4. Outline
● SOC in 2021 - a quick reminder
● Cloud-native … what does it even mean?
● SOC + cloud-native = ???
● Changes to expect
○ Technology changes
○ Process changes
○ People changes
● What to do? More questions than answers...
6. A security operations center provides
centralized and consolidated
cybersecurity incident prevention,
detection and response capabilities.
–Gartner
First Things First: A SOC is Still … a SOC :-)
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
7. Reminder: Modern SOC (SOCstock 2020)
● Process structures around threats, not alerts
● Deeper testing and coverage analysis
● Teams are organized by skill, not rigid level
● Multiple visibility approaches, not just logs
● SOC elegantly uses third party services
● Automation via SOAR works as a force multiplier
● Threat intelligence is consumed and created
● Threat hunting covers cases where alerts never appear
9. “Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic
environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable
infrastructure, and declarative APIs exemplify this approach.
These techniques enable loosely coupled systems that are resilient, manageable, and observable.
Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably
with minimal toil.”
Cloud-native = Born in the Cloud, Lives ...?
13. First … Traditional SOC Monitors Cloud, This Happens!
Note: some of this is about
CLOUD and some is about
CLOUD-NATIVE!
● Uncommon log collection methods
● Telemetry data volumes may be high
● Alien licensing models for security tools
● Alien detection context (!)
● Lack of clarity on cloud detection use cases
● Governance sprawl
● SOC teams lacking cloud skills
● Ill-fitting tools
● Lack of input from SOCs into cloud decisions
14. TOOLS: Triad of Visibility + Cloud-native = ???
● Logs (such as via SIEM): Still works! More logs of different types in the cloud.
● Network data (such as via NDR): It depends. Not for SaaS, limited for PaaS, and constrained by encryption.
● Endpoint data (such as via EDR): It depends. Not for SaaS or PaaS. Works for VMs and some containers.
● NEW: application observability: New to cloud, but not fully explored for security use cases.
Note: Cloud or Cloud-native here?
15. TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS
        EDR       NDR       Logs   CASB
IaaS    OK (*)    OK (*)    OK     NO (*)
PaaS    NO        Sort of   OK     Sort of
SaaS    NO        NO        OK     OK
Fortunately, SOAR works with all of them … Hi SIEMplify :-)
16. Detour: OK, What if I am “All SaaS”?
CASB … one of the nastier Gartner acronyms … that is ...
until CNAPP arrived [sorry, former colleagues] :-)
“Can CASB be my SIEM?” -- Well, sort of ...
“BTW, WTH is CNAPP?” -- Well, look this up, will ya?
17. PRACTICES: Security Meets Cloud Native
Core SOC practices remain:
● Build detections (*)
● Detect threats
● Triage
● Investigate
● Remediate (*)
New practices around SOC:
● CI/CD and “C-everything”
● DevOps and friends
● Faster everything
● Automated everything
● Developer-led everything
● Everything as code
Note: super-simplistic view of SOC here!
Note: development skills in the SOC: to code and to understand!
18. Some Answers: Cloud Process + Classic SOC
Cloud process        Adapt FIRST...                                ... Steal SECOND!
CI/CD process        Applications change; need good asset          CI/CD for detections
                     coverage and vulnerability context
IT automation        Need to integrate to not be left behind       SOAR and friends, security ops automation
Everything as code   Absorb new context around infrastructure      Detection as code
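Slides 17 and 18 reduce to one practice: a detection is code, it ships with its own test cases, and CI replays those cases before the rule goes live. The Python block below is an added example written for this page, not code from the talk or from any vendor. It holds two rules over constructed events that only imitate the shape of GCP Cloud Audit Log entries (the protoPayload, methodName, authenticationInfo.principalEmail, resourceName and serviceData.policyDelta.bindingDeltas field names are assumed from that format rather than verified here; the project id, principals and the deploy-bot allowlist are invented), and the ci_check gate a pipeline would run on every commit.

```python
"""Detection as code with a CI gate (added example, not from the talk)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    principal: str
    project: str
    summary: str


@dataclass
class Rule:
    name: str
    detect: Callable[[dict], Optional[Alert]]
    should_fire: List[dict]      # constructed events the rule must alert on
    should_not_fire: List[dict]  # constructed events the rule must ignore


RULES: List[Rule] = []

# Hypothetical pipeline identity that is allowed to mint service account keys.
CI_PRINCIPALS = {"deploy-bot@example-proj.iam.gserviceaccount.com"}


def _payload(event: dict) -> dict:
    return event.get("protoPayload", {})


def _principal(event: dict) -> str:
    return _payload(event).get("authenticationInfo", {}).get("principalEmail", "")


def _project(event: dict) -> str:
    # Cloud context: resourceName is assumed to start with "projects/<id>/".
    parts = _payload(event).get("resourceName", "").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "projects" else "unknown"


def audit_event(method: str, principal: str, project: str = "example-proj", **extra) -> dict:
    """Build a constructed event that imitates the Cloud Audit Log shape (assumed layout)."""
    payload = {
        "serviceName": "iam.googleapis.com",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": f"projects/{project}/serviceAccounts/app@{project}.iam.gserviceaccount.com",
    }
    payload.update(extra)
    return {"protoPayload": payload}


def human_created_sa_key(event: dict) -> Optional[Alert]:
    """A human principal (not a service account, not the CI identity) created an SA key."""
    p = _payload(event)
    if not p.get("methodName", "").endswith("CreateServiceAccountKey"):
        return None
    who = _principal(event)
    if who in CI_PRINCIPALS or who.endswith(".gserviceaccount.com"):
        return None
    proj = _project(event)
    return Alert("human_created_sa_key", "high", who, proj,
                 f"{who} created a service account key in project {proj}")


def public_iam_grant(event: dict) -> Optional[Alert]:
    """An IAM policy change added allUsers/allAuthenticatedUsers to a role (policyDelta layout assumed)."""
    p = _payload(event)
    if not p.get("methodName", "").endswith("SetIamPolicy"):
        return None
    deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    public = [d for d in deltas if d.get("action") == "ADD"
              and d.get("member") in ("allUsers", "allAuthenticatedUsers")]
    if not public:
        return None
    who, proj = _principal(event), _project(event)
    roles = ", ".join(sorted(d.get("role", "?") for d in public))
    return Alert("public_iam_grant", "critical", who, proj,
                 f"{who} granted {roles} to {public[0]['member']} in {proj}")


# Each rule is registered together with the samples CI will replay against it.
RULES.append(Rule("human_created_sa_key", human_created_sa_key,
    should_fire=[audit_event("google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com")],
    should_not_fire=[
        audit_event("google.iam.admin.v1.CreateServiceAccountKey",
                    "deploy-bot@example-proj.iam.gserviceaccount.com"),
        audit_event("google.iam.admin.v1.ListServiceAccountKeys", "alice@example.com"),
    ]))
RULES.append(Rule("public_iam_grant", public_iam_grant,
    should_fire=[audit_event("SetIamPolicy", "bob@example.com", serviceData={"policyDelta": {
        "bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "allUsers"}]}})],
    should_not_fire=[audit_event("SetIamPolicy", "bob@example.com", serviceData={"policyDelta": {
        "bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}})]))


def run_rules(events: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Production path: every event through every rule, alerts in stream order."""
    alerts = []
    for ev in events:
        for r in rules:
            a = r.detect(ev)
            if a is not None:
                alerts.append(a)
    return alerts


def ci_check(rules: List[Rule] = RULES) -> List[str]:
    """CI gate: replay each rule's own samples; an empty list means the rules may ship."""
    failures = []
    for r in rules:
        for ev in r.should_fire:
            if r.detect(ev) is None:
                failures.append(f"{r.name}: missed {_payload(ev).get('methodName')} by {_principal(ev)}")
        for ev in r.should_not_fire:
            if r.detect(ev) is not None:
                failures.append(f"{r.name}: false positive on {_payload(ev).get('methodName')} by {_principal(ev)}")
    return failures


if __name__ == "__main__":
    problems = ci_check()
    print("CI gate:", "PASS" if not problems else problems)
    stream = [ev for r in RULES for ev in r.should_fire + r.should_not_fire]
    for alert in run_rules(stream):
        print(alert.severity.upper(), alert.summary)
```

The point of the shape is the "steal second" column of the slide: the rule, its positive and negative samples, and the allowlist of pipeline identities all live in one reviewable file, so a change to CI_PRINCIPALS or to a rule body goes through the same pull request and the same ci_check gate as any application code, and a rule that silently stops firing is caught before deployment rather than during an incident.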
19. PEOPLE: SOC Skills vs Cloud Skills
Classic SOC skills:
● Packet decoding
● Network IDS
● Windows security
● Linux/Unix security
● Threat intelligence
● SIEM/log analysis
Cloud skills:
● Containers
● DevOps tools
● Serverless
● Infrastructure as code
● Everything as code
Note: development skills in the SOC; “detection as
code” means you need to code!
21. Going SOC-less for Cloud Natives?
Insight: SOCless detection …
… is a SOC, perhaps a modern SOC, but
SOC nonetheless.
22. Cloud-native SOCless?
● No room full of analysts, so no physical SOC
● No analyst-only roles and so no hard tiers / levels of 1,2,3
● “Analysts” = detection engineers
● Federated response; the best party responds (!)
● Detection team works closely with teams doing preventative
security
● Detection team works closely with developers
● Pipelines from event sources to machines and/or humans, and
they work well.
24. Select Lessons for On-premise Immigrants...
● NEW MONITORING SUBJECTS
○ Virtual machines [on a hypervisor you don’t own]
○ Containers
○ Functions and services
○ SaaS services
● NEW MONITORING DATA SOURCES
○ Cloud platform logs (e.g. GCP Cloud Audit Log)
○ Various other logs
○ Observability (in-app telemetry, essentially logs)
● NEW MONITORING CONTEXT
○ Account, resource group, distinguished names (sir? :-))
25. Select Observations on What to Expect
● Data flows vs wires; no more hardware-based security planning
● More application security monitoring (CASB, SaaS security,
observability - all relate to applications)
● More “as code” (both “detection as code” and threat detection in
CI/CD environments)
● More automation (SOAR links to IT automation) and higher speed
● Some on-premise approaches are a worse fit than others, and some don’t fit at all (e.g. routing hyperscale cloud application access through an on-premise appliance)
26. Recommendations for Cloud-native SOC Success
● If SOC = detection team, then SOC lives on in the cloud-native world
● Modernize your SOC but preserve the mission: detection and
response
● Evolve SOC to more automation to catch up with modern IT
● “DevOps” your detection engineering (Dev = content creator, Ops =
analyst)
● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend
● Learn new detection context
● Mercilessly discard tools that don’t fit the cloud practices or fail to
support cloud technology