A SOC tried to detect threats in the cloud … You won’t believe what happened next
Now, we all agree that various cloud technologies, such as SaaS SIEM, help your Security Operations Center (SOC). However, we also need to talk about how traditional SOCs are challenged by the need to monitor cloud computing environments for threats. In this post, I wanted to quickly touch on that and update some past analysis (and maybe remember how sad things were in 2012).
Back in my analyst days, I noticed that some traditional organizations tried to bring their cloud environments under security monitoring at some point in their cloud migration journeys. Surprisingly (hey … did this surprise you? No? Didn’t think so!), some of these projects did not go well. SOC teams were not equipped to handle the various cloud challenges (old paper on this). There were also cases where both the business and IT moved to the cloud, but security stayed behind and had to address cloud challenges with on-premise tools and practices. Essentially, security was left behind … again.
Here I wanted to quickly summarize some of the challenges, covering the usual range of people, process and technology:
- Unfamiliar methods of collecting logs (compared to on-premise systems). Cloud providers have not necessarily made this journey easy for customers, although, compared to 2012, decent logs now exist in many cases.
- Telemetry volumes can be high (especially from all those web-facing production systems); sometimes this leads to “log fragmentation,” where cloud logs never reach a SIEM but are left to rot in some cloud storage bucket.
- Sometimes there are egress costs, especially if you want to move logs from one cloud to another for analysis.
- Alien licensing models for security tools (compared to on-premise); some teams cannot afford what they used to afford on-premise, or cannot afford a new cloud-native tool on top of the on-premise tool they already have.
- Alien detection context (instances, containers, microservices, etc.) has confused many tools that were born and raised with server names and IP addresses as their context. This topic is big enough to be explored in a dedicated post later.
- Lack of clarity about which cloud detection use cases exist, despite useful resources like ATT&CK Cloud. Unfortunately, cloud providers have also not necessarily made this journey easy for customers, and many traditional SOC teams do not know what to detect in the environments their business uses today (“Is container access bad?”).
- Besides, there is a lot of cloud; this means governance sprawl causes visibility gaps for the SOC. Examples include shadow IT (“BYOCloud” and department-purchased SaaS) as well as other cloud sprawl (which is why people are looking at all those new attack surface management tools; these should help).
- SOC teams lack cloud skills in general; complex public / hybrid / multi-cloud scenarios require broader knowledge of various technologies, their security implications and diverse (and alien) data sources, while SOC teams are too busy to grow their cloud skills.
- For organizations that try to stay afloat on old on-premise tools, many other challenges abound: the tools do not support many cloud telemetry sources (they lack collection machinery, parsing / analysis, use cases, useful visuals, etc.). Also, logging support often does not arrive at “cloud speed.”
- Lack of SOC input into cloud decisions, ranging from vendor choices to IT architecture (and even security architecture). Frankly, many SOC teams are too busy and too focused on threats, and do not have staff dedicated to preparing their organization for the move to cloud …
A huge thank you to Iman Ghanizada (“The Certain Guy”) for his contributions to this post.
A SOC tried to detect threats in the cloud … You won’t believe what happened next was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium, authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/a-soc-tried-to-detect-threats-in-the-cloud-your-wont-believe-what-happened-next-4a2ba0ab5d81?source=rss-11065c9e943e