The SIEM is a central point where data is collected and correlated, and as we move to consume more cloud services and data sets the SIEM itself must also change in architecture. Architecture change is hard to make for existing products. Calling a product a ‘cloud solution’ is not the same as taking an on-premises product and hosting it for customers. It means building a new SIEM for a new world.
There are a lot of reasons users seek new SIEMs. SIEM is difficult, especially as the tools have gotten increasingly complex and capable. Most SIEM vendors have ventured into other security aspects outside of the SIEM to increase software sales and own the data being fed into the SIEM itself.
Security Trends: SOAR and EDR
The most common trends are SIEM vendors venturing into automation in the form of security orchestration, automation and response (SOAR) and endpoint production in the form of Endpoint Detection & Response (EDR), but there are examples of expansion into many areas.
One must wonder if the expertise of the software vendors or the acquisitions they make are in the best interest of the customer.
Almost none of these ventures has resulted in a lot of benefits for users. In fact, it has limited the choices and interoperability between the SIEM and other solutions, thus making those augmenting solutions inferior by design.
Many, if not all security buyers, prefer to select a best-of-breed toolset to ensure they are meeting requirements and securing their digital assets.
Cloud-Native SIEM according to the CNCF
Gartner specifically addresses the need for cloud-native SIEM in research. This is with good reason, but understanding what “cloud-native” means is critical.
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.Cloud Native Computing Foundation
These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.
Breaking down the definition from the CNCF for cloud-native SIEM we can extrapolate the following:
1. Running in Dynamic Environments, Most Often in Public Cloud
Logz.io runs only on public clouds supporting 9 regions across Amazon AWS and Microsoft Azure. This allows us to use the latest technologies from these providers to build differentiated offerings using AI and Machine learning services along with storage and compute resources created by the cloud giants.
2. Running on Containers in Microservices Architectures
Logz.io is built on a microservices architecture running in containers orchestrated by Kubernetes. This allows us to flex our infrastructure based on dynamically allocating resources.
3. API-First Technologies
We use APIs internally and externally. There are extensive APIs for the platform to do everything from administration, data ingestion, and querying data. This allows for modern SecOps teams to combine our technology with their existing stack in creative ways. This is how cloud native operates, with composable components.
4. Rapid Release
Logz.io releases software to production dozens of times a day. This continuous release entails extensive pipelines to ensure code quality, code security, and functionality. This increase of velocity ensures we continually beat customer expectations.
This is defined as the ability to recover quickly. This is accomplished in two ways. The first is based on the previous bullet by using our rapid deployment capabilities. This allows for a fast rollback if there is an issue with a change. Often this is done in an automated manner creating a more reliable and resilient product. The second is done by utilizing geographically distributed infrastructure on the cloud providers.
Logz.io and Open Source
The CNCF fosters this ecosystem with open source technologies which must be Apache 2.0 licensed. Logz.io is a strong believer in open source technologies both to ensure that there is a path forward for the technologies and to contribute upstream code to these open source projects providing value to those who are running these stacks themselves and making our upgrades easier. It’s a win-win for both sets of users.
Logz.io is a sponsor of the CNCF and a contributor to OpenSearch, OpenSearch Dashboards, Jaeger, and OpenTelemetry.
Logz.io Cloud SIEM will soon be based on OpenSearch and OpenSearch Dashboards, and we will continue to contribute features and capabilities back to these projects to benefit DevOps and SecOps users who wish to run these stacks themselves.
We make it easy to migrate to and from Logz.io since we are fully compatible with these common open source projects and platforms and do not have any proprietary data collection or agents allowing you to future proof your technology choices. If you need scalable and high-value SaaS solutions, you know where to look.