Can you really build a cloud-native SOC? As more organizations adopt cloud-native and cloud-hosted technologies, what do security teams and security practitioners need to consider when it comes to the SOC and cloud security?
Girish Bhat, Vice-President of Security, CI & Platform Marketing at Sumo Logic, asked Dave Shackleford, CEO of Voodoo Security and a member of Sumo Logic’s CISO Advisory Board, to share his take on the challenges of cloud security and what’s involved in creating a cloud-native SOC. A long-time security practitioner, Dave is also involved with the SANS Institute, where he is a course author, instructor, and analyst focused on cloud security.
Survey says…
According to data from the SANS Institute, organizations are much more willing now than ever to put sensitive data types in the cloud—ranging from employee records and intellectual property to financial data, health records, and even payment card information.
The 2021 Data Breach Investigations Report from Verizon noted that, for the first time ever, more attacks and breaches occurred in cloud-based environments than in other environments, such as on-premises. “That,” says Dave, “is a really significant data point. With so much use of the cloud, attackers are focusing there as a priority.”
Cloud security challenges
It’s past time, then, to make sure that cloud environments are adequately protected and at parity with the controls that traditional security relies on to meet regulatory requirements and security best practices. Right now, security teams face a wide variety of challenges in dealing with cloud-based systems: unauthorized access, a lack of cloud skills and knowledge, a lack of visibility into what is being processed in the cloud, and the question of how to track and manage configuration changes across such a varied and extensive set of control planes.
The Cloud Security Alliance reported that data breaches, misconfiguration, and inadequate change control lead the list of security threats. As Dave says, “Not only are we worried about attacks, we’re seeing these attacks actually happen.”
Going back to the SANS research, Dave shared that the big challenges of cloud security are very similar across most organizations. The number one issue is achieving the same level of visibility into cloud-based operations as into on-premises operations. Traditional security has, for the most part, mature processes that work with network packets, logs, and other artifacts. Cloud-based security, on the other hand, is mostly a patchwork of immature processes dealing with information from a much wider variety of sources, managed by a team that lacks crucial cloud-specific knowledge and skill sets.
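As an added example (not code from the discussion or from Sumo Logic), the change-control and visibility gap described above can be approached by triaging control-plane audit events: read-only calls are ignored, configuration changes are keyed by account, region and service, and changes made by a human outside an agreed window are marked for review. The CloudTrail-style records, the mutating-verb list, the approved automation role and the change window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample records in a CloudTrail-like shape (illustrative, not real logs):
# one analyst read, one human network change, one out-of-hours pipeline change, one root IAM change.
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-01T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventTime": "2021-06-01T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "recipientAccountId": "111122223333", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}},
    {"eventTime": "2021-06-01T23:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1",
     "recipientAccountId": "444455556666", "userIdentity": {"arn": "arn:aws:sts::444455556666:assumed-role/ci-deploy/pipeline"}},
    {"eventTime": "2021-06-01T22:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "recipientAccountId": "444455556666", "userIdentity": {"arn": "arn:aws:iam::444455556666:root"}},
]

# Verbs that change configuration on the control plane; everything else is treated as read-only.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "Modify", "Authorize", "Revoke", "Attach", "Detach")
# Hypothetical change-control policy (assumption): approved automation may change config at any time,
# human principals only inside the change window (UTC hours, start inclusive, end exclusive).
APPROVED_AUTOMATION = ("assumed-role/ci-deploy/",)
CHANGE_WINDOW_UTC = (8, 18)


def is_mutating(event):
    """True if the API call writes configuration rather than reading it."""
    return event["eventName"].startswith(MUTATING_PREFIXES)


def review_changes(events):
    """Return one finding per configuration change, with a severity and a control-plane key."""
    findings = []
    for e in events:
        if not is_mutating(e):
            continue
        hour = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        actor = e["userIdentity"]["arn"]
        automated = any(tag in actor for tag in APPROVED_AUTOMATION)
        in_window = CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]
        severity = "info" if (automated or in_window) else "review"
        findings.append({
            "plane": f'{e["recipientAccountId"]}/{e["awsRegion"]}/{e["eventSource"]}',
            "action": e["eventName"], "actor": actor, "time": e["eventTime"], "severity": severity,
        })
    return findings
```

Running `review_changes(SAMPLE_EVENTS)` yields three findings: the in-hours security group change and the pipeline's bucket policy change as `info`, and the late-night root `CreateUser` as `review`.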
The cloud-based SOC
Moving from a traditional SOC to a cloud-based SOC is a massive effort. As Dave points out, “You can't necessarily take what you've done on-premises and drag it kicking and screaming out into an optimized, cloud-based scenario.”
Many of the traditional vendors that we've relied upon for on-premises security don’t yet offer comparable cloud-based toolsets. When it comes to cloud security, there is a lack of cloud detection and response workflows and a lack of overall visibility. Complicating matters further, many SOC teams don’t yet have the skills and knowledge of cloud-based environments. Security teams need some basic understanding of what people are building and how it's being deployed and used before they can start attempting to defend and protect those types of assets.
The traditional SOC was all within the walls of a data center: servers, closed networks, a SIEM platform, a response team, and technologies that were wholly under the security team’s control. But as everything has moved to the cloud, that picture has been turned upside down. Now, everything is software-based with virtual machines and highly ephemeral assets, as well as cloud-enabled technologies and products that don't necessarily all sit within one environment.
The move to a cloud-based SOC, according to Dave, starts with cooperation and with tearing down siloed work teams. The starting point, Dave says, is clear: “Security teams need to work with DevOps, risk management, procurement teams, and so on.” The SOC team needs to work with those teams to assess the risks of what’s being built, where it's going, and what the strategy looks like. No longer can the SOC be the last to know when something goes live in the cloud.
Listen to the rest of the discussion…
Listen in as Dave and Girish look at building out a cloud-based SOC, including:
Working with event data to understand what’s going on in the cloud
Skills every cloud-based SOC team needs
The importance of SOC game days
Complete visibility for DevSecOps
Reducing downtime and moving from reactive to proactive monitoring