Cloud security - how to put a SOC in it

Automating manual security tasks can help stop rapid attacks like malware as well as detect stealthy APTs on the system

According to McKinsey, moving to the cloud will take up 80 per cent of companies' IT infrastructure and unlock more than $1 trillion of business value by 2030. Gartner estimates that the entire cloud infrastructure market equalled $64.3 billion for 2020.

Why is all this money getting spent? IT teams want to - indeed, have to - build the new services that their companies ask for, and cloud helps them achieve this faster. Developers can use cloud to build their applications using microservices and APIs, making it easier to scale or swap out components. As companies migrate, they will either lift and shift their existing applications straight into the cloud, or look at how to re-architect those applications to take advantage of new services or functionality. Both approaches have their benefits.

However, all this rapid deployment and expansion comes at a cost for security. According to research, 70 per cent of SOC teams have seen the number of alerts they have to deal with double over the past five years, and 93 per cent said they did not get through all the alerts that came in during the day. With more alerts arriving all the time, and with more cloud applications creating more data to manage, this quickly becomes a Sisyphean task that can never be completed, or even come close to it.

Updating your SOC approach

For the security operations centre (SOC), this overwhelming flood of data means that a move to the cloud is necessary to keep up. This means collecting both the data that application components create while they run in the cloud and the data that the cloud providers offer around their infrastructure. By bringing this together in one place, the SOC team will have the data it needs to work with.

Automating the response process around any new insights that come in can help analysts respond faster and more efficiently to the issues that get raised. This can be done using playbooks that combine typical processes and investigation steps so they can be automated. This takes a huge amount of manual work away from the common tasks that security analysts have to carry out every day. For example, investigating a phishing attempt normally involves the same steps each time one takes place, so automating them helps get the response completed more quickly.

Automation can also take over some of the tasks that would otherwise require manual work. For instance, adding more data to a threat investigation task, such as user, device, and network traffic information, can require manual work to prepare and format. Automating these steps so that all the data is enriched for the analyst as standard can therefore help them concentrate more on incident response. This can also then be shared with other team members - with so much remote working taking place, having all the necessary data centrally helps improve response approaches where people are working in different locations and time zones.
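As an added illustration of the playbook enrichment described above (example code, not from the article or from Sumo Logic), the step below takes one phishing alert, pulls in user, device and network-traffic context from constructed sample sources, and derives a severity and the response actions to queue for the analyst. The directory, inventory, flow records and thresholds are all assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample context: an identity directory, a device inventory and
# a few proxy/flow-log records of the form (timestamp, device, destination host).
USERS = {"a.jones": {"department": "finance", "privileged": False},
         "r.singh": {"department": "it", "privileged": True}}
DEVICES = {"LAPTOP-0413": {"owner": "a.jones", "edr_healthy": True},
           "LAPTOP-0922": {"owner": "r.singh", "edr_healthy": False}}
FLOWS = [("2024-03-01T09:02:11", "LAPTOP-0413", "login-portal.example.net"),
         ("2024-03-01T09:02:40", "LAPTOP-0413", "login-portal.example.net"),
         ("2024-03-01T09:05:07", "LAPTOP-0922", "intranet.corp.example"),
         ("2024-03-01T09:10:00", "LAPTOP-0922", "login-portal.example.net")]

@dataclass
class PhishingAlert:
    recipient: str   # user who received the mail
    device: str      # device the mail client ran on
    url_host: str    # host of the link in the mail
    received: str    # ISO-8601 timestamp the mail arrived

@dataclass
class EnrichedCase:
    alert: PhishingAlert
    user: dict
    device: dict
    clicks: int          # visits to url_host from that device after delivery
    severity: str
    next_steps: list = field(default_factory=list)

def enrich(alert: PhishingAlert, window_min: int = 30) -> EnrichedCase:
    """Playbook step: gather user, device and network context for one alert
    and derive a severity plus the response actions an analyst would queue."""
    user = USERS.get(alert.recipient, {})
    device = DEVICES.get(alert.device, {})
    start = datetime.fromisoformat(alert.received)
    end = start + timedelta(minutes=window_min)
    # Did the device reach the phishing host within the window after delivery?
    clicks = sum(1 for ts, dev, host in FLOWS
                 if dev == alert.device and host == alert.url_host
                 and start <= datetime.fromisoformat(ts) <= end)
    if clicks == 0:
        severity, steps = "low", ["notify recipient", "purge mail from mailboxes"]
    elif user.get("privileged") or not device.get("edr_healthy", False):
        severity = "high"
        steps = ["block url_host at proxy", "force password reset", "isolate device"]
    else:
        severity = "medium"
        steps = ["block url_host at proxy", "force password reset"]
    return EnrichedCase(alert, user, device, clicks, severity, steps)
```

The returned case already carries everything the analyst would otherwise have had to gather by hand, so it can be handed to a colleague in another location without further preparation.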

It all comes down to money

One potential issue that all cloud migrations will run into is the cost side. Cloud makes it easier to create more new services and respond to business requests faster. However, all those new applications will create data for security teams to analyse, and that data has to be stored over time.

Observability describes how companies use logs, metrics and application tracing data together to get a better picture of how their applications perform, particularly in the cloud. This data can be incredibly useful for software developers, and it can provide great insights for security as well. However, storing this data over time can rapidly add more cost to run the SOC, even though all that data can be necessary for analysis and preventing attacks.

When attackers breach a network, some may opt for a fast smash-and-grab raid or try to install ransomware. Preventing this kind of attack is about speed of response, and that is where automation can really help. However, other attackers will try to stay within a network and move laterally to access more high-value data or systems. These kinds of attacks can play out over the course of months. Having data on system behaviour over that time is therefore essential to help the security team spot deviations and anomalies. However, the sheer cost of holding that data over time is starting to enter into the equation too.

In response to this, you can look at how to take advantage of how cloud providers tier their data and offerings. Rather than running solely on production data, consider how your approach can use tiers of service for new, recent and long-term data. Rather than having to jettison old data to keep costs low, this approach should help you reduce the cost side and use cloud economics to your advantage.

With so much IT moving to the cloud, security will have to keep up. For SOC teams, this will involve making more use of automation across their processes, so they can handle the huge volumes of data that their systems will produce. However, getting this right involves understanding business priorities around the cloud, how much data is getting created and then making sure the right processes are in place to ensure those systems stay secure.

Colin Fernandes is EMEA Product Director at Sumo Logic