Organizations seek to harness the power of cloud technologies to accelerate their go-to-market strategies, drive innovation, and transform legacy business processes. Those within these organizations who are charged with the frontline cyber defense of this expanded threat surface are increasingly faced with the challenge of scaling their traditional on-premises security operations and incident response technologies, tactics, and procedures to support business operations in these new domains, all while ensuring the upskilling and reskilling of their practitioners.
Easiest vs. Optimal
The traditional approach to premises-based security information and event management (SIEM) involves the deployment of log-collection platforms that collect, normalize, and centralize data for subsequent fusion and analysis. That model has been proven to work with varying degrees of success, despite the alarming year-over-year trend in the "dwell time" of bad actors widely reported in industry publications. Success depends heavily, of course, on the cyber maturity of the organizations involved, the skill set of their cyber defenders, and their ability to cope with "alert fatigue."
It is understandable that conventional wisdom would lead cyber defenders, in their initial foray into defending their organization's cloud expansion, to try to backhaul cloud events, logs, and data to their on-premises SIEM platforms, where they have extensive investment and familiarity. That model, however, is fraught with problems related not only to the cost of the data transfers but also to the challenges of proactive, real-time automation and orchestration of detection and response playbooks.
Tomorrow’s Cloud Analytics
Arguably, a more refined approach should pivot around the foundational decision of whether to backhaul cloud data on-premises or to "leave cloud data in the cloud." Much can be said for the advantages of "bringing the analytics to the data" rather than bringing the data to the analytics. Anecdotal evidence to date suggests that keeping cloud data in the cloud, while providing a seamless and integrated experience to analysts for all data sets, can be quite a game-changer for cyber defenders. As appealing as that model sounds, great care has to be taken to reduce "swivel chairing" for the cyber analyst between cloud SIEM console(s) and premises-based SIEM console(s).
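To make "bringing the analytics to the data" concrete, here is an added Python example (not code from the article, and not any vendor's SIEM or cloud product) that runs two simple detection rules next to a constructed batch of cloud audit-style events and forwards only the resulting alert records, then compares the byte volume of the raw logs with the volume that would actually cross to an on-premises SIEM. The event schema, the `ADMIN_NETWORK` allowlist, the thresholds, and the sample records are all assumptions made for the illustration; the source addresses are RFC 5737 documentation ranges.

```python
"""Run detection beside the cloud logs; forward only alerts on-premises."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified audit-log shape (assumption: this
# is not any cloud provider's real schema). Addresses come from RFC 5737 ranges.
RAW_EVENTS = [
    {"time": "2024-05-01T10:00:01Z", "principal": "alice", "action": "ConsoleLogin",
     "result": "Failure", "source_ip": "203.0.113.5"},
    {"time": "2024-05-01T10:00:12Z", "principal": "alice", "action": "ConsoleLogin",
     "result": "Failure", "source_ip": "203.0.113.5"},
    {"time": "2024-05-01T10:00:40Z", "principal": "alice", "action": "ConsoleLogin",
     "result": "Failure", "source_ip": "203.0.113.5"},
    {"time": "2024-05-01T10:01:05Z", "principal": "alice", "action": "ConsoleLogin",
     "result": "Success", "source_ip": "203.0.113.5"},
    {"time": "2024-05-01T10:05:00Z", "principal": "bob", "action": "ListBuckets",
     "result": "Success", "source_ip": "198.51.100.20"},
    {"time": "2024-05-01T10:06:00Z", "principal": "root", "action": "CreateAccessKey",
     "result": "Success", "source_ip": "192.0.2.77"},
    {"time": "2024-05-01T10:07:00Z", "principal": "bob", "action": "GetObject",
     "result": "Success", "source_ip": "198.51.100.20"},
]

# Assumption: the network from which administrative actions are expected.
ADMIN_NETWORK = ipaddress.ip_network("198.51.100.0/24")
FAILURE_THRESHOLD = 3            # login failures that trigger an alert
FAILURE_WINDOW = timedelta(minutes=5)


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _size(record):
    """Bytes a record would occupy on the wire as compact JSON."""
    return len(json.dumps(record, separators=(",", ":")).encode("utf-8"))


def detect(events):
    """Apply two detection rules over the events and return alert records."""
    alerts = []
    failures = defaultdict(list)      # source_ip -> timestamps of recent failures
    already_alerted = set()
    for ev in events:
        ts = _parse_time(ev["time"])
        # Rule 1: repeated console-login failures from one source address
        # inside a sliding window; alert once per address.
        if ev["action"] == "ConsoleLogin" and ev["result"] == "Failure":
            ip = ev["source_ip"]
            recent = [t for t in failures[ip] if ts - t <= FAILURE_WINDOW]
            recent.append(ts)
            failures[ip] = recent
            key = ("repeated_login_failures", ip)
            if len(recent) >= FAILURE_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append({
                    "rule": key[0],
                    "source_ip": ip,
                    "count": len(recent),
                    "first_seen": recent[0].isoformat() + "Z",
                    "last_seen": ts.isoformat() + "Z",
                })
        # Rule 2: the privileged principal acting from outside the admin network.
        if (ev["principal"] == "root"
                and ipaddress.ip_address(ev["source_ip"]) not in ADMIN_NETWORK):
            alerts.append({
                "rule": "privileged_action_outside_allowlist",
                "principal": ev["principal"],
                "action": ev["action"],
                "source_ip": ev["source_ip"],
                "time": ev["time"],
            })
    return alerts


def run_in_cloud_detection(events):
    """Return the alerts plus raw-log bytes versus bytes actually forwarded."""
    alerts = detect(events)
    return {
        "alerts": alerts,
        "raw_bytes": sum(_size(e) for e in events),
        "forwarded_bytes": sum(_size(a) for a in alerts),
    }


if __name__ == "__main__":
    result = run_in_cloud_detection(RAW_EVENTS)
    for alert in result["alerts"]:
        print(json.dumps(alert))
    print(f"raw log bytes: {result['raw_bytes']}, "
          f"forwarded alert bytes: {result['forwarded_bytes']}")
```

The point is the shape of the pipeline rather than the two toy rules: the raw events never leave the cloud, the on-premises console receives compact alert records it can correlate with premises-based data, and the analyst still works one queue instead of swivel-chairing between consoles. Real deployments would add rule tuning, a retention store for the raw data in the cloud, and a way for analysts to pivot back into it when an alert needs context.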
Looking ahead ever so slightly, we should expect to see a continual phased shift and build-out of security operations and incident response platforms supporting not just multi-cloud deployments but also hybrid cloud configurations. Cyber defenders should also expect to be able to leverage advanced cloud service capabilities to support not just multi-cloud detection but also automated response.
In addition to the purely technical challenges of multi-cloud cyber defense, there are managerial and operational challenges that need to be resolved well in advance of the first cloud workload being enabled. These include, but are not limited to:
• Development of roles and responsibilities for incident response and for administrative configurations, safeguards, and controls (the cloud shared-responsibility model)
• Re-evaluation of the governance structure (understanding how DevSecOps is implemented)
• Leveraging new governance patterns to gate and inform appropriate levels of monitoring
• Refreshed playbooks, adapted to the cloud technology stack and its threat scenarios, with business-line engagement for tabletop exercises
• Upskilling and reskilling of incident response personnel
• Interoperability with existing on-premises security stacks for timely response efforts
• Cost considerations of data volume, given the availability of rapid capacity expansion