How SIEM Protects Cloud Servers

IT professionals everywhere are taking a good look at security information and event management (SIEM) applications to help them oversee their vast technology infrastructures. What once were IT stacks housed solely on premises now include increased expansion into cloud repositories, resulting in the prevalence of hybrid approaches. The ability to monitor security across these wide-reaching environments has never been harder—or more paramount.

SIEM applications have risen in popularity for good reason: They aggregate data from many different types of systems to present a clear view of the actionable security tasks your team must address to protect your business. Simply stated, they can be one of the most powerful weapons in your arsenal when it comes to detecting and remedying potential security threats.

The Vulnerability of Cloud Data

One might ask whether information stored on cloud servers is more at risk of being compromised than what resides on on-premises equipment. The short answer: sometimes. Although a server is a server whether it’s down the hall or across the country, IT teams often fail to sync up the robust security postures they implement onsite with what they apply to servers spun up into the cloud.

Security professionals erroneously assume the big cloud computing vendors (e.g., Amazon Web Services - AWS®, Microsoft Azure®, and Google Cloud Platform™) automatically apply rigid security controls to any data in their purview. Unfortunately, this isn’t the case. In fact, this responsibility falls squarely on your team’s shoulders, and many companies have experienced hacks or breaches by failing to properly secure data on their cloud servers.

The Role of SIEM in the Cloud

SIEM software acts as an overlay to many of the systems you rely on every day to guard against security threats affecting cloud-deployed data. These systems can include security policy management software, anti-virus applications, firewalls, intrusion prevention solutions, and many more. SIEM also pulls in data points from operating systems such as Windows, Linux, UNIX (including AIX), and IBM i, as well as from SQL Server and Oracle® databases.

The key to making sense of these troves of information from different data streams—which invariably exist in completely different formats—is to normalize it. SIEM accomplishes this to provide a sharp view of potential areas for concern, with the full detail maintained behind the scenes if it’s needed. The result of all this activity is that SIEM solutions can extend the value you’re already getting from these related systems and simplifying how you identify and tackle issues.

SIEM Use Cases

With a SIEM solution in place, your administrators have a bird’s eye view of many common security vulnerabilities and can separate those requiring attention from the low-level noise of everyday activity.

You can detect suspicious happenings with:

• Logins and logouts
• User additions, deletions, and privilege changes
• Services starting and stopping
• Roles added or changed
• Malware
• Bandwidth

Example 1: Receive proactive notification if a user logs into a cloud server directly instead of accessing it via the normal route of using a set of keys. This could indicate their account role was changed and they are looking for data they aren’t authorized to view. Likewise, you could find that an employee escalated their authority from user to administrator for an hour and gained access to information related to a different part of the business. Remember: Insider security threats are commonplace, and diligence in this area is essential.

Example 2: Discover that an accounts payable employee has just been given privileged access to add  new companies for payment. If they also have the ability to approve funds for payment, this indicates a compromised system wherein this person could create a shell account and funnel payments into it for their own use.

Example 3: A new server was spun up in the cloud, and it failed a security audit. It’s possible this was due to simple misconfigured security settings (a rising problem), or a malicious actor may have compromised the cloud environment and is stealing resources. In any case, you’ll want to investigate to fix the issue.

SIEM is a Powerful Ally

Cyberattacks—both internal and external—are happening with frightening regularity, leading IT organizations to prepare as much for the ‘if’ as the ‘when.’ Preventative measures such as SIEM put your business on the offensive when it comes to rooting out potential issues and taking strong steps to curtail suspicious behavior within your cloud-deployed infrastructure. Leveraging SIEM is key to your ability to detect and prioritize any activity that could be detrimental to your operations—and your customers’ trust.