As a security operations center (SOC) leader faced with supporting your organization’s digital transformation initiatives and migration to a cloud operating model, you might ask yourself: What does our transition to the cloud mean for my SecOps team? Will I need to overhaul my security stack and change all our processes? And how do I manage the hidden costs and complexity that might spring up? Michael Mumcuoglu, CEO & co-founder of CardinalOps, explores such questions and others that SecOps teams should be pondering.
The hesitancy is understandable. According to Google’s State of Cloud Threat Detection and ResponseOpens a new window report, four of every ten organizations shifted even more computing to the cloud over the past year. On average, organizations report maintaining sixty-five percent of their infrastructure in the cloud, with seventy-two percent using multi-cloud environments, meaning they use multiple public cloud computing and storage services from different vendors, such as AWS, Azure and GCP, in a single heterogeneous architecture.
And although the cloud does introduce new risks â€“ and will require a new mindset due to the differences in the way the cloud is designed â€“ there is a practical way to evolve your current detection posture while continuing to use your existing Security Information and Event Management (SIEM), without requiring drastic changes in your existing SOC teams and processes.
Here’s what stays the same, what changes, and what layers of the security stack you’ll need to prioritize and continue to learn about in order to maintain a safe detection posture in the cloud.
Native Cloud Security Benefits
The cloud is built on a software-defined architecture, making it theoretically easier to secure by default. In fact, the cloud is essentially a series of abstraction layers that enable you to centrally configure connectivity, permissions, and other parameters for tighter security. That means the cloud can potentially be easier to secure than an on-premises environment.
Additionally, the cloud enables an ongoing stream of security updates that are constantly informed by new threats, vulnerabilities, or attack techniques that other organizations have experienced, creating an accelerated feedback loop that benefits everyone in the defender community.
The Cloud Requires Increased but Simple Automation
A consistent themeOpens a new window among security professionals is the need for more automation to handle rapid and constant change in the cloud.
In fact, according to the State of Cloud Threat Detection and Response report mentioned above, ninety-one percent of cloud-heavy organizations â€“ those who have at least seventy percent of their computing in the cloud (vs. on-prem) say that â€œWe have to automate more if we want to keep up with the evolution of security threats,â€ compared to only eighty percent of other organizations.
Source: Google â€œState of Cloud Threat Detection and Responseâ€ Report
Add Cloud Monitoring Data Sources to Your Existing SIEM
Thankfully, robust competition among cloud providers has led to a diverse set of automated tools to secure your cloud infrastructure. As a result, many elements of threat monitoring are already built into their platforms.Â
For example (not a comprehensive list):
- AWS offers GuardDuty, AWS Security Hub, AWS Detective, and CloudTrail.
- Google offers Security Command Center and Chronicle SIEM.
- Microsoft provides Defender for Cloud, Identity and Access Management (IAM) monitoring via Azure Active Directory; and Microsoft Sentinel (SIEM).
But whatever cloud monitoring tools you choose, your existing SIEM will continue to be the heart of your SOC.Â
That means that your SIEM should ingest all cloud-related security alerts and log sources. You’ll also need to ensure your SIEM rule set includes all relevant detection rules to continuously analyze this data for any unauthorized or suspicious behavior in your cloud infrastructure. Some organizations have also implemented a multi-SIEM strategy that supplements their on-premises SIEM with a cloud-native SIEM from which they can derive cost savings benefits and longer retention periods.
Use Mitre ATT&CK To Identify and Prioritize Coverage Gaps
According to ESG researchOpens a new window , eighty-nine percent of organizations currently use MITRE ATT&CK. In fact, MITRE ATT&CK is now the universal language of security operations. It’s a global knowledge base of adversary behaviors and playbooks that goes far beyond the traditional focus on static IOCs (like malicious IP addresses) that can easily be changed by attackers.Â
Over 500 adversary techniques and sub-techniques used by cybercriminal groups such as APT28, the Lazarus Group, FIN7, and LAPSUS$ make up the MITRE ATT&CK framework, which empowers security teams to create a defense strategy informed by the latest threats and the threats most relevant to their organization.Â
One of the primary ATT&CK use cases for SecOps is tracking your current detection coverage and eliminating gaps over time â€“ and this applies equally to cloud detection coverage.Â
Accordingly, SOC teams should constantly familiarize themselves with the latest cloud-related techniques and vulnerabilities to build the right detections for their SIEM. In fact, MITRE has developed the ATT&CK Cloud Matrix, a subset of the ATT&CK Enterprise Matrix, which covers cloud-based tactics for SaaS platforms such as O365 and Google Workspace, as well as IaaS platforms.Â
In our experience, however, we’ve found that many organizations struggle with operationalizing MITRE ATT&CK in the SOC due to limited resources and expertise (beyond just using it as a reference source).Â
Some are still using manual approaches like spreadsheets and open source tools to track their MITRE ATT&CK coverage, but due to constant changes in the threat landscape and your attack surface, this can be a tedious, time-consuming, and error-prone approach for detection engineers.
Accordingly, look for automated solutions that continuously analyze your SIEM to identify and remediate gaps due to missing, broken, and noisy detections based on the adversary techniques and security layers most important to you (SaaS, IaaS, PaaS and containers, as well as traditional on-prem layers such as endpoint, network, email, IAM, etc.)
Deepen Your Team’s Understanding of Identity & Access Management (IAM)
The attack vectors for cloud environments â€“ including compromised credentials, misconfigurations, vulnerabilities, and supply chain attacks â€“ are similar to those targeting on-premise environments.
And although identity and access management (IAM) matters in both on-prem and the cloud, it matters a whole lot more in the cloud. That means your SOC team should be learning more about IAM admin console logs and authentication logs, which are your non-negotiable telemetry sources in the cloud.Â
At its most stripped-down level, IAM is the management of who has access to what at any given time, including access to projects and resources such as storage buckets and containers. A key element of a zero-trust security strategy is hyper-focused on identities and processes, prioritizing creating a least-privileged state within your infrastructure.Â
However, according to a data-driven analysis of production SIEMsOpens a new window conducted by CardinalOps â€“ including Splunk, Microsoft Sentinel, and IBM QRadar â€“ only twenty-five percent of security operations teams that forward identity logs (ex: Active Directory or Okta to their SIEM) use them in their detection rules. This is a major gap between the tools in place and actual detection coverage, and it results in organizations being exposed due to identity-based compromises.Â
Additionally, according to Google’s Threat Horizons ReportOpens a new window :
- Weak passwords are the most common attack vector in the cloud, resulting in forty-one percent of observed compromises.
- The relationship between identity and trust will become even more complex this year, presenting a roadblock to security operations teams’ visibility. With limited visibility, cybercriminals will have a much deeper threat to organizations.Â
- Threat actors are recognizing the immense value of attacking identities over endpoints. For example, Google predicts an increase in threat actors targeting identities that allow them to enact cross-platform authentication.Â
- There are plenty of examples of nation-state threat actors abusing identity for their malicious purposes. One example is APT10, a Chinese Government threat group, which launched their Cloud Hopper campaign. This campaign shifted from exploiting MSP access to VPN technology. Another example is APT29, a Russian Government threat group, which has been seen compromising M365 and other workspaces in the cloud.Â
- Google predicts that there will likely be an incident this year of a cybercriminal manipulating its way into a customer environment through a CSP. They will then use that access to break into different CSPs, either because there was a lack of proper IAM controls or a lax trust architecture.Â
Keep a Close Eye on Your SAAS Applications and Containers
Another thing to keep in mind when securing your cloud infrastructure is the need to monitor SaaS applications and containers.
In the case of SaaS applications such as Office 365, you’ll need to monitor its administrative logs for suspicious activity such as broad permissions being assigned to new users, account hijacking, disabling of audit logging, and virtual directory enumeration, which was used by APT 29 in the SUNBURST attack during the reconnaissance stage.
Another piece of this puzzle is containerized applications and microservices, which are seeing rapid growth in the cloud-native world. In fact, sixty-eight percent of organizations are running containers, according to Red Hat research. Due to the dynamic nature of microservices-based application environments, monitoring them can be a hefty challenge, and they are likely to bring a significant volume of data to your SIEM platform.
Managing additional data sources isn’t the only challenge. It’s also about ensuring your team has the up-to-date knowledge and skills to monitor application-layer log sources for Kubernetes environments. Traditional monitoring tools for on-prem often fail at this since they struggle with the distributed nature of microservices. Cloud-native container monitoring tools pick up the activity that may otherwise fall through the cracks.
A recent cloud breach example that highlights the risk of insufficient cloud monitoring is one involving a major SaaS provider. In this attack, the malicious actor targeted a DevOps engineer’s home computer in order to access the company’s development environment. They subsequently used that access to perform reconnaissance, enumeration, and exfiltration activities related to the cloud storage environment â€“ all without being detected by any monitoring tools over a period of several months.
After obtaining the decryption keys needed to access AWS S3 production backups, the threat actor copied information from the backup that contained basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing their service.
The attack was eventually discovered when a cloud monitoring tool alerted the SOC that the threat actor was attempting to use Cloud IAM roles to perform an unauthorized activity.
Tackling Blind Spots in Cloud Environments
The multi-layered attack described above highlights some of the blind spots that can arise in cloud environments.Â
As we’ve seen, however, you can be better prepared to defend your cloud infrastructure by following a few key principles, including:
- Leverage automation wherever possible
- Add cloud infrastructure monitoring and cloud security data sources to your existing SIEM
- Use MITRE ATT&CK to identify and prioritize coverage gaps
- Deepen your team’s understanding of identity & access management (IAM)
- Keep a close eye on your SaaS applications and containers
How are you managing the challenges of cloud migration for your SOC? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . We’d love to hear from you!
MORE ON SOC (SECURITY OPERATIONS CENTER)
- The Journey to Autonomous SOC: The Current State of Automation and What’s Next
- How Intelligent Automation and AI Address Key Problems Facing the SOC
- How to Tackle the Four Most Common SecOps Challenges
- How to Start Modernizing Your Security Operations
- Security Operations Centers (SOCs) May Be the Key as Companies Look To Improve Their Cyber Defenses