SIEM in the Cloud? Securely Configure Your Endpoints FIRST…

After reading this article on SIEM moving to the cloud <here>, it got me wondering… is all this talk of moving functions to the cloud simply a way of making security someone else’s problem?  I worked for a SIEM vendor in the past so I’m somewhat familiar with the technical challenges of aggregating and correlating vastly different data sources into something that makes sense, and is actionable.  There are business challenges as well.  Which sources do we care about? Which events are just noise and which do we need to respond to?  What are the appropriate responses?  Do we even have an incident response policy?  Have we tested it?

Those are the questions IT security and operational teams should answer well before deciding if this is a function that should be outsourced.  The “cloud” is cool.  It offers real benefits.  But it doesn’t solve the tricky bit about balancing technology with people and process.

I realize that the compliance driver is the reason for implementing SIEM in the first place, so it’s not going away… however, if the focus is switched to how desktops, servers, and laptops are configured in the first place, that would certainly reduce the number of alerts generated by a SIEM, alleviating the costs associated with managing it.  And perhaps making outsourcing unnecessary.  Not to mention making audits much less painful…
