
WHITE PAPER

Automating the Security Lifecycle for the Cloud

3945 Freedom Circle Suite 560 Santa Clara CA 95054 /// 650 300 5222 /// [email protected] /// palerra.com


Abstract

Enterprises are rapidly adopting the cloud for agility and improved productivity. However, the cloud presents challenges in the areas of threat visibility and compliance. Some IT groups—already constrained by manpower and skills shortages—still use manual approaches to cloud security. But the volume of cloud usage and the relentless efforts of attackers far outpace these efforts. It is becoming increasingly important for enterprises to automate the security lifecycle, from threat detection through remediation, across their entire cloud footprint.

Introduction

The rapidly evolving threat landscape makes cloud security a full-time job that requires professionals who specialize in security incident response. These people are hard to find, and even for them it is very difficult to keep pace using manual approaches. Manual approaches to security involve writing rules to detect and prevent threats. This is difficult and time-consuming, and such methods often inundate IT staff with alerts, making it very hard to distinguish critical issues from less urgent ones.

These challenges are analogous to the credit card fraud detection crisis a decade ago. As credit cards quickly entered the mainstream, fraud was rampant. Financial institutions increased staff and manual detection capabilities. But this approach did not scale, and ultimately it gave way to automated fraud detection systems. Similarly, automated threat detection in the cloud is the only scalable way to address current challenges related to cloud security and future challenges driven by mainstream adoption of the Internet of Things (IoT).

There are three key components to automation of the security lifecycle in the cloud: security configuration management, threat detection and prediction, and incident response. This white paper explores the functionality needed to successfully implement each component and the benefits of automating them.

Security Configuration Management

The recent spate of high-profile attacks and breaches has made security a top priority for cloud service providers. A number of security controls have been built into cloud platforms, for example, controls for password length, encryption, and authentication. This is a step in the right direction. However, it can be a challenge for enterprises to consistently apply these controls, extend them, and audit deviations from them, especially across multiple cloud applications.

For example, an Amazon Web Services (AWS) deployment can include multiple Elastic Compute Cloud (EC2) and Simple Storage Service (S3) components. Each component has its own security configuration, which means that IT staff must understand, configure, and manage hundreds of settings for a single deployment. The problem is amplified if there are multiple cloud applications. Even if an administrator masters the configuration of a handful of business-critical cloud services, new configurations and changes to existing configurations inevitably occur, requiring constant vigilance. This does not scale. As the number of cloud services in use increases, so does the need for automation of security configuration management.

Automation of security configuration management eliminates labor-intensive and error-prone manual processes. Automation also frees administrators from manual audits of hundreds of configurations, enabling them to focus on more strategic objectives. In addition, automation allows the organization to define a security compliance posture and configuration once, and then be assured of continuous monitoring and enforcement.

Enterprises must have several capabilities to automatically monitor and enforce security configurations, and to scale these capabilities across hundreds of enterprise cloud services. An asynchronous discovery process must generate a metadata model for each cloud service. The automated security functions must continuously monitor for deviations from an organization’s preferred security configurations. They must first model threats, and identify when there is drift away from a steady compliant state. If threats are identified, or compliance is compromised, then the configurations in the cloud service must immediately be returned to the original compliant state. For automatic security configuration management to be effective, it must take into account the entire range of deployed applications and the full range of functions for each one.
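The monitor-and-enforce cycle described above (a discovered metadata model per service, a baseline of preferred settings, detection of drift, and automatic return to the compliant state) can be illustrated with a small script. This is an added example written for this page, not code from the paper's authors or any product; the service names, setting names and the "discovered" snapshot are constructed stand-ins for what an asynchronous discovery run would pull from a provider's API.

```python
"""Drift detection and auto-remediation for cloud security settings.

Added example, not vendor code. BASELINE and DISCOVERED are constructed
sample data; a real deployment would populate DISCOVERED from the cloud
provider's API and push remediations back through it.
"""
import copy
from dataclasses import dataclass
from typing import Any, Callable

# Desired (compliant) configuration, defined once per service.
# rule: setting -> (predicate that says "compliant", value to restore on drift)
BASELINE: dict[str, dict[str, tuple[Callable[[Any], bool], Any]]] = {
    "s3": {
        "public_read": (lambda v: v is False, False),
        "encryption_at_rest": (lambda v: v == "AES256", "AES256"),
        "versioning": (lambda v: v is True, True),
    },
    "ec2": {
        "ssh_open_to_world": (lambda v: v is False, False),
        "imds_v2_required": (lambda v: v is True, True),
    },
    "iam": {
        "password_min_length": (lambda v: isinstance(v, int) and v >= 14, 14),
        "mfa_required": (lambda v: v is True, True),
    },
}

# Constructed snapshot standing in for one discovery run: the metadata model
# service -> resource id -> observed settings.
DISCOVERED = {
    "s3": {
        "bucket-logs": {"public_read": False, "encryption_at_rest": "AES256", "versioning": True},
        "bucket-exports": {"public_read": True, "encryption_at_rest": None, "versioning": True},
    },
    "ec2": {
        "i-web-01": {"ssh_open_to_world": True, "imds_v2_required": True},
    },
    "iam": {
        "account": {"password_min_length": 8, "mfa_required": True},
    },
}


@dataclass(frozen=True)
class Drift:
    service: str
    resource: str
    setting: str
    observed: Any
    expected: Any


def detect_drift(baseline, discovered) -> list[Drift]:
    """Compare every discovered resource against the baseline rules for its service."""
    findings = []
    for service, rules in baseline.items():
        for resource, observed in discovered.get(service, {}).items():
            for setting, (is_compliant, expected) in rules.items():
                value = observed.get(setting)  # a missing setting counts as non-compliant
                if not is_compliant(value):
                    findings.append(Drift(service, resource, setting, value, expected))
    return findings


def remediate(state, findings) -> list[str]:
    """Return each drifted setting to its compliant value; returns a human-readable log."""
    log = []
    for d in findings:
        state[d.service][d.resource][d.setting] = d.expected
        log.append(f"{d.service}/{d.resource}: {d.setting} {d.observed!r} -> {d.expected!r}")
    return log


def enforce(baseline, discovered):
    """One cycle: detect, remediate on a copy of the model, then re-check.

    Returns (findings, remediation log, residual drift, remediated state).
    """
    state = copy.deepcopy(discovered)
    findings = detect_drift(baseline, state)
    log = remediate(state, findings)
    residual = detect_drift(baseline, state)
    return findings, log, residual, state


if __name__ == "__main__":
    found, log, residual, _ = enforce(BASELINE, DISCOVERED)
    print(f"{len(found)} drifted settings, {len(residual)} remaining after remediation")
    print("\n".join(log))
```

Run continuously, the same cycle gives the "define once, monitor and enforce forever" property the paper asks for: the baseline is the single source of truth, and every run leaves a log of what drifted and what was restored.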

Threat Detection & Prediction

Security tools can make use of big data to mine for existing or potential threats. However, the sheer volume of cloud service usage often leads to analysis paralysis or to time gaps between breach and response, because of the overwhelming size of the data sets. In addition, manual correlation across large data sets can lead to erroneous conclusions. Finally, more often than not, IT staff are inundated with alerts, resulting in missed threats.

Automatic threat detection and predictive analytics reduce the noise in the data and give IT staff clear information about threats and how to address them. Extracting meaningful information from multiple large data sets requires advanced data science techniques. The ability to home in on and identify anomalous behaviors or events in the analytics is particularly important. The information can then be presented as actionable analytics within a single pane of glass, providing instant visibility into the security posture across an organization’s entire cloud footprint.

For example, using manual methods it can be hard to differentiate between a single user who has performed consecutive failed logins simply because they lost their credentials, and a user whose consecutive failed logins come from geographically disparate locations within a short time period. In the first case, the failed logins should be ignored, whereas in the second case, the behavior pattern indicates a threat. In practice, detection of definite or possible threats requires analysis across hundreds of threat vectors. The only feasible way to perform reliable forensic analysis at scale is through machine learning algorithms. To ensure efficacy of threat detection and prediction, the entire process—from consolidation and correlation of data to generating a concise summary of actionable threats—necessitates automation.
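The failed-login example above can be made concrete with a detector that separates the two cases automatically. This is an added example for this page, not code from the paper's authors or any product: the log lines, the IP-to-location table, the failure threshold and the speed limit are all constructed. The check generalizes the paper's case slightly by computing the travel speed implied between consecutive failed attempts, so it also catches two distant locations, not only "many".

```python
"""Classify bursts of failed logins: forgotten password vs. distributed attack.

Added example, not vendor code. GEO, LOG and the thresholds are constructed
for illustration; a real system would use a GeoIP database and the audit
stream of the cloud service.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: source IP -> (city, latitude, longitude)
GEO = {
    "203.0.113.10": ("San Jose", 37.34, -121.89),
    "198.51.100.7": ("Frankfurt", 50.11, 8.68),
    "192.0.2.44": ("Singapore", 1.35, 103.82),
}

# Constructed audit log: "ISO-time user result source_ip"
LOG = """\
2020-07-04T09:00:01 alice FAIL 203.0.113.10
2020-07-04T09:00:09 alice FAIL 203.0.113.10
2020-07-04T09:00:20 alice FAIL 203.0.113.10
2020-07-04T09:01:02 alice SUCCESS 203.0.113.10
2020-07-04T09:10:00 bob FAIL 203.0.113.10
2020-07-04T09:11:30 bob FAIL 198.51.100.7
2020-07-04T09:12:45 bob FAIL 192.0.2.44
2020-07-04T09:13:10 bob FAIL 198.51.100.7
"""

FAIL_THRESHOLD = 3          # consecutive failures before a run is examined at all
MAX_PLAUSIBLE_KMH = 1000.0  # implied travel faster than this is not one human moving


def haversine_km(a, b):
    """Great-circle distance in km between (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def failure_runs(events):
    """Per user, the lists of consecutive FAIL events; a SUCCESS closes a run."""
    runs, current = defaultdict(list), defaultdict(list)
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            current[user].append((ts, ip))
        else:
            if current[user]:
                runs[user].append(current[user])
            current[user] = []
    for user, run in current.items():  # runs still open at end of log
        if run:
            runs[user].append(run)
    return runs


def classify_run(run):
    """Return (verdict, max implied speed in km/h) for one run of failures.

    'ignore'  : too short to matter
    'benign'  : many failures, but all plausibly from one person in one place
    'threat'  : failures whose locations no single person could travel between
    """
    if len(run) < FAIL_THRESHOLD:
        return "ignore", 0.0
    max_speed = 0.0
    for (t1, ip1), (t2, ip2) in zip(run, run[1:]):
        loc1, loc2 = GEO.get(ip1), GEO.get(ip2)
        if loc1 is None or loc2 is None:
            continue  # unknown location: cannot reason about distance, skip the pair
        dist = haversine_km(loc1[1:], loc2[1:])
        hours = max((t2 - t1).total_seconds() / 3600.0, 1e-9)
        max_speed = max(max_speed, dist / hours)
    return ("threat" if max_speed > MAX_PLAUSIBLE_KMH else "benign"), max_speed


def analyse(log_text):
    """user -> list of (verdict, max_speed) for each failure run in the log."""
    return {user: [classify_run(r) for r in runs]
            for user, runs in failure_runs(parse(log_text)).items()}


if __name__ == "__main__":
    for user, verdicts in analyse(LOG).items():
        print(user, verdicts)
```

On the constructed log, alice's three failures from one address come out as benign, while bob's run spans three continents in three minutes and is flagged. The same structure scales to the "hundreds of threat vectors" the paper mentions: each vector becomes another feature computed over the run, and the hand-set thresholds become what a learned model replaces.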

Incident Response

A good security solution must provide the ability to track all identified threats and perform incident response, thus closing the loop. For example, if a user’s account is compromised, immediate action must be taken to disable it and prevent a breach. A delay between threat detection and remediation can be detrimental.

To keep pace with the increasing number and frequency of threats, it is also important to automate the incident response process. This includes automatic generation of incident tickets to make sure that all risk events are recorded, tracked, triaged, and resolved automatically. This can be done directly through built-in capabilities of the incident tracking system or by integration with other enterprise applications or change management processes. For example, by integrating with identity and access management systems, compromised user accounts can be locked down automatically. Or, by integrating with the firewalls that secure the network, automatic triggers can be sent to a firewall to add a newly identified malicious IP address to its existing rule set.

The benefit of built-in incident response capabilities is that the remedy can take effect immediately and provides a complete audit trail from detection to remediation of the threat. The benefit of integrating with third party incident response technologies is that enterprises with existing tools and processes can leverage their investments. Automatic incident response completes the security lifecycle by delivering orchestration and remediation with tamperproof attestation as sought by auditors and compliance officers.
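The closed loop described in the two paragraphs above (ticket, account lockdown, firewall rule, and an audit trail from detection to remediation that auditors can trust) can be sketched as a small orchestrator. This is an added example for this page, not code from the paper's authors or any product. The ticketing, identity and firewall "integrations" are in-memory stubs standing in for real systems, the playbooks and the threat record are constructed, and the audit trail uses a SHA-256 hash chain so that any later edit to an entry is detectable.

```python
"""Closed-loop incident response with a tamper-evident audit trail.

Added example, not vendor code. TicketSystem, IdentityProvider and Firewall
are stand-ins for real integrations; PLAYBOOKS and THREAT are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only log; each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "at": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        """True only if every entry's hash and back-link still check out."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "at", "action", "detail", "prev")}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class TicketSystem:                 # stub for an incident tracking system
    def __init__(self):
        self.tickets = {}

    def open(self, summary):
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets[tid] = {"summary": summary, "state": "open"}
        return tid

    def resolve(self, tid):
        self.tickets[tid]["state"] = "resolved"


class IdentityProvider:             # stub for an IAM integration
    def __init__(self):
        self.locked = set()

    def lock(self, user):
        self.locked.add(user)


class Firewall:                     # stub for a firewall integration
    def __init__(self):
        self.deny = set()

    def block(self, ip):
        self.deny.add(ip)


# Constructed playbooks: threat type -> ordered response steps
PLAYBOOKS = {
    "compromised_account": ["ticket", "lock_account", "block_sources", "resolve"],
    "brute_force": ["ticket", "block_sources", "resolve"],
}


def respond(threat, tickets, idp, fw, trail):
    """Run the playbook for the threat; every step is written to the trail."""
    steps = PLAYBOOKS.get(threat["type"])
    if steps is None:  # nothing automated applies: leave it for a human, but record that
        trail.record("escalated", {"reason": "no playbook", "type": threat["type"]})
        return None
    ticket = None
    for step in steps:
        if step == "ticket":
            ticket = tickets.open(f"{threat['type']}: {threat['user']}")
            trail.record("ticket_opened", {"ticket": ticket, "threat": threat})
        elif step == "lock_account":
            idp.lock(threat["user"])
            trail.record("account_locked", {"user": threat["user"]})
        elif step == "block_sources":
            for ip in threat["source_ips"]:
                fw.block(ip)
                trail.record("ip_blocked", {"ip": ip})
        elif step == "resolve":
            tickets.resolve(ticket)
            trail.record("resolved", {"ticket": ticket})
    return ticket


# Constructed threat, e.g. the output of a detector like the one in the previous section
THREAT = {"type": "compromised_account", "user": "bob",
          "source_ips": ["198.51.100.7", "192.0.2.44"]}


def run_demo(threat=THREAT):
    tickets, idp, fw, trail = TicketSystem(), IdentityProvider(), Firewall(), AuditTrail()
    ticket = respond(threat, tickets, idp, fw, trail)
    return ticket, tickets, idp, fw, trail


if __name__ == "__main__":
    tid, tickets, idp, fw, trail = run_demo()
    print(tid, tickets.tickets[tid]["state"], sorted(idp.locked), sorted(fw.deny))
    print("trail intact:", trail.verify())
```

The stub adapters are where real integrations would plug in; the point of the example is the ordering (record before moving on) and the chained trail, which is what lets an auditor check after the fact that the remediation steps shown are exactly the ones that ran.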

Conclusion

Automation of security in the cloud drives efficiency, velocity, and scalability. An automated security lifecycle also eliminates manual, error-prone query development. It can also dramatically improve cost savings by freeing IT staff to focus on more strategic business objectives. As enterprises migrate to the cloud, they should strongly consider automation of the entire security lifecycle, from threat detection to remediation, across all cloud services.