The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

Similar documents
Best Practices in Securing a Multicloud World

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

Cloud Computing: Making the Right Choice for Your Organization

locuz.com SOC Services

BUILDING AND MAINTAINING SOC

SIEMLESS THREAT DETECTION FOR AWS

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

One Hospital s Cybersecurity Journey

Transforming Security from Defense in Depth to Comprehensive Security Assurance

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

NEXT GENERATION SECURITY OPERATIONS CENTER

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

The Emerging Role of a CDN in Facilitating Secure Cloud Deployments

Securing Your Amazon Web Services Virtual Networks

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

CASE STUDY: USING THE HYBRID CLOUD TO INCREASE CORPORATE VALUE AND ADAPT TO COMPETITIVE WORLD TRENDS

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

AKAMAI CLOUD SECURITY SOLUTIONS

CLOUD WORKLOAD SECURITY

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Protecting organisations from the ever evolving Cyber Threat

WHITEPAPER HEALTHCARE S KEY TO DEFEATING CYBERATTACKS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

align security instill confidence

Popular SIEM vs aisiem

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

Data center interconnect for the enterprise hybrid cloud

Designated Cyber Security Protection Solution for Medical Devices

AT&T Endpoint Security

Total Security Management PCI DSS Compliance Guide

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

The Value of Automated Penetration Testing White Paper

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Background FAST FACTS

Unlocking the Power of the Cloud

A Risk Management Platform

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Device Discovery for Vulnerability Assessment: Automating the Handoff

Business Strategy Theatre

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Securing Digital Transformation

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

CHALLENGES GOVERNANCE INTEGRATION SECURITY

MEETING ISO STANDARDS

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Embracing a Secure Cloud. Cloud & Network Virtualisation India 2017

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

ORACLE MANAGED CLOUD SECURITY SERVICES - SERVICE DESCRIPTIONS. December 1, 2017

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

Title: Planning AWS Platform Security Assessment?

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Cisco Secure Ops Solution

ForeScout Extended Module for Splunk

PALANTIR CYBERMESH INTRODUCTION

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Securing Your Cloud Introduction Presentation

Securing Your Microsoft Azure Virtual Networks

Reducing the Cost of Incident Response

Vulnerability Management Policy

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Managed Endpoint Defense

Deploy Symantec Cloud Workload Protection for Storage

TRUE SECURITY-AS-A-SERVICE

Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation

SIEMLESS THREAT MANAGEMENT

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

White Paper. How to Write an MSSP RFP

NETWORK AND SD-VPN. Meshing legacy and Cloud Service Providers

Checklist for Evaluating Deception Platforms

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Modern Database Architectures Demand Modern Data Security Measures

Carbon Black PCI Compliance Mapping Checklist

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

McAfee Public Cloud Server Security Suite

Move, manage, and run SAP applications in the cloud. SAP-Certified Infrastructure from IBM Cloud

Tips for Effective Patch Management. A Wanstor Guide

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

RSA NetWitness Suite Respond in Minutes, Not Months

Securing Your Digital Transformation

IT Security: Managing a New Reality

WHITE PAPER. Applying Software-Defined Security to the Branch Office

to protect the well-being of citizens. Fairfax is also home to some Fortune 500 and large

Transcription:

The New Normal Unique Challenges When Monitoring Hybrid Cloud Environments

The Evolving Cybersecurity Landscape Every day, the cybersecurity landscape is expanding around us. Each new device connected to the network presents a new attack surface for those with malicious intent. With so many companies migrating to the cloud, the security landscape is only becoming more complex. In recent studies 1, 91% of modern enterprises have already begun scaling to the cloud. However, 60% of those organizations will likely never transition their entire IT services to the cloud - making hybrid IT environments the most common architecture for today and into the foreseeable future. Hybrid architectures consist of applications, network, and server components that exist both on-premises and with cloud-providers. In some cases, bandwidth consumption can prohibit migrating some servers, such as consistently utilized applications with minimal scaling or data intensive client / server models, and require companies to maintain both on-premises and cloud environments. These hybrid architectures enable businesses to expand their infrastructure quickly and effectively. They allow for rapid scalability, more predictable costs and significant decrease in budget needs for large expenses like upfront hardware costs, server storage, and maintenance. While this evolution is great for business ROI, it is very difficult for an organization s cyber capability, including its Security Operation Center (SOC) to keep up with a dynamic threat surface. Cloud migration can be a more effective method of outsourcing IT overhead costs to 3rd party vendors because it offers a more systematic and repeatable model. Rather than interfacing with people in a traditional outsourced IT model, Amazon Web Services (AWS) has created automated and abstracted methods to make outsourcing IT a virtually seamless digital experience. The Gartner graphic below [figure 1] depicts the varying levels of management tasks that IT will need to perform, and highlights the tradeoff of each in the areas of control and choice. This ever-evolving landscape requires SOCs to adapt from a traditional style of monitoring to a more dynamic system of always-on analysis in order to maintain visibility into the network and effectively protect against threats. Understanding On-Premises and Cloud Behavior Traditional on-premises SOCs often utilize a centrally managed logging platform known as a Security Information and Event Management (SIEM) tool. In addition to the SIEM, analysts also utilize several other security components such as firewalls, Intrusion Prevention Systems (IPS), Anti-virus (A/V), and various Threat Intelligence sources. These security tools are the eyes and ears of any SOC. However, in a hybrid environment, many of these tools are either not deployed or cannot be deployed to the cloud portion of the environment due to the inherent abstraction model Figure 1 Architectural Comparison of Ownership by Cloud Dedicated IT Center Colocation Center Hosting Provider Center Public IaaS Center Public PaaS Center Public SaaS Center Organization Has Control Organization Shares Control With Service Provider Service Provider Has Control Source: Gartner (October 2016) https://www.gartner.com/binavries/content/assets/events/keywords/catalyst/catus8/2017_planning_guide_for_cloud.pdf 2 1. SolarWinds IT Trends Report 2016: The Hybrid IT Evolution http://it-trends.solarwinds.com/reports/2016/the-hybrid-it-evolution/north-america.pdf

of the cloud. For example, certain layers of the Open Systems Interconnection (OSI) model are hidden from the end consumer in such a way that traditional data elements like network traffic may not be available for organizations (and their SOCs) to monitor. The key to gaining visibility into cloud environments without the traditional processes and tools lies in effective training and situational awareness for the SOC team. Cloud architecture training will allow the staff to understand the nuances and capabilities of the cloud, including serverless computing, API security, security groups, and establishing an organization s overall security policy configuration requirements. Training on the new cloud toolset is equally important in educating analysts not just on the architecture, but on the additional functionality that is now available through these tools. Engineers who are responsible for securing both onpremises and cloud environments must understand the types of activity and threats unique to each environment. Normal behavior in an on-premises environment may not be normal behavior for cloud environments, and vice versa. One example of this distinct difference in network behavior is interactive logins (i.e., users logging into a server via a Graphical User Interface (GUI)). Onpremises servers typically have many logins by various administrators, however, this behavior becomes atypical in a cloud environment. Most cloud production systems are constructed from build scripts and have no need for interactive logins -- if a change is needed to a cloud system, the build scripts are modified and the system is rebuilt from a clean image. A SOC analyst must be able to understand the difference between on-premises and cloud behaviors and the context around an event in either environment in order to react accordingly. This variance, although small, could be the difference between a full compromise and blocking an attacker. The main lifeblood of any SOC function is environmental data, specifically event logs. Comprehensive logging is one capability imperative to a SOC in order to track network activity, gain deeper operational context, and maintain accountability of users and resources. However, this basic service does not translate cleanly from an on-premises log to a cloud log. An onpremises logging solution collects logs centrally from all devices for correlation based alerting on predefined use cases. This is typically not the A SOC analyst must be able to understand the difference between on-premises and cloud behaviors and the context around an event in either environment in order to react accordingly. 3

case for cloud environments since log data may not be readily available. If logging is available, it is generally stored in a cloud storage system. Two options to reconcile this issue are to push cloud logs back into the on-premises logging solution (i.e., an authoritative log), or to extend your traditional logging infrastructure into the cloud. Both approaches have potential drawback, which could include increased data transfer costs for your company or sluggish performance while searching for logs. These issues represent a real security management challenge. How can a SOC provide the same monitoring capabilities for on-premises and cloud systems? Use Case Variances Simply taking on-premises use cases from your SIEM tool and applying them to a cloud based environment can lead to false positives, or worse, false negatives. SOC functions must create and manage two separate use case libraries which address threats in both environments, maintain an up-to-date asset management inventory, and know where the boundaries of on-premises and cloud exist for their unique hybrid environments. Misconfigurations - AWS S3 buckets (data storage container) utilize security groups or roles to restrict access and protect data. A SOC function must know how to build a use case to alert on unencrypted and publicly accessible buckets. Misconfigurations of S3 buckets can result in public disclosure of sensitive information and have been the root cause of several recent data breaches. Visibility - Basic firewall alerting is another problematic issue when logging cloud events. In traditional on-premises monitoring, clients own the networking infrastructure and are thus able to configure monitoring of logs. In most cloud environments, the cloud provider typically owns the infrastructure which enables them to manage the physical components of cloud services. By outsourcing these management responsibilities, corporations sacrifice absolute visibility into network traffic, but are able to operate more economically and with shared risk responsibility. and anomaly based alerting, in turn removing false positives that require significant analyst time to evaluate. These capabilities not only improve the average response time of alerts, but also allows SOC analysts to focus on triage rather than detection. Managing Assets A cloud-based system s ability to autoscale based on demand has led to new methods of managing assets. s are often treated as disposable assets and may spin up or down with unique hostnames and IP addresses as needed to scale for demand. When you take this logical resource approach along with physical on-premises asset management, you ve created a rather complex puzzle for Hybrid SOCs. To tackle this issue, SOCs must develop new tool sets which use APIs to see to it that cloud systems are discovered and properly configured. On-premises vulnerability scanning, for example, will utilize a port scan to map a network and host environment, and compares this against a library based on known vulnerabilities. This capability does not operate in the same manner in cloud Machine Learning - Correlation engines, an integral part of traditional on-prem SIEMs, rely on complex rules that trigger alerts based on a sequence of events across more than one log source or device type. While correlation rules are often more advanced than simple pattern matching use cases, they often require significant resource overhead (expensive, powerful servers) and expert tuning skills to build appropriate use cases and alerts. With the transition to hybrid environments, the introduction of scalable machine learning services to such complex use cases can enable automated responses 4

environments. Scanning externally accessible IP ranges and systems theoretically can be done the same way, but scanning entire Virtual Private Clouds (VPCs) cannot. Port scanning is typically against the terms of services for cloud providers, forcing vulnerability tools to use APIs to pull this information. Information which had been readily collectable must now be collected in API calls, and in this case, vulnerability checks. These are generally conducted at system build time, rather than an ongoing vulnerability scanning procedure. While patch management is not a SOC function, monitoring systems via vulnerability management for missing patches is part of understanding the weaknesses in a network that can allow attackers to exploit bugs and gain unauthorized access to an organization s network. On-premises systems often plan monthly downtime in order to implement key patches. In the cloud, companies can roll the systems, which builds a new fully patched system at build time. The system is then run against vulnerability and configuration checks. Once a system passes all security checks it is then promoted to production. This process occurs daily or weekly, allowing code to move to production quicker and more effectively, while also eliminating downtime for the business. The cloud approach to patching is extremely useful and efficient when it comes to tackling zero day vulnerabilities like heartbleed and eternal blue (WannaCry). Improving Protection with Tools, Training and Next Generation Security Mindset Forward thinking SOC functions must realize they are not just first responders, but also cloud security analysts and architects. They must be able to perform log analysis across a wide variety of tools and platforms, as well as understand how to collect and run cloud based tools to obtain the information they are looking for through scripts and APIs. They must also have knowledge on how to recreate instances in the cloud, what a build script looks like, what services a company subscribes to and the context around each alert to accurately determine the threat level. SOC staff must also have knowledge on how to script, which is typically lacking in today s Tier 1 SOC personnel. The end result and business impact is that qualified SOC talent will become harder to find and ongoing training will be required in order to perform their job functions appropriately. For more information about AT&T Cybersecurity Solutions and Threat Manager, visit here. Share this with your peers 5 11982-121117

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback