23 Oct – In a Cloudy World, On-Premises Still Might Be the Way to Go
Here are four reasons to deploy an on-premises security operations platform
– Stephen Salinas, Head of Product Marketing, Stellar Cyber
San Jose, Calif. – Nov. 1, 2024
In 2012, I worked for one of the first vendors to deliver security-as-a-service. In those days, securing your environment from the cloud was cutting-edge, and many security teams were leery of introducing what they perceived as another point of failure into their security framework. Today, deploying a SIEM, XDR, or SecOps platform on bare metal seems old-fashioned to many security leaders.
Indeed, there are valid reasons security teams look to the cloud as their preferred deployment option for security products, from speeding deployment to decreasing costs and the flexibility to access the product from any secure web browser. That said, a security team has equally valid reasons to opt for an on-premises security operations platform.
Four Reasons to Deploy On-Premises
1. Highly Sensitive Data
Every security team prioritizes the confidentiality of its company’s data. However, if your organization deals with classified information, you may be required to ensure that data never leaves your environment. In such cases, using any cloud-based security products is a non-starter. By deploying your SecOps platform on-premises, you can rest assured that your sensitive logs and other security information remain securely within the walls of your environment, providing an extra layer of protection.
2. Regulations
The degree to which regulatory agencies scrutinize an industry can vary widely depending on the data type the organization handles and the potential for that data, if compromised, to cause customers significant harm. For instance, healthcare, finance, and government organizations must adhere to strict regulatory requirements, such as GDPR, HIPAA, and other regional data protection laws. If your organization is part of one of these highly regulated industries, you may have no choice but to deploy your SecOps platform on-premises.
3. Customization and Version Control
Depending on your security team’s capabilities and targeted use cases, you may need to deploy some custom configurations and/or code on top of an off-the-shelf SecOps platform. When working with a cloud-based SecOps platform, the vendor may restrict your ability to make these sorts of customizations to the platform. Additionally, the vendor may apply updates to the SecOps platform with little to no advance notice, which could cause your security team some heartburn. With an on-premises deployment, your security team can implement bespoke security policies or automation that might be difficult to implement on a cloud-based platform. This level of flexibility and control can empower your analysts, allowing them to tailor the platform to their specific needs and maintain version control without any external restrictions.
4. Performance Considerations
While most organizations work with high-speed networks capable of minimizing latency – even when uploading or downloading large datasets – some might struggle with network reliability and stability because of where their offices are located. Additionally, there are situations where an organization, or part of it, has no internet connection at all in order to comply with internal or external policies. If you are in a similar situation, the on-premises deployment model is your only real option.
Choosing Your Next On-Premises SecOps Platform
While I’ve outlined four reasons why an on-premises deployment of a SIEM or security operations platform might be required, there are many others. The next logical question might be, “How do I select a SIEM/SecOps platform that meets my deployment needs?”
Here are three recommendations for selecting your on-premises platform.
1. Capabilities
While this should go without saying, security operations platforms that support on-premises deployment vary widely in capability. On the low end, you might have vendors touting an on-premises deployable platform that enables you to ingest log data from many different sources but requires you to create, manage, and maintain all detection and correlation rules yourself. Such a product is a glorified log management tool that will undoubtedly make your team less effective in the long run.
On the other end of the spectrum are products with easily configurable integrations capable of capturing third-party security alerts, log data, network traffic, and user and asset activity streams. Then, machine learning and artificial intelligence models, combined with vendor-curated detection rules, uncover advanced threats automatically with no human intervention.
When evaluating your options, ask probing questions regarding capabilities and insist on a proof of concept (PoC) in your environment to validate the vendor’s claims.
2. Integrations
Integrations are critical to getting value from any security operations platform. Anyone who has worked with a product that requires significant manual, custom-built integrations knows the nightmare this can quickly become. For one, not all security teams have the technical skills to craft their own integrations, so they must either contract with an external resource, pay the vendor additional fees, or hire a dedicated resource to own integrations. In any of these cases, the result is a platform that costs much more than expected over time.
The better option is to select a platform where the vendor invests their effort and resources into creating integrations that your security team can easily configure. These platforms offer dozens or even hundreds of pre-built integrations at no additional cost.
When talking with vendors, make sure they understand the products you intend to integrate and then determine whether their platform supports them. Validate whatever they say during the PoC process.
3. Roadmap
Finding out unexpectedly that a product you invested in and incorporated as the hub of your security workflows has no future can frustrate even the most seasoned security leader.
For example, Palo Alto Networks’ recent purchase of IBM QRadar SIEM Cloud has left IBM QRadar On-premises customers out in the cold. If these customers must remain on-premises, they need another vendor to meet their deployment needs and help them migrate their existing QRadar data, configurations, and rules into the new platform quickly.
While products with roadmaps can be swept up in shareholder-related actions, such as mergers or acquisitions, seeing that the vendor has plans beyond the current version of the platform at least lets you know that the platform will continue to evolve based on changes in the threat landscape and user needs.
Closing Thoughts
Security is not a one-size-fits-all proposition. While the cloud offers the ability to scale a business fast and helps a security team manage its costs and resources, there are valid reasons to deploy a SIEM/XDR/SecOps Platform on-premises. Following the simple recommendations I’ve discussed is a good starting point in your search for your next platform.
– Stephen Salinas is the head of product marketing at Stellar Cyber.
About Stellar Cyber
Stellar Cyber’s Open XDR Platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill level to secure their environments successfully. With Stellar Cyber, organizations reduce risk with early and precise identification and remediation of threats while slashing costs, retaining investments in existing tools, and improving analyst productivity, delivering an 8X improvement in MTTD and a 20X improvement in MTTR. The company is based in Silicon Valley. For more information, visit https://stellarcyber.ai.