For decades, Security Operations Centers (SOCs) have been at the foundation of organizational security and risk mitigation. SOCs perform critical operations, helping to keep systems updated and handling the day-to-day monitoring of organizational IT.
In recent years, their responsibility and mandate have expanded along with the accelerating pace of cloud transformation, because the SOC is no longer called upon only to secure on-premises systems. Teams must manage IT and business assets dispersed across multiple public clouds and software-as-a-service (SaaS) platforms. A recent ESG (Enterprise Strategy Group) study on multi-cloud networking trends highlighted that most organizations are using 3 or more public clouds and over 250 business applications; the territory SOC teams now need to cover is vast.
With on-premises identity and access management controls, it was much easier for the SOC to keep track of who was accessing what, and where. Microsoft Active Directory and similar on-premises systems gave them a straightforward way to trace access across the on-premises enterprise. On-premises Microsoft Active Directory services have existed since 1999, and the security world has spent multiple decades improving monitoring and response to on-premises incidents and security issues. With on-premises applications, it was easier for SOC teams to monitor logs and keep them local for analysis.
But what happens in the cloud, when most of the applications your organization uses don't depend on the on-premises controls the SOC relies on? What happens when the logs you used to hold on premises are now managed across cloud vendors and application providers?
This current reality sets up five vital things SOC teams are often missing in cloud security:
The Sightline Challenge for SOC Teams with Cloud and SaaS
To be effective, security operations and SOC teams need to have visibility into cloud operations; that is not always easy to get.
Forensic investigations in the cloud involve collecting and analyzing logs to understand attacker activity, including which files were accessed and how the attacker got in. A common challenge is that SOC teams lack complete visibility into cloud activity and don't have access to all the forensic data needed for effective incident response. The volume and variety of cloud data make it hard for SOC teams to ingest and analyze. The lack of standards across providers means more manual effort is needed to normalize and correlate data. An investigation is the telling of the story of what happened; imagine telling a story where the plot goes blank at crucial junctures.
There has also been a focus on prevention rather than detection and response in many SOCs. Teams have long been concerned with vulnerability management, and that remains important, but there is more to do.
In the cloud, organizations need more mature detection and response capabilities to identify threats. It's just not possible to prevent every type of risk in the cloud, but what is possible is to narrow down the time to detection and remediation, which serves to dramatically reduce risk. The shared responsibility model makes the vendor responsible for patching and taking care of the core elements and infrastructure, so in some cases prevention isn’t achievable for the security teams.
Every SOC already has a lengthy list of tools to deploy and manage that includes SIEM (Security Information and Event Management) and, more recently, SOAR (Security Orchestration, Automation, and Response) technologies. Those technologies can ingest logs, but you need to know where to find them, and they need to be collected with the right degree of detail in the first place. Even if the logs exist, SOC teams still often need to configure their own alerts, which can be challenging because of the complexity of cloud and SaaS providers' formats and data. Moving from one SaaS provider to a different one that offers the same service doesn’t mean the logs will look the same, so custom detections are useless until they are rewritten for the new format.
Adding to the challenge, many SOC workflows still depend heavily on manual investigation, which does not scale in cloud environments. Lack of automation and orchestration creates delays and gaps.
Closing the Cloud Security Gap
To close the cloud security gap, SOC teams need solutions that provide unified visibility, focus on detection and response, automate cloud data ingestion and analysis, and augment staff with cloud security expertise.
SOC and SecOps teams need tools that:
- Give visibility into user activities across cloud environments
- Ingest and normalize data from diverse cloud sources
- Detect anomalous behavior and threats in real time
- Automate investigations and response to accelerate them
- Provide context to help analysts understand the impact of threats
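The normalization problem described above, where each provider's logs look different and a custom detection stops working the moment the format changes, is easiest to see in code. The following is an added example, not code from the original post or from any vendor: two hypothetical SaaS providers (called provider_a and provider_b here) emit audit logs in different shapes (nested JSON with epoch-millisecond timestamps versus flat key=value text with ISO-8601 timestamps). A thin parser per provider maps both into one common schema, and a single detection rule (repeated login failures followed by a success for the same account) is written once against that schema. All field names, event types and sample log lines are constructed for illustration. The example also counts lines it could not parse, because silently dropped events are exactly the blind spots the investigation story goes blank on.

```python
"""Added example: normalize audit logs from two hypothetical SaaS providers into a
common schema, then run one detection rule across both. Formats are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: "provider_a" emits nested JSON, epoch milliseconds. Last line is malformed on purpose.
PROVIDER_A_LOGS = [
    '{"ts": 1717200000000, "actor": {"email": "Alice@example.com"}, "event": {"type": "LOGIN_FAILED"}, "client": {"ip": "203.0.113.10"}}',
    '{"ts": 1717200010000, "actor": {"email": "alice@example.com"}, "event": {"type": "LOGIN_FAILED"}, "client": {"ip": "203.0.113.10"}}',
    '{"ts": 1717200020000, "actor": {"email": "alice@example.com"}, "event": {"type": "LOGIN_FAILED"}, "client": {"ip": "203.0.113.10"}}',
    '{"ts": 1717200030000, "actor": {"email": "alice@example.com"}, "event": {"type": "LOGIN_SUCCESS"}, "client": {"ip": "203.0.113.10"}}',
    '{"ts": 1717200090000, "actor": {"email": "alice@example.com"}, "event": {"type": "FILE_DOWNLOAD"}, "client": {"ip": "203.0.113.10"}}',
    'this line is not JSON and should be counted as dropped',
]

# Constructed sample: "provider_b" emits flat key=value text with ISO-8601 timestamps.
PROVIDER_B_LOGS = [
    'time=2024-06-01T00:01:00Z user=bob@example.com action=auth.failure src=198.51.100.7',
    'time=2024-06-01T00:01:20Z user=bob@example.com action=auth.success src=198.51.100.7',
    'time=2024-06-01T00:02:00Z user=carol@example.com action=auth.failure src=192.0.2.44',
    'time=2024-06-01T00:02:10Z user=carol@example.com action=auth.failure src=192.0.2.44',
    'time=2024-06-01T00:02:20Z user=carol@example.com action=auth.failure src=192.0.2.44',
    'time=2024-06-01T00:02:30Z user=carol@example.com action=auth.success src=192.0.2.44',
    'time=2024-06-01T00:03:00Z user=carol@example.com action=file.download src=192.0.2.44',
]

# Provider-specific event names mapped onto a common vocabulary (constructed).
ACTION_MAP = {
    "LOGIN_FAILED": "login_failure", "auth.failure": "login_failure",
    "LOGIN_SUCCESS": "login_success", "auth.success": "login_success",
    "FILE_DOWNLOAD": "file_download", "file.download": "file_download",
}


def parse_provider_a(line: str) -> dict:
    """Map one provider_a JSON line onto the common schema: ts, user, action, src_ip, provider."""
    raw = json.loads(line)
    return {
        "ts": datetime.fromtimestamp(raw["ts"] / 1000, tz=timezone.utc),
        "user": raw["actor"]["email"].lower(),          # case-fold so the same account correlates
        "action": ACTION_MAP.get(raw["event"]["type"], "unknown"),
        "src_ip": raw["client"]["ip"],
        "provider": "provider_a",
    }


def parse_provider_b(line: str) -> dict:
    """Map one provider_b key=value line onto the same common schema."""
    kv = dict(token.split("=", 1) for token in line.split())
    return {
        "ts": datetime.fromisoformat(kv["time"].replace("Z", "+00:00")),
        "user": kv["user"].lower(),
        "action": ACTION_MAP.get(kv["action"], "unknown"),
        "src_ip": kv["src"],
        "provider": "provider_b",
    }


PARSERS = {"provider_a": parse_provider_a, "provider_b": parse_provider_b}


def normalize(provider: str, lines):
    """Parse every line; return (events, dropped_count). Dropped lines are visibility gaps worth alerting on."""
    events, dropped = [], 0
    for line in lines:
        try:
            events.append(PARSERS[provider](line))
        except (KeyError, ValueError):  # json.JSONDecodeError is a ValueError
            dropped += 1
    return events, dropped


def detect_failures_then_success(events, threshold=3, window_seconds=300):
    """One rule for all providers: >= threshold login failures for a user, then a success, within the window."""
    alerts, recent_failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "login_failure":
            recent_failures[ev["user"]].append(ev["ts"])
        elif ev["action"] == "login_success":
            window_start = ev["ts"] - timedelta(seconds=window_seconds)
            fails = [t for t in recent_failures[ev["user"]] if t >= window_start]
            if len(fails) >= threshold:
                alerts.append({"user": ev["user"], "provider": ev["provider"], "src_ip": ev["src_ip"],
                               "failures": len(fails), "ts": ev["ts"].isoformat()})
            recent_failures[ev["user"]].clear()   # a success closes the sequence
    return alerts


def run() -> dict:
    """Normalize both providers' logs, run the shared rule, and report parse gaps alongside alerts."""
    events, dropped = [], {}
    for name, lines in (("provider_a", PROVIDER_A_LOGS), ("provider_b", PROVIDER_B_LOGS)):
        parsed, bad = normalize(name, lines)
        events.extend(parsed)
        dropped[name] = bad
    return {"events": len(events), "dropped": dropped, "alerts": detect_failures_then_success(events)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The rule never touches a provider-specific field name, so onboarding a third provider means writing one parser and registering it in PARSERS; the existing detections keep working unchanged. The dropped count is the second thing to watch: a parser that quietly fails on a changed format leaves you with a clean dashboard and no coverage.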
Simply put, the cloud is different from on-premises, and if your organization can treat it as such, you’re already ahead of the game. Modern SOC teams that gain the understanding and tooling to fully manage their organization’s cloud and SaaS security set themselves up for greater success, and set their enterprises up for a higher level of risk mitigation and resilience.
Interested in applying these learnings to your organization? In this webinar, learn more about how teams operating in the cloud are working to educate and transform their in-house abilities for cloud threat detection, investigation, and response.