It’s increasingly common for business systems to be in the cloud rather than in-house, but this poses a whole host of new challenges when it comes to securing them.
We spoke to Dario Forte, Vice President and General Manager, Security Orchestration, at Cloud Management Specialist Sumo Logic, to learn more about what is involved in cloud security and how automation can help.
BN: Why is the move to the cloud making security more difficult, and what preparation will teams need to do?
DF: To begin with, it is important to recognize that the situation today is very different from that of a few years ago. The world of cloud computing is no longer just “someone else’s computer” and today there is so much more you can accomplish using these services. It also depends on the cloud provider or Software as a Service company you plan to work with. For larger vendors, their security is better than what many companies can achieve on their own – they have so many regulations and compliance requirements to meet, so they have to be extremely good at it to be successful.
However, this can lead to some assumptions on the part of companies that think they automatically get this level of security on their own cloud deployments by default, and that relieves them of thinking about their own responsibilities as well. While the large cloud providers cover security extremely well, they are not responsible for the applications you create on this cloud service. If they are going out of their way to make sure their infrastructure is secure, you should always look at what you are putting in place and follow best practices. This is where better data is needed to help you understand what’s going on and where potential issues may arise.
The real preparation that teams need is to interact continuously with your supplier partners, based on the data transmitted. You need to monitor the activity of your cloud systems and applications, and you need to be prepared from a security standpoint to understand if anything abnormal is going on.
BN: What approaches can teams take around their Security Operations Center (SOC) deployments?
DF: SOCs today are built with processes as a priority, where you define your processes and then use tools and technologies to support those workflows, to orchestrate the analytics and the people who work. This wasn’t always the case, as SOC teams would invest in tools and then have to modify their processes to make them fit, resulting in failures or services not performing as they should. Today’s teams are more pragmatic in their implementation, which makes them much more likely to be successful.
BN: Where do technologies like SOAR and SIEM come in, are they complementary or competitive?
DF: The SOC is structured around three axes. The first is the collection of data sources available to the team, so all the information entering the SOC on business activities. This provides analysts with all the data they might need to see if there is an ongoing incident.
The second is how all of that data is aggregated, and this is where Security Incident and Event Management (SIEM) is essential. SIEM correlates all of this incoming data and provides the investigation engines that perform the analysis, before sharing these potential incidents for follow-up.
This is where Security Orchestration, Automation and Response, or SOAR, comes in. It’s the last mile of the process after SIEM, and it helps these analysts be more productive in the way they investigate potential incidents. Without SOAR, your analysts will have to perform more manual investigations into anything reported by SIEM – this can add up to hundreds or thousands of alerts every day, which is not possible for the vast majority of teams. It’s also important to note that SOAR does not replace your team members. Instead, it makes staff more productive through automation and orchestration.
BN: How can you automate security processes and what is needed to make things work properly?
DF: The first thing is to have a clear vision of the process that exists today and how it works in practice. Many SOAR providers have existing workflows and processes that you can use to speed up the automation of your processes, but these might require a few modifications to function as you need them to. It’s best to pick two or three of your most common situations and make them work first, before moving on to other workflows.
Based on that, you can then develop your playbooks, which bring together the workflows and processes that your analysts perform with the tools and technologies that support them. Each playbook can cover the specific threats and scan requirements you want to perform. For example, you can run playbooks for phishing attacks up to more complex attacks and for IT operations.
It can shift between the tech world and attacks that are also in the physical world, which can quickly generate a lot of value. For example, you can use SOAR to make your investigative process easier on something like bank fraud, where otherwise it would be a manual process that takes a long time and cuts across different areas.
Along with that, it’s important to look at what’s going on before and after your implementation and perform ROI calculations. This basically compares how you approached this use case before and after deployment, so you can see how well your automation approach is working and if it saves you time and money compared to your previous manual process. In addition to providing you with proof of return on your investment, it provides a Key Performance Indicator (KPI) that you can track to see if you’ve been successful. With this type of KPI in place, you can check the results and look for other ways to improve. In this example I cited earlier, the bank could compare their manual credit card fraud investigation process with the same automated process using SOAR. It can demonstrate how much time was saved, how much money was saved, and how productivity increased.
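As an added illustration of the three axes Forte describes (data sources, SIEM correlation, SOAR playbooks) and of the before/after KPI from the answer above, here is a small self-contained Python sketch; it is not Sumo Logic code, and the sample events, the known-bad domain list and the minute figures are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry: the "first axis", data sources feeding the SOC
EVENTS = [
    {"ts": 100, "src": "auth", "ip": "198.51.100.7", "user": "alice", "ok": False},
    {"ts": 105, "src": "auth", "ip": "198.51.100.7", "user": "alice", "ok": False},
    {"ts": 110, "src": "auth", "ip": "198.51.100.7", "user": "alice", "ok": False},
    {"ts": 120, "src": "auth", "ip": "198.51.100.7", "user": "alice", "ok": True},
    {"ts": 130, "src": "mail", "reported_by": "bob", "sender": "it-help@examp1e-login.test"},
    {"ts": 135, "src": "mail", "reported_by": "dan", "sender": "newsletter@example.org"},
    {"ts": 140, "src": "auth", "ip": "203.0.113.9", "user": "carol", "ok": True},
]

def correlate(events, max_fail=3, window=60):
    """SIEM-style correlation (second axis): repeated failures followed by a success
    from one IP within `window` seconds become one incident; each user-reported
    suspicious mail becomes another. Returns the incidents handed on to SOAR."""
    incidents, fails = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] == "auth":
            recent = [t for t in fails[e["ip"]] if e["ts"] - t <= window]
            if e["ok"] and len(recent) >= max_fail:
                incidents.append({"kind": "brute_force_success", "ip": e["ip"], "user": e["user"]})
            fails[e["ip"]] = [] if e["ok"] else recent + [e["ts"]]
        elif e["src"] == "mail":
            incidents.append({"kind": "phishing_report", "sender": e["sender"]})
    return incidents

# Constructed reference data a playbook would enrich against (assumed, not the article's)
KNOWN_BAD_DOMAINS = {"examp1e-login.test"}
KNOWN_IPS = {"203.0.113.9"}

def run_playbook(inc):
    """SOAR-style playbook (the "last mile"): performs the enrichment an analyst
    would otherwise do by hand and attaches a proposed disposition for review."""
    if inc["kind"] == "phishing_report":
        domain = inc["sender"].rsplit("@", 1)[-1]
        action = "quarantine_and_block" if domain in KNOWN_BAD_DOMAINS else "analyst_review"
        return {**inc, "domain": domain, "action": action}
    if inc["kind"] == "brute_force_success":
        action = "analyst_review" if inc["ip"] in KNOWN_IPS else "disable_session_and_reset"
        return {**inc, "action": action}
    return {**inc, "action": "analyst_review"}

def kpi_minutes_saved(dispositions, manual_min=25, verify_min=5, review_min=15):
    """Before/after KPI: analyst minutes for fully manual triage versus minutes
    spent verifying an automated disposition or reviewing an enriched case."""
    before = len(dispositions) * manual_min
    after = sum(review_min if d["action"] == "analyst_review" else verify_min for d in dispositions)
    return before - after
```

Running `kpi_minutes_saved([run_playbook(i) for i in correlate(EVENTS)])` over the constructed events gives the per-batch time saving that the interview suggests tracking as a KPI.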
BN: What other lessons can businesses learn from cloud, security and automation?
DF: It’s important to take an open approach to cloud and security. Businesses hate lockdown – they don’t want to feel tied to a specific vendor, even with the best security products in the world. For IT teams, this means looking at how they can integrate all of their tools in an open way, as it drives success and growth.
It helps businesses look at security in everything they have, from new cloud applications to legacy systems that have been in place for years, if not decades. For example, you should be looking to get data from mainframe middleware applications alongside cloud services and modern applications. Organizations don’t have a one-size-fits-all approach to apps, so their security strategy needs to follow suit. The only way to do this is to take an open approach to integration, so businesses can evolve their processes and use SIEM and SOAR in all their applications.
Image credit: jirsak / depositphotos.com