Start by establishing authority over the data before access to it is set up. Authority includes the power to grant access and to provide awareness that access has been granted (to whom, when, and to what data). Granting it may involve new or adjusted credentials, Identity and Access Management (IAM) roles, shared keys, policy adjustments, access control list (ACL) changes, or updated rules and roles.
Capability refers to the ability to collect, transport, store, normalize and analyze data. Now and in the future, data is spread across many locations and produced at high volumes. Collecting, storing and analyzing it can only be done with the assistance of technology, so a security team's capability to scale at speed depends more on its technical components than on the human skillset.
Repeatable, Fluid Processes
This entire process is repeated for every part of the enterprise, and in a perfect world authority, access, and capability would be the same everywhere. The world is not perfect: authority, access, and capability all change over time, because businesses and organizations have fluid environments with dozens of moving pieces.
One of the visibility processes, "continuous monitoring," addresses this directly: it tracks changes in people (who come and go), changes and advancements in technology, and changes in infrastructure (such as moving additional assets to the cloud).
Every addition to or subtraction from the business's people, processes or technology requires a 'visibility review' of how the new element or changed process affects visibility into threats and vulnerabilities. Where needed, adjustments that maintain visibility should be made and managed.
After visibility adjustments are made, the SOC will need authority, access, and capability to respond to security events.
Collaboration drives success
Organizations are building connectivity between cloud-based assets and on-premises assets to implement a model of deep, continuous visibility in the cloud. Many of the methodologies security teams already use on premises can be adapted and applied to cloud visibility and security.
Architecture planning, security controls, and adaptations are key to supporting a cloud-aware SOC.
- Architecture plans should look at connectivity, tools, deployment and scalability issues, for example.
- Security controls, then, should focus on ID/IAM, control plane hardening, OS hardening and logging, endpoint and network security controls, as well as ongoing vulnerability management.
- Adapting existing processes and functions to changing environments should start with initial events that create the change, followed by triage, validation, investigation, follow-up processes and forensics.
"The SOC team needs to align with cloud architecture and engineering teams that have built the hybrid architecture and maintain it. You need to do this more closely than before," writes SANS analyst Dave Shackleford in this whitepaper.
Manage Assets
You can't secure what you don't know you have, and asset management is a challenge for nearly every organization. Using AWS CloudTrail for asset management gives you a log of everything that happens in the account, including what was created.
"It's all APIs. You turn this on and you know pretty much everything. Within AWS, there's no better description of this than their CloudTrail logging service; it's one of the most innovative things I've seen in recent memory," adds Shackleford.
Authority and access can be achieved quickly because the request is narrowed down to one component: AWS. The ability to collect at scale and speed is simplified with one service. Contrast that with on-premises environments that have over a dozen checkboxes to gain authority, access, and capability.
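The "log of everything that happens and what was created" is usable as an asset inventory only once you pick out the successful resource-creating calls and compare them with what the team believes it owns. The following is an added example, not code from the SANS whitepaper or from AWS: it reads the JSON that CloudTrail delivers (a top-level "Records" array), keeps successful creation calls for three services, and lists the assets absent from a known-asset set. Record field names follow the CloudTrail record format; the sample log and every account id, ARN and resource id in it are constructed, and the extractor table is an assumption that covers only the services in the sample.

```python
"""Build an asset inventory from CloudTrail records (added example, constructed data)."""
import json
from dataclasses import dataclass

# Constructed CloudTrail delivery file: one read-only call, one denied call,
# and three successful creations (two EC2 instances in a single RunInstances).
SAMPLE_LOG_JSON = r'''
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:12:03Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-job-42",
   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/DeployRole"}}},
  "requestParameters": {"instanceType": "t3.micro"},
  "responseElements": {"instancesSet": {"items": [
     {"instanceId": "i-0aaa111constructed"}, {"instanceId": "i-0bbb222constructed"}]}}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:13:40Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": true,
  "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T10:02:11Z",
  "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
  "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "constructed-audit-archive"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T10:30:00Z",
  "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
  "errorCode": "AccessDenied", "errorMessage": "not authorized to perform iam:CreateUser",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"userName": "svc-never-created"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T11:45:27Z",
  "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"userName": "svc-reporting"}}
]}
'''


def _ec2_instances(rec):
    items = rec.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items]


def _s3_bucket(rec):
    return [rec["requestParameters"]["bucketName"]]


def _iam_user(rec):
    return [rec["requestParameters"]["userName"]]


# (eventSource, eventName) -> function returning the ids the call created.
# Assumption: only the services in the sample are covered; extend per estate.
CREATE_EXTRACTORS = {
    ("ec2.amazonaws.com", "RunInstances"): _ec2_instances,
    ("s3.amazonaws.com", "CreateBucket"): _s3_bucket,
    ("iam.amazonaws.com", "CreateUser"): _iam_user,
}


@dataclass(frozen=True)
class Asset:
    resource_id: str
    service: str
    account: str
    region: str
    created_at: str
    created_by: str


def actor(rec):
    """Principal behind the call; for assumed roles report the role, not the session."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")


def inventory_from_log(log_text):
    """Return an Asset for every successful resource-creating call in a delivery file."""
    assets = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("errorCode") or rec.get("readOnly"):
            continue  # denied/failed calls and read-only calls create nothing
        extractor = CREATE_EXTRACTORS.get((rec.get("eventSource"), rec.get("eventName")))
        if extractor is None:
            continue
        for rid in extractor(rec):
            assets.append(Asset(rid, rec["eventSource"].split(".")[0],
                                rec.get("recipientAccountId", ""), rec.get("awsRegion", ""),
                                rec["eventTime"], actor(rec)))
    return assets


def unknown_assets(assets, known_ids):
    """Assets CloudTrail saw being created that are missing from the team's own inventory."""
    known = set(known_ids)
    return [a for a in assets if a.resource_id not in known]


if __name__ == "__main__":
    found = inventory_from_log(SAMPLE_LOG_JSON)
    for a in unknown_assets(found, {"i-0aaa111constructed", "constructed-audit-archive"}):
        print(f"{a.created_at} {a.service:<4} {a.resource_id:<28} by {a.created_by}")
```

Two details matter for a defender reading this output: failed calls (`errorCode` present) are kept in CloudTrail but create nothing, so they belong in a separate "attempted" view rather than the inventory, and for assumed-role sessions the role ARN under `sessionContext.sessionIssuer` is the stable identity to report, while the session ARN changes with every job.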
Where to find help
AWS Security Hub's ability to automatically aggregate findings from software vendor solutions gives security teams many options for how they prioritize security operations and which tools they use to do it. Today, there are 24 software vendor integrations for AWS Security Hub spanning categories such as firewalls, endpoint security, security information and event management (SIEM), and more. These vendor solutions collectively address both event and behavioral detection.
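Aggregating findings from two dozen products is only useful if the SOC can turn the combined stream into a triage order. The following is an added example, not the post's or AWS's own code: it takes findings shaped like AWS Security Finding Format (ASFF) records as returned by Security Hub's GetFindings API (Severity.Normalized and Severity.Label, RecordState, Workflow.Status, ProductArn, Resources), drops archived and resolved ones, groups the rest by affected resource, and ranks resources by highest severity and then by how many independent products flagged them. The sample findings, account id, resource ARNs and the two third-party product names are constructed.

```python
"""Rank Security Hub findings aggregated from several products (added example, constructed data)."""
from collections import defaultdict

ACCT = "111122223333"  # constructed account id


def finding(fid, product, normalized, label, resource_id, resource_type, title,
            record_state="ACTIVE", workflow="NEW"):
    """Build a constructed ASFF-shaped finding with the fields the ranking uses."""
    return {
        "SchemaVersion": "2018-10-08", "Id": fid,
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/{product}",
        "AwsAccountId": ACCT, "Title": title,
        "Severity": {"Normalized": normalized, "Label": label},
        "RecordState": record_state, "Workflow": {"Status": workflow},
        "Resources": [{"Type": resource_type, "Id": resource_id}],
    }


INSTANCE_A = f"arn:aws:ec2:us-east-1:{ACCT}:instance/i-0aaa111constructed"
INSTANCE_B = f"arn:aws:ec2:us-east-1:{ACCT}:instance/i-0bbb222constructed"
BUCKET = "arn:aws:s3:::constructed-audit-archive"

# Constructed sample: two products agree on INSTANCE_A, one finding on INSTANCE_B
# is already resolved, and one GuardDuty record is an archived duplicate.
# "examplevendor/..." product names are placeholders, not real integrations.
SAMPLE_FINDINGS = [
    finding("f-1", "aws/guardduty", 90, "CRITICAL", INSTANCE_A, "AwsEc2Instance",
            "Instance querying known command-and-control domain"),
    finding("f-2", "examplevendor/edr", 70, "HIGH", INSTANCE_A, "AwsEc2Instance",
            "Credential access tool executed on host"),
    finding("f-3", "aws/inspector", 40, "MEDIUM", INSTANCE_B, "AwsEc2Instance",
            "Vulnerable package version installed", workflow="RESOLVED"),
    finding("f-4", "aws/config", 1, "LOW", BUCKET, "AwsS3Bucket",
            "Bucket versioning disabled"),
    finding("f-5", "examplevendor/firewall", 70, "HIGH", INSTANCE_B, "AwsEc2Instance",
            "Outbound connection to known-bad address blocked"),
    finding("f-6", "aws/guardduty", 90, "CRITICAL", INSTANCE_A, "AwsEc2Instance",
            "Instance querying known command-and-control domain", record_state="ARCHIVED"),
]


def is_open(f):
    """Only ACTIVE findings whose workflow is still NEW or NOTIFIED need triage."""
    return (f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status", "NEW") in ("NEW", "NOTIFIED"))


def product_name(f):
    """'aws/guardduty' from 'arn:aws:securityhub:us-east-1::product/aws/guardduty'."""
    return f["ProductArn"].split("product/", 1)[1]


def prioritize(findings):
    """Group open findings by affected resource and rank resources for triage.

    Order: highest normalized severity first, then the number of distinct
    products that flagged the resource (cross-vendor corroboration), then
    the raw finding count.
    """
    by_resource = defaultdict(list)
    for f in findings:
        if not is_open(f):
            continue
        for r in f.get("Resources", []):
            by_resource[(r["Type"], r["Id"])].append(f)
    ranked = []
    for (rtype, rid), fs in by_resource.items():
        worst = max(fs, key=lambda f: f["Severity"]["Normalized"])
        ranked.append({
            "resource_type": rtype, "resource_id": rid,
            "max_severity": worst["Severity"]["Normalized"],
            "label": worst["Severity"]["Label"],
            "products": sorted({product_name(f) for f in fs}),
            "titles": [f["Title"] for f in fs],
        })
    ranked.sort(key=lambda r: (-r["max_severity"], -len(r["products"]), -len(r["titles"])))
    return ranked


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f'{row["label"]:<8} {row["resource_id"]}  products={",".join(row["products"])}')
```

Ranking by resource rather than by finding is the point: a CRITICAL GuardDuty hit and a HIGH EDR hit on the same instance are one incident with two witnesses, and the count of distinct products is a cheap proxy for confidence that survives a single noisy integration.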
You can find out more by checking out this webinar, How to Build a Security Visibility Strategy in the Cloud.