Modernizing SecOps for Cloud: Part One
This is part one of a series.
Security operations, or SecOps for short, has been one of the more difficult security domains to modernize for cloud. It requires a combination of new subject matter expertise, new technologies, process updates, and even a slightly different mindset. Cloud impacts SecOps in ways both obvious and subtle, and since most organizations still have data centers and offices, teams need to add new skills and update operations while still supporting everything already on their plate. It’s a daunting challenge, but one that is a lot easier to tackle by distilling down the core of how cloud changes things and taking lessons from the successes of early adopters.
In this series, we will detail the impact of the cloud on SecOps, review the core technical capabilities needed to respond, and highlight techniques for successfully modernizing security operations to support cloud operations. We will finish up with example processes you can use as a template for your own operations.
Defining SecOps for Cloud
There isn’t one universal definition of SecOps, but it typically refers to detecting and responding to potential security issues like exposures or attacks, which bridge security into IT operations. In some organizations, the SecOps team is a different name for an incident response team, but others take a broader view and may include any activities where security affects and integrates with IT operations. For our purposes, we will limit ourselves to a cycle of monitoring, detecting and analyzing, communicating and responding and remediation.
We’ve based this on a combination of the NIST Cybersecurity Framework (CSF) and the NIST incident response cycle. NIST CSF includes identify, protect, detect, respond and recover. NIST CSF is meant to cover the entirety of information security domains and is thus broader than our focus. The NIST incident response lifecycle includes preparation, detection and analysis, containment, eradication and recovery and post-incident activity.
We aren’t proposing some new definition of SecOps, but we have cherry-picked phases that work well to explain the key areas we need to adapt for the cloud. We also aren’t focused exclusively on responding to attacks but include managing incidents, vulnerabilities and misconfigurations due to how these tend to overlap more in the cloud, as we will explain.
How Cloud Impacts SecOps
At a high level, there are three key ways the cloud impacts the entire range of security operations:
- Cloud operations and management are decentralized. Different teams not only manage their own applications stacks, but their own infrastructure stacks. These are spread across multiple cloud deployments or even providers. A lot of security operations historically relied on centralized management and consolidated infrastructure that doesn’t exist in the cloud.
- Admin functions are consolidated into unified consoles that run on the internet. While individual deployments will operate in their own decentralized cloud environments, all the administrative functions to manage those are consolidated into a single unified management plane for each provider. This management plane is on the internet and controls all infrastructure down to the literal virtual wiring of the virtual networks, and we access it with a username, password and maybe MFA. The management plane is a ripe target for attackers, and they don’t need to break Amazon, Microsoft or Google; all they need to do is steal the right credentials from one of your admins.
- Most resources can be configured to be on the Internet. It’s called “public cloud” for a reason, and nearly any resource you can create in every provider can be configured to access or be accessed via the internet. This is a radical departure from building and deploying resources in a data center.
This combination of decentralized operations and a central management plane that’s on the internet capable of potentially exposing any assets to the internet, forces a shift in SecOps focus and priorities. The situation isn’t worse than SecOps in a data center, we gain advantages like better-centralized visibility and more agile response capabilities, but it is different. Attackers are more likely to use stolen cloud credentials and API calls to expose data directly via the management plane without ever creating a malicious packet on a monitored network.
Understanding and Embracing SecOps for Cloud
In this series, we will dig deeper into some of the technical aspects of the cloud that affect SecOps, how to expand core capabilities to ensure proper coverage, and then how to adapt SecOps processes across the cycle. Key questions we will address include:
- Monitor: What telemetry sources does the cloud add, and what are the best ways to collect and manage them?
- Detect and Analyze: What new kinds of detectors and activities are needed to identify cloud security issues? How do the analysis process and priorities change for the cloud?
- Communicate: How do we organize and communicate issues and further responses?
- Respond and Remediate: Who handles response in the cloud? How do we ensure access and coordination? Who decides and implements remediation?
Our focus will be on practical approaches that don’t require you to suddenly become a cloud unicorn. They can be integrated over time and don’t require a sudden radical re-engineering of operations. Existing processes and skills are still completely relevant since cloud incidents easily spill into traditional areas of SecOps. We will show you how to modernize, expand and integrate SecOps to improve your processes for the cloud.
