The analyst firm, Gartner, first defined the phrase "cloud access security broker," or CASB, in 2012. It has become a well-known and well-adopted technology for cyberdefense. You can think of it as a solution that sits between an organization's users and the various cloud services they access. And because it sits there, a CASB can help you authenticate and authorize users as they attempt to access the cloud, and it can also enable you to identify what flows in and out of the cloud. Your security operations center may be highly reliant on a SIEM solution today; you must soon ensure that your SIEM either integrates seamlessly with an external CASB solution or has built-in CASB capabilities. A SIEM solution with integrated CASB capabilities can help you avoid the hassle of using multiple security solutions, manufactured by different vendors, and the resulting compatibility issues that arise during integration. ManageEngine Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that can help you secure both your on-prem and cloud environments.
A CASB should be part of your SIEM for five major reasons: to address the high uptake of cloud applications, to correlate events that happen in different parts of the network, to prevent data leaks, to provide visibility into shadow IT, and to offer visibility into identity and access management (IAM). These five reasons can be considered as the benefits of a CASB-integrated SIEM solution.
Addressing the high uptake of cloud applications
An average employee uses as many as 30 SaaS cloud applications. On top of that, they use these applications on their own mobile devices. As if this were not enough, most organizations nowadays use a multi-cloud environment with various PaaS and IaaS delivery models. Therefore, you need to have a CASB-enabled SIEM solution that gives visibility into the applications in use and how they are being used. With such a solution, you can also be aware of the level of risk a particular application poses to your organization.
A SIEM tool without a CASB integration will not give you this visibility into cloud activities. And a standalone CASB will lack the necessary security context provided by events of interest happening in other parts of the network. Log360 provides complete cloud visibility, and can secure your cloud-based resources and accounts from unauthorized accesses and prevent data thefts, as shown in Figure 1.
Figure 1: Log360 dashboard showing Top Cloud Apps by accesses, upload, and download size
Correlating events that happen in different parts of the network
Cyberattacks have become sophisticated in recent times; you have instances of living-off-the-land attacks, cloud malware with initial access in an on-premises server, cloud ransomware and disruptionware, and insider attacks. You need the ability to see patterns and correlate seemingly unrelated events that happen in different parts of the network and to group them together as a single security incident. Log360 comes with numerous built-in correlation rules to detect threats such as ransomware and DDoS attacks. It also allows you to build custom correlation rules as per your organization's security requirements and use cases.
Preventing data leaks
With the advent of cloud apps, there is a substantial risk of both intended and unintended data leaks. For example, an employee in the marketing department may use an app called Font Candy to create vibrant typography. However, this app may be unsanctioned within the organization, and the employee may have private contact details and classified information stored within it. In such a scenario, you need the ability to manage unauthorized uploads of sensitive data and prevent data leaks. With a CASB, you can also enforce cloud security policies and controls to prevent data from being transferred over the internet. A CASB-integrated SIEM tool like Log360 will enable you to see all this information on the same console as the rest of the important security information as shown in Figure 1.
Providing visibility into shadow IT
Nowadays, most organizations have a list of sanctioned cloud apps that employees can use if they wish. These applications could have become sanctioned after the organization deemed them to be secure and effective for employee productivity. The sanctioned applications are either owned or controlled by the organization. On the other hand, you can also have shadow applications that are outside the ownership or control of IT organizations. Shadow applications may have vulnerabilities and loopholes that could be exploited by attackers.
A CASB will give you the ability to discover shadow applications and the top users who access these applications. A SIEM solution will allow you to see this information along with other activities the user may have done on the network. This way, you can get the complete picture of possible malicious activities. Log360 provides comprehensive reports on the shadow apps accessed by users along with the app reputation, the category of the app, and numerous other details (see Figure 2), which enables your security team to decide whether to approve or ban the apps.
Figure 2: Log360 reports offering insights into shadow app requests
Offering visibility into IAM
According to Erik Wahlstrom, research director at Gartner, "Organizations shouldn't replace their IAM programs with CASBs, but rather intersect the two for increased governance and access control of cloud applications." A CASB can provide better IAM through ways such as adaptive authentication and user-based risk analysis.
By bringing this capability within SIEM, you will get to see the risky behavior of users in a single console and also use playbooks and workflows to respond to these threats.
In the next few years, there will be a continuous, fast rise in the adoption of CASB solutions; the CASB market is expected to grow at a CAGR of 17.9% between 2024 to 2030 . While I am not sure how much of this adoption will be propelled through SIEM integrations, I am sure it will be a sizeable chunk. To evaluate a SIEM solution with integrated DLP, CASB, UEBA and SOAR capabilities, sign up for a personalized demo of Log360