The analyst firm Gartner first defined the phrase "cloud access security broker," or CASB, in 2012. It has become a well-known and well-adopted technology for cyberdefense. You can think of it as a solution that sits between an organization's users and the various cloud services they access. And because it sits there, a CASB can help you authenticate and authorize users as they attempt to access the cloud, and it can also enable you to identify what flows in and out of the cloud. Your security operations center may be highly reliant on a SIEM solution today; within the next two years, you must ensure that your SIEM either integrates seamlessly with an external CASB or has built-in CASB capabilities.

A CASB should be part of your SIEM for five major reasons: to address the high uptake of cloud applications, to correlate events that happen in different parts of the network, to prevent data leaks, to provide visibility into shadow IT, and to offer visibility into identity and access management (IAM).

Addressing the high uptake of cloud applications

The average employee uses as many as 30 SaaS cloud applications. On top of that, they use these applications on their own mobile devices. As if this were not enough, most organizations nowadays use a multi-cloud environment with various PaaS and IaaS delivery models. Therefore, you need to have a CASB-enabled SIEM solution that gives visibility into the applications in use and how they are being used. With such a solution, you can also be aware of the level of risk a particular application poses to your organization.

A SIEM tool without a CASB integration will not give you this visibility into cloud activities. And a standalone CASB will lack the necessary security context provided by events of interest happening in other parts of the network.

Correlating events that happen in different parts of the network

Cyberattacks have become more sophisticated in recent times: living-off-the-land attacks, cloud malware that gains initial access through an on-premises server, cloud ransomware and disruptionware, and insider attacks. You need the ability to see patterns, correlate seemingly unrelated events that happen in different parts of the network, and group them together as a single security incident.

A CASB-integrated SIEM solution will enable you to see malicious activities in both on-premises and cloud environments.

Preventing data leaks

With the advent of cloud apps, there is a substantial risk of both intended and unintended data leaks. For example, an employee in the marketing department may use an app called Font Candy to create vibrant typography. However, this app may be unsanctioned within the organization, and the employee may have private contact details and classified information stored within it. In such a scenario, you need the ability to manage unauthorized uploads of sensitive data and prevent data leaks. With a CASB, you can also enforce cloud security policies and controls to prevent data from being transferred over the internet.

A CASB-integrated SIEM tool will enable you to see all this information on the same console as the rest of the important security information.

Providing visibility into shadow IT

Nowadays, most organizations have a list of sanctioned cloud apps that employees can use if they wish. These applications could have become sanctioned after the organization deemed them to be secure and effective for employee productivity. The sanctioned applications are either owned or controlled by the organization. On the other hand, you can also have shadow applications that are outside the ownership or control of IT organizations. Shadow applications may have vulnerabilities and loopholes that could be exploited by attackers.

A CASB will give you the ability to discover shadow applications and the top users who access these applications. A CASB-integrated SIEM tool will allow you to see this information along with other activities the user may have done on the network. This way, you can get the complete picture of possible malicious activities.
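The shadow-IT discovery and cross-environment correlation described above, as an added example that is not from the original article or from any vendor product: it flags uploads to apps outside a sanctioned list, ranks the users involved, and joins each such upload to on-premises events by the same user in the preceding 30 minutes. The record layouts, domain names, allow-list and time window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T = datetime.fromisoformat
SANCTIONED = {"office365.example"}  # constructed allow-list of approved apps

# Constructed CASB records: (time, user, cloud app domain, bytes uploaded)
CASB_EVENTS = [
    (T("2021-06-01T09:00"), "alice", "office365.example", 1_200),
    (T("2021-06-01T10:15"), "bob", "fontcandy.example", 5_000_000),
    (T("2021-06-01T10:40"), "bob", "fileshare.example", 20_000_000),
    (T("2021-06-01T11:00"), "carol", "fontcandy.example", 300_000),
]
# Constructed on-premises SIEM events: (time, user, description)
ONPREM_EVENTS = [
    (T("2021-06-01T08:00"), "carol", "VPN login"),
    (T("2021-06-01T10:05"), "bob", "bulk read of HR file share"),
    (T("2021-06-01T10:30"), "alice", "failed logon"),
]

def shadow_usage(casb_events, sanctioned):
    """Map each unsanctioned app to a Counter of user -> bytes uploaded."""
    usage = defaultdict(Counter)
    for _, user, app, sent in casb_events:
        if app not in sanctioned:
            usage[app][user] += sent
    return usage

def top_users(usage, n=3):
    """Rank users by total bytes uploaded across all shadow apps."""
    totals = Counter()
    for per_user in usage.values():
        totals.update(per_user)
    return totals.most_common(n)

def correlate(casb_events, onprem_events, sanctioned, window=timedelta(minutes=30)):
    """Group a shadow-app upload with the same user's recent on-prem events."""
    incidents = []
    for ts, user, app, sent in casb_events:
        if app in sanctioned:
            continue
        related = [desc for t, u, desc in onprem_events
                   if u == user and timedelta(0) <= ts - t <= window]
        if related:  # only uploads with on-prem context become incidents
            incidents.append({"user": user, "app": app,
                              "bytes": sent, "preceded_by": related})
    return incidents

if __name__ == "__main__":
    print(top_users(shadow_usage(CASB_EVENTS, SANCTIONED)))
    print(correlate(CASB_EVENTS, ONPREM_EVENTS, SANCTIONED))
```

Neither log source alone produces the single incident here: the CASB records show only an upload, and the on-premises records show only a file-share read.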

Offering visibility into IAM

According to Erik Wahlstrom, research director at Gartner, "Organizations shouldn't replace their IAM programs with CASBs, but rather intersect the two for increased governance and access control of cloud applications." A CASB can strengthen IAM through capabilities such as adaptive authentication and user-based risk analysis.

By bringing this capability into your SIEM, you can see the risky behavior of users in a single console and use playbooks and workflows to respond to these threats.

In the next few years, there will be a continuous, fast rise in the adoption of CASB solutions; the CASB market will grow at a CAGR of 18% from 2021 to 2028. While I am not sure how much of this adoption will be propelled through SIEM integrations, I am sure it will be a sizeable chunk.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.