rethinking the security operations center for the cloud & mobile … · 2018-02-07 ·...
WHITEPAPER
Rethinking the Security Operations Center for the Cloud & Mobile Era
The Problem
Securing and mitigating risks to information assets has been a long-standing concern for IT security teams
in organizations of all sizes. To protect enterprise data centers and information, vendors have developed
an increasing array of technologies, like Firewalls, IDS/IPS, eDiscovery platforms, Anti-Virus/Anti-Malware,
SIEM solutions, and so on. Over time, organizations have set up Security Operations Centers (SOCs) to help
manage these technologies. The evolution of these platforms has been centered on keeping up with the
evolution of the broader threat landscape – so that organizations are best positioned to deal with the latest
techniques crafted by attackers.
While this development has continued with reasonable progress, it has been broadsided by one of the
biggest shifts in the IT industry in the last several decades, namely the rapid migration to cloud applications
and services. The highly centralized, controlled, and infrastructure-laden organizations of yesterday are
now transforming into much more agile, decentralized, and elastic enterprises. As these organizations
adopt cloud services in greater numbers, desirable goals like security and visibility are left behind. (Figure 1)
attractive alternative for enterprise users looking to streamline their work activities, collaborate easily with
colleagues, and be more productive. Instead of requesting IT organizations to deploy new applications (a
process that can take months), cloud applications enable users to be online and productive in days, if not
hours – resulting in Shadow IT. However, migrating data from single-tenant private data centers to loosely
managed multi-tenant third-party data centers, where employees can access that data from anywhere,
exposes corporate data to new threats.
One option would simply be to block employees from using cloud applications and services, but that
Figure 1: Cloud services expose a blind spot with traditional security ops centers. (Diagram: the Security
Operation Center's security solutions, such as IDS/IPS, firewall, SIEM and eDiscovery, cover on-premise
applications; cloud services are marked with a question mark.)
Copyright © 2014 Elastica, Inc. | www.elastica.net
marketplace. Moreover, they need to accommodate a growing mobile workforce. Employees entering
today's workforce bring their own devices, along with an increasing degree of technical comfort.
Therefore, we need a new solution that enables organizations to embrace cloud applications and services
without compromising security or compliance policies. This premise led to the formation of Elastica and the
creation of the CloudSOC™ platform.
Rethinking the Traditional Security Operations Center (SOC)
As traditional enterprise applications migrate to their cloud equivalents (file sharing, CRM, etc.), traditional
SOCs lose both visibility and control. To address this new blind spot, Elastica developed the idea of the
CloudSOC™ platform. The CloudSOC™ can augment an organization's existing SOC by covering the cloud
services the organization uses. Newer organizations that are heavily invested in cloud infrastructure can
use CloudSOC™ as their de facto SOC.
It is important to understand where the idea of CloudSOC™ fits among incumbent approaches for
safeguarding cloud services. Single sign-on (SSO) solutions and mobile security solutions, like mobile
device management (MDM) and mobile application management (MAM), are certainly key ingredients in
this emerging cloud and mobile era. They form a good starting point, as they conveniently manage user
identities, ensure credentialed access to cloud applications, and control business applications on mobile
devices. However, while usernames and passwords protect the walls of the castle, what happens inside the
kingdom remains a mystery.
What if an individual’s username and password are compromised? Or the user provides appropriate
credentials, but their system is compromised with malicious software (malware) and the connection to
a cloud service is surreptitiously co-opted without the user's knowledge? Alternatively, what if an insider
knowingly (or even unknowingly) engages in activity that could cause irreparable harm to their employer?
organizations need visibility into the underlying actions associated with cloud services. Without this level of
insight, there is no reliable way to ensure that corporate assets are safe and compliant.
Data Science Powered Cloud Security
Traditional security methods have led to an arms race of identifying known threats through signatures
and preparing defenses against those attacks. Today’s emerging environment, with assets in an opaque
cloud that can be accessed from anywhere and with any device, requires a modern security approach for
identifying threats in real-time, using advanced data science techniques, regardless of origin.
Security needs to start with visibility across all aspects of your environment, especially blind spots. You
cannot protect what you cannot see. Visibility ultimately involves being able to gather, analyze, visualize,
and glean insights from data. And all of these areas fall under the aegis of data science. Therefore, a core
tenet at Elastica is that security is fundamentally a data science problem.
Alongside the growing risks organizations face when deploying cloud services, there has fortunately
been commensurate progress in developing techniques from the field of data science that can be used
towards helping organizations understand and manage these newly incurred risks. Recent advances in
corresponding to these capabilities.
Elastica's CloudSOC™ Solution
Elastica has incorporated these advances into an overall data science platform that forms the basis for
CloudSOC™. The platform ingests data from several sources, including: (1) a transparent gateway that sits
between organizations and the cloud services they employ; (2) Application Programming Interfaces (APIs)
provided by third-party cloud services; (3) logs from common enterprise-grade firewalls and next-generation
firewalls; and (4) data from mobile devices via MDM solutions. These data sources are processed and
automatically analyzed. The insights from that analysis are surfaced to the enterprise administrator via an
intuitive graphical user interface (GUI) that not only provides visibility into how cloud services are used, but
also facilitates crafting custom policies and taking corresponding actions. (Figure 2)
It is important to stress our stance that usability is a crucial design goal for
security technologies. As organizations get more complex, they may find
themselves deploying products from a rapidly growing number of vendors.
On the flip side, the personnel devoted to managing and using new technologies remains relatively fixed.
Therefore, new security technologies simply cannot mandate a steep learning curve. The user interface and
configurations for Elastica’s CloudSOC™ are designed to conveniently summarize complex data. Not only
can customized policies and controls be created, but they also get simultaneously translated across many
applications, which simplifies the task of configuring and administering the system.
we typically refer to the threat landscape as a single uniform monolithic entity, the reality is that each
and extended in a way that optimally suits them, but they need to know that as the threat landscape
evolves, they can augment the platform as needed. Aside from that, new cloud applications and services
are being introduced at a staggering rate. Providing security coverage for these applications becomes
problematic, as the traditional method of creating custom signatures does not scale.
Therefore, extensibility is necessary for securing the elastic enterprise. Elastica’s StreamIQ™ technology
enables support for a large number of cloud services and is designed to enable quick support for new
as well as how they are being used – even for applications that have never been encountered previously.
Figure 2: Elastica platform. (Diagram: data from the Elastica Gateway, cloud service APIs, firewall logs and
MDM flows into real-time processing in Elastica CloudSOC™, which drives the Audit, Detect, Protect and
Investigate applications.)
Elastica’s StreamIQ™ technology is based on advanced machine learning techniques that not only identify
and learn new applications, but also enable rapid security coverage for these new applications.
CloudSOC™ is itself a cloud-based service – figuratively sitting in proximity to the very cloud applications it
is protecting. As organizations supplant traditional enterprise applications with cloud-hosted counterparts, it
Elastica Applications: Audit, Protect, Detect, and Investigate
applications: Audit, Protect, Detect, and Investigate.
Audit
When it comes to the security of cloud services, organizations typically like to start by determining what
cloud applications and services their employees are utilizing in the first place. Elastica’s CloudSOC™
analyzes customer firewall log data to provide this information. Customers have consistently found
the exercise to be highly illuminating from a discovery standpoint. Typically, they expect a handful of
applications to surface among their users, but what they actually discover is an order of magnitude greater.
In some instances, a well-intentioned employee might be accessing a personal cloud service from a
corporate asset. Other situations might involve Shadow IT. In these cases, groups may be using cloud
services with important business critical data while operating outside the purview (and without the blessing)
of the information security team.
Basic cloud service discovery is relatively straightforward. In and of itself, however, it is of limited value.
What organizations ultimately need to understand is whether the cloud services being employed are
business ready. Elastica’s CloudSOC™ addresses this concern by juxtaposing each discovered cloud
service and SaaS application with a Business Readiness Rating™.
Furthermore, organizations can drill into the rating to understand the
tangible underlying risks. (Figure 3) Elastica determines this rating by
analyzing cloud services using a large number of criteria. For example,
administered? Is data encrypted in motion or at rest? What compliance
certifications does the provider have? Further, the rating criteria are
customizable. For example, perhaps you care about whether the service
provides an administrative audit trail, but you might not care as much
get automated cloud service business readiness ratings in a way that
is specifically tailored to their environment. Some customers use this
functionality to compare current applications with alternatives that provide
analogous functionality (but with less risk). This “comparison shopping”
capability is directly built into Elastica’s CloudSOC™ Audit application.
Figure 3: Business Readiness Rating™. (Chart: per-criterion scores for Service 1, Service 2 and Service 3 in
the Access, Administrative and Business categories.)
Detect
behavior was carried out intentionally by a human or carried out surreptitiously by malware. Beyond
identifying malicious behavior through pattern matching, Elastica employs anomaly detection mechanisms
that are generated via machine learning approaches. These approaches essentially model typical user
behavior with respect to particular applications and actions within those applications. Based on these
models, undesirable behavior can be identified. For example, is a user starting to delete a substantial
number of files from a shared folder associated with a file sharing application? Does the user appear to
be scraping an excessive amount of customer data from a CRM application? Are actions being conducted
by the user or are they being conducted by surreptitious software (e.g., malware) without the user’s
knowledge? Elastica assigns a ThreatScore™ to the activities of each user, which provides immediate insight
into security issues and can be used to trigger real-time actions. These approaches are not only data driven,
but they are largely automated – enabling faster and more comprehensive detection of malicious activity. In
a world where threats are rapidly morphing and highly ephemeral, there is little time to lose when trying to
identify them.
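The behavioral modeling described in this section can be illustrated with a small added Python example (written for this page; it is not Elastica's StreamIQ™ or ThreatScore™ implementation). It builds a per-user, per-action baseline from constructed daily counts, flags today's counts that sit more than three standard deviations above that baseline, separates machine-like bursts from interactive activity by the regularity of their timing, and rolls the findings into a 0-100 score per user. The history, the events, the threshold and the point values are assumptions.

```python
"""Behavioral anomaly detection over cloud activity, with a per-user threat score.

Added example, not Elastica's StreamIQ(TM)/ThreatScore(TM) implementation. The
history, the events, the threshold and the point values are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: daily counts of each (user, app, action) over ten prior
# days. A deployment would derive these from gateway, API and log data.
BASELINE_HISTORY = {
    ("alice", "ShareBox", "delete"):   [2, 0, 3, 1, 2, 0, 1, 4, 2, 1],
    ("alice", "ShareBox", "download"): [15, 12, 20, 9, 14, 11, 16, 13, 10, 18],
    ("bob", "CRMCloud", "export"):     [1, 0, 0, 2, 1, 0, 0, 1, 0, 1],
}

T0 = 1398931200  # constructed start of "today" (unix seconds)
# Constructed events for today: (timestamp, user, app, action). Alice's account
# fires 60 deletes exactly five seconds apart, which no person clicking does.
TODAY_EVENTS = (
    [(T0 + 5 * i, "alice", "ShareBox", "delete") for i in range(60)]
    + [(T0 + 9000, "alice", "ShareBox", "download"),
       (T0 + 9310, "bob", "CRMCloud", "export"),
       (T0 + 9450, "bob", "CRMCloud", "export"),
       (T0 + 9500, "carol", "CRMCloud", "export")]
)

SPIKE_CAP = 50           # max points one anomalous (app, action) can contribute
SCRIPTED_BONUS = 25      # extra points when the timing looks automated
NO_BASELINE_POINTS = 15  # novel behaviour is suspicious but not yet a spike


def zscore(count, history):
    """How many standard deviations today's count sits above the user's norm."""
    sigma = pstdev(history) or 1.0  # floor so a perfectly flat history still scores
    return (count - mean(history)) / sigma


def is_machine_like(timestamps, min_events=20, max_cv=0.1):
    """Events at near-constant intervals look scripted (malware), not human."""
    if len(timestamps) < min_events:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return True  # a burst inside one second is not interactive use
    return pstdev(gaps) / avg <= max_cv


def score_events(events, history=BASELINE_HISTORY, threshold_z=3.0):
    """Return ({user: ThreatScore 0-100}, {user: [findings]}) for today's events."""
    buckets = defaultdict(list)
    for ts, user, app, action in sorted(events):
        buckets[(user, app, action)].append(ts)

    scores = defaultdict(int)
    findings = defaultdict(list)
    for (user, app, action), stamps in buckets.items():
        scores[user] += 0  # make sure every active user gets a score, even 0
        hist = history.get((user, app, action))
        if hist is None:
            findings[user].append((app, action, "no baseline", len(stamps)))
            scores[user] += NO_BASELINE_POINTS
            continue
        z = zscore(len(stamps), hist)
        if z < threshold_z:
            continue
        scripted = is_machine_like(stamps)
        kind = "scripted" if scripted else "interactive"
        findings[user].append((app, action, f"{kind} spike, z={z:.1f}", len(stamps)))
        scores[user] += min(SPIKE_CAP, int(10 * z)) + (SCRIPTED_BONUS if scripted else 0)
    return {u: min(100, s) for u, s in scores.items()}, dict(findings)


if __name__ == "__main__":
    scores, findings = score_events(TODAY_EVENTS)
    for user, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(user, score, findings.get(user, []))
```

On the constructed data Alice's 60 deletes are roughly 49 standard deviations above her norm and arrive at a fixed cadence, so she is scored as a scripted spike; Bob's two CRM exports are within his normal range and score zero; Carol has no history for the action at all, which earns a small score rather than silence, since the absence of a baseline is itself something an analyst should see.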
Investigate
The detection of threats is often just a starting point for IT administrators. When an incident occurs, it is
typically necessary to dig deeper and understand the context around that incident. Because Elastica’s
CloudSOC™ gathers and processes data prior to the identification of threat activity, administrators can go
back and reconstruct precisely what happened – thereby saving organizations many hours of work. This
data is not only collected and analyzed based on cloud activity, but it is presented in human readable form.
This last point is worth emphasizing. Even though one might be able to determine what cloud service is
Because Elastica has gathered tremendous intelligence regarding cloud services, we are able to determine
Elastica provides this visibility even for cloud services that do not have their own inherent logs or APIs.
Investigating and responding to threats takes on extreme importance as the threat landscape evolves.
know what defenses they are up against, and they will try to craft threats that bypass those defenses. In the
face of such attackers, organizations have to put forethought into how they will respond. Typically in the
incident response phase, the goal is to understand the scope, the ramifications, and ideally the root cause
of threats to the environment. Being able to pull up historical data after the fact is invaluable in such cases.
Protect
damage caused, organizations can easily find themselves playing perpetual whack-a-mole. To sidestep
this problem, Elastica’s CloudSOC™ platform enables customers to create and enforce custom policies.
Moreover, because these policies can be crafted based on the insights gleaned from the other aspects
of CloudSOC™, they yield definitive risk mitigation measures. It is important to note that in the context of
cloud services, it is desirable to have policies that are not simply black or white. For example, an enterprise
administrator might be fine with the use of a particular file sharing application, but they may want to block
a user from sharing a file with someone outside the organization. Because Elastica has visibility into the
actions associated with a given application, we enable customers to create and enforce these types of
more granular policies.
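The following added Python example (written for this page; it is not Elastica's policy engine) shows the shape of such a granular policy: each application's own action names are normalized to a shared vocabulary so that one rule applies across file-sharing applications, and an ordered rule list allows a sanctioned application while blocking shares to recipients outside the organization's email domains, including shares that name no recipient at all. The applications, their action vocabularies, the corporate domains, the rules and the events are constructed assumptions.

```python
"""Granular, action-level policy enforcement for sanctioned cloud applications.

Added example, not Elastica's policy engine. The applications, their action
vocabularies, the corporate domains, the rules and the events are assumptions.
"""
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}  # assumed corporate email domains

# Each application names its actions differently; map them onto one shared
# vocabulary so a policy is written once and applies across applications.
ACTION_MAP = {
    "ShareBox": {"share_link": "share", "rm": "delete", "get": "download"},
    "CRMCloud": {"report_export": "export", "record_view": "view"},
}


@dataclass
class Event:
    user: str
    app: str
    raw_action: str
    target: str = ""  # share recipient, exported object, file name, ...


def normalize(event):
    """Translate an app-specific action name into the shared vocabulary."""
    return ACTION_MAP.get(event.app, {}).get(event.raw_action, event.raw_action)


def is_external(recipient):
    """True unless the recipient's email domain is one of ours. An empty or
    malformed recipient (e.g. an open 'anyone with the link' share) counts
    as external so the rule fails closed."""
    if "@" not in recipient:
        return True
    return recipient.rsplit("@", 1)[1].lower() not in ORG_DOMAINS


# Ordered rules: (name, predicate over (event, normalized action), decision).
# First match wins, so the specific prohibitions come before the broad allow.
RULES = [
    ("block-unsanctioned-app", lambda e, a: e.app not in ACTION_MAP, "block"),
    ("block-external-share", lambda e, a: a == "share" and is_external(e.target), "block"),
    ("alert-bulk-export", lambda e, a: a == "export" and e.target.endswith("/all"), "alert"),
    ("allow-sanctioned-app", lambda e, a: True, "allow"),
]


def evaluate(event, rules=RULES):
    """Return (decision, rule name) for one event."""
    action = normalize(event)
    for name, predicate, decision in rules:
        if predicate(event, action):
            return decision, name
    return "block", "implicit-deny"  # only reached if the final allow is removed


# Constructed events covering the allowed, blocked and alerted cases.
SAMPLE_EVENTS = [
    Event("alice", "ShareBox", "share_link", "bob@example.com"),
    Event("alice", "ShareBox", "share_link", "partner@outside.org"),
    Event("alice", "ShareBox", "share_link", ""),          # open link, no recipient
    Event("alice", "ShareBox", "rm", "q3-plan.docx"),
    Event("bob", "CRMCloud", "report_export", "accounts/all"),
    Event("carol", "QuickDrop", "upload", "archive.zip"),  # app not sanctioned
]


def enforce(events, rules=RULES):
    """Apply the policy to a batch and return one row per event."""
    return [(e.user, e.app, normalize(e), *evaluate(e, rules)) for e in events]


if __name__ == "__main__":
    for row in enforce(SAMPLE_EVENTS):
        print(row)
```

The policy is neither black nor white for ShareBox: internal shares and deletes pass, external and open-link shares are blocked, and the same "share" rule would apply unchanged to any other file-sharing application once its action names are added to the map. Rule order is part of the policy; a broad allow placed first would silently mask every prohibition after it.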
Ultimately, organizations need to take a holistic view of the risks they face when leveraging cloud services.
That view is driven by having visibility into those services and that visibility can be attained via CloudSOC™
applications like Audit, Detect, Protect, and Investigate, all of which are fueled by data science.
Enabling the Elastic Enterprise
Enterprise organizations are generally tackling three critical cybersecurity challenges:
• Rapid proliferation of new technologies
As concepts like cloud, BYOD, Internet of Things, etc., enter into the IT lexicon, organizations need to
build commensurate expertise in understanding the security implications of these trends.
• The evolving threat landscape
especially in areas they perceive to be blind spots. Detecting and blocking every conceivable threat quickly
becomes a war of attrition.
• Managing complexity
Enterprises are working with more third-party vendors and partners than ever. This complexity not only
creates more work, but also introduces security risks because of an increased attack surface. Also, it
becomes likely that products and services are not being used in an optimal manner.
Elastica’s driving force is to develop technologies that cut across this set of challenges. Applications like
Audit, Detect, Protect, and Investigate built on top of the CloudSOC™ platform can be used to address all
three areas concurrently. First, the move towards cloud-based applications has been one of the most
vibrant shifts in the evolution of IT infrastructures. Second, because attackers customize their threats, it is
essential to take a holistic view of cloud application usage, involving processing, visualizing, and gleaning
insights into the data associated with these applications (largely in an automated fashion). Threat detection
is both important and necessary, but visibility must be the foundation. Finally, as our customers leverage
more cloud services, they have to manage the resulting complexity, which CloudSOC™ allows them to do.
Ultimately, the elastic enterprise transcends elasticity in the amount of raw computing power and storage
that organizations leverage. It is also about elasticity in employee productivity. For organizations to thrive
and stay agile in today’s competitive environment, their employees need access to the best resources,
services, and devices.
Historically, security concerns have been a deterrent to such flexibility. In the context of Elastica, however,
we can reverse this paradigm and think of security as an enabler. The move to leveraging cloud services
is an inevitable reality. Despite the plethora of benefits associated with cloud services, the core hurdle for
organizations involves understanding the corresponding risks and managing them. Elastica holistically
addresses critical security concerns and mitigates risk so that organizations can feel confident in embracing
a cloud-enabled world.