Architect Your SIEM To Be A Commodity

Understanding An Interchangeable SIEM Architecture

Chuck Johnson
4 min read · Apr 28, 2021

At its core, a SIEM (Security Incident & Event Management) ingests, filters, normalizes and alerts upon events provided by downstream systems. Some SIEM vendors also venture into the event collection and aggregation arena to provide a richer view of event data from specific resources like Windows or Linux servers. The reason SIEM vendors develop agents to gather localized log data isn’t just because they can obtain richer data feeds; it is also because this raises the bar of difficulty in migrating to another SIEM. To understand this further, let's look at monolithic, microservices, and configuration as code architectures.

Monolithic Architecture

Monolithic is defined as formed from a single large block or piece. Monolithic architecture combines many parts of an application to make a whole. To deploy one part is to deploy all parts, as all parts share the same codebase. An issue or bug in one part of the application will affect all parts of the application due to its shared nature.

Microservices Architecture

Micro-services are a decomposed monolithic application. Micro-services are small, easily managed, and scalable services that together provide a comprehensive, monolithic service, yet they are faster to develop, easier to understand, and easier to maintain. Micro-services are nimble through specificity; they are focused on a specific service. Because of the loosely coupled design, new services can be introduced with a low barrier to entry since the architecture enables independent deployment, scaling, and support.

In the world of retail, think of Batteries Plus. They are small, specific, and nimble in the world of batteries. The team that runs the company maintains a significantly more thorough understanding of the battery industry than, say, Target. Micro-services are small, specific, and nimble services that make understanding the service in-depth easier for the team supporting it.

Configuration as Code Architecture

Today's successful companies utilize DevOps processes to obtain a competitive advantage in the management of their systems. They utilize automated post-deployment configuration tools and processes to enable quick build, deployment, and change of low-cost run-of-the-mill virtual machines. Post-deployment system configuration is maintained and deployed as code utilizing frameworks developed by companies in this space or by open-source efforts. This automated post-deployment configuration framework enables the ease and speed of deployment of known working configurations.

Loosely Coupled SIEM Architecture

When you start to compare SIEM vendors, many of the things they offer are table stakes, including:

  • Log/Event Collection
  • Log/Event Parsing / Normalization
  • Log/Event Search / Hunting
  • Log/Event Correlation / Pivot
  • Use-Cases & Alerting
  • Log/Event Storage
  • Dashboards / Reporting / Visualization

What sets future-looking SIEM vendors apart will be their configuration as code, machine learning, and AI capabilities; their ability not just to ingest and parse data and search it for what you declare, but to be configured and supported through DevOps processes. SIEM vendors need to do all of this while analyzing and combing your data to find the things you didn’t declare, helping you find the things you weren’t looking for.

A loosely coupled SIEM architecture consists of breaking apart many of the core things a SIEM does into independent, decomposed services that stand and scale on their own while supporting this strategic view.

Event / Log Aggregation

Nimble companies should develop a stand-alone event & log aggregation solution that is decoupled from their SIEM vendors' log collection offering. This decoupling will make it easier to migrate to another SIEM later. Just repoint your aggregation points. Your SIEM vendor will never be as good at collecting logs as the company that only offers log collection as their product. Target will never be as good at batteries as Batteries Plus.

Incident / Case Management

Nimble companies should develop a stand-alone solution for case management; in fact, most larger companies already have enterprise-wide case and incident management products in place. Many open-source solutions exist in this space, enabling you to decouple this service from your SIEM vendor monolith.

Use Case Development / Management

Numerous SIEM use-case frameworks are popping up, including SPEED and MagMa. These frameworks facilitate the management & organization of detection rules and the understanding of coverage against cyber threats while also decoupling this service from your SIEM vendor’s offering. These frameworks migrate the secret sauce of your organization, its contextualized use-cases, back into your DevOps post-deployment configuration model.
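As an added example (not code from the article, and not the SPEED or MagMa formats it names), here is the detection-as-code pattern in Python: the use case is stored as vendor-neutral data in your own repository, rendered into each SIEM's query dialect at deploy time, and unit-tested locally against normalized events. The rule format, the two query dialects, and the sample events are simplified assumptions constructed for the example.

```python
"""Detection-as-code: one vendor-neutral use case, rendered for two SIEM dialects.

Added example, not from the article. RULE uses a simplified, hypothetical format
(not SPEED or MagMa); the render functions target made-up query dialects that
stand in for real SIEM search languages.
"""
from typing import Any

# Constructed sample use case, kept in your own repo under version control.
RULE: dict[str, Any] = {
    "title": "Windows: new kernel-mode driver service installed",
    "tags": ["attack.persistence"],
    "logsource": {"product": "windows", "service": "system"},
    "selection": {"EventID": 7045, "ServiceType": "kernel mode driver"},
    "filter": {"ServiceName": "KnownGoodDriver"},  # constructed allowlist entry
}

def render_lucene(rule: dict[str, Any]) -> str:
    """Render for a Lucene-style SIEM (hypothetical vendor A)."""
    sel = " AND ".join(f'{k}:"{v}"' for k, v in rule["selection"].items())
    exc = " AND ".join(f'NOT {k}:"{v}"' for k, v in rule["filter"].items())
    return f"{sel} AND {exc}" if exc else sel

def render_pipe(rule: dict[str, Any]) -> str:
    """Render for a pipe-style search language (hypothetical vendor B)."""
    src = rule["logsource"]
    sel = " ".join(f'{k}="{v}"' for k, v in rule["selection"].items())
    exc = " ".join(f'{k}!="{v}"' for k, v in rule["filter"].items())
    return f'source="{src["product"]}:{src["service"]}" {sel} {exc}'.rstrip()

def matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Evaluate the rule locally against one normalized event, so the use case
    is unit-testable in CI before it is pushed to whichever SIEM is current."""
    selected = all(str(event.get(k)) == str(v) for k, v in rule["selection"].items())
    excluded = any(str(event.get(k)) == str(v) for k, v in rule["filter"].items())
    return selected and not excluded

# Constructed sample events, already normalized by the stand-alone aggregation tier.
EVENTS = [
    {"EventID": 7045, "ServiceType": "kernel mode driver", "ServiceName": "SuspectDrv"},
    {"EventID": 7045, "ServiceType": "kernel mode driver", "ServiceName": "KnownGoodDriver"},
    {"EventID": 7045, "ServiceType": "user mode service", "ServiceName": "Updater"},
]

def hits(rule: dict[str, Any], events: list[dict[str, Any]]) -> list[str]:
    """Return the ServiceName of each event the rule fires on."""
    return [e["ServiceName"] for e in events if matches(rule, e)]
```

Swapping SIEM vendors then means adding one more render function and re-running the same local tests, while the use case itself never leaves your repository.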

Once you decouple your aggregation and case management and take back ownership and maintenance of your use-cases outside of the SIEM, you are now more easily able to evaluate SIEM vendors and, more importantly, more easily able to move between them.

To understand more about selecting a SIEM, please read my article Pencils & Crayons — The Art of Selecting A SIEM.


Chuck Johnson

A witness to life; its patterns & flow. A discoverer of the essence of things. A creator of designs through observation. A security architect. Author.