Design Guidance for SIEM Integration

One of the pillars of the Cloud Adoption Framework is security. When you migrate workloads to the cloud or create workloads in the cloud, implement different security layers to reduce the risk of attacks. Oracle Cloud Infrastructure (OCI) uses the defense in depth (DiD) framework to protect cloud infrastructure at different levels. OCI also applies the Zero Trust Security approach. For more information, see Approaching Zero Trust Security with Oracle Cloud Infrastructure.

What Is Defense in Depth and Why Is It Important?

Defense in depth is a multi-layer approach to security that helps protect data by using different types of security defenses. If one layer of defense fails or is compromised, other types of defenses mitigate the attack and become operational. For example, if you save your data inside multiple safes with different defense types such as biometric, network access, and authentication, each layer of security increases confidence that your data is secure. For each layer there is a potential monitoring system that provides a complete view of the security status for your safe.

Similarly, when applying this concept to the defense of IT systems, the defense in depth approach protects all layers of your systems. For example, the DiD framework offers protection across employee laptop computers, users and their identities, networks that connect systems, and applications that guard your data.

Elements of Defense in Depth

Defense in depth focuses on the following areas of control:

  • Physical controls: Preventing access to physical systems. This control is typically represented by security personnel rather than by biometric systems or security doors.
  • Technical controls: Preventing access to IT systems, including hardware and software. This control includes firewalling and intrusion detection systems, web scanners, just-in-time access, network segmentation, and data encryption. This control is also implemented by monitoring your own systems using security information and event management (SIEM) platforms and using security, orchestration, automation and response (SOAR) platforms.
  • Administrative controls: Measure and verify security through the implementation of security policies, cybersecurity risk assessment, and management of employees and vendors.

For more information, see Keep Your Data Secure On and Off the Cloud: Defense In-Depth.

SIEM Integration Pattern

A SIEM platform is required to increase responsiveness to security attacks. Through SIEM systems, you can monitor security events from different sources such as networks, devices, and identities. You can also analyze these signals in real time using machine learning to correlate various signals and to identify malicious activity and irregular security events traveling through the network. There are several third-party SIEMs available for integrating with logs and events produced in OCI. If your SIEM platform is not covered, we recommend that you contact your Oracle representative for support.

Service Log Consolidation

When you integrate monitoring systems with OCI, you can consolidate the logs that are generated in OCI Logging. Logging provides access to all logs from OCI resources, fully manages all logs in your tenancy, and is highly scalable. The logs include critical diagnostic information that describes how resources are performing and being accessed.

The kinds of logs are the following:

  • Audit logs: Logs related to events emitted by the OCI Audit service.
  • Service logs: Logs emitted by OCI native services, such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs. Each of these supported services has predefined logging categories that you can enable or disable on your respective resources.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment. Custom logs can be ingested through the API, or by configuring the Unified Monitoring Agent. You can configure an OCI Compute instance to directly upload custom logs through the Unified Monitoring Agent. Custom logs are supported in virtual machine and bare metal scenarios.

For more information about how to consolidate logs by using Logging and OCI Service Connector Hub, see Security Log Consolidation in CIS OCI Landing Zone.

As a best practice, also capture events generated by Cloud Guard to obtain enough detailed data to send to your SIEM platform. This process helps you prepare for potential security issues.

For information about how to export the events generated by Cloud Guard, see Integrate Oracle Cloud Guard with External Systems Using OCI Events and Functions.

Third-Party SIEM Reference Architecture

In a third-party SIEM reference architecture, Logging captures logs from different sources such as audit logs, service logs (for example, VCN flow logs), and custom logs. There is a separate stream for each log, and each log is connected to its stream by a service connector (defined in Service Connector Hub) that writes the logs into the OCI Streaming service. In parallel, the events generated by Cloud Guard are collected and normalized through an OCI function that writes the events into OCI Streaming.

OCI Streaming can then interface with a third-party SIEM platform, such as Splunk or QRadar, which collects the streamed data for further analysis. For an example, see Implement a SIEM System in Splunk Using Logs Streamed from Oracle Cloud.

Diagram of a SIEM reference architecture showing OCI Logging integration.
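The following Python script is an added example of the consumer side of the pattern described above and of the Cloud Guard event forwarding described under Service Log Consolidation; it is not code from this page or from Oracle. It assumes a SIEM connector has already pulled a batch of messages from an OCI stream (Streaming returns each record's payload base64-encoded in its `value` field), and it decodes and normalizes three kinds of payload into one flat record shape: an Audit log and a VCN flow log in the OCI Logging `logContent` envelope as written by a service connector, and a Cloud Guard problem event as an OCI function might forward it from OCI Events. The field names follow the public OCI log and event formats, but every value (OCIDs, addresses, timestamps, the problem name) is constructed for the example, and the severity mapping is the example's own choice, not a Cloud Guard or SIEM convention.

```python
import base64
import json

# Constructed sample payloads (field names follow the OCI Logging envelope and
# the OCI Events format for Cloud Guard; all values are made up).
_AUDIT = {
    "datetime": 1700000000000,
    "logContent": {
        "type": "com.oraclecloud.identitycontrolplane.createuser",
        "source": "identity",
        "time": "2023-11-14T22:13:20.000Z",
        "oracle": {"compartmentid": "ocid1.compartment.oc1..example"},
        "data": {
            "eventName": "CreateUser",
            "identity": {"principalName": "admin@example.com", "ipAddress": "203.0.113.10"},
            "resourceName": "svc-account-01",
            "response": {"status": "200"},
        },
    },
}
_FLOW = {
    "datetime": 1700000005000,
    "logContent": {
        "type": "com.oraclecloud.vcn.flowlogs.DataEvent",
        "source": "subnet-prod-app",
        "time": "2023-11-14T22:13:25.000Z",
        "oracle": {"compartmentid": "ocid1.compartment.oc1..example"},
        "data": {
            "action": "REJECT", "protocol": 6,
            "sourceAddress": "198.51.100.7", "sourcePort": 51515,
            "destinationAddress": "10.0.1.20", "destinationPort": 22,
            "bytesOut": 0, "packets": 1,
        },
    },
}
_CLOUD_GUARD = {
    "eventType": "com.oraclecloud.cloudguard.problemdetected",
    "source": "CloudGuard",
    "eventTime": "2023-11-14T22:13:30Z",
    "data": {
        "compartmentId": "ocid1.compartment.oc1..example",
        "resourceName": "bucket-public-01",
        "resourceId": "ocid1.bucket.oc1..example",
        "additionalDetails": {"problemName": "BUCKET_IS_PUBLIC", "riskLevel": "CRITICAL", "status": "OPEN"},
    },
}


def _encode(payload):
    """Streaming carries record payloads base64-encoded, as a SIEM connector sees them."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed stand-in for one GetMessages response from a stream.
STREAM_BATCH = [
    {"partition": "0", "offset": i, "key": None, "value": _encode(p)}
    for i, p in enumerate((_AUDIT, _FLOW, _CLOUD_GUARD))
]

# Example's own mapping of Cloud Guard risk levels to a SIEM severity scale.
_RISK_TO_SEVERITY = {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium"}


def normalize(message):
    """Decode one Streaming message and map it to a flat record a SIEM can index."""
    payload = json.loads(base64.b64decode(message["value"]))

    if "logContent" in payload:  # OCI Logging envelope written by Service Connector Hub
        lc = payload["logContent"]
        data = lc.get("data", {})
        record = {"time": lc["time"], "type": lc["type"],
                  "compartment": lc["oracle"]["compartmentid"]}
        if lc["type"].startswith("com.oraclecloud.vcn.flowlogs."):
            # VCN flow log: a REJECT is worth surfacing, an ACCEPT is routine telemetry.
            record.update(
                category="network",
                severity="medium" if data.get("action") == "REJECT" else "info",
                summary=f"{data.get('action')} {data.get('sourceAddress')}:{data.get('sourcePort')} "
                        f"-> {data.get('destinationAddress')}:{data.get('destinationPort')}/{data.get('protocol')}")
        else:
            # Audit log: keep the acting principal and its source address for correlation.
            identity = data.get("identity", {})
            record.update(category="audit", severity="info",
                          actor=identity.get("principalName"),
                          actor_ip=identity.get("ipAddress"),
                          summary=f"{data.get('eventName')} {data.get('resourceName')}")
        return record

    if payload.get("source") == "CloudGuard":  # problem event forwarded by an OCI function
        details = payload["data"].get("additionalDetails", {})
        return {"time": payload["eventTime"], "type": payload["eventType"],
                "compartment": payload["data"]["compartmentId"], "category": "posture",
                "severity": _RISK_TO_SEVERITY.get(details.get("riskLevel"), "low"),
                "summary": f"{details.get('problemName')} on {payload['data'].get('resourceName')} "
                           f"({details.get('status')})"}

    # Anything else is kept raw so the SIEM can still index it rather than drop it.
    return {"category": "unknown", "severity": "info", "summary": "unrecognized payload", "raw": payload}


def process_batch(messages):
    """Normalize a whole batch and return (all records, records worth alerting on)."""
    records = [normalize(m) for m in messages]
    alerts = [r for r in records if r["severity"] in ("critical", "high", "medium")]
    return records, alerts


if __name__ == "__main__":
    for record in process_batch(STREAM_BATCH)[0]:
        print(json.dumps(record))
```

Because audit logs, flow logs, and Cloud Guard events arrive on separate streams in the architecture above, a real connector would run `process_batch` once per stream; the normalizer keys on the payload shape rather than on the stream name so the same code serves all of them.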

The SIEM reference architecture includes the following architecture components.

region

An OCI region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate regions across countries or continents.

availability domain

Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don't share infrastructure such as power or cooling, or the internal availability domain network. As a result, a failure at one availability domain is unlikely to affect the other availability domains in the region.

virtual cloud network and subnets

A virtual cloud network (VCN) is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

Logging

Logging is a scalable and fully managed service that provides access to logs from your resources in the cloud. Types of logs include audit logs, service logs, and custom logs.

Streaming

Streaming provides a fully managed, scalable, and durable storage solution for ingesting continuous, high-volume streams of data that you can consume and process in real time. You can use Streaming for ingesting high-volume data, such as application logs, operational telemetry, web click-stream data, or for other use cases where data is produced and processed continually and sequentially in a publish-subscribe messaging model.

Service Connector Hub

Service Connector Hub is a cloud message bus platform that orchestrates data movement between services in OCI. You can use the platform to move data between OCI services. Data is moved by using service connectors. A service connector specifies the source service that contains the data to be moved, the tasks to perform on the data, and the target service to which the data must be delivered when the tasks are completed.

Oracle Cloud Guard

Cloud Guard helps you monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud. Use the service to examine your OCI resources for security weaknesses related to configuration, and your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions based on your configuration.