For many security operations center analysts, the idea of cloud security often seems murky, unclear and — well, cloudy. The very essence of SOC operations is having an unobstructed and complete visibility of every event that may compromise security. Getting a true 360-degree view is never easy, but at least in legacy on-premises scenarios it has felt achievable.
The cloud has changed the requirements for security visibility. Event visibility must now extend into every virtual cloud and cloud service an organization uses. In today’s typical hybrid environments, “cloud” may include the legacy infrastructure, multiple cloud providers, and thousands of function-specific apps served by those providers. While the vision for cloud computing trumpets simplicity, piercing its veil to achieve a 360-degree view of cloud security events has been complex!
Or is it? In preparing a recent Exabeam white paper on cloud security, it struck me how a SOC analyst’s workflow in detecting and responding to cloud events is quite similar — even identical to — what occurs on premises. Generally, their shared process flow is:
- Logs are ingested and centralized into a SIEM.
- An alert fires either from a security tool like FireEye or from a correlation rule in the SIEM itself.
- This triggers an investigation, where analysts gather evidence by querying and pivoting in their SIEM and other applications.
- Evidence is used to create an incident timeline. At this point, an analyst has an idea of what’s going on, what systems and users were impacted, and what they should do about it for remediation.
- Based on the timeline, the analyst can now respond to an attack.
For example, those of you familiar with Exabeam’s modern SIEM may already use it for threat hunting and automated playbook-based incident response. Advanced analytics provide deep enterprise insight and automated control for scenarios such as compromised user credentials, privileged-user compromise, executive asset monitoring, lateral movement detection and many others. Attack scenarios like these occur in on-premises infrastructure and in cloud assets alike.
Extending the SIEM’s capabilities for security visibility and control into the cloud requires feeding security event data from an organization’s various cloud providers and apps directly into the SIEM for advanced analytics and incident response.
There are three ways to implement integration of a modern SIEM and the cloud.
Cloud-Direct Integration – Many public cloud services offer well-defined mechanisms for pulling activity logs into third-party systems. For example, salesforce.com offers very powerful logging to its customers. Salesforce Event Log Files (ELF) enable products such as Exabeam to collect and classify activity logs. For other applications, check if your SIEM vendor has a content team developing connectors that are critical for your environment.
Cloud-Proxy Integration – Some organizations also use web proxies as a means of controlling and monitoring cloud and web activity. For example, SonicWALL or Barracuda web gateways might be used to collect activity outside of the corporate data center. A modern SIEM like Exabeam can ingest this data.
Cloud-Broker Integration – A third approach to cloud monitoring is the cloud access security broker, or CASB. Gartner recently recommended CASB as an approach for securing and monitoring cloud activity. A modern SIEM like Exabeam can ingest activity and log data from CASB products. It can also incorporate a combination of approaches described above including dedicated connectors to cloud applications and infrastructure.
Integrations like these enable supplemental use of other security solutions to enhance detection and response capabilities such as CASB or Identity and Access Management (IAM) tools, which use policies to ensure that only authorized people can access specific cloud services.
The processes described above focus on threat detection and response. Naturally, a security team will also need to implement controls for threat prevention. For an enterprise, securing its apps and data in the public cloud starts with ensuring that configurations are properly established and maintained: misconfiguration of cloud platforms is currently the single biggest threat to cloud security. Other common weaknesses are unauthorized access through misuse of employee credentials and improper access controls, and insecure application programming interfaces (APIs).
The importance of enterprises stepping up to do their part for cloud security cannot be overstated. According to Gartner, “through 2020, at least 99% of cloud security failures will be the customer’s fault.”
The veil shrouding cloud security will vanish with a modern SIEM and integration of cloud data. Details about extending a modern SIEM into the cloud, including survey results and analyst perspectives are provided in our white paper, Securing the Cloud with Modern SIEM Monitoring and Analytics. Find out how you can begin this essential journey.