enterprisesecuritymag

Security Operations and Incident Response in Hybrid Cloud and Legacy On-Premise Environments

By Devon Bryan, Executive Vice President, and Chief Information Security Officer at Federal Reserve System

Organizations seek to harness the power of cloud technologies to accelerate their go-to-market strategies, drive innovation, and transform legacy business processes. The teams charged with the frontline cyber defense of this expanded attack surface are increasingly challenged to scale their traditional on-premises security operations and incident response technologies, tactics and procedures to support business operations in these new domains, all while up-skilling and re-skilling their practitioners.

Easiest vs. Optimal

The traditional approach to premises-based security information and event management (SIEM) deploys log-collection platforms that collect, normalize, and centralize data for subsequent fusion and analysis. That model has been proven to work with variable degrees of success, despite the alarming year-over-year trend in attacker “dwell time” widely reported in industry publications. Much depends, of course, on the cyber maturity of the organization, the skill of its cyber defenders, and their ability to cope with “alert fatigue.”

It is understandable that conventional wisdom leads cyber defenders, in their initial foray into defending their organization’s cloud expansion, to backhaul cloud events, logs, and data to the on-premises SIEM platforms where they have extensive investment and familiarity. That model, however, is fraught with problems: not only the cost of the data transfers, which grows with log volume, but also the delay it introduces before any proactive, real-time automation and orchestration of detection and response playbooks can act on a cloud event.

Tomorrow’s Cloud Analytics 

Arguably, a more refined approach turns on the foundational decision of whether to backhaul cloud data on-premises or to “leave cloud data in the cloud.” Much can be said for the advantages of “bringing the analytics to the data” rather than bringing the data to the analytics. Anecdotal evidence to date suggests that keeping cloud data in the cloud, while providing a seamless and integrated experience to analysts across all data sets, can be quite a game-changer for cyber defenders. As appealing as that model sounds, great care has to be taken to reduce “swivel chairing” for the cyber analyst between cloud SIEM console(s) and premises-based SIEM console(s): a detection that needs both data sets to fire is only as good as the layer that fuses them.
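To make the normalize-then-fuse step from “Easiest vs. Optimal” and the single-view argument above concrete, here is an added illustration in Python. It is not the author’s code or any SIEM product’s; the syslog lines and the CloudTrail-shaped console-login records are constructed samples, the common `AuthEvent` schema and the field names are assumptions of the example, and the year and UTC zone supplied for the syslog timestamps are likewise assumed. One rule (several failures from an IP followed by a success, from any source, within a window) runs over the fused stream; run over the cloud records alone, the same rule stays silent, which is the swivel-chair problem in miniature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (illustration only, not real data): sshd syslog
# lines from an on-premises bastion and console-login audit records in a
# CloudTrail-like shape. The same source IP, 203.0.113.7, appears in both.
SYSLOG_LINES = [
    "Mar 12 03:14:07 bastion01 sshd[4121]: Failed password for root from 203.0.113.7 port 51344 ssh2",
    "Mar 12 03:14:09 bastion01 sshd[4121]: Failed password for root from 203.0.113.7 port 51346 ssh2",
    "Mar 12 03:15:30 bastion01 sshd[4130]: Failed password for invalid user deploy from 198.51.100.9 port 40022 ssh2",
]
CLOUD_RECORDS = [
    {"eventTime": "2024-03-12T03:20:01Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "admin"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-03-12T03:20:05Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "admin"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


@dataclass(frozen=True)
class AuthEvent:
    """Common schema both sources are normalized into (an assumed schema)."""
    ts: datetime   # timezone-aware, UTC
    source: str    # "onprem" or "cloud"
    host: str
    user: str
    src_ip: str
    outcome: str   # "success" or "failure"


SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_syslog(line, year, tz=timezone.utc):
    """Normalize one sshd line, or return None if it is not an auth event.
    Classic syslog timestamps carry neither year nor zone, so the collector
    has to supply both; without that, cross-source time windows are wrong."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return AuthEvent(ts, "onprem", m["host"], m["user"], m["ip"], outcome)


def parse_cloud(rec):
    """Normalize one console-login audit record; None for any other event."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ok = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
    return AuthEvent(ts, "cloud", "console", rec["userIdentity"]["userName"],
                     rec["sourceIPAddress"], "success" if ok else "failure")


def detect_failures_then_success(events, min_failures=2, window=timedelta(minutes=10)):
    """One rule over the fused stream: alert on a successful login from a source
    IP that produced at least min_failures failures, from any source, within
    the window before it. Returns a list of alert dicts."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda x: x.ts):
        by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev.outcome != "success":
                continue
            prior = [p for p in evs[:i] if p.outcome == "failure" and ev.ts - p.ts <= window]
            if len(prior) >= min_failures:
                alerts.append({
                    "src_ip": ip, "user": ev.user, "success_source": ev.source,
                    "failures": len(prior),
                    "sources": sorted({p.source for p in prior} | {ev.source}),
                })
    return alerts


def run_demo():
    """Run the rule over the fused stream and over the cloud records alone."""
    onprem = [e for e in (parse_syslog(ln, 2024) for ln in SYSLOG_LINES) if e]
    cloud = [e for e in (parse_cloud(r) for r in CLOUD_RECORDS) if e]
    return {
        "fused": detect_failures_then_success(onprem + cloud),
        "cloud_only": detect_failures_then_success(cloud),
    }


if __name__ == "__main__":
    for view, alerts in run_demo().items():
        print(view, alerts if alerts else "no alerts")
```

The fused view raises one alert for 203.0.113.7 with three prior failures spanning both sources; the cloud-only view raises none, because a single console failure is below the threshold. Whether the fusion happens in a cloud-native SIEM or after backhaul, the schema and the clock (year, zone, and skew between collectors) are what make the cross-source window meaningful.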

Future Outlook

Looking ahead only slightly, we should expect a continued, phased build-out of security operations and incident response platforms that support not just multi-cloud deployments but also hybrid cloud configurations. Cyber defenders should also expect to leverage advanced cloud service capabilities for not just multi-cloud detection but also automated response.

Additional Considerations

In addition to the purely technical challenges of multi-cloud cyber defense, there are managerial and operational challenges that need to be resolved well in advance of the first cloud workload being enabled. These include, but are not limited to:

• Defining roles and responsibilities for incident response and for administrative configurations, safeguards and controls under the cloud shared responsibility model
• Re-evaluating the governance structure (understanding how DevSecOps is implemented)
• Leveraging new governance patterns to gate and inform appropriate levels of monitoring
• Refreshing playbooks, adapted to the cloud technology stack and its threat scenarios, with business-line engagement for tabletop exercises
• Upskilling and reskilling incident response personnel
• Ensuring interoperability with existing on-premises security stacks for timely response efforts
• Weighing the cost of data volume, given how rapidly cloud capacity can be expanded
