Many enterprises rely on a security information and event management (SIEM) tool to collect and manage network logs. When evaluating or deploying a cloud access security broker (CASB), it’s not uncommon to wonder, “I already use a SIEM to analyze my logs, why do I need a CASB?” or “I use a SIEM to remediate and report on security incidents, do I have to do this separately in a CASB for cloud-based threats?” Far from being competitors, CASB and SIEM have developed as integral partners in the enterprise security stack. In cases where a SIEM is used to centrally collect networking logs, a CASB can collect these logs without having to directly collect them from multiple disparate sources. CASBs also feed threat events to a SIEM for remediation.
CASB integration points cover event integration with technologies such as security information and event management (SIEM) for a single view of an organization’s security events, plus support for a number of existing security processes such as incident response.
– Gartner Market Guide for Cloud Access Security Brokers, Craig Lawson, Neil MacDonald, Brian Lowans, 22 October 2015
Before we dive in to how a CASB and SIEM integrate together, let’s first dispel a common misconception: a SIEM is not a replacement for a CASB, and vice versa. SIEM solutions collect data from many different sources including on-premises applications, databases, firewalls, web proxies, network switches and routers, antivirus, intrusion prevention, and data loss prevention solutions and provide filtering and correlation between events across these systems. In contrast, CASBs focus exclusively on the cloud and offer deep analytics and controls for cloud services. Here are some of the high-level functions of a CASB not available in SIEM solutions:
- Discovers cloud usage occurring over network firewalls and web proxies using a comprehensive registry of all cloud services, their URLs, and IP addresses
- Provides an objective and detailed risk assessment of each cloud service in use based on the security controls and business attributes of each cloud provider
- Coaches users and enforces governance policies in real time when users attempt to access cloud services that do not meet the risk criteria of the organization
- Leverages cloud service signatures that filter casual browser activity from actual cloud usage (e.g. login to Amazon AWS console versus viewing a webpage hosted on AWS)
- Detects insider threats, compromised cloud accounts, and privileged user threats via user and entity behavior analytics (UEBA) based on machine learning
- Enforces adaptive policies in response to threats such as suspending access in cases of insider threats or requiring additional authentication factors for compromised accounts
- Enforces data-centric security and compliance policies including data loss prevention, access control, and encryption
Cloud-related functions of SIEM
The primary role of a SIEM is to collect and centrally manage logs from host, network, and application infrastructure including firewalls, web proxies, Active Directory, and MDM. A SIEM can also collect user event logs from cloud services that provide user activity feeds via API, such as Salesforce. These events can be filtered based on time, user, web URL, IP address, and other attributes. This enables a SIEM to correlate events across systems and filter to specific events.
The raw cloud usage data a SIEM stores is extremely valuable but is not a replacement for a cloud access security broker. Since SIEMs don’t have a registry of cloud service URLs and IPs, they are generally unable to provide a comprehensive view of cloud usage. Moreover, they require manual correlation of events to uncover threats, which does not scale to the volume of events that occur with enterprise cloud usage. With billions of cloud usage events each day, it’s not possible to manually filter data for threats. Machine learning designed and implemented for cloud activity is needed to detect and stop threats in action.
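To make the scaling argument concrete, here is an added example (not code from the page or from any CASB vendor) of the kind of per-entity baseline that UEBA builds automatically for every user: each user's daily cloud download count is compared with that user's own history, and a day far outside it is flagged. Real CASB models are richer than this z-score check; the user names, history values, and the `MIN_HISTORY_DAYS`, `Z_THRESHOLD` and `STDEV_FLOOR` settings are constructed assumptions.

```python
"""Added example (not from the page or any CASB vendor): a per-user activity
baseline that flags a day's cloud download count far outside that user's own
history. It illustrates why per-entity statistics, not manual filtering, are
needed at enterprise event volume. History values and thresholds are constructed."""
import statistics

MIN_HISTORY_DAYS = 7      # assumption: refuse to score users with a thin baseline
Z_THRESHOLD = 3.0         # assumption: flag at three standard deviations
STDEV_FLOOR = 1.0         # avoids division by zero for perfectly constant history


def score_user(history, today):
    """history: daily download counts for one user; today: today's count.
    Returns a dict with the verdict and the numbers behind it."""
    if len(history) < MIN_HISTORY_DAYS:
        return {"verdict": "insufficient_baseline", "days": len(history)}
    mean = statistics.fmean(history)
    sd = max(statistics.pstdev(history), STDEV_FLOOR)
    z = (today - mean) / sd
    return {"verdict": "anomalous" if z > Z_THRESHOLD else "normal",
            "mean": round(mean, 2), "stdev": round(sd, 2),
            "z": round(z, 2), "today": today}


# Constructed per-user daily download counts (files per day) and today's count
HISTORY = {
    "jdoe":    ([22, 25, 19, 30, 27, 24, 21, 26, 23, 28], 480),  # sudden bulk download
    "asmith":  ([40, 38, 45, 41, 39, 44, 42, 40], 46),           # ordinary day
    "newhire": ([5, 6], 500),                                     # too little history
}


def evaluate(histories):
    """Score every user; the result is what would be forwarded as anomaly events."""
    return {user: score_user(hist, today) for user, (hist, today) in histories.items()}


if __name__ == "__main__":
    for user, result in evaluate(HISTORY).items():
        print(user, result)
```

Note the third case: a user without enough history is reported as having no baseline rather than being scored against an unreliable one, which is exactly the edge case a manual filter on a SIEM would silently get wrong.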
How a CASB integrates with a SIEM
CASBs integrate with SIEMs in two ways: by collecting network log data stored by the SIEM and by exposing anomalous events and threats in the SIEM, effectively making SIEMs cloud-aware.
Log collection from a SIEM
To discover cloud usage, CASBs collect log data from network firewalls and web proxies. This process can be streamlined if a SIEM is already used to centrally collect these logs because the CASB can collect them from the SIEM rather than multiple disparate sources. The CASB generally uses an on-premises connector, a piece of software that interacts with the SIEM to collect log data. The on-premises connector also tokenizes and compresses log data before uploading it to the CASB’s cloud platform for further analysis to develop a complete picture of enterprise cloud usage and high-risk activities.
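The following is an added example, not code from the page or from any CASB vendor, of what such an on-premises connector does before anything leaves the network: it tokenizes user names and client IPs in proxy log lines and gzip-compresses the batch. The log format, field layout, and the choice of HMAC-SHA256 keyed pseudonymization are assumptions; the log lines and `TOKEN_KEY` are constructed.

```python
"""Added example (not the page's or any vendor's code): a minimal on-premises
connector that tokenizes identities in web-proxy log lines and gzip-compresses
the batch before it would be uploaded to a CASB platform. The log format, the
field layout and the use of HMAC-SHA256 keyed pseudonymization are assumptions."""
import gzip
import hashlib
import hmac
import json

# Constructed sample proxy log lines: timestamp user client_ip method url bytes
SAMPLE_LOG = """\
2015-11-02T09:14:05Z jdoe 10.1.4.22 GET https://console.aws.amazon.com/ 3421
2015-11-02T09:14:09Z jdoe 10.1.4.22 GET https://s3.amazonaws.com/acme-public/index.html 1200
2015-11-02T09:15:31Z asmith 10.1.7.8 POST https://login.salesforce.com/ 812
"""

# Constructed secret; it never leaves the connector, so the CASB sees tokens only.
TOKEN_KEY = b"on-prem-connector-secret-key"


def tokenize(value, key=TOKEN_KEY):
    """Deterministic keyed pseudonym: the same user or IP always maps to the same
    token, so per-user analytics still work without exposing the identity."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def tokenize_line(line):
    """Parse one proxy log line and replace the identity fields with tokens."""
    ts, user, ip, method, url, nbytes = line.split()
    return {"ts": ts, "user": tokenize(user), "client": tokenize(ip),
            "method": method, "url": url, "bytes": int(nbytes)}


def build_upload(raw_log):
    """Tokenize each line, serialize as JSON lines and gzip the batch.
    Returns (payload, token_map); token_map stays on premises so an analyst can
    resolve a token back to a user when the CASB reports a threat."""
    records, token_map = [], {}
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        rec = tokenize_line(line)
        token_map[rec["user"]] = line.split()[1]
        records.append(json.dumps(rec, sort_keys=True))
    return gzip.compress("\n".join(records).encode()), token_map


def read_upload(payload):
    """What the CASB side receives: tokenized records, no raw identities."""
    return [json.loads(l) for l in gzip.decompress(payload).decode().splitlines()]


if __name__ == "__main__":
    payload, token_map = build_upload(SAMPLE_LOG)
    print(len(payload), "compressed bytes;", len(token_map), "tokenized users")
    for rec in read_upload(payload):
        print(rec)
```

The token map is the piece worth keeping in mind operationally: the CASB can report a threat against a token, but only someone with access to the on-premises connector can turn that token back into a user name.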
A CASB contributes unique visibility and analysis to cloud traffic based on a proprietary database of cloud services, which includes hundreds and sometimes thousands of URLs and IP addresses used by each cloud service. CASBs also filter casual browsing versus cloud service use, and apply machine learning algorithms specific to SaaS user and administrator behavior. In practice, this means distinguishing when an employee is using AWS versus browsing a webpage hosted on an Amazon server, or detecting a threat based on the way employees have used a specific cloud application.
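This registry-plus-signature matching (the discovery and casual-browsing filtering listed above and described in this paragraph) is easy to see in a small worked example. The code below is added here and is not the page's or any vendor's code; the registry entries, hostname patterns, usage signatures, risk ratings and log lines are all constructed and much smaller than a real registry.

```python
"""Added example (not the page's or any vendor's code): matching proxy log URLs
against a small cloud service registry and per-service usage signatures, so that
genuine use of a service (console login, API call) is counted separately from
casual browsing of content merely hosted on that service's infrastructure.
All registry entries, hostname patterns, signatures and risk ratings are constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed registry: service -> hosts it owns, plus (host, path) signature pairs
# that indicate actual use rather than a page that happens to be hosted there.
REGISTRY = {
    "Amazon AWS": {
        "risk": "medium",
        "hosts": [r"(^|\.)aws\.amazon\.com$", r"(^|\.)amazonaws\.com$"],
        "usage": [(r"^(console|signin)\.aws\.amazon\.com$", r".*"),
                  (r"^[a-z0-9.-]+\.amazonaws\.com$", r"^/\?(Action=|X-Amz-)")],
    },
    "Salesforce": {
        "risk": "low",
        "hosts": [r"(^|\.)salesforce\.com$", r"(^|\.)force\.com$"],
        "usage": [(r"^login\.salesforce\.com$", r".*"),
                  (r"^[a-z0-9-]+\.my\.salesforce\.com$", r".*")],
    },
    "Dropbox": {
        "risk": "high",
        "hosts": [r"(^|\.)dropbox\.com$", r"(^|\.)dropboxusercontent\.com$"],
        "usage": [(r"^www\.dropbox\.com$", r"^/(home|login|upload|sh/)")],
    },
}


def classify(url):
    """Return (service, kind): kind is 'usage', 'hosted' (casual browsing of
    content on the service's infrastructure) or 'other' (no registry match)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    target = p.path or "/"
    if p.query:
        target += "?" + p.query          # API-style calls carry their action in the query
    for service, entry in REGISTRY.items():
        if not any(re.search(h, host) for h in entry["hosts"]):
            continue
        for host_re, path_re in entry["usage"]:
            if re.search(host_re, host) and re.search(path_re, target):
                return service, "usage"
        return service, "hosted"
    return None, "other"


def risk_of(service):
    """Registry risk rating for a service, 'unknown' if it is not registered."""
    return REGISTRY.get(service, {}).get("risk", "unknown")


# Constructed proxy log lines: timestamp user client_ip method url
SAMPLE_LOG = """\
2015-11-02T09:14:05Z jdoe 10.1.4.22 GET https://console.aws.amazon.com/
2015-11-02T09:14:09Z jdoe 10.1.4.22 GET https://s3.amazonaws.com/acme-public/index.html
2015-11-02T09:14:40Z jdoe 10.1.4.22 GET https://ec2.amazonaws.com/?Action=DescribeInstances
2015-11-02T09:15:31Z asmith 10.1.7.8 POST https://login.salesforce.com/
2015-11-02T09:16:02Z asmith 10.1.7.8 GET https://www.dropbox.com/home
2015-11-02T09:16:45Z bkim 10.1.9.3 GET https://dl.dropboxusercontent.com/s/abc/report.pdf
2015-11-02T09:17:10Z bkim 10.1.9.3 GET https://www.example.com/news
"""


def summarize(raw_log):
    """Count log events per (service, kind) pair."""
    counts = Counter()
    for line in raw_log.splitlines():
        if line.strip():
            counts[classify(line.split()[4])] += 1
    return counts


if __name__ == "__main__":
    for (service, kind), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{service!s:12} {kind:7} risk={risk_of(service):8} events={n}")
```

The S3 page and the Dropbox shared-link download both land in the `hosted` bucket: the user touched the provider's infrastructure but did not use the service, which is the distinction a plain URL or IP filter in a SIEM cannot make.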
Reporting on cloud threats in a SIEM
Enterprises have made significant investments in reporting and remediation workflow within their SIEM. In these situations, you may want to report on cloud-based threats surfaced by a CASB in your SIEM, or correlate cloud-based threats with other types of events. A CASB can provide a SIEM with cloud-related usage and threats in two ways: by sending events to a SIEM via a syslog feed and by exposing an event API for the SIEM to query. For example, you may configure the syslog feed to send all anomalous activities detected by the CASB to the SIEM. Within a SIEM, a security analyst may also want to pull additional usage data from the CASB for greater context surrounding a user’s cloud activity for an investigation.
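As an added illustration of the syslog feed path (this is not the page's or any vendor's code), the example below formats a CASB anomaly as a CEF message inside an RFC 3164 style syslog line and shows the parsing a SIEM does on receipt. The vendor and product strings, event fields, facility, host name and timestamp are constructed; the CEF header layout and the escaping of `|`, `=` and `\` follow the published CEF conventions.

```python
"""Added example (not the page's or any vendor's code): emitting a CASB anomaly
as a CEF-formatted syslog message and parsing it back on the SIEM side. Event
fields, vendor/product strings, facility and host names are constructed."""
import re
import socket
from datetime import datetime

LOCAL4 = 20   # assumption: syslog facility used for the CASB feed
WARNING = 4   # syslog severity for the wrapper line

# Constructed anomaly as a CASB UEBA engine might surface it
SAMPLE_EVENT = {
    "sig_id": "ueba-download-volume", "name": "Anomalous download | bulk export",
    "severity": 8, "ts_ms": 1446456000000, "user": "jdoe", "src": "10.1.4.22",
    "service": "Dropbox", "count": 480, "action": "policy=block-bulk",
}


def _esc_header(s):
    """CEF header fields escape backslash and pipe."""
    return str(s).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    """CEF extension values escape backslash, equals sign and newline."""
    return str(s).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event):
    """Build 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|extensions'."""
    header = "|".join(_esc_header(f) for f in (
        "ExampleCASB", "CloudGateway", "1.0",
        event["sig_id"], event["name"], event["severity"]))
    ext = {"rt": event["ts_ms"], "suser": event["user"], "src": event["src"],
           "cs1": event["service"], "cs1Label": "CloudService",
           "cn1": event["count"], "cn1Label": "DownloadCount", "act": event["action"]}
    return "CEF:0|" + header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def to_syslog(cef, host="casb-connector", when=None, facility=LOCAL4, sev=WARNING):
    """Wrap a CEF message in an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host msg."""
    when = when or datetime(2015, 11, 2, 9, 20, 0)   # constructed fixed timestamp
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + sev}>{stamp} {host} {cef}"


def send_udp(line, host="127.0.0.1", port=514):
    """Ship one syslog line over UDP to the SIEM collector (not called by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def parse_cef(message):
    """SIEM-side parser: returns (header dict, extension dict). Handles escaped
    pipes in the header and escaped '=' / '\\' in extension values."""
    start = message.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    body, fields, cur, i = message[start:], [], [], 0
    while i < len(body) and len(fields) < 7:       # seven pipes end the header
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    names = ["version", "vendor", "product", "device_version", "sig_id", "name", "severity"]
    header = dict(zip(names, fields))
    header["version"] = header["version"].replace("CEF:", "")
    ext_text, ext = body[i:], {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext_text))   # escaped '\=' never matches
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_text)
        raw = ext_text[m.end():end].strip()
        ext[m.group(1)] = re.sub(r"\\(.)", lambda mm: {"n": "\n"}.get(mm.group(1), mm.group(1)), raw)
    return header, ext


if __name__ == "__main__":
    line = to_syslog(to_cef(SAMPLE_EVENT))
    print(line)
    print(parse_cef(line))
```

The event name and action were chosen to contain a pipe and an equals sign on purpose: a feed that does not escape them produces messages the SIEM parses into the wrong fields, which is the most common cause of CASB alerts arriving in a SIEM with empty or shifted columns.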
A CASB does not require a SIEM to operate, but the two technologies are complementary and enhance the value of each other. A SIEM provides a streamlined way to collect log data and the ability to correlate cloud usage with other activity. A CASB unlocks valuable cloud usage and threat intelligence that has, until now, been hidden in SIEM data. CASBs effectively make existing SIEM investments cloud-aware, enabling enterprises to get more value from their SIEM by discovering cloud usage and surfacing threats. To learn more about the cloud access security broker (CASB) market, download a free copy of the latest Gartner report: How to Evaluate and Operate a Cloud Access Security Broker, Neil MacDonald, Craig Lawson, 8 December 2015.