A cloud-native SOC? Say what?
Dr. Anton Chuvakin
https://medium.com/anton-on-security and @anton_chuvakin
Chronicle / Google Cloud Security
Inspiration: a hypothesis - if you are cloud-native, you don't need a SOC ... True or false?
● SOC in 2021 - a quick reminder
● Cloud-native … what does it even mean?
● SOC + cloud-native = ???
● Changes to expect
○ Technology changes
○ Process changes
○ People changes
● What to do? More questions than answers...
A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.
First Things First: A SOC is Still … a SOC :-)
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
Reminder: Modern SOC (SOCstock 2020)
by skill, not
not just logs
works as a
“Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.

These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.”
Cloud-native = Born in the Cloud, Lives ...?
First … Traditional SOC Monitors Cloud, This Happens!
Note: some of this is about
CLOUD and some is about
● Uncommon log collection methods
● Telemetry data volumes may be high
● Alien licensing models for security tools
● Alien detection context (!)
● Lack of clarity on cloud detection use cases
● Governance sprawl
● SOC teams lacking cloud skills
● Ill-fitting tools
● Lack of input from SOCs into cloud decisions
TOOLS: Triad of Visibility + Cloud-native = ???
Logs (such as via ...): Still works! More logs of different types in the cloud.
Network data (such as via NDR): It depends. Not for SaaS, limited for PaaS, and constrained by ...
Endpoint data (such as via EDR): It depends. Not for SaaS or PaaS. Works for VMs and some ...
New to cloud, but not fully explored for security use cases
Note: Cloud or Cloud-
TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS
        EDR       NDR       Logs   CASB
IaaS    OK (*)    OK (*)    OK     NO (*)
PaaS    NO        Sort of   OK     Sort of
SaaS    NO        NO        OK     OK
Fortunately, SOAR works with all of them … Hi SIEMplify :-)
Detour: OK, What if I am “All SaaS”?
CASB … one of the nastier Gartner acronyms … that is ...
until CNAPP arrived [sorry, former colleagues] :-)
“Can CASB be my SIEM?” -- Well, sort of ...
“BTW, WTH is CNAPP?” -- Well, look this up, will ya?
PRACTICES: Security Meets Cloud Native
Core SOC practices remain:
● Build detections (*)
● Detect threats
● Remediate (*)
New practices around SOC:
● CI/CD and “C-everything”
● DevOps and friends
● Faster everything
● Automated everything
● Developer-led everything
● Everything as code
view of SOC here! Note: development skills in the SOC: to code and to understand!
Some Answers: Cloud Process + Classic SOC
Adapt FIRST... … Steal SECOND!
● CI/CD process. Adapt first: applications change, need good asset coverage and ... Steal second: CI/CD for detections.
● IT automation. Adapt first: need to integrate to not be ... Steal second: SOAR and friends, security ops automation.
● Everything as code. Adapt first: absorb new context around ... Steal second: detection as code.
PEOPLE: SOC Skills vs Cloud Skills
Classic SOC skills:
● Packet decoding
● Network IDS
● Windows security
● Linux/Unix security
● Threat intelligence
● SIEM/log analysis
Cloud skills:
● DevOps tools
● Infrastructure as code
● Everything as code
Note: development skills in the SOC; “detection as code” means you need to code!
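What “detection as code” looks like in practice, as an added example that is not from the original slides: a detection rule is an ordinary Python function, it ships with its own positive and negative test cases, a CI gate refuses to promote a rule whose cases fail, and the same rule is then run over a newline-delimited JSON event stream the way a pipeline stage would. The sample events are constructed and only modelled on the shape of GCP Cloud Audit Log entries (the protoPayload, methodName, authenticationInfo and serviceData.policyDelta.bindingDeltas field names are an assumption to verify against the live schema, not copied from a real log), and all names and addresses are invented.

```python
"""Detection-as-code sketch: the rule is code, its tests are code, CI runs both.
Added example, not from the slides. Event layout is modelled on Cloud Audit Log
entries but is a constructed assumption; check field names against the real schema."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]


def get(event: Event, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


@dataclass
class Rule:
    name: str
    severity: str
    matches: Callable[[Event], bool]
    # Each rule carries its own cases so the CI gate can reject a broken rule.
    should_fire: List[Event] = field(default_factory=list)
    should_not_fire: List[Event] = field(default_factory=list)


PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}


def adds_privileged_binding(event: Event) -> bool:
    """Fire on a SetIamPolicy call whose binding delta ADDs an owner or editor role."""
    if get(event, "protoPayload.methodName") != "SetIamPolicy":
        return False
    deltas = get(event, "protoPayload.serviceData.policyDelta.bindingDeltas") or []
    return any(d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES for d in deltas)


def audit_event(method: str, principal: str, deltas: Optional[list] = None) -> Event:
    """Build a constructed event shaped like a Cloud Audit Log entry (assumed layout)."""
    payload: Event = {
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": "projects/example-project",
    }
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"protoPayload": payload, "resource": {"type": "project"}}


def binding(action: str, role: str, member: str) -> dict:
    return {"action": action, "role": role, "member": member}


IAM_PRIVILEGED_GRANT = Rule(
    name="gcp_iam_privileged_role_added",
    severity="high",
    matches=adds_privileged_binding,
    should_fire=[
        audit_event("SetIamPolicy", "alice@example.com", [binding("ADD", "roles/owner", "user:bob@example.com")]),
    ],
    should_not_fire=[
        audit_event("SetIamPolicy", "alice@example.com", [binding("ADD", "roles/viewer", "user:bob@example.com")]),
        audit_event("SetIamPolicy", "alice@example.com", [binding("REMOVE", "roles/owner", "user:bob@example.com")]),
        audit_event("GetIamPolicy", "alice@example.com"),
        audit_event("SetIamPolicy", "alice@example.com"),  # no serviceData at all: must not crash
    ],
)


def self_test(rule: Rule) -> List[str]:
    """Return failure descriptions; an empty list means the rule passes its own cases."""
    failures = []
    for ev in rule.should_fire:
        if not rule.matches(ev):
            failures.append(f"{rule.name}: missed {get(ev, 'protoPayload.methodName')}")
    for ev in rule.should_not_fire:
        if rule.matches(ev):
            failures.append(f"{rule.name}: false positive on {get(ev, 'protoPayload.methodName')}")
    return failures


def ci_gate(rules: List[Rule]) -> bool:
    """What the CI job runs on every change to the detection repository."""
    return all(not self_test(r) for r in rules)


def run_rules(rules: List[Rule], ndjson: str) -> List[dict]:
    """Apply rules to newline-delimited JSON events, as a pipeline stage would."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for r in rules:
            if r.matches(ev):
                findings.append({"rule": r.name, "severity": r.severity,
                                 "principal": get(ev, "protoPayload.authenticationInfo.principalEmail"),
                                 "resource": get(ev, "protoPayload.resourceName")})
    return findings


# Constructed three-line log: a benign read, a viewer grant, and a self-granted owner role.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    audit_event("GetIamPolicy", "svc-ci@example.com"),
    audit_event("SetIamPolicy", "alice@example.com", [binding("ADD", "roles/viewer", "user:bob@example.com")]),
    audit_event("SetIamPolicy", "contractor@example.com", [binding("ADD", "roles/owner", "user:contractor@example.com")]),
])

if __name__ == "__main__":
    assert ci_gate([IAM_PRIVILEGED_GRANT]), self_test(IAM_PRIVILEGED_GRANT)
    for finding in run_rules([IAM_PRIVILEGED_GRANT], SAMPLE_LOG):
        print(finding)
```

The point of bundling cases with the rule is that a change to the rule and a change to its expected behaviour land in the same commit and are reviewed together, which is the same discipline developers already apply to application code; the "no serviceData" case is there because real audit entries for the same method do not always carry the same optional fields, and a rule that crashes on a missing key silently blinds the pipeline.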
Going SOC-less for Cloud Natives?
Insight: SOCless detection …
… is a SOC, perhaps a modern SOC, but
● No room full of analysts, so no physical SOC
● No analyst-only roles and so no hard tiers / levels of 1,2,3
● “Analysts” = detection engineers
● Federated response; the best party responds (!)
● Detection team works closely with teams doing preventative
● Detection team works closely with developers
● Pipelines from event sources to machines and/or humans, and they work well.
You say “SOCless”
I say “modern SOC”
Select Lessons for On-premise Immigrants...
● NEW MONITORING SUBJECTS
○ Virtual machines [on a hypervisor you don’t own]
○ Functions and services
○ SaaS services
● NEW MONITORING DATA SOURCES
○ Cloud platform logs (e.g. GCP Cloud Audit Log)
○ Various other logs
○ Observability (in-app telemetry, essentially logs)
● NEW MONITORING CONTEXT
○ Account, resource group, distinguished names (sir? :-))
Select Observations on What to Expect
● Data flows vs wires; no more hardware-based security planning
● More application security monitoring (CASB, SaaS security, observability - all relate to applications)
● More “as code” (both “detection as code” and threat detection in
● More automation (SOAR links to IT automation) and higher speed
● Some on-premise approaches are worse-fit than others - and some don't fit at all (passing hyperscale application access via an appliance on-premise)
Recommendations for Cloud-native SOC Success
● If SOC = detection team, then SOC lives on in the cloud-native world
● Modernize your SOC but preserve the mission: detection and
● Evolve SOC to more automation to catch up with modern IT
● “DevOps” your detection engineering (Dev = content creator, Ops =
● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend
● Learn new detection context
● Mercilessly discard tools that don't fit the cloud practices or fail to support cloud technology