Monitoring the Hybrid Cloud: Evolving to the “CloudSOC”


Presents

Mike Rothman, President

[email protected]

Twitter: @securityincite

Monitoring the Hybrid Cloud: Evolving to the “CloudSOC”

What We’ll Cover

• Disruption Ahead

• Emerging SOC Use Cases

• Solution Architectures

• Technical Considerations

• Migration

• Q&A

A Disruptive Collision

Cloud Computing

• Cloud computing disrupts security

• Loss of physical control via abstraction

• New emphasis on automation

Mobility

• Mobile computing disrupts security by distributing access while reducing control over devices and networks.

DevOps

• DevOps disrupts security by requiring trustable automation and an operational model to support it.

Monitoring Needs to Change

• Lack of visibility in the cloud

• Co-existence: 5 - 7 year migration to the cloud (if not longer)

• Continued focus on analytics

• Common view across both cloud and traditional infrastructure?

• Compliance in the cloud?

Emerging SOC Use Cases

Monitoring IaaS

• Reduced visibility (you don’t control the stack)

• Depth and granularity of available logs is improving

• No packet capture (impacts forensics)

• Choke point for inspection and/or capture?

• Where to collect & aggregate?

Monitoring SaaS

• At the mercy of what the SaaS provider exposes

• Typical access is user-related (logons, activity) and admin-related

Monitoring the Private Cloud

• Access to the physical layer

• Still need access to the cloud console to track virtualized compute, storage, networks, etc.

• Leverage cloud infrastructure APIs

• Can route traffic through inspection point(s)

SLAs Are Your Friend

• Exercise leverage during procurement to get access to logs/events

• Very hard to go back and ask for more access once the deal is done.

Evolving to the CloudSOC

The CloudSOC Use Case

• Migrating to a CloudSOC is a multi-year process. Some will get there faster than others.

• Why? It doesn’t make sense to have the bulk of compute and storage in the cloud while monitoring from on-prem.

• What about latency and cost?

• Decision points:

  • Collection/Storage

  • Analysis

  • Presentation

Collecting from the Cloud

• APIs

• Cloud Gateways

• Cloud-to-Cloud

• App Telemetry

• Agents

• External Data/TI

On-Prem Deployment

• Traditional SIEM

• Need to include data collected from the cloud

Hybrid Cloud Deployment

• Some analysis performed on-prem (likely for on-prem devices)

• Some analysis performed in the cloud (for cloud-based resources)

• Aggregate data for a view of the entire infrastructure

• Service providers are an option (especially for cloud stuff)
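What “aggregate data for a view of the entire infrastructure” means in practice is a common event schema that both on-prem and cloud sources are normalized into, so that one rule can see both. The following is an added example, not code from the talk or from Securosis: it normalizes constructed sshd syslog lines (the on-prem side) and constructed CloudTrail-shaped console-login/API records (the cloud side) into one timeline, then runs a single rule that catches a password-guessing run against the same username that spans both environments, something neither source would show on its own. The year applied to the syslog timestamps, the field names and all sample values are assumptions made for the example.

```python
"""Hybrid aggregation: one schema, one timeline, one cross-environment rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-prem sshd syslog lines (syslog carries no year; 2015 is assumed below).
SYSLOG_LINES = [
    "Mar  2 09:10:01 bastion01 sshd[2201]: Failed password for dave from 192.0.2.55 port 51022 ssh2",
    "Mar  2 09:10:08 bastion01 sshd[2203]: Failed password for dave from 192.0.2.55 port 51030 ssh2",
    "Mar  2 09:12:40 bastion01 sshd[2210]: Accepted publickey for alice from 10.20.0.14 port 40112 ssh2",
]
# Constructed cloud audit records; field names follow the general CloudTrail shape.
CLOUD_EVENTS = [
    {"eventTime": "2015-03-02T09:11:15Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "sourceIPAddress": "192.0.2.55", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-03-02T09:11:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "sourceIPAddress": "192.0.2.55", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-03-02T09:15:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_syslog(line, year=2015):
    """Map an sshd syslog line onto the common schema; None if it is not an auth line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"time": when, "env": "onprem", "host": m.group("host"), "user": m.group("user"),
            "action": "login", "outcome": "success" if m.group("result") == "Accepted" else "failure",
            "src_ip": m.group("ip")}


def normalize_cloud(ev):
    """Map a CloudTrail-shaped record onto the same schema as the syslog records."""
    ident = ev.get("userIdentity") or {}
    name = ev.get("eventName", "")
    if name == "ConsoleLogin":
        action = "login"
        outcome = "success" if (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success" else "failure"
    else:
        action = "api_call"
        outcome = "failure" if ev.get("errorCode") else "success"
    return {"time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), "env": "cloud",
            "host": "cloud", "user": ident.get("userName") or ident.get("type", "unknown"),
            "action": action, "outcome": outcome, "src_ip": ev.get("sourceIPAddress", "")}


def build_timeline(syslog_lines, cloud_events, year=2015):
    """Aggregate both sources into one time-ordered list of normalized records."""
    records = [r for r in (normalize_syslog(l, year) for l in syslog_lines) if r]
    records += [normalize_cloud(e) for e in cloud_events]
    return sorted(records, key=lambda r: r["time"])


def cross_env_bruteforce(records, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold login failures inside the window across more than one environment."""
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["outcome"] == "failure":
            by_user[r["user"]].append(r)
    hits = []
    for user, fails in by_user.items():
        fails.sort(key=lambda r: r["time"])
        for i, first in enumerate(fails):
            run = [r for r in fails[i:] if r["time"] - first["time"] <= window]
            envs = {r["env"] for r in run}
            if len(run) >= threshold and len(envs) > 1:
                hits.append({"user": user, "failures": len(run), "envs": sorted(envs),
                             "src_ips": sorted({r["src_ip"] for r in run})})
                break
    return hits


if __name__ == "__main__":
    timeline = build_timeline(SYSLOG_LINES, CLOUD_EVENTS)
    for r in timeline:
        print(r["time"].isoformat(), r["env"], r["user"], r["action"], r["outcome"], r["src_ip"])
    print(cross_env_bruteforce(timeline))
```

Two on-prem failures and two cloud failures for the same account would each stay under a per-source threshold of three; only the aggregated timeline crosses it, which is the point of the hybrid view.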

Exclusively Cloud Deployment

• Remote SOC

• Outsourced or managed service

• How to get on-prem events/logs to the cloud?

• Collectors

Third Party Management/Outsourcing

• Help address the skills gap

• Where is the service provider finding staff?

• Can use services for either:

  • Stuff you can’t do

  • Stuff you don’t want to do

• Complementary to the strengths of the in-house team

Managing Vendor Lock-In

• Consciously use APIs and other vendor-specific services

• Maintain flexibility (where possible)

Technical Considerations

Data Security

• Data in motion (easy) vs. data at rest (hard)

• Many service providers use other service providers for storage, compute, etc.

• Understand how the service provider is protecting the data

• SLAs are still your friend

Data Privacy and Jurisdiction

• PII may have limitations as to where it can be stored

• Where is the cloud data stored? Are you sure?

• Data subject to regional laws

• Tokenization and masking are also your friends…
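Tokenization and masking matter here because the monitoring data itself is subject to the same jurisdiction limits as the systems it describes: if event logs carrying PII are shipped to a SIEM in another region, the PII has moved. The following is an added example, not code from the talk or from Securosis. It shows the usual split: usernames are replaced with keyed, deterministic tokens (so the cloud SIEM can still correlate activity per user without learning who the user is) while the key and the token-to-value vault stay on-prem; e-mail addresses and IP addresses are masked irreversibly; and free-text messages are scrubbed for PII that slipped into them. The sample records, the field names and the key are constructed for the example.

```python
"""Tokenize and mask PII in log records before they leave the jurisdiction."""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample records; field names are assumptions for the example.
SAMPLE_RECORDS = [
    {"time": "2015-03-02T09:14:00Z", "user": "alice", "email": "alice@example.com",
     "src_ip": "203.0.113.45",
     "message": "Password reset requested by alice@example.com from 203.0.113.45"},
    {"time": "2015-03-02T09:20:00Z", "user": "alice", "email": "alice@example.com",
     "src_ip": "2001:db8::1", "message": "Login ok"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def tokenize(value, key, prefix="tok_"):
    """Keyed pseudonym (HMAC-SHA256): same input -> same token, so events still join per user,
    but without the key the token cannot be brute-forced back from a list of known usernames."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return prefix + mac[:16]


def mask_email(addr):
    """Keep the domain (useful for analysis), drop the identifying local part."""
    local, _, domain = addr.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def mask_ip(ip_str):
    """Truncate to the /24 (IPv4) or /48 (IPv6) so geography survives but the host does not."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"{net.network_address}/{prefix}"


def scrub_text(text):
    """Mask e-mail addresses and IPv4 addresses embedded in free text."""
    text = EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)

    def _ip(m):
        try:
            return mask_ip(m.group(0))
        except ValueError:      # not a real address (e.g. 999.1.1.1); leave it
            return m.group(0)
    return IPV4_RE.sub(_ip, text)


class OnPremTokenVault:
    """Holds the HMAC key and the token -> value map. This object never leaves the on-prem side;
    the cloud SIEM only ever sees tokens."""

    def __init__(self, key):
        self._key = key
        self._map = {}

    def tokenize(self, value):
        token = tokenize(value, self._key)
        self._map[token] = value
        return token

    def detokenize(self, token):
        """Re-identify for an analyst who is entitled to, without shipping the mapping anywhere."""
        return self._map.get(token)


def sanitize(record, vault):
    """Apply the per-field policy and return a copy safe to forward across regions."""
    out = dict(record)
    if out.get("user"):
        out["user"] = vault.tokenize(out["user"])
    if out.get("email"):
        out["email"] = mask_email(out["email"])
    if out.get("src_ip"):
        out["src_ip"] = mask_ip(out["src_ip"])
    if out.get("message"):
        out["message"] = scrub_text(out["message"])
    return out


if __name__ == "__main__":
    vault = OnPremTokenVault(b"example-key-kept-on-prem")   # assumption: a real key comes from a KMS/HSM
    for rec in SAMPLE_RECORDS:
        print(sanitize(rec, vault))
```

The trade-off to be explicit about: keyed tokens are reversible by whoever holds the key, so the key is now the thing the jurisdiction question attaches to; masked fields are not reversible, which is why masking rather than tokenization is used for values the SOC does not need to join on.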

Automation and Scalability

• Automate deployment of collectors, agents, etc.

• Embed into instances and scaling templates

• Verification and discovery of services via APIs

• (Almost) everything can be scripted.
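Embedding the collector in the scaling template is only half of the job; the other half is the verification step, because instances that launch without the agent, or whose agent stops reporting, are invisible to the SOC precisely when they matter. The following is an added example, not code from the talk or from Securosis. It reconciles two constructed inputs: what the cloud inventory API says is running, and the last heartbeat the collection tier saw from each instance. Instances inside a launch grace period are reported separately from real gaps, and heartbeats from instance IDs the inventory does not list as running are surfaced too, since either the inventory or the reporting is wrong. The instance records, heartbeat table, thresholds and clock are assumptions made for the example.

```python
"""Verify collector coverage by reconciling cloud inventory against collector heartbeats."""
from datetime import datetime, timedelta

# Constructed: the reduced result of an inventory API call (e.g. a describe-instances style query).
INVENTORY = [
    {"id": "i-0a1", "name": "web-1",   "state": "running",    "launched": "2015-03-02T08:00:00Z"},
    {"id": "i-0a2", "name": "web-2",   "state": "running",    "launched": "2015-03-02T09:58:00Z"},
    {"id": "i-0a3", "name": "db-1",    "state": "running",    "launched": "2015-02-20T08:00:00Z"},
    {"id": "i-0a4", "name": "batch-7", "state": "terminated", "launched": "2015-03-01T08:00:00Z"},
]
# Constructed: last heartbeat per instance id as recorded by the collector tier.
HEARTBEATS = {
    "i-0a1": "2015-03-02T09:59:30Z",
    "i-0a3": "2015-03-02T08:30:00Z",
    "i-0a4": "2015-03-02T09:59:00Z",
}
NOW = datetime(2015, 3, 2, 10, 0, 0)   # fixed clock so the example is reproducible


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(inventory, heartbeats, now=NOW,
              stale=timedelta(minutes=15), grace=timedelta(minutes=5)):
    """Classify every running instance by collector state and flag unexpected reporters.

    ok            heartbeat within the stale window
    stale         agent was seen, but not recently: host hung, agent died, or egress blocked
    booting       no heartbeat yet, but launched inside the grace period
    missing_agent no heartbeat and past the grace period: the template did not install it
    orphan_agent  heartbeat from an id the inventory does not list as running
    """
    report = {"ok": [], "stale": [], "booting": [], "missing_agent": [], "orphan_agent": []}
    running = {i["id"]: i for i in inventory if i["state"] == "running"}
    for iid, inst in running.items():
        hb = heartbeats.get(iid)
        if hb is None:
            bucket = "booting" if now - _parse(inst["launched"]) < grace else "missing_agent"
            report[bucket].append(iid)
        elif now - _parse(hb) > stale:
            report["stale"].append(iid)
        else:
            report["ok"].append(iid)
    for iid in heartbeats:
        if iid not in running:
            report["orphan_agent"].append(iid)
    return report


def coverage(report):
    """Fraction of running instances with a healthy collector."""
    running = sum(len(report[k]) for k in ("ok", "stale", "booting", "missing_agent"))
    return len(report["ok"]) / running if running else 1.0


if __name__ == "__main__":
    rep = reconcile(INVENTORY, HEARTBEATS)
    for bucket, ids in rep.items():
        print(f"{bucket:14s} {ids}")
    print(f"coverage: {coverage(rep):.0%}")
```

Run on a schedule (or from the scaling hook itself) and alert on `missing_agent` and `stale`; a coverage figure that is anything other than 100% after the grace period is a finding about the template, not just about the instance.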

Other Considerations

• Management Plane

  • Lose control of management, lose everything

  • Pay attention to entitlements and IAM roles

• Analytics

  • Cloud-based analytics plentiful

  • “Data scientists” to set up and analyze? Less so.

• Pricing Model

  • Cloud pricing is usage based. Makes budgeting harder.

  • Need controls in place to monitor cloud spending
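“Lose control of management, lose everything” translates into a short list of management-plane events the CloudSOC must never miss: root-account use, console logins without MFA, entitlement changes (especially an identity granting itself more), and anything that switches off the audit trail. The following is an added example, not code from the talk or from Securosis. It runs those rules over constructed audit records whose field names follow the general CloudTrail shape (eventName, userIdentity, additionalEventData, requestParameters), and adds one correlation that a per-event rule cannot express: an entitlement change followed shortly by audit-log tampering by the same actor. The event values, rule names and severities are assumptions made for the example.

```python
"""Management-plane detection over constructed cloud API audit events."""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events; CloudTrail-shaped field names, invented values.
SAMPLE_EVENTS = [
    {"eventTime": "2015-03-02T09:14:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-03-02T09:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-03-02T09:21:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2015-03-02T09:22:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2015-03-02T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
]

# Calls that change who can do what, and calls that blind the SOC.
ENTITLEMENT_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                       "CreateAccessKey", "UpdateAssumeRolePolicy", "AddUserToGroup"}
LOGGING_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

Finding = namedtuple("Finding", "time rule severity actor detail")


def _actor(ev):
    ident = ev.get("userIdentity") or {}
    return ident.get("userName") or ident.get("type") or "unknown"


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def findings_for(ev):
    """Apply the per-event management-plane rules to one audit record."""
    out = []
    name = ev.get("eventName", "")
    who, when = _actor(ev), _ts(ev)
    ident = ev.get("userIdentity") or {}
    params = ev.get("requestParameters") or {}
    if ident.get("type") == "Root":
        out.append(Finding(when, "root-account-activity", "high", who, name))
    if name == "ConsoleLogin" and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success":
        if (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            out.append(Finding(when, "console-login-without-mfa", "high", who, ev.get("sourceIPAddress", "")))
    if name in ENTITLEMENT_CHANGES:
        target = params.get("userName") or params.get("roleName") or params.get("groupName") or ""
        policy = params.get("policyArn", "")
        # Granting admin, or granting anything to yourself, is the escalation pattern to rank highest.
        risky = policy.endswith("/AdministratorAccess") or target == who
        out.append(Finding(when, "entitlement-change", "high" if risky else "medium", who,
                           f"{name} {target} {policy}".strip()))
    if name in LOGGING_TAMPERING:
        out.append(Finding(when, "audit-logging-tampered", "critical", who,
                           f"{name} {params.get('name', '')}".strip()))
    return out


def escalate_then_blind(findings, window=timedelta(minutes=30)):
    """Correlate: same actor changes entitlements, then tampers with logging within the window."""
    out = []
    changes = [f for f in findings if f.rule == "entitlement-change"]
    for tamper in (f for f in findings if f.rule == "audit-logging-tampered"):
        for change in changes:
            if change.actor == tamper.actor and timedelta(0) <= tamper.time - change.time <= window:
                out.append(Finding(tamper.time, "escalate-then-blind", "critical", tamper.actor,
                                   f"{change.detail} then {tamper.detail}"))
                break
    return out


def scan(events):
    """Per-event rules in time order, followed by the sequence correlation."""
    per_event = []
    for ev in sorted(events, key=_ts):
        per_event.extend(findings_for(ev))
    return per_event + escalate_then_blind(per_event)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.time.isoformat(), f.severity, f.rule, f.actor, f.detail)
```

The logging-tamper rule is the one to wire to paging rather than a dashboard: once the trail is stopped the SOC stops receiving the very events these rules run over, so the alert on StopLogging is the last one it will see from that account until logging is restored.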

Migration Plan

• Phase 1: Deploy Collectors

• Phase 2: Integrate and Monitor Cloud Resources

• Push vs. Pull collection

• Aggregation and Correlation

• Policy Development and Testing

• Phase 4: Automation and Orchestration

• Phase 5: Migrate SOC Infrastructure to the Cloud

Summary

• There is no right or wrong in monitoring the hybrid cloud.

• You will (likely) have both traditional and cloud infrastructure for a while.

• Where collection happens will evolve. Same goes for aggregation and analytics.

• Choose a flexible architecture to allow you to move to the cloud when it makes sense.

Read our stuff

• Blog: http://securosis.com/blog

• Research: http://securosis.com/research

• We publish (almost) everything for free

• Contribute. Make it better.

Mike Rothman, Securosis LLC

[email protected]

http://securosis.com/blog

Twitter: @securityincite