, and every container needs to be hardened at the kernel level; the same goes for registries that hold third-party container images and for the orchestration layer. In addition, collecting logs and events from containers is difficult because containers by default do not store log data persistently, and depending on how your container environment and logging tools are configured, they may not be able to aggregate container logs and events.

2. SIEM is rules-based. In a dynamic cloud environment these rules become outdated as soon as they are created, because the hosts, addresses and names they key on are replaced continuously.

3. SIEM requires upfront planning. The lifespan of a container is typically a few hours, and organizations spin up new containers in the thousands per day. SIEM's upfront planning cannot take into account such frantic rates of change.

4. SIEM stalls action. SIEM's rigid architecture results in many gaps in information.

What the cloud needs

The cloud needs a new breed of information management tools:

1. Scalable, elastic architecture
2. Diverse sources: ingest without parsing
3. Quicker time to action
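The two claims above that matter most to a detection engineer are that rules keyed on hosts go stale in a container environment and that logs should be ingested raw and interpreted at query time. The following example, added here and not part of the original article or of any product it mentions, demonstrates both on constructed data: a handful of JSON log lines in the shape a node-level log shipper produces after tagging container stdout with Kubernetes metadata (the field names, pod names, IPs and timestamps are all made up for the illustration). A "static" rule written against the pod IP that a workload had on day one misses the same workload after a rollout and fires on an unrelated pod that later receives the recycled IP; a rule keyed on namespace and the `app` label follows the workload across rollouts. Events are stored as raw strings and parsed only when a rule reads them, so an unparseable line is kept rather than dropped at ingest.

```python
"""Host-keyed vs. label-keyed detection rules over container logs (added example).

Constructed sample data below, not real logs: JSON lines as a node-level
log shipper (a fluentd/fluent-bit DaemonSet, for instance) would emit after
enriching each container stdout line with Kubernetes metadata. Pod names
and IPs change on every rollout; labels do not.
"""
import json
from typing import Callable, Dict, Iterable, List, Optional

# Constructed events. Events 1-2 come from generation 1 of payment-api,
# event 3 from generation 2 after a rollout (new ReplicaSet hash, new pod
# name, new pod IP, same labels), event 4 from an unrelated workload that
# was handed the recycled IP 10.244.1.17, event 5 is a non-JSON line.
RAW_EVENTS = [
    '{"ts":"2023-05-01T10:00:01Z","log":"permission denied: user=svc-reports path=/ledger",'
    '"kubernetes":{"namespace":"payments","pod_name":"payment-api-7c9d4-x2k1q",'
    '"pod_ip":"10.244.1.17","labels":{"app":"payment-api"}}}',
    '{"ts":"2023-05-01T10:00:02Z","log":"GET /health 200",'
    '"kubernetes":{"namespace":"payments","pod_name":"payment-api-7c9d4-x2k1q",'
    '"pod_ip":"10.244.1.17","labels":{"app":"payment-api"}}}',
    '{"ts":"2023-05-01T11:30:05Z","log":"permission denied: user=svc-reports path=/ledger",'
    '"kubernetes":{"namespace":"payments","pod_name":"payment-api-5f8b2-9mzt7",'
    '"pod_ip":"10.244.3.42","labels":{"app":"payment-api"}}}',
    '{"ts":"2023-05-01T11:31:00Z","log":"permission denied: user=batch path=/tmp/x",'
    '"kubernetes":{"namespace":"analytics","pod_name":"report-worker-1a2b3-qwe45",'
    '"pod_ip":"10.244.1.17","labels":{"app":"report-worker"}}}',
    'kubelet[1234]: restarted',  # plain-text line the shipper passed through unchanged
]


class Event:
    """Raw line kept verbatim; JSON is decoded lazily the first time a rule reads it."""

    def __init__(self, raw: str) -> None:
        self.raw = raw
        self._fields: Optional[Dict] = None

    @property
    def fields(self) -> Dict:
        if self._fields is None:
            try:
                self._fields = json.loads(self.raw)
            except json.JSONDecodeError:
                self._fields = {}  # unparseable line stays stored, just has no fields
        return self._fields

    @property
    def k8s(self) -> Dict:
        return self.fields.get("kubernetes", {})


def ingest(lines: Iterable[str]) -> List[Event]:
    """Schema-on-read ingest: no parsing, no field extraction, nothing rejected."""
    return [Event(line) for line in lines]


def static_host_rule(ev: Event) -> bool:
    """SIEM-style rule written when payment-api happened to live at 10.244.1.17."""
    return ev.k8s.get("pod_ip") == "10.244.1.17" and "permission denied" in ev.fields.get("log", "")


def label_rule(ev: Event) -> bool:
    """Same detection keyed on workload identity, which survives rollouts."""
    return (
        ev.k8s.get("namespace") == "payments"
        and ev.k8s.get("labels", {}).get("app") == "payment-api"
        and "permission denied" in ev.fields.get("log", "")
    )


def run_rule(events: Iterable[Event], rule: Callable[[Event], bool]) -> List[str]:
    """Return the pod names of the events a rule fires on, in ingest order."""
    return [ev.k8s.get("pod_name", "<unparsed>") for ev in events if rule(ev)]


if __name__ == "__main__":
    events = ingest(RAW_EVENTS)
    print("static host rule :", run_rule(events, static_host_rule))
    print("label rule       :", run_rule(events, label_rule))
```

Running the block shows the static rule matching the day-one pod and the unrelated report-worker pod (a miss and a false positive), while the label rule matches both generations of payment-api and nothing else. The same shape applies to any identity that is stable across churn, such as a service account or image digest, in place of the `app` label.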
Link: https://sweetcode.io/siem-not-cloud-security/

