(By Anton Chuvakin, originally posted at https://medium.com/anton-on-security)
However, there are organizations that want both the breadth of a traditional SIEM product and also the modern features, such as threat hunting support (as a first-class feature), fast pivoting, scalable threat intel matching, etc. Are they doomed to pick between mature, but possibly outdated tools and modern, but incomplete ones?
Admittedly, this is a hard question to answer. I still see satisfied users of traditional SIEM tools (designed and built in the early 2000s, if not the 1990s). Furthermore, I see some satisfied users of IaaS-deployed traditional SIEMs. Finally, I see happy users of modern SaaS tools such as, obviously, Google Chronicle — as well as others.
But what if you always check “all of the above” in every survey? And what if you want it all and you want it now? What if you like some of the “magical” modern features, but you also need staid compliance reports?
One choice is to deploy multiple SIEM tools, a blend of old and new. However, this approach will include a new set of responsibilities for you and your team: more integration, more friction, more things to connect to other things.
Now, is there a better way? Why, yes, there is! In fact, we announced just such a product using the technology from our friends at Cyderes. We are calling it Cloud Native Analytics Platform, or CNAP. The stack is hosted on Google Cloud (with Chronicle, as before, running on Google core infrastructure).
Think of CNAP as a pre-assembled SaaS SIEM product bundle with a modern core (Chronicle). If you use CNAP, you will get all the Chronicle coolness, but you will also get a long list of “classic” SIEM features and, in fact, some functions of a broader “cyber defense platform.”
The list includes:
- Operational and compliance reporting, including custom reports
- Various SOC dashboards
- Additional detection and correlation capabilities including support for Sigma rules (naturally, it runs YARA-L content as well)
- Security workflow and select SOAR automatic actions
- Out-of-the-box integration with a wider list of third-party ticketing and SOAR platforms
- Support for additional, less common telemetry data sources and use cases (IoT security monitoring, etc.)
Here is how Cyderes president Eric Foster describes it: “CNAP is a cloud native cybersecurity platform specifically designed to overcome those long-standing hurdles in meeting SOC goals and operational metrics. CNAP provides comprehensive threat detection, investigation and workflow along with rich reporting for compliance use cases. CNAP is powered by and built entirely on Google Cloud and Chronicle, Google’s security analytics offering.”
Now, what does it all mean in practical terms?
- If you like Chronicle, but you want a broad SIEM built around it, CNAP is the way to get it today. In fact, CNAP makes Chronicle a better “drop-in” replacement for many legacy SIEM replacement projects.
- Note that you are getting all this based on the same pricing model as Chronicle — per employee — and you are not paying anything per gigabyte or per EPS or per log source [this is kinda a big deal!].
- CNAP is not merely “Chronicle+”; if you recall this discussion of “product + service fusion”, CNAP includes some human involvement by Cyderes personnel, such as detection content tuning, report creation, etc. (so you can also think of it as a “lightly managed SIEM”).
- As a result, the CNAP approach also makes it very easy to “upgrade” to managed detection and response (MDR), if you need extra help with alert triage, custom content and playbook development, custom automation support, etc.
- CNAP also makes it easier to run a multi-SIEM setup, with Chronicle alongside another SIEM (if desired), by utilizing the CNAP data pipeline tools.
- Finally, with CNAP, you would get the future Chronicle features as we build them.
So, now, you can have your modern SIEM and your broad SIEM capabilities too!
Here are some resources to learn more: