WHITEPAPER Rethinking the Security Operations Center for the Cloud & Mobile Era


The Problem

Securing and mitigating risks to information assets has been a long-standing concern for IT security teams in organizations of all sizes. To protect enterprise data centers and information, vendors have developed an increasing array of technologies, like firewalls, IDS/IPS, eDiscovery platforms, anti-virus/anti-malware, SIEM solutions, and so on. Over time, organizations have set up Security Operations Centers (SOCs) to help manage these technologies. The evolution of these platforms has been centered on keeping up with the evolution of the broader threat landscape – so that organizations are best positioned to deal with the latest techniques crafted by attackers.

While this development has continued with reasonable progress, it has been broadsided by one of the biggest shifts in the IT industry in the last several decades, namely the rapid migration to cloud applications and services. The highly centralized, controlled, and infrastructure-laden organizations of yesterday are now transforming into much more agile, decentralized, and elastic enterprises. As these organizations adopt cloud services in greater numbers, desirable goals like security and visibility are left behind. (Figure 1)

attractive alternative for enterprise users looking to streamline their work activities, collaborate easily with colleagues, and be more productive. Instead of requesting IT organizations to deploy new applications (a process that can take months), cloud applications enable users to be online and productive in days, if not hours – resulting in Shadow IT. However, migrating data from single-tenant private data centers to loosely managed multi-tenant third-party data centers, where employees can access that data from anywhere, exposes corporate data to new threats.

One option would simply be to block employees from using cloud applications and services, but that

Figure 1: Cloud services expose a blind spot with traditional security ops centers. [Diagram: a Security Operations Center and its security solutions (IDS/IPS, firewall, SIEM, eDiscovery, etc.) cover on-premise applications, while cloud services sit outside that coverage, marked with a question mark.]

Copyright © 2014 Elastica, Inc. | www.elastica.net


marketplace. More so, they need to accommodate a growing mobile workforce. Employees entering today’s workforce bring their own devices, along with an increasing degree of technical comfort.

Therefore, we need a new solution that enables organizations to embrace cloud applications and services without compromising security or compliance policies. This premise led to the formation of Elastica and the creation of the CloudSOC™ platform.

Rethinking the Traditional Security Operations Center (SOC)

As traditional enterprise applications migrate to their cloud equivalents (file sharing, CRM, etc.), traditional SOCs lose both visibility and control. To address this new blind spot, Elastica developed the idea of the CloudSOC™ platform. The CloudSOC™ can provide augmentation for organizations with an existing SOC – addressing the cloud services used by the organization. Newer organizations that are heavily invested in cloud infrastructure can use CloudSOC™ as their de facto SOC.

It is important to understand where the idea of CloudSOC™ fits among incumbent approaches for safeguarding cloud services. Single sign-on (SSO) solutions and mobile security solutions, like mobile device management (MDM) and mobile application management (MAM), are certainly key ingredients in this emerging cloud and mobile era. They form a good starting point, as they conveniently manage user identities, ensure credentialed access to cloud applications, and control business applications on mobile devices. However, while usernames and passwords protect the walls of the castle, what happens inside the kingdom remains a mystery.

What if an individual’s username and password are compromised? Or the user provides appropriate credentials, but their system is compromised with malicious software (malware) and the connection to a cloud service is surreptitiously co-opted without the user’s knowledge? Alternatively, what if an insider knowingly (or even unknowingly) engages in activity that could cause irreparable harm to his employer?

organizations need visibility into the underlying actions associated with cloud services. Without this level of insight, there is no reliable way to ensure that corporate assets are safe and compliant.

Data Science Powered Cloud Security

Traditional security methods have led to an arms race of identifying known threats through signatures and preparing defenses against those attacks. Today’s emerging environment, with assets in an opaque cloud that can be accessed from anywhere and with any device, requires a modern security approach for identifying threats in real time, using advanced data science techniques, regardless of origin.

Security needs to start with visibility across all aspects of your environment, especially blind spots. You cannot protect what you cannot see. Visibility ultimately involves being able to gather, analyze, visualize, and glean insights from data. And all of these areas fall under the aegis of data science. Therefore, a core tenet at Elastica is that security is fundamentally a data science problem.


Alongside the growing risks organizations face when deploying cloud services, there has fortunately been commensurate progress in developing techniques from the field of data science that can be used towards helping organizations understand and manage these newly incurred risks. Recent advances in

corresponding to these capabilities.

Elastica’s CloudSOC™ Solution

Elastica has incorporated these advances into an overall data science platform that forms the basis for CloudSOC™. The platform ingests data from several sources, including: (1) a transparent gateway that sits between organizations and the cloud services they employ; (2) Application Programmer Interfaces (APIs) provided by third-party cloud services; (3) logs from common enterprise-grade firewalls and next-generation firewalls; and (4) data from mobile devices via MDM solutions. These data sources are processed and automatically analyzed. The insights from that analysis are percolated to the enterprise administrator via an intuitive graphical user interface (GUI) that not only provides visibility into how cloud services are used, but also facilitates crafting custom policies and taking corresponding actions. (Figure 2)

It is important to stress our stance that usability is a crucial design goal for security technologies. As organizations get more complex, they may find themselves deploying products from a rapidly growing number of vendors. On the flip side, the personnel devoted to managing and using new technologies remain relatively fixed. Therefore, new security technologies simply cannot mandate a steep learning curve. The user interface and configurations for Elastica’s CloudSOC™ are designed to conveniently summarize complex data. Not only can customized policies and controls be created, but they also get simultaneously translated across many applications, which simplifies the task of configuring and administering the system.

we typically refer to the threat landscape as a single uniform monolithic entity, the reality is that each

and extended in a way that optimally suits them, but they need to know that as the threat landscape evolves, they can augment the platform as needed. Aside from that, new cloud applications and services are being introduced at a staggering rate. Providing security coverage for these applications becomes problematic, as traditional methods of creating custom signatures do not scale.

Therefore, extensibility is necessary for securing the elastic enterprise. Elastica’s StreamIQ™ technology enables support for a large number of cloud services and is designed to enable quick support for new

as well as how they are being used – even for applications that have never been encountered previously.

Figure 2: Elastica platform. [Diagram: the Elastica CloudSOC™ ingests data from the Elastica Gateway, cloud service APIs, firewall logs, and MDM into real-time processing, which feeds the Audit, Detect, Protect, and Investigate applications.]


Elastica’s StreamIQ™ technology is based on advanced machine learning techniques that not only identify and learn new applications, but also enable rapid security coverage for these new applications.

CloudSOC™ is itself a cloud-based service – figuratively sitting in proximity to the very cloud applications it is protecting. As organizations supplant traditional enterprise applications with cloud-hosted counterparts, it

Elastica Applications: Audit, Protect, Detect, and Investigate

applications: Audit, Protect, Detect, and Investigate.

Audit

When it comes to the security of cloud services, organizations typically like to start by determining what cloud applications and services their employees are utilizing in the first place. Elastica’s CloudSOC™ analyzes customer firewall log data to provide this information. Customers have consistently found the exercise to be highly illuminating from a discovery standpoint. Typically, they expect a handful of applications to surface among their users, but what they actually discover is an order of magnitude greater.

In some instances, a well-intentioned employee might be accessing a personal cloud service from a corporate asset. Other situations might involve Shadow IT. In these cases, groups may be using cloud services with important business-critical data while operating outside the purview (and without the blessing) of the information security team.

Basic cloud service discovery is relatively straightforward. In and of itself, however, it is of limited value. What organizations ultimately need to understand is whether the cloud services being employed are business ready. Elastica’s CloudSOC™ addresses this concern by juxtaposing each discovered cloud service and SaaS application with a Business Readiness Rating™. Furthermore, organizations can drill into the rating to understand the tangible underlying risks. (Figure 3) Elastica determines this rating by analyzing cloud services using a large number of criteria. For example,

administered? Is data encrypted in motion or at rest? What compliance certifications does the provider have? Further, the rating criteria are customizable. For example, perhaps you care about whether the service provides an administrative audit trail, but you might not care as much

get automated cloud service business readiness ratings in a way that is specifically tailored to their environment. Some customers use this functionality to compare current applications with alternatives that provide analogous functionality (but with less risk). This “comparison shopping” capability is directly built into Elastica’s CloudSOC™ Audit application.
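The discovery and rating steps described in this Audit section, as an added example that is not Elastica's code: it parses a few constructed firewall log lines to find which cataloged cloud services users actually reach, scores each service 0-10 against a set of yes/no criteria grouped the way Figure 3 labels them (Access, Administrative, Business), lets an administrator reweight or drop criteria, and lists better-rated alternatives for "comparison shopping". The log format, the service catalog, the criteria and every score are assumptions made up for the illustration.

```python
"""Cloud service discovery from firewall logs plus a customizable readiness rating.

Added illustration, not Elastica code. The log format, service catalog,
criteria and all scores are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed firewall log lines (a key=value style invented for the example).
FIREWALL_LOG = """\
2014-09-01T08:01:02Z src=10.1.4.22 user=alice dst=files.example-share.com dport=443 action=allow
2014-09-01T08:01:09Z src=10.1.4.22 user=alice dst=api.example-crm.com dport=443 action=allow
2014-09-01T08:02:11Z src=10.1.7.13 user=bob dst=files.example-share.com dport=443 action=allow
2014-09-01T08:03:40Z src=10.1.7.13 user=bob dst=www.example-notes.io dport=443 action=allow
2014-09-01T08:04:05Z src=10.1.9.8 user=carol dst=www.example-notes.io dport=443 action=allow
2014-09-01T08:04:30Z src=10.1.9.8 user=carol dst=intranet.corp.local dport=80 action=allow
2014-09-01T08:05:00Z src=10.1.9.9 user=dave dst=files.example-share.com dport=443 action=deny
"""

# Constructed catalog: registered domain -> cloud service name.
SERVICE_CATALOG = {
    "example-share.com": "ExampleShare",
    "example-crm.com": "ExampleCRM",
    "example-notes.io": "ExampleNotes",
}

LOG_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+) .*action=(?P<action>\S+)")


def discover_services(log_text):
    """Map each cataloged cloud service to the set of users who reached it (allowed flows only)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != "allow":
            continue
        host = m.group("dst").lower()
        for domain, name in SERVICE_CATALOG.items():
            if host == domain or host.endswith("." + domain):
                seen[name].add(m.group("user"))
    return dict(seen)


# Constructed yes/no answers (1/0) per service for each rating criterion.
CRITERIA = {
    "ExampleShare": {"sso": 1, "mfa": 1, "admin_audit_trail": 1, "encrypt_in_transit": 1, "encrypt_at_rest": 1, "soc2": 1},
    "ExampleCRM":   {"sso": 1, "mfa": 0, "admin_audit_trail": 1, "encrypt_in_transit": 1, "encrypt_at_rest": 0, "soc2": 1},
    "ExampleNotes": {"sso": 0, "mfa": 0, "admin_audit_trail": 0, "encrypt_in_transit": 1, "encrypt_at_rest": 0, "soc2": 0},
}

# Criteria grouped the way Figure 3 labels them.
CATEGORIES = {
    "Access": ["sso", "mfa"],
    "Administrative": ["admin_audit_trail"],
    "Business": ["encrypt_in_transit", "encrypt_at_rest", "soc2"],
}

# Default: every criterion counts equally. An administrator supplies a different dict to customize.
DEFAULT_WEIGHTS = {c: 1.0 for names in CATEGORIES.values() for c in names}


def readiness_rating(service, weights=DEFAULT_WEIGHTS):
    """Weighted 0-10 score; a criterion absent from `weights` (or weighted 0) is ignored."""
    answers = CRITERIA[service]
    total = sum(weights.get(c, 0.0) for c in answers)
    if total == 0:
        raise ValueError("no rating criteria selected")
    earned = sum(weights.get(c, 0.0) * answers[c] for c in answers)
    return round(10 * earned / total, 1)


def category_breakdown(service, weights=DEFAULT_WEIGHTS):
    """Per-category sub-scores so an administrator can drill into a rating."""
    answers = CRITERIA[service]
    out = {}
    for category, names in CATEGORIES.items():
        total = sum(weights.get(n, 0.0) for n in names)
        earned = sum(weights.get(n, 0.0) * answers[n] for n in names)
        out[category] = round(10 * earned / total, 1) if total else None
    return out


def safer_alternatives(service, weights=DEFAULT_WEIGHTS):
    """Cataloged services that rate higher than `service` under the same weights, best first."""
    base = readiness_rating(service, weights)
    better = [s for s in CRITERIA if s != service and readiness_rating(s, weights) > base]
    return sorted(better, key=lambda s: -readiness_rating(s, weights))


if __name__ == "__main__":
    for name, users in sorted(discover_services(FIREWALL_LOG).items()):
        print(f"{name}: {len(users)} users, rating {readiness_rating(name)} {category_breakdown(name)}")
        for alt in safer_alternatives(name):
            print(f"  better-rated alternative: {alt} ({readiness_rating(alt)})")
```

Two details carry the security point: only allowed flows count as "in use" (the denied flow from dave is not discovery), and the domain match requires an exact or dotted-subdomain match, so a look-alike host cannot be mis-attributed to a sanctioned service.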

Figure 3: Business Readiness Rating™. [Chart: three services (Service 1, Service 2, Service 3) scored on Access, Administrative, and Business criteria.]


Detect

behavior was carried out intentionally by a human or carried out surreptitiously by malware. Beyond identifying malicious behavior through pattern matching, Elastica employs anomaly detection mechanisms that are generated via machine learning approaches. These approaches essentially model typical user behavior with respect to particular applications and actions within those applications. Based on these models, undesirable behavior can be identified. For example, is a user starting to delete a substantial number of files from a shared folder associated with a file sharing application? Does the user appear to be scraping an excessive amount of customer data from a CRM application? Are actions being conducted by the user or are they being conducted by surreptitious software (e.g., malware) without the user’s knowledge? Elastica assigns a ThreatScore™ to the activities of each user, which provides immediate insight into security issues and can be used to trigger real-time actions. These approaches are not only data driven, but they are largely automated – enabling faster and more comprehensive detection of malicious activity. In a world where threats are rapidly morphing and highly ephemeral, there is little time to lose when trying to identify them.
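The behavioral modeling this section describes, as an added example that is not Elastica's StreamIQ™ or ThreatScore™ implementation: a constructed 14-day history of per-user, per-application actions is reduced to a daily-count baseline; "today's" activity is scored against it (the bulk file deletion and CRM export questions from the text), and a second signal flags a run of actions spaced faster than a person clicks, which is one way to separate a human from software acting on the user's behalf. The event format, the thresholds and the 0-100 scale are assumptions made for the illustration.

```python
"""Behavioral baselining and anomaly scoring over cloud activity events.

Added illustration, not Elastica's StreamIQ or ThreatScore implementation.
The event format, the 14-day history, the thresholds and the 0-100 scale are
all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _history():
    """Constructed history: alice deletes 2-4 files a day, bob exports one CRM report a day."""
    events = []
    for day in range(1, 15):
        for i in range(day % 3 + 2):
            events.append(("alice", "fileshare", "delete", f"2014-09-{day:02d}T10:{i * 10:02d}:00Z"))
        events.append(("bob", "crm", "export", f"2014-09-{day:02d}T11:00:00Z"))
    return events


HISTORY = _history()
# Constructed "today": alice deletes 40 files at 03:00, one per second; bob runs five exports.
TODAY = [("alice", "fileshare", "delete", f"2014-09-15T03:00:{s:02d}Z") for s in range(40)]
TODAY += [("bob", "crm", "export", f"2014-09-15T11:{m:02d}:00Z") for m in range(0, 50, 10)]


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def daily_counts(events):
    """{(user, app, action): {date: count}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for user, app, action, stamp in events:
        counts[(user, app, action)][stamp[:10]] += 1
    return counts


def build_baseline(history):
    """Mean and population std-dev of the daily count for every (user, app, action)."""
    baseline = {}
    for key, per_day in daily_counts(history).items():
        vals = list(per_day.values())
        baseline[key] = (mean(vals), pstdev(vals))
    return baseline


def volume_anomaly(key, today_count, baseline):
    """Z-score of today's count; a std-dev floor of 1 stops a perfectly regular
    history from turning any deviation at all into an infinite score."""
    mu, sigma = baseline.get(key, (0.0, 0.0))
    return max(0.0, (today_count - mu) / max(sigma, 1.0))


def machine_cadence(stamps, max_gap_seconds=2.0, min_events=10):
    """True for a long run of actions spaced faster than a person clicks (constructed heuristic)."""
    if len(stamps) < min_events:
        return False
    times = sorted(_ts(s) for s in stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) <= max_gap_seconds


def threat_scores(today, baseline):
    """Per-user 0-100 score plus the reasons that raised it."""
    scores = defaultdict(lambda: {"score": 0, "reasons": []})
    for key, per_day in daily_counts(today).items():
        user, app, action = key
        count = sum(per_day.values())
        z = volume_anomaly(key, count, baseline)
        if z >= 2.0:
            mu = baseline.get(key, (0.0, 0.0))[0]
            entry = scores[user]
            entry["score"] = min(100, entry["score"] + int(round(10 * z)))
            entry["reasons"].append(f"{count} x {action} on {app} today vs {mu:.1f}/day baseline")
    stamps_by_user = defaultdict(list)
    for user, _app, _action, stamp in today:
        stamps_by_user[user].append(stamp)
    for user, stamps in stamps_by_user.items():
        entry = scores[user]  # also creates a zero entry for users with nothing unusual
        if machine_cadence(stamps):
            entry["score"] = min(100, entry["score"] + 25)
            entry["reasons"].append("machine-like cadence: actions <= 2s apart")
    return dict(scores)


if __name__ == "__main__":
    for user, entry in sorted(threat_scores(TODAY, build_baseline(HISTORY)).items()):
        print(user, entry["score"], *entry["reasons"], sep=" | ")
```

The score is built from named reasons rather than a bare number so that the Investigate step has something to pivot on; the std-dev floor is the edge case worth remembering, since a user whose history is perfectly regular would otherwise score infinitely on a one-file deviation.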

Investigate

The detection of threats is often just a starting point for IT administrators. When an incident occurs, it is typically necessary to dig deeper and understand the context around that incident. Because Elastica’s CloudSOC™ gathers and processes data prior to the identification of threat activity, administrators can go back and reconstruct precisely what happened – thereby saving organizations many hours of work. This data is not only collected and analyzed based on cloud activity, but it is presented in human-readable form.

This last point is worth emphasizing. Even though one might be able to determine what cloud service is

Because Elastica has gathered tremendous intelligence regarding cloud services, we are able to determine

Elastica provides this visibility even for cloud services that do not have their own inherent logs or APIs.

Investigating and responding to threats takes on extreme importance as the threat landscape evolves.

know what defenses they are up against, and they will try to craft threats that bypass those defenses. In the face of such attackers, organizations have to put forethought into how they will respond. Typically in the incident response phase, the goal is to understand the scope, the ramifications, and ideally the root cause of threats to the environment. Being able to pull up historical data after the fact is invaluable in such cases.

Protect

damage caused, organizations can easily find themselves playing perpetual whack-a-mole. To sidestep this problem, Elastica’s CloudSOC™ platform enables customers to create and enforce custom policies.


Moreover, because these policies can be crafted based on the insights gleaned from the other aspects of CloudSOC™, they yield definitive risk mitigation measures. It is important to note that in the context of cloud services, it is desirable to have policies that are not simply black or white. For example, an enterprise administrator might be fine with the use of a particular file sharing application, but they may want to block a user from sharing a file with someone outside the organization. Because Elastica has visibility into the actions associated with a given application, we enable customers to create and enforce these types of more granular policies.

Ultimately, organizations need to take a holistic view of the risks they face when leveraging cloud services. That view is driven by having visibility into those services, and that visibility can be attained via CloudSOC™ applications like Audit, Detect, Protect, and Investigate, all of which are fueled by data science.
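The "not simply black or white" policy from the Protect section, as an added example that is not Elastica's policy engine: an ordered, first-match rule set that allows a sanctioned file sharing application but blocks a share whose recipient is outside the organization, raises an alert when a user whose threat score is already high downloads data (the text says the score can trigger real-time actions), and blocks unsanctioned applications by default. The organization's domains, the rule names, the event fields and the score threshold are assumptions made for the illustration.

```python
"""Action-level policy evaluation for sanctioned cloud applications.

Added illustration, not Elastica's policy engine. Org domains, rule names,
event fields and the threat-score threshold are constructed for this example.
"""

# Constructed: domains that count as "inside the organization".
ORG_DOMAINS = {"example.com"}


def is_external(recipient):
    """True unless the recipient's domain is an org domain or a dotted subdomain of one.
    Plain suffix matching is deliberately avoided: 'example.com.evil.net' must not pass."""
    domain = recipient.rsplit("@", 1)[-1].strip().lower()
    if not domain:
        return True  # no recipient at all is treated as external (fail closed)
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


# Ordered, first-match policy. A rule matches on app and action ("*" = any) plus an
# optional predicate over the event. Anything not matched falls through to DEFAULT.
POLICY = [
    {"name": "block-external-share", "app": "fileshare", "action": "share",
     "when": lambda e: is_external(e.get("recipient", "")), "effect": "block"},
    {"name": "alert-download-by-risky-user", "app": "*", "action": "download",
     "when": lambda e: e.get("threat_score", 0) >= 60, "effect": "alert"},
    {"name": "allow-sanctioned-fileshare", "app": "fileshare", "action": "*",
     "when": None, "effect": "allow"},
    {"name": "allow-sanctioned-crm", "app": "crm", "action": "*",
     "when": None, "effect": "allow"},
]
DEFAULT = ("block", "default-unsanctioned-app")


def evaluate(event, policy=POLICY):
    """Return (effect, rule name) for one cloud activity event dict."""
    for rule in policy:
        if rule["app"] not in ("*", event["app"]):
            continue
        if rule["action"] not in ("*", event["action"]):
            continue
        if rule["when"] is None or rule["when"](event):
            return rule["effect"], rule["name"]
    return DEFAULT


# Constructed sample events, including a look-alike external domain.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "fileshare", "action": "share", "recipient": "bob@example.com"},
    {"user": "alice", "app": "fileshare", "action": "share", "recipient": "eve@example.com.evil.net"},
    {"user": "bob", "app": "fileshare", "action": "share", "recipient": "pat@hr.example.com"},
    {"user": "bob", "app": "crm", "action": "download", "threat_score": 80},
    {"user": "carol", "app": "crm", "action": "download", "threat_score": 10},
    {"user": "carol", "app": "unsanctioned-app", "action": "upload"},
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Evaluate every event in order and return the list of (effect, rule name)."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (effect, rule) in zip(SAMPLE_EVENTS, evaluate_all()):
        print(f"{effect:5} {rule:30} {event}")
```

Rule order is part of the policy: the block rule for external sharing sits above the blanket allow for the same application, so an administrator who reorders the list changes its meaning. Returning the matched rule's name with the effect is what makes the decision auditable later.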

Enabling the Elastic Enterprise

Enterprise organizations are generally tackling three critical cybersecurity challenges:

• Rapid proliferation of new technologies. As concepts like cloud, BYOD, Internet of Things, etc., enter into the IT lexicon, organizations need to build commensurate expertise in understanding the security implications of these trends.

• The evolving threat landscape.

especially in areas they perceive to be blind spots. Detecting and blocking every conceivable threat quickly becomes a war of attrition.

• Managing complexity. Enterprises are working with more third-party vendors and partners than ever. This complexity not only creates more work, but also introduces security risks because of an increased attack surface. Also, it becomes likely that products and services are not being used in an optimal manner.

Elastica’s driving force is to develop technologies that cut across this set of challenges. Applications like Audit, Detect, Protect, and Investigate built on top of the CloudSOC™ platform can be used to address all three areas concurrently. First, the move towards cloud-based applications has been one of the most vibrant shifts in the evolution of IT infrastructures. Second, because attackers customize their threats, it is essential to take a holistic view of cloud application usage, involving processing, visualizing, and gleaning insights into the data associated with these applications (largely in an automated fashion). Threat detection is both important and necessary, but visibility must be the foundation. Finally, as our customers leverage more cloud services, they have to manage the resulting complexity, which CloudSOC™ allows you to do.


Ultimately, the elastic enterprise transcends elasticity in the amount of raw computing power and storage that organizations leverage. It is also about elasticity in employee productivity. For organizations to thrive and stay agile in today’s competitive environment, their employees need access to the best resources, services, and devices.

Historically, security concerns represent a deterrent to such flexibility. In the context of Elastica, however, we can reverse this paradigm and think of security as an enabler. The move to leveraging cloud services is an inevitable reality. Despite the plethora of benefits associated with cloud services, the core hurdle for organizations involves understanding the corresponding risks and managing them. Elastica holistically addresses critical security concerns and mitigates risk so that organizations can feel confident in embracing a cloud-enabled world.
