Ice Cream is Always Tastier on the Other Cone. Why Cloud SEM is Better Than Your SEM.

I'm going to take you through a story, then a rant and then I’ll sprinkle on some clarity. Although the correlation might be hard to grasp, I promise to take it full circle. If you get one thing out of this post, it’s that the cloud is tasty.

If you look at the average enterprise corporation, chances are they handle their own mail locally with a few on-site mail servers and maybe a spam filtering appliance. That, or they outsource email to another company with a lot more mail servers and a much bigger spam filter.

Often the point of off-loading email from local to outsourced is to reduce costs and turn email into an operational expense rather than a capital expense. Outsourcing mail lets the corporation eliminate the need for a full-time email engineer and avoid the maintenance and cost of local mail servers, mail filters, storage and DR equipment. There's also the added benefit of mitigating the risk of downtime.

Most organizations don't realize it, but by outsourcing email they have essentially taken it to the cloud.

Google’s cloud is better than yours.

A few years ago, I watched a presentation on cloud services from Google. The presenter was charismatic, a natural showman and highly entertaining. However, aside from the jokes, it was an unforgettable presentation that gave me insight into what uptime and SLA in the cloud is really about. Years later, I think about that presentation and what I gleaned from that showman.

Downtime is something that Google doesn't do. They brag about having such a solid email system, a massively scalable dynamic network and an architecture flexible enough that it never requires a shutdown. Last year, Google measured maintenance downtime in minutes, and you probably didn't even notice.

Gmail is probably the most popular mail host in the world. It cranks through billions of emails per day, and the infrastructure required for that epic task is insane. On top of just collecting and sending email, Google also filters it through what I believe is the best spam filter on the planet. The sheer volume of email from all over the world gives Google high-level visibility into worldwide spam activity: not just local trends and anomalies, but global ones. Google feeds that visibility back into its own mail filtering system.

When was the last time you received spam in your Gmail account? I don't remember either; it doesn't happen often.

Now let's switch gears. SIM vs. SEM?

I've been in the SIEM space for upwards of seven years. I've seen everyone’s toys. I've played with everyone’s toys. I've broken everyone’s toys. Yes, I was that kid.

Now, I'm going to make a differentiation. If you subscribe to Gartner, they use the acronym SIEM, which is made up of two other acronyms: SIM (Security Information Management, which is log management) and SEM (Security Event Management, which is correlation). Some vendors in the Magic Quadrant are in the log management business, while others are the SEM vendors; you'll often hear the latter going on and on about correlation. But SEM and SIM are completely different animals.

SIM vendors are in the business of "GIVE ME EVERYTHING you have." SEM vendors are in the business of "GIVE ME EVERYTHING YOU HAVE (so we can boil it down into) ONLY SECURITY-RELATED EVENTS, BUT MAKE SURE IT'S ONLY DATA RELEVANT TO THE CORRELATION RULES I NEED, OR MY CORRELATION ENGINE CAN (and eventually) WILL FAIL." Or they want to sell you a pile of gear to be able to collect, filter and store that torrential downpour of event data.

The cost of which will leave a bad taste in anyone’s mouth.

Cloud SEM?

Why go cloud? Because their correlation engine is bigger and badder than yours. Because they have the staff, experience and higher level of visibility to make better decisions, reduce noise and reduce false positives. Because their SOC is better than yours.

The other reason is cost.

CAPEX vs. OPEX. When you purchase, install and roll out your own correlation engine, the costs are bananas. Right off the top, you have to buy a ton of hardware, software, professional services, support, staff, and pain and suffering. It's a capital expense, and over the next three years you can amortize that purchase. Fantastic, but now let's discuss economies of scale.

There are cloud vendors who do correlation as a service. With it you can enjoy the benefits of a local log management tool to handle local forensics, local business analytics, local compliance and local troubleshooting, then send the elementary events off to the cloud SIEM for the rest. Let them hire staff, train staff and keep staff. Let them purchase gear, maintain support and build the better mousetrap. Let them chase false positives. Let them bear the brunt of a massively complicated tool while you enjoy the power of true correlation, with the cost savings and without the headache.
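To make the SIM/SEM split concrete, here is an added example of mine (not code from the post, from Splunk, or from any cloud correlation vendor). The SIM side keeps every raw line; the SEM side boils the stream down to the "elementary events" a correlation rule actually needs and runs one rule over them. In the architecture above, the output of the filter is what you would ship to the cloud service and the rule is what would run there. The log lines are constructed samples in OpenSSH sshd syslog format, the year is assumed because syslog timestamps omit it, and the brute-force rule (three failures then a success from one source inside five minutes) is a hypothetical rule chosen for illustration. The caveat it makes visible: whatever the local filter drops, the correlation engine never sees, so the filter has to be written against the rules you expect to run.

```python
"""Toy SIM vs. SEM pipeline (added example, not from the original post).

SIM: keep everything.  SEM: normalize only security-relevant lines into
elementary events, then correlate.  All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog: sshd auth lines mixed with operational noise.
RAW_LOGS = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:02 web01 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:05 web01 sshd[2203]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:06 web01 kernel: [12345.678] eth0: link up
Mar  3 10:00:09 web01 sshd[2204]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:00 web01 sshd[2210]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar  3 10:01:30 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.9 port 40002 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def sim_collect(raw):
    """SIM / log management: keep every line, no filtering."""
    return raw.splitlines()


def sem_filter(lines):
    """SEM intake: keep only lines relevant to the rules, as normalized elementary events."""
    events = []
    for line in lines:
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue  # cron, kernel, etc. never reach the correlation engine
        events.append({
            "ts": parse_ts(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "success": m["outcome"] == "Accepted",
        })
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Hypothetical rule: >= threshold failures from one source, then a success inside window."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent  # drop failures that fell out of the window
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "src": ev["src"],
                               "user": ev["user"], "failures": len(recent)})
                failures[ev["src"]] = []  # reset so one attack yields one alert
        else:
            failures[ev["src"]].append(ev["ts"])
    return alerts


def run_pipeline(raw):
    """Everything stays local (SIM); only the filtered events go to correlation (SEM)."""
    all_lines = sim_collect(raw)
    elementary = sem_filter(all_lines)
    return {
        "raw_lines": len(all_lines),
        "elementary_events": len(elementary),
        "alerts": correlate_bruteforce(elementary),
    }


if __name__ == "__main__":
    result = run_pipeline(RAW_LOGS)
    print(f"SIM kept {result['raw_lines']} lines; SEM received {result['elementary_events']} events")
    for a in result["alerts"]:
        print(f"ALERT {a['ts']} {a['host']}: {a['failures']} failures then success "
              f"for {a['user']} from {a['src']}")
```

On the sample input, eight raw lines are retained locally, six become elementary events, and exactly one alert fires: the 203.0.113.7 source that failed three times and then logged in as admin. The single failure from 198.51.100.4 and alice's clean key login produce nothing, which is the "reduce noise" half of the argument; the cron and kernel lines never cost correlation capacity at all.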

Now for the cherry: use it as a tax write-off.

Dimitri McKay is a Security Architect and technology evangelist at Splunk. He has over 13 years' experience working with Fortune 500 companies on network and systems engineering and security administration. McKay is a regular speaker at security events and a frequent contributor to industry blogs and trade magazines on topics related to network and cloud security, compliance, SIEM and big data. He studied computer science and information technology at NYU and Harvard University. You can follow him on Twitter via @dimitrimckay.