How security operations centers are adapting to the cloud era

Moving data and processes to the cloud presents challenges for enterprise SOCs. Here's how the industry and business are finding new ways to collect, monitor and analyze cloud-based security data.


As more and more critical business functions depart the on-premises environment for the cloud, security operations centers (SOCs) face tough challenges in keeping up with the changes and monitoring the new environments. Some rely on vendor-provided management and security tools, some use third-party services to pull in data from their SaaS, PaaS and IaaS providers, and others build their own security portals.

INAP, a provider of data center, cloud and colocation services, faces this problem in spades. Not only does it have to manage and secure its infrastructure, but it also has to provide management and security data feeds to its customers. Since the company also manages multi-cloud instances for customers -- in addition to its 600,000 square feet of data center space -- it also has to manage infrastructure provided by all the major cloud vendors.

"The traditional monitoring tools don't work in these environments," says Jennifer Curry, INAP's senior vice president of global cloud services. "You don't have access to the network. You don't have access to the underlying infrastructure."

The cloud vendors, including Amazon, Google and Microsoft, provide data feeds. INAP uses their APIs to pull logs and other data into its system, but it's not as straightforward as it sounds. "The scale and velocity at which we see changes when you're utilizing APIs -- it can be challenging to keep up with that," Curry says. "It's the nature of where we are, and of working in the cloud space. It's evolving very rapidly. It's constant upkeep."

When feasible, INAP uses commercially available tools to do this, Curry says. "We'll write a solution when we know it's going to be changing rapidly, and we'll want to customize it." Right now, there's no single platform that does everything the company needs. "We do have customizations that are a value-add for our customer base," she says. "And a single platform won't allow us to pull things in and out if we find something that's more efficient."

Of course, for INAP, managing cloud environments is part of its core business proposition, and the company needs to be able to do it well and dedicate adequate staff to the issue. Other companies that are not in the business of managing multiple cloud environments and services might not have the same kind of resources available.

Identifying the cloud services problem

To start with, many security teams aren't even aware of how many cloud services their companies are using. BetterCloud helps companies manage and secure their SaaS applications. Shreyas Sadalgi, the company's chief business strategy officer, says that the typical company uses its service to handle seven SaaS applications.

BetterCloud offers support for Google's G Suite, Okta, Dropbox, Slack, Box, Salesforce, Zendesk, Namely and Office 365, with ten more planned for next year on its new community exchange platform. Other cloud services can be connected at customer request, if an API is available.

The company currently has 2,500 customers, and Sadalgi says that their security teams care mostly about mission-critical, sanctioned applications. "These are the ones they want to protect," he says. "The long-tail list of SaaS applications doesn't really matter because all the mission-critical work is being done in one of the sanctioned applications."

Focusing on just a handful of sanctioned cloud services might be a mistake, though. "When we ask customers, 'How many cloud services do you use?' they say five, ten maybe 20," says Gautam Kanaparthi, director of product management at Netskope, a cloud security vendor. "And when we do a review, we find hundreds of cloud applications, in some cases, thousands."

According to Netskope's most recent cloud security report, the average enterprise now uses 1,246 different cloud services -- up 22 percent from 1,022 services a year ago. That includes an average of 175 different HR-related services, 170 related to marketing, 110 in collaboration, and 76 each in finance and CRM. Any of them could potentially be handling sensitive business data -- and the vast majority, according to Netskope, aren't enterprise-ready.

The biggest problem area is identity and access management (IAM), followed by monitoring, networking and logging. "It is absolutely a massive challenge for modern security teams," says Kanaparthi. "The primary challenge is that security is no longer under the control of corporate IT departments. In the past, everything was built for an environment where all the traffic is going through your corporate data center. But now I can access Salesforce from home, I can access my AWS account from anywhere. It's a brand new challenge for security teams."

Platform-specific security and management tools

Most enterprise-focused cloud vendors offer some management and security tools, either through a dashboard, an API, or both. Using the dashboards, however, requires that security teams switch among different systems. That can be a headache, since they have to learn how to navigate all the disparate tools. That's a potential security problem in that it becomes harder to detect attacks that hit multiple platforms at once.

The cloud vendors don't always have access to all the information a security team would need. Say, for example, a company wants to ensure that employees log into their SaaS services from secure devices -- protected with passwords and antivirus. "Typically, the SaaS provider is looking at the users themselves," says Dan Dearing, director of product management at Pulse Secure, a cloud access security vendor. "Is the user authorized to have access? But they wouldn't know if they were logging in from a home computer that's not secured. When we talk to customers, that's the biggest challenge they currently have."

To address some of these issues, enterprises are using cloud access security brokers (CASBs) or single sign-on solutions. Pulse, for example, sells a software client that sits on user devices and watches out for security policy violations. An organization's security team would then log into a cloud-based dashboard to watch for problems.

While Pulse Secure addresses the visibility gaps that arise when a mobile workforce logs into cloud applications, it also creates another challenge for security teams: they now have yet another cloud dashboard to log into -- a dashboard that isn't integrated with those for other cloud services or for a company's own SIEM.

Customers are asking for a data feed that they can pull into their SIEM, Dearing says, but Pulse doesn't have one yet. "That's an integration that's being provided later in 2019."

The use of an API is the best way to get log data out of a cloud application into a SIEM or other centralized security platform, says Mike Mason, senior product marketing manager at FairWarning, a cloud security firm. This is done using a script to pull in the logs via HTTPS, he says. "The process is getting simpler. You just must be clear on what data you want to have eyes on and tune accordingly."

Cloud data feed aggregators

To get a handle on the problem of managing security at multiple cloud providers, some vendors build connectors to all the different cloud platforms, then bring it all together into a single dashboard or data feed. "We have API hooks into all these applications, relationships with all the vendors, and provide one pane of glass," says Netskope's Kanaparthi.

Netskope also provides additional granular controls. For example, it can track the users who are sharing the most documents with people outside the company, or how many personal accounts are being used instead of official enterprise accounts for file sharing services like Box and Dropbox. "But we also understand that people have an SIEM and want to feed into that. So, we have an application in the Splunk store, and we have an API so we can plug into any other SIEM application as well."

Pulling cloud data into your own SIEM

Most large companies already use an SIEM or similar platform as the heart of their SOC. If a cloud service offers an API data feed, then the log data can be pulled into the SIEM so that security analysts will have a single view of all their systems.

Enterprise-focused vendors typically have an API, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cybersecurity services firm. "But in some cases, it might not be available in the first release or two of a SaaS application," he says.

Sometimes, the data is available, but the customer hasn't set up the access to it. For example, Lewis says, Microsoft has a couple of different license versions of Office 365, but the lower-cost one doesn't offer the needed data. "The cheapest one is the E3 license," he says. "Organizations are moving from an on-premise Microsoft Exchange environment and are saying, 'Look, we can move to Office 365 in the cloud and save money.' But they're not buying an adequate license that provides logging capabilities. E3 comes with very limited security logging and auditing. It's not at the same level as your prior on-premise Exchange environment. And it's not as robust as the E5 license or the Advanced Security license."

When an attack happens, the company wants to look at the logs, and they're not available. "You have to make a request to Microsoft, and you're waiting and crossing your fingers that they can supply something," Lewis says.

The problems don't end when the API is set up and the feed is funneled into the SIEM. Many SaaS vendors are still evolving their products and security functionality, and the API changes, Lewis says. "You build operations around this data, but it's a rapidly moving target," he says. "It becomes challenging because you have to pivot very rapidly."

If the fields in the data feed change, it can break the feed. Or the SaaS vendor can add new functionality, and the feed would miss it. For example, last year, Amazon launched GuardDuty. "It's a great security service," says Chris Noell, senior vice president of engineering at Alert Logic, a cloud security vendor. "Then, this year, they launched Security Hub, which is an aggregation of GuardDuty and other services. It takes a step into the direction of simplifying services into a single feed -- but now it's in your interest to change your integration to integrate with the new service, because it's richer than the previous capabilities."

That takes work, Noell says. This is a big pain point for customers, especially in the aggregate. "Nobody is consuming just one of these things," he says. "It's daunting to say the least to keep up with all the changes. It can quickly become a torrent of data for mid-sized organizations, and most security budgets aren't calibrated to support that."
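The script-based log pull described by Mason and the feed breakage Lewis and Noell describe, when a vendor renames a field or adds a new one, both come down to the same defensive step in front of the SIEM parser. The following is an added example, not code from the article or from any vendor named in it: the event fields in EXPECTED_FIELDS and the two sample events are constructed for illustration and do not represent any real provider's schema.

```python
import json
from typing import Any, Dict, List

# Fields the SIEM parser was built against when the feed was first integrated.
# Constructed for this example; not a real vendor's schema.
EXPECTED_FIELDS = {"timestamp", "user", "action", "source_ip", "result"}

# Constructed sample batch standing in for one HTTPS API pull. The second event
# shows a vendor-side change: "user" was renamed to "actor" and a new
# "severity" field appeared, which a rigid parser would either drop or choke on.
SAMPLE_FEED = json.dumps([
    {"timestamp": "2019-06-01T10:00:00Z", "user": "alice", "action": "login",
     "source_ip": "203.0.113.10", "result": "success"},
    {"timestamp": "2019-06-01T10:05:00Z", "actor": "bob", "action": "share",
     "source_ip": "203.0.113.11", "result": "success", "severity": "low"},
])


def normalize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map one raw API event onto the SIEM's expected fields and record drift.

    Missing expected fields become None instead of raising, so one changed
    record does not stop the whole batch; unknown fields are kept under
    "_extra" so new vendor functionality is surfaced rather than silently lost.
    """
    keys = set(event)
    normalized = {f: event.get(f) for f in EXPECTED_FIELDS}
    normalized["_extra"] = {k: event[k] for k in keys - EXPECTED_FIELDS}
    normalized["_missing"] = sorted(EXPECTED_FIELDS - keys)
    return normalized


def check_feed(raw_json: str) -> Dict[str, Any]:
    """Parse a feed batch and summarise schema drift for the SOC to act on."""
    events: List[Dict[str, Any]] = json.loads(raw_json)
    normalized = [normalize_event(e) for e in events]
    missing = sorted({f for n in normalized for f in n["_missing"]})
    unknown = sorted({k for n in normalized for k in n["_extra"]})
    return {
        "events": normalized,
        "missing_fields": missing,
        "unknown_fields": unknown,
        # True means the integration needs a human look before analysts trust it.
        "drift_detected": bool(missing or unknown),
    }


if __name__ == "__main__":
    report = check_feed(SAMPLE_FEED)
    print(json.dumps({k: v for k, v in report.items() if k != "events"}, indent=2))
```

Running the drift report as its own alert (rather than letting the parser fail quietly) is what turns "the feed broke" into a ticket with the exact renamed and added fields listed.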

Established organizations like Salesforce have a release cycle, with documentation and the ability to test ahead of time, Noell says. Someone still has to monitor the service and understand it, and that takes time. "There are a lot of reasons you want to hand that stuff over to someone else," Noell says.

Pondurance is one of the companies that would rather not have to do it all manually. "A lot of managed security service providers, like ourselves, are doing it themselves," says Pondurance's Lewis. His company hasn't yet been able to find a good, reliable service that collects all the data feeds from cloud services providers and keeps them up to date. "There's definitely a need for such a thing," he says.

Meanwhile, some older SIEM platforms might run into problems when trying to collect log data from cloud sources, says Robert Johnston, CEO at Adlumin, an SIEM vendor, because they were originally designed to handle feeds from on-premises systems. "They have architectural issues with doing it," he says. "They were designed to be on a server, and be on prem, while the services you're trying to access are in the cloud."

Companies are starting to catch on, he adds. Splunk, for example, has a cloud option. Gartner released a Magic Quadrant report this month, and several of its featured SIEM vendors now offer cloud delivery. In addition to Splunk, they include IBM, AlienVault, BlackStratus, ManageEngine and Rapid7.

Cloud-based SOCs

For many companies, it makes sense to put their SIEMs where their security data is -- in the cloud. "Legacy systems can't bring in this data," says Adlumin's Johnston. "You have to have it come in through your firewall, and it's hard to do and requires a configuration change. If your SIEM is in the cloud, it's very easy -- it takes minutes."

It's not just SaaS vendors and cloud computing platforms that generate feeds either, says Johnston. "More and more of the services you traditionally bring into the SIEM are moving to the cloud. Take next-gen antivirus companies. The AV data is absolutely critical to have come into the SIEM, but some of the most popular AV technologies are in the cloud, like CrowdStrike and Cylance."

Data loss prevention technologies are moving to the cloud, Johnston says. Intrusion prevention is moving to the cloud. According to Gartner, by 2020, 25 percent of all new SIEM implementations will be delivered as a service, up from 5 percent in 2017. According to Gartner analyst Augusto Barros, staff shortages and the fast-changing threat landscape are motivating many organizations to look at SaaS SIEMs and co-managed SIEMs.

Copyright © 2019 IDG Communications, Inc.
