Cloud detection and response is, and will stay, a team sport
CISOs should push for federated technologies, common processes and formal communications between teams to ensure cloud detection and response is effective and efficient.
Who owns cloud threat detection and response? Like many other cybersecurity responsibilities, the answer depends on individual organizations' skill sets, staffing and organizational structures.
Research from TechTarget's Enterprise Strategy Group indicated security pros believe there are many ways to manage CDR:
- 45% of security professionals said their security operations center (SOC), cloud engineering and security teams share CDR responsibilities evenly. This points to a cooperative relationship, which is probably indicative of a large organization with a strong CISO and mature security program.
- 45% of security professionals said their cloud engineering and security teams manage CDR with some help from the SOC team. This could indicate a cloud center of excellence that includes cloud security engineering or strong DevOps processes that accommodate security requirements such as threat detection and response. "Born in the cloud" organizations tend to fit this model.
- 39% of security professionals said their SOC team takes the lead on CDR with some help from cloud engineering and security teams. This points to a strong SOC with a well-established SIEM, detection engineering and incident response processes in place.
- 33% of security professionals said CDR is managed by cloud application owners. In this case, the cloud team might rely on cloud service provider (CSP) security tools or might have their own independent SIEM or CDR tools.
- 27% of security professionals said CDR is owned by their SOC team. In other words, they own the whole threat detection and response process -- on premises and in the cloud.
Note that the responses go way beyond 100%, meaning multiple responses were accepted. This indicates many large organizations manage different cloud applications and their associated security -- including CDR -- in different ways. One team developing applications in AWS might lean on Amazon GuardDuty, Amazon Inspector and Amazon Detective, while another team building on top of Azure might aggregate logs and develop detection rules using a traditional SIEM. Like I said, it depends.
Coordinating CDR management
This decentralized model might not be the most efficient CDR methodology, so will organizations then establish cloud SOCs, formalize processes, consolidate CDR technologies and purchase CDR platforms? Some will, but most won't. Cloud application development and threats move quickly, demanding focused security skills on individual applications, APIs, log sources, identities and underlying CSP services. Consolidation looks good on paper, but given cloud specialization, it might result in a jack-of-all-trades/master-of-none situation.
Security teams still need coordination across disparate environments, but they should think in terms of loose coupling rather than tight coupling. This reality has the following ramifications:
- Threat intelligence programs must anchor CDR. Cloud developers, DevOps personnel and cloud security teams should work with their threat intelligence groups to ensure they receive continual updates on known threats to their cloud applications and CSP services. This helps them establish a threat-informed defense, focusing on addressing real threats targeting their organization, industry and region.
- The Mitre ATT&CK framework must act as a common foundation. Established SOCs and cloud security groups should do all they can to operationalize the Mitre ATT&CK framework to bolster defenses, triage alerts and aid in investigations. Aside from the traditional framework, cloud security engineers, analysts and incident responders should emphasize the Mitre cloud matrix.
- Processes and communications are critical. While some threat detection and response activities are localized, organizations still need strong coordination across domains. This includes collaborating on necessary log sources, monitoring user activities and understanding normal behavior. CISOs should weave together independent activities by layering in common processes and formalized communications requirements.
- Standards such as Sigma for detection engineering must gain momentum. Open source Sigma rule sets can be a force multiplier because they provide cross-platform detections, as well as a repository populated by global contributors. This can help support internal teams focused on multiple independent cloud applications and CSPs.
- Cloud security architects are in high demand. Along with specialization, organizations still have to bring everything together at some level. This will create a sellers' market for cloud security architects with knowledge across Amazon, Google and Microsoft. CISOs should be willing to provide advanced cloud security training for smart, motivated and loyal individuals on the security team.
To arm different teams with security monitoring, threat detection and incident response tools, security teams need to work closely with application developers and DevOps teams. CISOs should develop product requirements but give other teams the flexibility to choose cloud-friendly security tools that address security needs and integrate into their skill sets and CI/CD pipelines.
To support the security federation, security vendors should eschew proprietary agendas and develop CDR tools built for integration.
Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.