SecOps is now a core part of IT infrastructure management at large organizations. But while SecOps has become very effective at securing a traditional data center, it does not have the practices, tools, and skills to secure a cloud environment.
As employees transition to remote work, customers transition to digital channels, and organizations move an overwhelming proportion of services to the cloud, a critical imperative for any organization is to create the new, cloud-oriented evolution of SecOps. This is CloudSecOps—an evolution of security operations that no one can afford to ignore.
What is SecOps?
SecOps is the coming together of IT operations and security staff. SecOps creates a highly skilled team that attends to assessing and monitoring risk and safeguarding corporate assets. These teams typically operate from a security operations center (SOC).
Cybersecurity attacks are growing in frequency and complexity against the background of a largely remote workforce, increasing digitization of business operations, and a move to the cloud. Organizations rely on specialized SecOps teams to hunt, detect, stop, and mitigate cybersecurity threats in this complex environment.
SecOps is gradually becoming part of a broader DevSecOps movement, which integrates security and operations with development processes. However, SecOps remains a distinct component of DevSecOps, focused on operating and securing the infrastructure the organization depends on.
The Evolution of SecOps
Security operations need to deal with the transformative impact of evolving attackers, business models, and technology platforms. Managing security in cloud environments can be very different from traditional on-premises data centers, and SecOps teams are adapting their strategies and tools accordingly.
Here are the key factors that drive developments in security operations.
Security operations need to identify and react to attacks across the organization, including cloud systems. SecOps professionals are often unfamiliar with cloud resources, as such platforms are new and quickly evolving. This requires SecOps teams to acquire new skills and gain practical experience with specific third-party operational environments, such as AWS or Azure.
Conventional SecOps heavily depended on network-based tools. Today, SecOps must go beyond network security, integrating endpoint, application, and identity tooling.
This integration is critical because attackers now rely on identity attacks such as credential theft, phishing, and password spray. These attacks are invisible to network security tools and therefore evade network-based detection.
In addition, bring your own device (BYOD) policies, Internet of Things (IoT) devices, and other operational systems sit outside the network perimeter during some or all of their lifecycle, which limits the effectiveness of security measures built around the traditional network perimeter.
Operational Technology (OT) Coverage
OT and IoT systems are increasingly prevalent, and in many cases, were not built with security in mind. Attackers are actively targeting OT and IoT systems as components of their attack chains—either as the ultimate goal of an attack or as an intermediary to traverse or access the environment. SecOps teams must have a solid grasp of their organization’s OT assets, their security weaknesses, and create a strategy to defend them.
Cloud Processing of Telemetry
Organizations need to modernize security operations because of the huge increase in relevant telemetry coming from the cloud. This telemetry is difficult to handle and analyze with traditional methodologies and tools, which prompts SecOps to use cloud services that offer machine learning, behavior analytics, and massive-scale analytics.
This is a case in point of the cloud helping to defend the cloud. The cloud creates new security challenges, but also offers new tools and technologies SecOps teams can use to their advantage. SecOps teams can use cloud-based automation to rapidly extract value from cloud logs and use them to enhance security operations.
Cloud Security Operations Functions
The central aim of a cloud security operations (SecOps) function is to identify, react to, and recover from attacks on an organization’s assets. As SecOps evolves, security operations must both reactively deal with attacks identified by alerts from security tools and proactively seek out attacks that were missed by regular detection processes.
In a cloud environment, this takes the shape of the following roles and functions:
- Incident management—this discipline coordinates the nontechnical elements of events with communications, legal, and other teams. In the cloud, incident management occurs at a higher pace and involves far more moving parts than in an on-premises data center.
- Integration of internal context—using internal context to prioritize SOC activities, including the relative risk scores of cloud systems, devices, and accounts; the sensitivity of applications and information stored in the cloud; and technology solutions such as virtual private clouds (VPCs) used to create virtual isolation and micro-perimeters.
- Leveraging security technology—SOC technology is changing from a static analysis of logs via security information and event management (SIEM) to sophisticated analytics methods that provide deeper insights and enable higher quality investigations. Both SIEM and new technology solutions like eXtended Detection and Response (XDR) increasingly use machine learning, behavioral intelligence, and integrated threat intelligence to help identify and prioritize abnormal behavior.
- Threat hunting—SOCs use threat hunting, typically triggered by a hypothesis, to proactively discover advanced attackers. Threat hunting requires tooling that can filter out noise in the security environment and enable advanced data exploration.
- Business risk management—the SOC is becoming a core part of managing business risk for an organization by providing insights into the risk inherent in cloud environments.
- Metrics and goals—the role of SecOps includes keeping track of performance indicators such as mean time to detect (MTTD), mean time to acknowledge (MTTA), and mean time to remediate (MTTR).
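The three indicators named in the last item are easy to state and surprisingly easy to compute inconsistently. The following is an added example, not code from the article: it shows one explicit set of definitions (MTTD measured from the attacker's first action to the first alert, MTTA from alert to analyst acknowledgement, MTTR from alert to remediation), computes the means over a constructed set of incident records, and keeps incidents that are still open out of the averages rather than silently counting them as zero. The `Incident` fields, the sample timestamps, and the goal values are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One incident record; timestamps are assumptions for this example.
    None means the step has not happened yet (the incident is still open)."""
    incident_id: str
    compromised_at: datetime               # attacker's first action, per forensics
    detected_at: Optional[datetime]        # first alert from any security tool
    acknowledged_at: Optional[datetime]    # analyst takes ownership
    remediated_at: Optional[datetime]      # attacker access removed, asset restored


def _mean_minutes(deltas: List[timedelta]) -> Optional[float]:
    """Mean of a list of durations in minutes; None when there is nothing to average."""
    if not deltas:
        return None
    return mean(d.total_seconds() for d in deltas) / 60.0


def secops_metrics(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """MTTD / MTTA / MTTR in minutes, using only incidents that reached each step.
    Open incidents are counted separately so a backlog cannot hide inside a mean."""
    detect, ack, remediate = [], [], []
    open_incidents = 0
    for inc in incidents:
        if inc.detected_at is None:
            open_incidents += 1
            continue
        detect.append(inc.detected_at - inc.compromised_at)
        if inc.acknowledged_at is not None:
            ack.append(inc.acknowledged_at - inc.detected_at)
        if inc.remediated_at is not None:
            # MTTR is measured from detection here; some programs measure it from
            # acknowledgement instead. Either is fine as long as it is written down.
            remediate.append(inc.remediated_at - inc.detected_at)
        else:
            open_incidents += 1
    return {
        "mttd_minutes": _mean_minutes(detect),
        "mtta_minutes": _mean_minutes(ack),
        "mttr_minutes": _mean_minutes(remediate),
        "open_incidents": open_incidents,
    }


def goals_missed(metrics: Dict[str, Optional[float]], goals: Dict[str, float]) -> List[str]:
    """Names of metrics whose current mean exceeds the agreed goal (goals are assumed values)."""
    return sorted(
        name for name, limit in goals.items()
        if metrics.get(name) is not None and metrics[name] > limit
    )


# Constructed sample: three incidents, the third still being worked.
T = datetime  # shorthand for readability
SAMPLE_INCIDENTS = [
    Incident("INC-1", T(2024, 3, 1, 8, 0), T(2024, 3, 1, 8, 30), T(2024, 3, 1, 8, 40), T(2024, 3, 1, 10, 30)),
    Incident("INC-2", T(2024, 3, 2, 14, 0), T(2024, 3, 2, 15, 0), T(2024, 3, 2, 15, 30), T(2024, 3, 2, 18, 0)),
    Incident("INC-3", T(2024, 3, 3, 9, 0), T(2024, 3, 3, 9, 10), None, None),
]

# Assumed goals in minutes; real targets come from the organization's risk appetite.
SAMPLE_GOALS = {"mttd_minutes": 60.0, "mtta_minutes": 15.0, "mttr_minutes": 240.0}

if __name__ == "__main__":
    m = secops_metrics(SAMPLE_INCIDENTS)
    print(m)
    print("goals missed:", goals_missed(m, SAMPLE_GOALS))
```

Because INC-3 has no acknowledgement or remediation yet, it contributes only to MTTD and to the open-incident count; with the assumed goals the run reports MTTA as the metric that is over target.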
Updating Incident Response Processes for Cloud
The incident response process should be effective for the entire organization, including cloud platforms, cloud-hosted data, and accounts in cloud-based identity and access management (IAM) or on-premises identity management (IdM).
Updating the incident response process is generally headed by security operations with the backing of other groups, who add their expertise and knowledge. SecOps teams need to modernize processes and ensure they know what to do when they identify an attack:
- Processes and playbooks—adapt current remediations, investigations, and threat hunting methodologies to the cloud native environment and the nuances of specific cloud platforms used by the organization.
- Education—educate security analysts on the cloud transformation, status of cloud migration projects, technical information about cloud platforms, and changes to business processes driven by the cloud.
Here are the core areas to focus your planning and education efforts:
- Shared responsibility model and cloud architectures—from the perspective of a security analyst, the cloud platform is a software-defined data center that offers various services, such as VMs (a familiar infrastructure) and new types of infrastructure like containers and serverless functions. The most relevant data is in service logs, or the specialized threat detection resources, rather than in operating system logs. Analysts should learn how to use these new data sources, what normal looks like, and how to detect cloud-based attacks.
- Endpoint data sources—SecOps teams need data and insights into malware and attacks on cloud-hosted servers. This tends to be easier, more accurate, and faster with native cloud detection tools such as cloud-based endpoint detection and response (EDR) solutions than with conventional methods of direct disk access. Direct disk forensics should be a last resort, as it is generally inefficient for identifying and investigating attacks.
- Network and identity data sources—cloud platform functions use identity mainly for access control. Analysts need to understand cloud identity protocols to achieve a complete picture of legitimate behavior, and by comparison, attacker behavior, to support event investigation and remediation. Identity protocols commonly used in a cloud environment include OAuth, OIDC, SAML, and cloud-based user directories, in contrast to Kerberos, LDAP, Active Directory, and NTLM in a traditional data center.
- Cloud security drills—simulated response and attacks can assist organizations with their preparedness. Security analysts, incident managers, threat hunters, and other employees in your organization should participate in organized training exercises to make them technically ready for an attack.
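Two points made above come together in a single example: the earlier observation that identity attacks such as password spray leave nothing for network security tools to see, and the guidance here that the relevant evidence now lives in cloud service logs (the identity provider's sign-in log) rather than operating system logs. The block below is an added example, not code from the article: it parses a constructed JSON-lines sign-in log and flags a source address that fails authentication against many distinct accounts inside a short window, then notes whether that address subsequently succeeded. The field names (`time`, `user`, `src_ip`, `outcome`, `protocol`), the sample events, and the window and account thresholds are assumptions for this example, not any vendor's real log schema or recommended tuning.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of identity-provider sign-in events (JSON lines). Every event is
# an ordinary HTTPS request to the identity provider, so a network sensor sees nothing
# unusual; the pattern is visible only in the service log itself.
SAMPLE_LOG = """
{"time":"2024-05-06T10:00:05Z","event":"SignIn","protocol":"OIDC","user":"alice","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:00:40Z","event":"SignIn","protocol":"OIDC","user":"bob","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:01:15Z","event":"SignIn","protocol":"OIDC","user":"carol","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:01:50Z","event":"SignIn","protocol":"OIDC","user":"dave","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:02:00Z","event":"SignIn","protocol":"OIDC","user":"alice","src_ip":"198.51.100.5","outcome":"failure"}
{"time":"2024-05-06T10:02:25Z","event":"SignIn","protocol":"OIDC","user":"erin","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:02:30Z","event":"SignIn","protocol":"OIDC","user":"alice","src_ip":"198.51.100.5","outcome":"failure"}
{"time":"2024-05-06T10:03:00Z","event":"SignIn","protocol":"OIDC","user":"frank","src_ip":"203.0.113.7","outcome":"failure"}
{"time":"2024-05-06T10:03:05Z","event":"SignIn","protocol":"OIDC","user":"alice","src_ip":"198.51.100.5","outcome":"success"}
{"time":"2024-05-06T10:04:00Z","event":"SignIn","protocol":"SAML","user":"grace","src_ip":"192.0.2.10","outcome":"success"}
{"time":"2024-05-06T10:06:10Z","event":"SignIn","protocol":"OIDC","user":"frank","src_ip":"203.0.113.7","outcome":"success"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines sign-in events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        # fromisoformat accepts 'Z' only on newer Pythons, so normalize it first.
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events: List[Dict],
                          window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5) -> List[Dict]:
    """One finding per source IP that fails against >= min_accounts distinct
    accounts within `window`. A user mistyping their own password many times
    (one account, many failures) does not match; spray is wide, not deep."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, start in enumerate(failures):
            end = start["time"] + window
            in_window = [e for e in failures[i:] if e["time"] <= end]
            accounts = {e["user"] for e in in_window}
            if len(accounts) < min_accounts:
                continue
            # A success from the same address after the spray began is the case an
            # analyst must triage first: it may be a guessed credential.
            successes = sorted({e["user"] for e in evs
                                if e["outcome"] == "success" and e["time"] >= start["time"]})
            findings.append({
                "src_ip": ip,
                "first_seen": start["time"].isoformat(),
                "accounts_targeted": sorted(accounts),
                "failed_attempts": len(in_window),
                "successes_after": successes,
            })
            break  # report each source address once
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

On the constructed log the detector reports a single source address, six targeted accounts, and one later success for `frank`, while the repeated failures from `198.51.100.5` against one account are left alone. Thresholds are a tuning decision: the same function with `min_accounts=7` returns nothing for this sample, which is why the window and account count should be chosen against the organization's own baseline of what normal sign-in failure looks like.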
In this article, I defined SecOps and showed four ways it is evolving in the cloud computing era:
- Understanding of cloud platforms—SecOps professionals are learning the dynamics of cloud environments and the nuances of specific cloud platforms.
- Identity-centric security—SecOps is moving from a network security model to an identity-centric detection and response model, combining network events with data from endpoints, identity systems, and cloud services.
- Operational Technology (OT)—SecOps is no longer just about Windows and Linux computers. OT and IoT devices, BYOD devices, and other new systems are entering the SecOps repertoire.
- Cloud processing of telemetry—SecOps teams are learning not just to secure the cloud, but also to leverage cloud technology to process massive amounts of log data and extract relevant insights quickly.
I hope this is useful as you move your organization closer to a mature, robust cloud security model.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Oracle, Zend, CheckPoint and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
The opinions expressed in this blog are those of Gilad David Maayan and do not necessarily represent those of Data Center Knowledge, its parent, or affiliated companies.