SOC Meets Cloud: What Breaks, What Changes, What to Do?
originally presented at Mandiant mWise 2023 by Dr Anton Chuvakin of Google Cloud Office of the CISO
Cloud changes everything (does it though?), including how we do threat detection and incident response in the SOC. As we continue to transform our attack surfaces, how do we make sure our detection and response are done "the cloud way"? There were also cases where both business and IT migrated to the cloud, but security was left behind and had to approach cloud challenges with on-premise tools and practices. How should a SOC born before cloud deal with cloud? What to watch for? What changes? What breaks? What stays the same?
4. Inspiration: you have a SOC or a Detection and Response team, and suddenly your organization embraces public cloud.
What do you do? First? Next?
What should you plan for?
What should you fear?
What should you strive for?
What is your endgame?
Was security consulted about cloud migration? Involved in planning? Informed in advance?
5. First Things First: A SOC is Still … a SOC :-)
"A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities." –Gartner
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
11. Mostly Stay the Same
● SOC value: detection and response are still as important
● SOC broad approaches: we collect telemetry, analyze, detect, triage, respond. Yes, this is true even for very "shift-lefty" environments!
● Threats: mostly the same, but YMMV
● Security fundamentals: attackers attack, we defend / detect and respond
12. A Big One: Threat Assessment / Threat Models
● A curiously hard question!
● Cloud threats are on-premise threats … but against cloud assets
● Cloud threats are the same … but the ranking is different!
● Cloud threats are unique and different … but my cloud is just VMs?
● Cloud provider takes care of threats :-)
13. Google Threat Horizons Report #7 (2023)
Compromise: direct evidence of threat activities. A mix of old threats in the cloud (many) and new cloud threats (few).
15. Cloud vs. On-Prem Security Perceptions
Base: Total Participants (n=400)
Q305. First, think about what's required to protect on-prem environments vs. cloud environments. Which would you say is more difficult for your organization?
Q314. Below are some ways cloud and on-prem security could differ for your org. For each, which type of environment is greater?
[Chart; response options: greater on cloud / greater on-prem / similar]
Level of Difficulty: greater on cloud 37%, greater on-prem 30%
Level of Risk: greater on cloud 48%, greater on-prem 35%
The average security pro says cloud security is slightly more difficult than on-prem and involves a higher level of risk. Is it because most of them don't know cloud?
16. Mostly Break / Disappear
● Manual IT processes: deployment, changes, updates to infrastructure; "Everything as Code"
● Ops - Dev: clear separation between Dev and Ops, no more "just call the sysadmin"; more dealing with developers
● Hardware: duh! This is a bit obvious, but it does affect architecting D&R
● Asset model: no more "what is this IP?" or "where is this server located?"
17. Traditional SOC Monitors Cloud, This Happens!
● Teams lacking cloud skills
● Uncommon telemetry collection methods
● Log data volumes may be high
● Ill-fitting tools, alien licensing models
● Alien detection context (!)
● Lack of clarity on cloud detection use cases
● Governance sprawl
● Lack of input from security into cloud decisions
● Cloud vulnerabilities are … different.
19. Challenges with D&R in the Cloud
● Joint nature: many (but not all) cloud incidents will involve a CSP, and many will involve a client, a cloud provider and one or more security service providers
● Skills: cloud D&R requires both solid security detection and response skills and equally solid cloud native technology skills
● Data: in many cases telemetry, logs and trace data won't be available, or won't be available via familiar mechanisms
20. Change in Interesting Ways
● Automation: SOAR works better, IT is ahead in automation
● Analyst skills: from Windows and packets to containers, CI/CD and cloud IAM; knowledge of how IT works now
● Applications: less infrastructure security, more application security (also see: developers!)
● Data sources: logs, EDR and network traffic rebalance, observability arrives. Logs still lead!
21. Tools Change: Learn IAM. Really, That's The Message :-)
(quoted from the Google Cloud IAM documentation)
"Manage access to projects, folders, and organizations"
"How to grant, change, and revoke a principal's access to a single service account."
"Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs."
22. Cloud Skills for On-premise SOC Immigrants...
Base: Total Participants (n=400). "Agree" % = Agree + strongly agree, 5-pt. scale. Q410: How much do you agree or disagree with the following?
● "Our org has to grow its public cloud skills and knowledge to succeed long-term": 83% agree
● "Our security team's cloud-specific knowledge is limited and needs to grow": 75% agree
● "Professionals with cloud-specific security skills are scarce and difficult to find": 72% agree
23. Data Sources for On-premise SOC Immigrants...
● NEW MONITORING SUBJECTS
○ Virtual machines [on a hypervisor you don’t own]
○ Containers
○ Functions and services
○ SaaS services
● NEW MONITORING DATA SOURCES
○ Cloud platform logs (e.g. GCP Cloud Audit Log)
○ Various other logs
○ Observability (in-app telemetry, essentially logs)
● NEW MONITORING ASSET CONTEXT
○ Account, resource group, distinguished names (sir? :-))
24. Side note: Classic SOC Wisdom: Collection …
[Diagram: the D&R loop: Collection, Detection, Triage, Investigation, Incident Response]
Without logs it's impossible to trace or detect a potential threat.
● Identify data sources and determine what to collect
● Configure logging and other data sources
● Develop processes for ingesting and normalizing data from various sources
● Implement data quality checks and data validation processes
● Implement data retention policies to cover security and compliance
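The last two collection steps are where a cloud pipeline quietly fails: an entry arrives without the field a detection keys on, or a whole log stream goes silent because someone changed a sink or a project was never wired up. The following is an added example, not code from the deck, showing both checks over constructed Cloud Audit Log entries. Field names follow the Cloud Audit Log LogEntry shape (logName, timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail); the required-field list, the expected streams, the silence budgets, the project names and all sample records are assumptions made up for this example.

```python
"""Collection health checks for a cloud audit log pipeline.

Added example (not from the original deck). Required fields, expected
streams, silence budgets and sample entries are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Fields every audit entry must carry to be usable for D&R (assumption).
REQUIRED_FIELDS = (
    "logName",
    "timestamp",
    "protoPayload.methodName",
    "protoPayload.authenticationInfo.principalEmail",
)

ACTIVITY = "cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS = "cloudaudit.googleapis.com%2Fdata_access"

# Longest acceptable gap per log type (assumption): admin activity in a busy
# project should not be quiet for an hour, data access should be near-constant.
MAX_SILENCE = {ACTIVITY: timedelta(hours=1), DATA_ACCESS: timedelta(minutes=15)}

# Streams the SOC expects to receive, e.g. from the asset inventory (assumption).
EXPECTED_STREAMS = {
    ("demo-prj", ACTIVITY), ("demo-prj", DATA_ACCESS),
    ("other-prj", ACTIVITY), ("other-prj", DATA_ACCESS),
}

def _get(entry, path):
    """Dotted-path lookup through nested dicts; None if any hop is missing."""
    cur = entry
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def validate_entry(entry):
    """Return the required fields that are missing or empty (empty list == valid)."""
    return [p for p in REQUIRED_FIELDS if _get(entry, p) in (None, "")]

def stream_key(entry):
    """'projects/<id>/logs/<type>' -> (project id, log type)."""
    parts = entry["logName"].split("/")
    return parts[1], parts[-1]

def _ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def check_collection(entries, now):
    """Report malformed entries, streams gone quiet, and expected streams never seen."""
    invalid, last_seen = [], {}
    for e in entries:
        missing = validate_entry(e)
        if missing:
            invalid.append((e.get("insertId", "?"), missing))
        if _get(e, "logName") and _get(e, "timestamp"):  # still counts as a heartbeat
            key = stream_key(e)
            last_seen[key] = max(last_seen.get(key, _ts(e)), _ts(e))
    silent = sorted(
        (proj, ltype, now - ts)
        for (proj, ltype), ts in last_seen.items()
        if now - ts > MAX_SILENCE.get(ltype, timedelta.max)
    )
    never_seen = sorted(EXPECTED_STREAMS - set(last_seen))  # the classic silent source
    return {"invalid": invalid, "silent": silent, "never_seen": never_seen}

def _entry(insert_id, project, ltype, ts, method, actor):
    """Build a constructed audit entry; actor=None drops the principal field."""
    auth = {"principalEmail": actor} if actor else {}
    return {"insertId": insert_id, "logName": f"projects/{project}/logs/{ltype}",
            "timestamp": ts, "protoPayload": {"methodName": method, "authenticationInfo": auth}}

NOW = datetime(2023, 9, 20, 12, 0, tzinfo=timezone.utc)

# Constructed sample data, not real logs.
SAMPLE_ENTRIES = [
    _entry("a1", "demo-prj", ACTIVITY, "2023-09-20T11:50:00Z", "SetIamPolicy", "admin@example.com"),
    _entry("a2", "demo-prj", ACTIVITY, "2023-09-20T11:55:00Z", "v1.compute.instances.insert", None),
    _entry("d1", "demo-prj", DATA_ACCESS, "2023-09-20T11:00:00Z",
           "google.cloud.bigquery.v2.TableService.GetTable", "bob@example.com"),
    _entry("o1", "other-prj", ACTIVITY, "2023-09-20T09:30:00Z", "SetIamPolicy", "carol@example.com"),
]

if __name__ == "__main__":
    report = check_collection(SAMPLE_ENTRIES, NOW)
    for insert_id, missing in report["invalid"]:
        print(f"INVALID {insert_id}: missing {missing}")
    for proj, ltype, gap in report["silent"]:
        print(f"SILENT  {proj}/{ltype}: last seen {gap} ago")
    for proj, ltype in report["never_seen"]:
        print(f"MISSING {proj}/{ltype}: expected stream never received")
```

Run on a schedule against the last hour of ingested data: a "never seen" stream usually means a project that was created without its log sink, and a "silent" stream is either an outage or someone turning off the logs you detect with.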
25. Shared D&R for On-premise SOC Immigrants...
● “CSP does this, client does that”
● Easy huh? Well, no…
● Example: detection and shared responsibility
26. See a Modern IT Practice? Steal it for Your SOC!
● CI/CD process. Adapt to this FIRST: applications change, so you need good asset coverage and vulnerability context. Steal SECOND: CI/CD for detections.
● IT automation. Adapt FIRST: integrate, or be left behind. Steal SECOND: SOAR and friends, security ops automation.
● Everything as code. Adapt FIRST: absorb the new context around infrastructure. Steal SECOND: detection as code.
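What "steal it" looks like in practice ties three slides together: IAM as the new detection context (slide 21), Cloud Audit Log as the new data source (slide 23) and detection as code with a CI gate (this slide). The following is an added example, not code from the deck or from any Google product: two rules run over Cloud Audit Log entries, each shipped with positive and negative test cases so a pipeline can refuse to deploy a rule that regressed. Field paths follow the Cloud Audit Log AuditLog shape (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.serviceData.policyDelta.bindingDeltas); ORG_DOMAIN, the set of "high-risk" roles, the project and account names and every sample entry are assumptions constructed for the example.

```python
"""Detection as code over GCP Cloud Audit Log entries.

Added example, not code from the original deck. Field paths follow the Cloud
Audit Log AuditLog shape; ORG_DOMAIN, the high-risk role set and every sample
entry are assumptions constructed for this example.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the org's own identity domain
HIGH_RISK_ROLES = {           # assumption: grants worth paging on
    "roles/owner", "roles/editor",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountKeyAdmin",
}

@dataclass
class Finding:
    rule: str
    severity: str
    actor: str      # who made the change (principalEmail)
    resource: str   # cloud asset context is a resource name, not an IP
    detail: str

def _get(d, path, default=None):
    """Dotted-path lookup; audit entries are sparse, so never KeyError."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def is_external(member):
    """True for principals outside ORG_DOMAIN and for the public pseudo-members.
    Service accounts never carry the org domain, so this toy treats
    *.gserviceaccount.com as internal; a real rule would allowlist projects."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    ident = member.split(":", 1)[-1]   # strip the user:/group:/serviceAccount: prefix
    return not (ident.endswith("@" + ORG_DOMAIN) or ident.endswith(".gserviceaccount.com"))

def rule_risky_iam_grant(entry):
    """SetIamPolicy that ADDs a high-risk role to an external principal."""
    pp = entry.get("protoPayload", {})
    if pp.get("methodName") != "SetIamPolicy":
        return []
    actor = _get(pp, "authenticationInfo.principalEmail", "<unknown>")
    resource = pp.get("resourceName", "<unknown>")
    out = []
    for delta in _get(pp, "serviceData.policyDelta.bindingDeltas", []) or []:
        role, member = delta.get("role", ""), delta.get("member", "")
        if delta.get("action") == "ADD" and role in HIGH_RISK_ROLES and is_external(member):
            out.append(Finding("risky_iam_grant", "HIGH", actor, resource, f"{role} -> {member}"))
    return out

def rule_sa_key_created(entry):
    """A user-managed service account key is a long-lived credential: flag it."""
    pp = entry.get("protoPayload", {})
    if pp.get("methodName") != "google.iam.admin.v1.CreateServiceAccountKey":
        return []
    return [Finding("sa_key_created", "MEDIUM", _get(pp, "authenticationInfo.principalEmail", "<unknown>"),
                    pp.get("resourceName", "<unknown>"), "user-managed key created")]

RULES = [rule_risky_iam_grant, rule_sa_key_created]

def detect(entries):
    """Run every rule over every entry; returns a flat list of Findings."""
    return [f for e in entries for rule in RULES for f in rule(e)]

def _audit(method, resource, actor, deltas=None):
    """Constructed Cloud Audit Log entry (sample data, not real logs)."""
    pp = {"methodName": method, "resourceName": resource, "authenticationInfo": {"principalEmail": actor}}
    if deltas is not None:
        pp["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"protoPayload": pp}

# Detection as code: every rule ships with positive and negative cases.
TEST_CASES = [
    (_audit("SetIamPolicy", "projects/demo-prj", "admin@example.com",
            [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}]), ["risky_iam_grant"]),
    (_audit("SetIamPolicy", "projects/demo-prj", "admin@example.com",
            [{"action": "ADD", "role": "roles/viewer", "member": "user:mallory@gmail.com"}]), []),  # low-priv role
    (_audit("SetIamPolicy", "projects/demo-prj", "admin@example.com",
            [{"action": "REMOVE", "role": "roles/owner", "member": "user:mallory@gmail.com"},
             {"action": "ADD", "role": "roles/editor", "member": "user:bob@example.com"}]), []),  # removal + internal
    (_audit("SetIamPolicy", "projects/demo-prj", "dev@example.com",
            [{"action": "ADD", "role": "roles/editor", "member": "allUsers"}]), ["risky_iam_grant"]),
    (_audit("google.iam.admin.v1.CreateServiceAccountKey",
            "projects/-/serviceAccounts/ci@demo-prj.iam.gserviceaccount.com", "dev@example.com"), ["sa_key_created"]),
]

def run_rule_tests(cases=TEST_CASES):
    """CI gate for detection content: returns the failing cases (empty == green)."""
    failures = []
    for entry, expected in cases:
        got = sorted(f.rule for f in detect([entry]))
        if got != sorted(expected):
            failures.append((entry["protoPayload"]["methodName"], expected, got))
    return failures

if __name__ == "__main__":
    for f in detect([e for e, _ in TEST_CASES]):
        print(f"[{f.severity}] {f.rule}: {f.actor} on {f.resource}: {f.detail}")
    raise SystemExit(1 if run_rule_tests() else 0)  # break the build if a rule regressed
```

The point is the shape, not the two rules: rules are plain functions, their fixtures live next to them, and the same script that runs in the pipeline is the one an analyst runs locally. Notice also what the asset context looks like here: a finding names projects/demo-prj or a service account, never an IP address, which is the "asset model" change from slide 16 showing up in detection output.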
28. TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS
        EDR      NDR      Logs   CASB
IaaS    OK (*)   OK (*)   OK     NO (*)
PaaS    NO       Sort of  OK     Sort of
SaaS    NO       NO       OK     OK
Fortunately, SOAR works with all of them...
29. Cloud: Good News for Your SOC!
● Much easier, less expensive, more scalable SIEM
● Easier SOAR, improved EDR
● Robust (*) API for log and telemetry access
● Some threat detection is done for you (e.g. VMTD, Virtual Machine Threat Detection)
● Security will get better fast all around you.
31. SOC: Lessons from Ops or from Dev?
"The joke is an ops is 10 years behind dev, and I would say security is 10 years behind ops, if I had to estimate."
-- Kelly Shortridge (source: Kelly on Cloud Security Podcast)
"You can't 'ops' your way to SOC success, but you can 'dev' your way there"
-- Anton Chuvakin (source: "Kill SOC Toil, Do SOC Eng" blog)
33. Recommendations
● Cloud is hard, especially if you don't understand it. Learn cloud before complaining about it: focus on IAM, learn the new detection context
● If your cloud use is similar to on-premise, then your threats are similar. Assess your cloud threats!
● Create/refine your cloud detection use cases
● Evolve the SOC toward more automation to catch up with modern cloud IT; evolve to integrated D&R content
● Rely more on CSP data feeds and tools; link them to SOC tools
● Focus on cloud hygiene and posture: this helps your D&R. Cloud calls for more automation, and also makes automation easier. Kill toil, automate!
● Start with what you know, but evolve to the cloud native way! Evolve to Autonomic Security Operations, engineering-led D&R (how?!)