25 November 2020
Migrating to the cloud brings new risks; data is now exposed directly to the internet. Part of the security remains with a third party, the cloud service provider (CSP). This makes the segregation between private and public spaces more porous than ever before. Thus, we are facing new technical challenges.
The first is linked to the constant evolution of cloud environments and their interfaces, particularly in integrated security functions.
We also have to juggle with a certain opacity of the CSPs on the nature and completeness of the audit trails collected – in this case, logs. The provision of the complete records to a third party, be it the customer or its Managed Security Service Provider (MSSP), is still complex to date.
Also, the collection of security events has to go through the Internet, via a public network, which requires a contradictory approach to SIEM tools based on secure architectures, particularly about issues of integrity and confidentiality of the data collected. Finally, the multi-cloud dimension makes the collection and standardization of security events a little more complicated.
We had to define new ones. Some of the existing use-cases had to be transformed because the information collected is now heterogeneous or even incomplete compared to the previous situation. Simultaneously, new attack methods, directly linked to the risks of the cloud, forced us to complete our use-case catalogs.
Also, we are facing a new RACI (Responsible, Accountable, Consulted and Informed). Each stakeholder’s responsibilities are to be established for each client case. They have different obligations of means and results, depending on the situation. For the analysts, especially those at level N3, specific and sharp skills had to be acquired.
For SOCs, level 1 actions and decisions must be automated to the maximum extent possible. This involves handling incidents, qualifying them, and directing them to higher-level analyst teams. Our vocation is also to automate the orchestration of security incidents in an ecosystem populated by “micro-SIEMs”. In this way, we would work from alerts and not from logs. All CSPs today provide SOC or SIEM bricks such as Microsoft’s Azure Sentinel, for example. This means that our experts have to learn new tools and adapt their analysis processes to use the consoles made available by the CSPs.
This shows that detection based on static detection rules meets its limits in the cloud: we need to consider more dynamic means of detection based on the exploitation of AI engines and the learning machine.