Multi cloud SIEM deployment cost considerations with IBM QRadar and Splunk

Cloud infrastructure and platform (CIPS) is the combination of both IaaS and PaaS segments into single platform. According to Gartner, The worldwide CIPS market grew 42.3% in 2019 to total $63.4 billion, up from $44.6 billion in 2018. Amazon, Microsoft and Alibaba secured the top three positions in the CIPS market in 2019, while Tencent and Oracle were in a virtual tie for the No. 5 position with 2.8% of the market each. Public cloud services will continue to grow rapidly as economy reopen. Cloud business leaders prefers multi cloud deployment strategies either within the region or across regions to have cost effective solution. IT security managers require security event management solutions prefers to have deployed on the cloud environment or either prefer SaaS offerings

IBM QRadar and Splunk are the leading vendors in the market today offers wide range of SIEM use-cases. IBM QRadar has both virtual deployment in the public clouds and QRoC (QRadar on the Cloud) SaaS services. IBM also has its own threat intelligence feeds (XForce) provides data enrichment for SOC analysts. IBM QRoC services are primarily hosted on IBM Cloud and managed by IBM DevOps. Splunk Enterprise Security SIEM also has both virtual deployment in public cloud and SaaS services. Splunk Cloud is hosted on AWS and leverage open source or 3rd party threat intelligence feeds.

Multi cloud SIEM deployment are mostly explored scenarios in recent days where customer has workload presence across AWS, Azure & GCP either within the geography (example – within USA) or across borders (example – in USA, Europe and Asia). In the typical SIEM deployment scenarios, there are three layers namely 1) Data collection Layer; 2) Data Processing, Storage and Correlation Layer and 3) Management and Visualization Layer. This doesn’t change even, if we consider public cloud scenarios – only difference is the first layer (Data collection) will be with customer, while the other two layers are managed by the SIEM product vendors.

During SIEM design considerations, it important to discuss with customer on the required log sources that need integration/ onboarding with the SIEM. This includes the public cloud native platform log sources. While cloud service providers constantly introduce newer capabilities, both IBM QRadar and Splunk supports cloud platform log source integrations and are enhancing additional components. Its important to understand the protocols and methods we should consider to integrate the cloud native platform log sources. Below figure provide insights on most common platform native cloud log sources across AWS, Azure & GCP with IBM QRadar and Splunk.

In addition to cloud native platform logs, the other log sources such as operating systems, security devices (such as firewalls hosted in cloud), marketplace components also require integration with the SIEM. Customer to consider the costs associated with deployment of virtual machine and its subscription for the deployment of data gateway or data processor within the cloud. Likewise the cloud platform subscription charges to enable the log forward to external sources and egress costs associated with the bandwidth for forwarding the logs. The below figure depicts the cost considerations for SIEM deployments in public cloud.

Recommendations for cost optimization in multi cloud SIEM deployments

Below are the recommendations that customers can consider to reduce the cloud expenses during SIEM deployment scenarios

  1. Identify and consider data sources that generates security events of interest – For example – Windows OS logs, only security event logs have to be considered
  2. Identify and consider cloud platform data sources that are specific to security events such as Brute force, DoS, IAM anomalous, malware events, audit logs.
  3. Prioritize and integrate data sources that are based on business critical asset category to avoid cost overruns – For example – PRODUCTION servers/ applications.
  4. Evaluate cost benefit analysis of having cloud hosted SIEM solutions and SaaS offerings
  5. Consider Data gateway deployment local to the region that helps compression of events while forwarding it to Data processor
  6. Consider data archival and data retention use-cases to leverage the cloud storage solutions such as S3 buckets, Azure blog storage