By Dana Mitchell, Director, Cybersecurity Solutions Group, Microsoft Canada
For security professionals, 2020 was a year like no other. Attackers capitalized on the COVID-19 pandemic: every country in the world saw COVID-19 themed attacks, and the Canadian Centre for Cyber Security observed an increase in related campaigns. For many security teams and security operations centres (SOCs), the work of absorbing these higher attack volumes erodes their ability to protect the organization. Higher volumes mean longer response times, potentially missed threats and, not surprisingly, concern from CISOs and CSOs about burnout on their teams. In a recent IDG study, 42% of respondents cited alert fatigue as a problem (IDG, 2020).
The reality is that SOCs have more work and added pressure, yet organizations are still looking to reduce cost because of the economic climate. How can we do more, shorten time to incident resolution, and do it all without expanding headcount? If anything, the numbers say we need more headcount; since that is rarely an option, we need a solution that helps SOCs do more with less so they can focus on what matters.
For many organizations, moving to the cloud can help address these challenges. There are many considerations when moving to the cloud, but in each case the cloud can add capacity on demand, increase automation to help with workload and response times, and reduce cost while also reducing risk. In conversations with CISOs, the three concerns below come up most often as reasons why moving to the cloud is necessary today:
“I need infrastructure to support a legacy SIEM.”
With a frequently changing landscape, teams need to expand and contract their security analytics as requirements change. When under attack, they need extra compute and storage capacity immediately. Legacy security information and event management (SIEM) platforms require careful planning for servers, software licensing and storage, so organizations often pay for capacity that sits idle most days. A cloud-native SIEM does not have this limitation: capacity is added as required, the platform scales on demand, and you pay only for what you consume. Moving to a cloud-native SIEM also removes the effort of managing and upgrading on-premises technology, along with the skilled security-team time needed to support it. The trade-off is that cost now tracks ingestion volume, so which data sources are onboarded and how long data is retained need the same governance that hardware capacity planning used to get.
“I need to address data volumes and alert fatigue.”
An increased number of threats has produced a corresponding increase in the alerts surfaced to SOC teams. Chasing alerts that turn out not to be real has been shown to hurt how analysts feel about their jobs and can lead to attrition. With talent capacity and quickly addressing actionable alerts being the top two challenges these teams face, research indicates that organizations that move to a cloud-based SIEM are less likely to experience these pains than those running on-premises SIEMs.
Cloud SIEMs address alert volume and quality by applying artificial intelligence and machine learning together with threat intelligence and automation, including security orchestration, automation and response (SOAR), so that low-fidelity alerts are triaged and closed without human intervention and higher-fidelity alerts are surfaced for investigation and resolved quickly. This has a real impact on the volume of alerts the team must manage, reducing the number of missed alerts and cutting analyst time spent chasing dead ends on false-positive alerts by up to 79% (Forrester, 2020). These gains still depend on tuning: analytics rules and automation playbooks need to be validated against the organization's own data before their output is trusted to close alerts unattended.
“I need to save costs.”
At a time when 89% of CISOs are being asked to reduce budgets, organizations running on-premises solutions may find themselves choosing between paying more for capacity or capping the amount of data ingested, which limits their visibility into their network. Moving from an on-premises solution to a cloud SIEM can save as much as 11%, and with consumption-based pricing CISOs no longer make decisions based on capacity limits. According to one Sr. Director of Security Technology and Operations: “If you take the costs of Azure Sentinel and compare it to the costs that we had to simply run our legacy solution, we are seeing a 15% savings with Azure Sentinel and we are getting more.”
Forrester recently reported that the Azure Sentinel cloud SIEM is 48% less expensive than the legacy solution it replaced once licensing, storage and infrastructure costs are taken into account. These savings can both help CISOs reach their cost-reduction targets and fund reinvestment to reduce security risk in other areas affected by the changing threat landscape; overall, it is a change many are making.
As organizations look for benefits like cost effectiveness, technology flexibility and automation, the days of the on-premises SIEM are numbered; it makes the most business sense to shift to a cloud-based SIEM. With the landscape evolving as quickly as the last six months have shown, it is important to consider the long-term workload and efficiency of the SOC. Is what you are doing today the best solution? Could you improve your team's workload? Could you reduce the risk to your organization? These are questions worth asking and exploring now rather than waiting until it is too late.
For more information on cost optimization of a cloud-based SIEM, see the Forrester whitepaper. And if you are looking to get started with a cloud-native SIEM, see our quick start guide to Azure Sentinel.