Troubleshooting SIEM Systems? Look under the Hood at Storage

Modern SIEM systems require modern storage. See what capabilities should be on the must-have list when choosing the right storage solution to support SIEM operations.


SIEM security systems sink or swim depending on their storage. This was true from the time SIEM came into the security market around 2005, and it’s especially true today. According to IDC, sixty-one percent of enterprises require at least 1TB of storage for their SIEM systems every day, thanks to the number of data and log sources the systems ingest.

As IDC notes, “The performance of a SIEM strategy is interwoven with the capabilities of its storage system. The right storage system will help the security team accomplish their work to their highest ability.” This finding from the IDC report, “How the Right Storage Can Improve SIEM Operations,” solidifies the argument that SIEM systems are only as good as their storage.

Modern SIEM Demands Modern Storage

When cyberattackers become more aggressive in their efforts to breach networks or demand ransom payments, SIEM systems have even more events to manage, and therefore more events and logs to store. But not just any storage will do. Here’s what the IDC report identifies as critical storage characteristics:

  • Ability to accommodate modern data types and provide modern application support
  • Must support unstructured (file- and/or object-based) storage
  • Offer high performance, availability, and cost-effective scalability

Many organizations support their SIEM systems with direct attached storage (DAS). But this approach causes problems as the amount of SIEM data increases. The better option is disaggregated scale-out storage architectures that allow for more efficient sharing of purchased storage capacity across different servers, including enterprise storage management capabilities that drive higher availability and increased efficiencies. They make storage administration and scaling storage capacity easier and more cost-effective.

Visibility Relies on Storage Capabilities

We agree with IDC. In a Pure webinar last year, “How the Right Storage Can Improve SIEM Operations,” the panelists talked about the particular storage needs of SIEM systems. They concurred that even the best SIEMs that come with their own out-of-the-box capabilities don’t always give you the visibility that you might need and want in your environment. 

Visibility matters since you can’t protect what you can’t see. Security managers need to correlate anomalies across networks, endpoints, and end users to identify and build a targeted response to threats. If the pool of data is too small, or if insufficient storage causes slowdowns, the bad guys have more time to gain entry to networks.

Speedy Analysis Rests on Storage

At the Pure webinar, Eric Burgener, current Director of Technical Strategy at Pure and former Research Vice President at IDC, said the need for fast and capable storage ties in with the big data analytics problem associated with SIEM systems. There is a definite need for agility in SIEM solutions because they need to conduct their analyses at high speed. This need is outlined in the IDC report, along with other must-haves: 

  • High ingest performance to capture relevant data without impacting information and event collection capability
  • Sufficient performance to enable real-time search, alerts, and correlation to provide comprehensive security protection, delivery of forensic evidence to authorities, and demonstration of compliance with applicable regulations
  • High availability to ensure that component failures and/or upgrades in the storage system do not impact an enterprise’s ability to protect and/or recover its information assets
  • Multi-petabyte capacity that can scale to collect the data needed from a growing number of sources, enabling enterprises to retain data over long periods to improve accuracy
  • Unified unstructured storage capabilities (supporting file- and object-based data on the same storage platform) that make a system better suited to capture, store, protect, and analyze security telemetry (since most of that data will be unstructured)

This is the must-have list we follow at Pure as well. That’s why we architected FlashBlade//S™, the disaggregated, all-flash, scale-out storage system. The performance, availability, scalability, and manageability of FlashBlade//S make it the perfect fit for storage infrastructure supporting SIEM operations for successful, growing companies.

As I wrote in an earlier Pure blog post, unstructured data growth continues to accelerate, and performance demands continue to evolve. The dynamic nature of unstructured data means that storage systems need levels of flexibility that hadn’t been seen in the market until FlashBlade//S. The trajectory of unstructured data also demands an Evergreen approach—that is, a solution that will continue to improve, provides access to new hardware and software innovations, and can grow and evolve seamlessly over time. 

To learn more about choosing the right storage solution for SIEM, download the IDC report.