<p>The traditional enterprise SIEM pulls security log data from sources across the IT environment, then normalizes it, analyzes it and retains it. But because SIEM providers typically charge more to hold more data, organizations generally must retain less data than they would prefer and accept the limitations of subsequent analyses.</p>
<p>Additionally, <a href="https://www.techtarget.com/searchsecurity/tip/SIEM-benefits-and-features-in-the-modern-SOC">SIEMs</a> retain data in their own, often proprietary formats. In fact, how SIEM vendors parse and normalize data is one way they differentiate themselves from competitors. Each seeks to use unique schemas, compression techniques and specialized databases to improve both result quality and speed. Consequently, enterprises have limited input into how their data is ingested and digested, and proprietary parsing and formats can make it harder to change vendors.</p>
<p>Some CISOs — finding the limitations and trade-offs of data ingestion and retention in SIEM too constricting — are choosing to decouple their security log data feeds from their SIEMs. By doing so, they typically gain freer access to the data, increase control over retention timelines, improve analytical capabilities, rein in SIEM costs and break free of vendor lock-in. But decoupling data from the SIEM also has its challenges and requires significant commitment, investment and planning.</p>
<section class="section main-article-chapter" data-menu-title="How decoupling data from the SIEM works">
<h2 class="section-title"><i class="icon" data-icon="1"></i>How decoupling data from the SIEM works</h2>
<p>To decouple security data sources from the SIEM, security teams insert systems that they control in the middle of these data flows. In practice, this means establishing a separate, dedicated data store to hold the security log data, typically a data lake living in a comparatively inexpensive cloud storage service. It also means establishing a new data pipeline that takes in log data, preprocesses and normalizes it and then dumps it in the data lake. The enterprise then feeds its SIEM with data from the lake.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Benefits of decoupling SIEMs from data pipelines and storage">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of decoupling SIEMs from data pipelines and storage</h2>
<p>Establishing an independent, enterprise-controlled data layer between the sources of security log data and the applications that consume it — e.g., SIEMs and other tools such as <a href="https://www.techtarget.com/searchsecurity/tip/Top-10-UEBA-enterprise-use-cases">user and entity behavior analytics</a> — enables the enterprise to do the following:</p>
<ul class="default-list">
<li>Dictate the data schema for log records.</li>
<li>Completely control filtering of records and easily vary it by destination.</li>
<li>Completely control the retention horizons for every kind of data from each platform.</li>
<li>Accurately and easily track all security data sources and all security data consumers.</li>
<li>Easily enforce consistent adherence to institutional <a href="https://www.techtarget.com/searchsecurity/feature/How-to-create-a-data-security-policy-with-template">policies on data collection and retention</a>.</li>
<li>Easily add new security tools that need access to existing data feeds.</li>
<li>Easily change — and even drop — SaaS and SIEM vendors without losing data.</li>
</ul>
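<p>The pipeline stage the article describes, as an added example that is not code from the article or any vendor: two constructed source formats (a firewall key=value line and an identity-provider JSON record) are normalized into one enterprise-defined schema, stamped with a per-source retention horizon, and fanned out through destination-specific filters so the lake keeps everything while the SIEM only receives the subset chosen for it. The source names, field names and retention values are assumptions made up for the example.</p>

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample feed: two source formats that a decoupled pipeline would
# normalize into one enterprise-controlled schema before anything reaches the SIEM.
RAW_EVENTS = [
    ("fw", "2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.9 action=deny"),
    ("fw", "2024-05-01T10:00:01Z src=10.0.0.6 dst=10.0.0.7 action=allow"),
    ("idp", '{"ts":"2024-05-01T10:00:02Z","user":"alice","result":"failure","ip":"198.51.100.4"}'),
    ("idp", '{"ts":"2024-05-01T10:00:03Z","user":"bob","result":"success","ip":"10.0.0.8"}'),
]

# Retention horizon per source platform in days (assumed values); the enterprise sets these.
RETENTION_DAYS = {"fw": 90, "idp": 365}

KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize(source: str, raw: str) -> dict:
    """Map a raw record into the common schema: ts, source, actor, target, outcome, expires."""
    if source == "fw":
        ts, _, rest = raw.partition(" ")
        kv = dict(KV_RE.findall(rest))
        rec = {"ts": ts, "actor": kv["src"], "target": kv["dst"], "outcome": kv["action"]}
    elif source == "idp":
        obj = json.loads(raw)
        rec = {"ts": obj["ts"], "actor": obj["user"], "target": obj["ip"], "outcome": obj["result"]}
    else:
        raise ValueError(f"unknown source {source!r}")
    rec["source"] = source
    start = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["expires"] = (start + timedelta(days=RETENTION_DAYS[source])).isoformat()
    return rec

# Destination-specific filters: the lake keeps everything; the SIEM only gets denies and failures.
DESTINATIONS = {
    "lake": lambda r: True,
    "siem": lambda r: r["outcome"] in {"deny", "failure"},
}

def route(events=RAW_EVENTS) -> dict:
    """Normalize every raw event and fan it out to each destination whose filter accepts it."""
    out = {name: [] for name in DESTINATIONS}
    for source, raw in events:
        rec = normalize(source, raw)
        for name, accept in DESTINATIONS.items():
            if accept(rec):
                out[name].append(rec)
    return out
```

<p>Swapping the SIEM for another vendor then means changing one filter and one consumer of the lake, not re-ingesting history from a proprietary store.</p>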
<p>Trading costlier SIEM-based storage for cheaper cloud bulk storage will also probably reduce the cost of storing security data, per se. But — and this is important to understand — that cost reduction might not translate into net savings, because the cost of new tools or services and of staff time could outweigh it.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Challenges of decoupling SIEM from the data layer">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges of decoupling SIEM from the data layer</h2>
<p>Of course, along with its benefits, decoupling data from SaaS or SIEM platforms also comes with challenges. These include the following:</p>
<ul class="default-list">
<li>Designing a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting appropriate data exchange protocols and data storage schemata.</li>
<li>Engineering a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting tools and services with which to build it and testing it ad
[…]