SOCstock 2021 The Cloud-native SOC

  1. A cloud-native SOC? Say what? Dr. Anton Chuvakin, https://medium.com/anton-on-security and @anton_chuvakin, Chronicle / Google Cloud Security
  2. Inspiration: a hypothesis - if you are a cloud-native, you don’t need a SOC ... True or false?
  3. Outline
     ● SOC in 2021 - a quick reminder
     ● Cloud-native … what does it even mean?
     ● SOC + cloud-native = ???
     ● Changes to expect
       ○ Technology changes
       ○ Process changes
       ○ People changes
     ● What to do? More questions than answers...
  4. SOC?
  5. First Things First: A SOC is Still … a SOC :-)
     “A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.” – Gartner
     SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
  6. Reminder: Modern SOC (SOCstock 2020)
     ● Process structures around threats, not alerts
     ● Deeper testing and coverage analysis
     ● Teams are organized by skill, not rigid level
     ● Multiple visibility approaches, not just logs
     ● SOC elegantly uses third party services
     ● Automation via SOAR works as a force multiplier
     ● Threat intelligence is consumed and created
     ● Threat hunting covers cases where alerts never appear
  7. Cloud-native?
  8. Cloud-native = Born in the Cloud, Lives ...?
     “Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.”
  9. SOC + Cloud-native - Impact Assessment?
  10. First … Traditional SOC Monitors Cloud, This Happens!
     Note: some of this is about CLOUD and some is about CLOUD-NATIVE!
     ● Uncommon log collection methods
     ● Telemetry data volumes may be high
     ● Alien licensing models for security tools
     ● Alien detection context (!)
     ● Lack of clarity on cloud detection use cases
     ● Governance sprawl
     ● SOC teams lacking cloud skills
     ● Ill-fitting tools
     ● Lack of input from SOCs into cloud decisions
  11. TOOLS: Triad of Visibility + Cloud-native = ???
     ● Logs (such as via SIEM): Still works! More logs of different types in the cloud.
     ● Network data (such as via NDR): It depends. Not for SaaS, limited for PaaS, and constrained by encryption.
     ● Endpoint data (such as via EDR): It depends. Not for SaaS or PaaS. Works for VMs and some containers.
     ● NEW: application observability: New to cloud, but not fully explored for security use cases
     Note: Cloud or Cloud-native here?
  12. TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS
              EDR       NDR       Logs    CASB
     IaaS     OK (*)    OK (*)    OK      NO (*)
     PaaS     NO        Sort of   OK      Sort of
     SaaS     NO        NO        OK      OK
     Fortunately, SOAR works with all of them … Hi SIEMplify :-)
  13. Detour: OK, What if I am “All SaaS”?
     CASB … one of the nastier Gartner acronyms … that is ... until CNAPP arrived [sorry, former colleagues] :-)
     “Can CASB be my SIEM?” -- Well, sort of ...
     “BTW, WTH is CNAPP?” -- Well, look this up, will ya?
  14. PRACTICES: Security Meets Cloud Native
     Core SOC practices remain:
     ● Build detections (*)
     ● Detect threats
     ● Triage
     ● Investigate
     ● Remediate (*)
     New practices around SOC:
     ● CI/CD and “C-everything”
     ● DevOps and friends
     ● Faster everything
     ● Automated everything
     ● Developer-led everything
     ● Everything as code
     Note: super-simplistic view of SOC here!
     Note: development skills in the SOC: to code and to understand!
  15. Some Answers: Cloud Process + Classic SOC
                          Adapt FIRST...                                                            … Steal SECOND!
     CI/CD process        Applications change, need good asset coverage and vulnerability context   CI/CD for detections
     IT automation        Need to integrate to not be left behind                                   SOAR and friends, security ops automation
     Everything as code   Absorb new context around infrastructure                                  Detection as code
  16. PEOPLE: SOC Skills vs Cloud Skills
     Classic SOC skills:
     ● Packet decoding
     ● Network IDS
     ● Windows security
     ● Linux/Unix security
     ● Threat intelligence
     ● SIEM/log analysis
     Cloud skills:
     ● Containers
     ● DevOps tools
     ● Serverless
     ● Infrastructure as code
     ● Everything as code
     Note: development skills in the SOC; “detection as code” means you need to code!
  17. What to Do?
  18. Going SOC-less for Cloud Natives?
     Insight: SOCless detection … … is a SOC, perhaps a modern SOC, but SOC nonetheless.
  19. Cloud-native SOCless?
     ● No room full of analysts, so no physical SOC
     ● No analyst-only roles and so no hard tiers / levels of 1,2,3
     ● “Analysts” = detection engineers
     ● Federated response; the best party responds (!)
     ● Detection team works closely with teams doing preventative security
     ● Detection team works closely with developers
     ● Pipelines from event sources to machines and/or humans, and they work well.
  20. You say “SOCless”, I say “modern SOC”. SOC = detection team!
  21. Select Lessons for On-premise Immigrants...
     ● NEW MONITORING SUBJECTS
       ○ Virtual machines [on a hypervisor you don’t own]
       ○ Containers
       ○ Functions and services
       ○ SaaS services
     ● NEW MONITORING DATA SOURCES
       ○ Cloud platform logs (e.g. GCP Cloud Audit Log)
       ○ Various other logs
       ○ Observability (in-app telemetry, essentially logs)
     ● NEW MONITORING CONTEXT
       ○ Account, resource group, distinguished names (sir? :-))
  22. Select Observations on What to Expect
     ● Data flows vs wires; no more hardware-based security planning
     ● More application security monitoring (CASB, SaaS security, observability - all relate to applications)
     ● More “as code” (both “detection as code” and threat detection in CI/CD environments)
     ● More automation (SOAR links to IT automation) and higher speed
     ● Some on-premise approaches are worse-fit than others - and some don’t fit at all (passing hyperscale application access via an appliance on-premise)
  23. Recommendations for Cloud-native SOC Success
     ● If SOC = detection team, then SOC lives on in the cloud-native world
     ● Modernize your SOC but preserve the mission: detection and response
     ● Evolve SOC to more automation to catch up with modern IT
     ● “DevOps” your detection engineering (Dev = content creator, Ops = analyst)
     ● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend
     ● Learn new detection context
     ● Mercilessly discard tools that don’t fit the cloud practices or fail to support cloud technology
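The “detection as code” / “CI/CD for detections” idea from slide 15 and the new data sources and context from slide 21 (GCP Cloud Audit Log; account and resource context) as one added example that is not from the deck: two detection rules written as version-controlled Python functions, run over constructed Cloud Audit Log entries, with each alert enriched with project, principal and resource. The field names follow the Cloud Audit Log schema; the log entries, rule names and all values are constructed.

```python
# Added example (not from the slides): "detection as code" over constructed
# GCP Cloud Audit Log entries. Rules are plain functions kept in version
# control; assertions run in CI gate a rule change before it is deployed.
import json

# Constructed sample: three Admin Activity entries using Cloud Audit Log field names.
SAMPLE_LOG = r'''
{"protoPayload":{"methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/demo-prod","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:bob@example.com"}]}}},"resource":{"type":"project","labels":{"project_id":"demo-prod"}}}
{"protoPayload":{"methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"ci-deploy@demo-prod.iam.gserviceaccount.com"},"resourceName":"projects/demo-prod/zones/us-central1-a/instances/web-7"},"resource":{"type":"gce_instance","labels":{"project_id":"demo-prod"}}}
{"protoPayload":{"methodName":"storage.setIamPermissions","authenticationInfo":{"principalEmail":"carol@example.com"},"resourceName":"projects/_/buckets/demo-backups","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}},"resource":{"type":"gcs_bucket","labels":{"project_id":"demo-prod"}}}
'''

def _binding_deltas(entry):
    """IAM binding changes carried by an entry ([] for non-IAM events)."""
    sd = entry.get("protoPayload", {}).get("serviceData", {})
    return sd.get("policyDelta", {}).get("bindingDeltas", [])

def rule_owner_granted(entry):
    """Fires when roles/owner is ADDed to any member on a project."""
    return any(d.get("action") == "ADD" and d.get("role") == "roles/owner"
               for d in _binding_deltas(entry))

def rule_public_grant(entry):
    """Fires when a binding is ADDed for allUsers or allAuthenticatedUsers."""
    return any(d.get("action") == "ADD"
               and d.get("member") in ("allUsers", "allAuthenticatedUsers")
               for d in _binding_deltas(entry))

# The rule catalogue itself is code: reviewed, versioned and tested like any other.
RULES = {"gcp_owner_granted": rule_owner_granted,
         "gcp_public_grant": rule_public_grant}

def run_rules(log_text, rules=RULES):
    """Evaluate every rule over JSON-lines input; return alerts carrying cloud context."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        pp = entry.get("protoPayload", {})
        for name, rule in rules.items():
            if rule(entry):
                # Context a cloud SOC needs: project, acting principal, target resource.
                alerts.append({"rule": name, "method": pp.get("methodName"),
                               "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
                               "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
                               "resource": pp.get("resourceName")})
    return alerts
```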
