Introduction

Oracle Cloud Infrastructure (OCI) and its services provide effective and manageable security that enables you to run your mission-critical workloads and to store your data with confidence. To achieve cloud security operational excellence, it is crucial to continuously monitor and improve the security posture of our customers' OCI tenancies and to adopt essential cyber hygiene practices. For customers navigating the dynamic cloud security landscape, integrating third-party SIEM solutions can be challenging. The CIS Landing Zone provides an automated security framework that gets customers deployed in OCI securely while simplifying the shared security model. The CIS Landing Zone was further enhanced with a SIEM workload module for deploying SIEM solutions from specific third-party vendors. This article focuses on deploying Stellar Cyber with that module.

SIEM Integration Pattern

A SIEM platform is required to increase responsiveness to security attacks. Through SIEM systems, you can monitor security events from different sources such as networks, devices, and identities. You can also analyze these signals in real time, using machine learning to correlate them and to identify malicious activity and irregular security events traveling through the network. Several third-party SIEMs are available for integrating with the logs and events produced in OCI. If your SIEM platform is not covered, we recommend that you contact your Oracle representative for support.

Service Log Consolidation

When you integrate monitoring systems with OCI, you can consolidate the logs that are generated in OCI Logging. Logging provides access to all logs from OCI resources, fully manages all logs in your tenancy, and is highly scalable. The logs include critical diagnostic information that describes how resources are performing and being accessed.

The kinds of logs are the following:

  • Audit logs: Logs related to events emitted by the OCI Audit service.
  • Service logs: Logs emitted by OCI native services, such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs. Each of these supported services has predefined logging categories that you can enable or disable on your respective resources.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment. Custom logs can be ingested through the API, or by configuring the Unified Monitoring Agent. You can configure an OCI Compute instance to directly upload custom logs through the Unified Monitoring Agent. Custom logs are supported in virtual machine and bare metal scenarios.

For more information about how to consolidate logs by using Logging and OCI Service Connector Hub, see Security Log Consolidation in CIS OCI Landing Zone. All of these log types can be sent to Stellar Cyber, and a number of them have already been converted into dashboards. If a particular log arrives in Stellar Cyber only as raw log data, you can work with Stellar Cyber to get a dashboard built for that log.

Stellar Cyber

Stellar Cyber Open XDR is a "single pane of glass" extended detection and response platform that simplifies security operations for OCI and hybrid-cloud environments.

Stellar Cyber XDR integrates with 550+ technology vendors across multi-cloud, on-premises, SaaS, NDR/EDR, databases, and more, providing unified visibility across the entire threat surface and allowing customers to automate the threat detection and response process.

Third-Party SIEM Reference Architecture for Stellar Cyber

In a third-party SIEM reference architecture, Logging captures logs from different sources: audit logs, service logs (for example, VCN flow logs), and custom logs. As a best practice there is a separate stream for each log type, and each log is connected to its stream by a service connector that writes the log records into the OCI Streaming service. In parallel, the events generated by Cloud Guard are collected and normalized by an OCI Function that writes the events into OCI Streaming.

Note: Today the CIS Landing Zone SIEM workload supports only OCI Audit Logs, but you can run the tool as-is and then customize the service connector to add the other logs you need.
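The connector customization the note describes, written out as a Terraform fragment. This is an added example, not code from the CIS Landing Zone SIEM workload or from Stellar Cyber: it creates a stream pool with one stream per log type, a service connector that writes the tenancy's audit logs into the first stream, a second connector for a VCN flow log into the second stream, and the IAM policy that lets Service Connector Hub push to those streams. The variable names, the resource display names, and the policy wording are assumptions; the flow log's log group and log OCIDs are placeholders you supply.

```terraform
# Added example (not CIS Landing Zone code). Input OCIDs are supplied by the caller.
variable "tenancy_ocid" { type = string }
variable "compartment_ocid" { type = string }          # where streams, connectors and the policy live
variable "flow_log_group_ocid" { type = string }       # placeholder: log group holding the VCN flow log
variable "vcn_flow_log_ocid" { type = string }         # placeholder: the VCN flow log to forward

# One stream pool for the SIEM integration, one stream per log type (the
# separate-stream-per-log practice described in the reference architecture).
resource "oci_streaming_stream_pool" "siem" {
  compartment_id = var.compartment_ocid
  name           = "siem-stream-pool"
}

resource "oci_streaming_stream" "audit" {
  name               = "siem-audit-stream"
  stream_pool_id     = oci_streaming_stream_pool.siem.id
  partitions         = 1
  retention_in_hours = 24
}

resource "oci_streaming_stream" "vcn_flow" {
  name               = "siem-vcn-flow-stream"
  stream_pool_id     = oci_streaming_stream_pool.siem.id
  partitions         = 1
  retention_in_hours = 24
}

# Service Connector Hub runs as the "serviceconnector" principal; it needs an
# explicit grant before it can write (stream-push) to the target streams.
resource "oci_identity_policy" "sch_stream_push" {
  compartment_id = var.compartment_ocid
  name           = "siem-connector-stream-push"
  description    = "Allow Service Connector Hub to push log records into the SIEM streams"
  statements = [
    for s in [oci_streaming_stream.audit.id, oci_streaming_stream.vcn_flow.id] :
    "allow any-user to use stream-push in compartment id ${var.compartment_ocid} where all {request.principal.type='serviceconnector', target.stream.id='${s}', request.principal.compartment.id='${var.compartment_ocid}'}"
  ]
}

# Audit logs -> audit stream. "_Audit_Include_Subcompartment" is the special log
# group ID that selects the Audit service's logs for a compartment tree; rooting it
# at the tenancy forwards audit events from every compartment.
resource "oci_sch_service_connector" "audit_to_stream" {
  compartment_id = var.compartment_ocid
  display_name   = "siem-audit-connector"

  source {
    kind = "logging"
    log_sources {
      compartment_id = var.tenancy_ocid
      log_group_id   = "_Audit_Include_Subcompartment"
    }
  }

  target {
    kind      = "streaming"
    stream_id = oci_streaming_stream.audit.id
  }

  depends_on = [oci_identity_policy.sch_stream_push]
}

# VCN flow log -> flow stream: the extra connector the note says you add yourself.
# Additional service logs follow the same pattern with their own log_group_id/log_id.
resource "oci_sch_service_connector" "flowlog_to_stream" {
  compartment_id = var.compartment_ocid
  display_name   = "siem-vcn-flow-connector"

  source {
    kind = "logging"
    log_sources {
      compartment_id = var.compartment_ocid
      log_group_id   = var.flow_log_group_ocid
      log_id         = var.vcn_flow_log_ocid
    }
  }

  target {
    kind      = "streaming"
    stream_id = oci_streaming_stream.vcn_flow.id
  }

  depends_on = [oci_identity_policy.sch_stream_push]
}

output "siem_stream_ids" {
  description = "Stream OCIDs to register as sources on the SIEM side"
  value = {
    audit    = oci_streaming_stream.audit.id
    vcn_flow = oci_streaming_stream.vcn_flow.id
  }
}
```

After `terraform apply`, confirm in the OCI console that both connectors show an Active state and that the streams start receiving messages; a connector that stays in a failed state almost always points at the stream-push policy, so that is the first thing to check. Keeping the policy scoped to the specific `target.stream.id` values rather than the whole compartment limits what the connector principal can write to.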

Deploying the SIEM Workload using OCI Resource Manager

Deploying the SIEM workload is very straightforward. Navigate to https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/tree/main/workloads/siem_workload and scroll down to Deploy.

After clicking Next, select Stellar Cyber from the integration drop-down. This deploys the setup specific to Stellar Cyber.

After clicking Next again, check the option to run apply.

Upon successful completion, a set of output variables is displayed with the link to the Stellar Cyber instructions and the next steps to finalize and complete the integration.

Resource Manager Outputs:

https://docs.stellarcyber.ai/prod-docs/5.0.x/Configure/Connectors/Oracle-Cloud-Infra-Connectors.htm

Conclusion

Deploying a SIEM solution to manage and analyze OCI logs should be automated and simple. Stellar Cyber is one of many vendors that leverage the OCI Streaming service to make this less complicated. Bundling that third-party simplicity with automation in a workload module makes security easier to consume and manage, saving time and eliminating complexity.