I have a confession…I have never been able to successfully see an autostereogram clearly. An autostereogram is one of those images that look like a blurry mess, but if you stare at it and change your focal perspective, it reveals a crystal clear, often 3D image. For those of us that have been around long enough, these were the main feature in the very popular “Magic Eye” book series.
For Security and Network Operations Center (SOC/NOC) personnel, it feels like the public cloud has a similar effect. Their critical role to the organization can seem murky at best within an infrastructure that is consumed rather than operated. Add to that the differences across cloud service providers (CSP), and the problem begins to look more and more like my inability to see the image above.
In this series, we’ve examined Cloud Native Application Protection Platforms (CNAPP) from the lens of different teams within the enterprise. This post explores roles in the SOC and NOC and how CNAPP can help demystify these roles in the public cloud. Let’s start with outlining just a couple of the critical functions provided by these teams.
- Threat Hunting
- Incident Investigation & Response
- Hardening Assets, Applications and Services
- Vulnerability Management
The public cloud environment presents opportunities for bad actors and challenges for application operators. The same global reach that benefits the enterprise also dissolves any traditional notion of a perimeter. The thousands of signals, metrics, telemetry sources, and events quickly become noise and contribute to alert fatigue. In the wake of those overwhelming signals, a SOC/NOC team needs three critical capabilities at their fingertips.
Critical SOC/NOC Capabilities in Public Cloud
First, the team needs to ensure that the collection of the appropriate events, logs, and signals is happening at scale. Since the public cloud is a consumed set of resources, teams need to ensure that they are able to pull data at the foundational level from the cloud service provider (CSP). Reliance upon OS-level agents to provide complete or derived insights into the underlying infrastructure cannot compete with direct access to the CSP API substrate.
It is important to note that SOC/NOC teams need to be able to extend the types of data points beyond the traditional Cloud Security Posture Management (CSPM) solutions of the past few years. Pulling data from the CSP on configuration, deployments, etc. is simply the starting point. These teams also need to ingest data concerning vulnerabilities, risky flows, and even data loss prevention signals to truly get a unified insight into the current state of the cloud estate.
Specifically, vulnerabilities can be a source of blind spots in the public cloud. Many vulnerability management systems were designed for traditional on-prem environments, depending on the use of agents to gain visibility into the workload. Since deployment in a traditional data center was usually controlled by Central IT, there were often process gates or ticketing flows to ensure those agents were installed. In the public cloud, deployments are often initiated by the Line of Business (LOB), fully automated, and done outside of a centralized control framework. Assets are often temporary or ephemeral in nature, with a lifespan of minutes or even only seconds for some assets. Agent deployments representing tool sets not germane to the application owner/operator can be left out, creating blind spots in the public cloud environment.
How are SOC teams supposed to see if their tools depend on these traditional agent-based requirements?
Leveraging CNAPP for SOC/NOC Operations
CNAPP platforms leverage agentless technologies to evaluate vulnerabilities, providing maximum coverage for cloud workloads. Not only does this have the benefit of reduced performance concerns for the workloads in question, but it also reduces operational complexities around upgrading, health checks, and deployment blind spots.
Second, vulnerability data represents one input into a correlation engine that consumes several different types of security-relevant signals. This engine should be able to take configuration, provisioning, identity, flow, and vulnerability information to provide quick and meaningful alerts that take into account all dimensions. Architecturally, stitching together separate domain-specific back-ends with a brittle front-end UI will limit correlation and potentially miss interesting patterns that represent important threat vectors.
Third, operators need effective and actionable classification to reduce the time to response. Understanding insights from various threat categories (e.g. Authentication Configurations, Overexposed Assets with Power Identities, Data at Risk from Ransomware) reduces identification times. Classification also allows SOC teams to quickly route specific threat types to the appropriate sub-teams, either natively or through existing IT Service Management (ITSM) solutions, preserving existing operational investments and processes.
Finally, since enterprises cannot solely rely upon vendors to have pre-built every relevant threat condition, any engine requires customization. New vulnerabilities and identity-based threats emerge every single day, and an increasing number of them are targeted at specific enterprises. SOC/NOC teams require a CNAPP platform that can create custom investigations and queries of the environment in minutes. Since requiring SOC/NOC teams to learn cloud-specific query languages is neither feasible nor desirable, these operations must be abstracted across multiple CSPs. A single intuitive process to interrogate all cloud accounts for new and specific signals is a fundamental need in today’s public cloud environment.
Making Threat Hunting Intuitive
Similar to the example in Part 2 of this series, consider an example where we need to quickly look across the dimensions of configuration, identity, and vulnerability management to pinpoint the high risks that should be prioritized.
At times, the standard canned policies that are resident within a platform do not meet the current need. Teams need to pivot their search based on new threats and vulnerabilities. The data is resident within the CSPs, but getting it out can become an exercise in API consumption. Every CSP has a different set of calls, terms, etc., and for multi-cloud organizations this heterogeneity leads to delay in identifying the threat.
Consider the example in the figures below. The search is to locate assets that meet the following parameters:
- Determine what compute instances are Internet Facing
- With power identities (e.g. Administrator or Power User)
- And a critical vulnerability of a particular severity
- Where the CVE actually has an available fix
- And the compute instance has access to cloud storage
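The correlation engine described earlier and the five-parameter hunt listed above, as an added example that is not Zscaler's or Posture Control's code: separate feeds for configuration, identity, vulnerabilities and storage access (all constructed, with placeholder role names, IP addresses and CVE ids) are joined by instance id and then filtered on every parameter at once.

```python
# Added example (not Zscaler's or Posture Control's code): a minimal correlation
# engine that joins separate feeds for configuration, identity, vulnerability and
# storage access by instance id, then applies the five hunt parameters listed above.
# Feed shapes, role names, IP addresses and CVE ids are constructed placeholders.
POWER_ROLES = {"Administrator", "PowerUser"}  # assumed names of power identities

# Constructed feeds, each standing in for one CSP API domain
CONFIG = [  # instance configuration: a public IP marks the instance Internet facing
    {"id": "i-1", "name": "web-1", "public_ip": "203.0.113.10"},
    {"id": "i-2", "name": "web-2", "public_ip": "203.0.113.11"},
    {"id": "i-3", "name": "batch-3", "public_ip": None},
    {"id": "i-4", "name": "api-4", "public_ip": "203.0.113.12"},
    {"id": "i-5", "name": "db-5", "public_ip": "203.0.113.13"},
]
IDENTITY = [  # role bindings attached to instances
    {"id": "i-1", "role": "Administrator"}, {"id": "i-2", "role": "PowerUser"},
    {"id": "i-3", "role": "Administrator"}, {"id": "i-4", "role": "ReadOnly"},
    {"id": "i-5", "role": "PowerUser"},
]
VULNS = [  # agentless scan findings; CVE ids are placeholders
    {"id": "i-1", "cve": "CVE-0000-0001", "severity": "CRITICAL", "fix": True},
    {"id": "i-2", "cve": "CVE-0000-0002", "severity": "CRITICAL", "fix": False},
    {"id": "i-3", "cve": "CVE-0000-0003", "severity": "CRITICAL", "fix": True},
    {"id": "i-4", "cve": "CVE-0000-0004", "severity": "CRITICAL", "fix": True},
    {"id": "i-5", "cve": "CVE-0000-0005", "severity": "CRITICAL", "fix": True},
]
STORAGE_ACCESS = {"i-1", "i-2", "i-3", "i-4"}  # instances permitted to reach cloud storage

def correlate(config, identity, vulns, storage):
    """Join the feeds into one record per instance id."""
    assets = {c["id"]: {**c, "roles": set(), "vulns": [], "storage": c["id"] in storage}
              for c in config}
    for b in identity:
        assets[b["id"]]["roles"].add(b["role"])
    for v in vulns:
        assets[v["id"]]["vulns"].append(v)
    return assets

def hunt(assets, severity="CRITICAL"):
    """Return {instance name: [fixable CVEs]} for assets matching all five parameters."""
    hits = {}
    for a in assets.values():
        fixable = [v["cve"] for v in a["vulns"] if v["severity"] == severity and v["fix"]]
        if a["public_ip"] and a["roles"] & POWER_ROLES and a["storage"] and fixable:
            hits[a["name"]] = sorted(fixable)
    return hits

if __name__ == "__main__":
    print(hunt(correlate(CONFIG, IDENTITY, VULNS, STORAGE_ACCESS)))
```

Only web-1 survives all five filters: web-2 has no fix available, batch-3 is not Internet facing, api-4 has no power identity, and db-5 cannot reach storage.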
Performing these searches using native or complex API interactions requires deep knowledge of each CSP's API. While a native search will ultimately work, abstracting the details of the underlying CSP API into human-readable, drag-and-drop investigations lets teams quickly and effectively query multiple cloud environments with little to no knowledge of the underlying CSP API structure.
This directly equates to speed of search and remediation and reduces the knowledge set required to create and use custom queries. In addition, these investigations should be able to be saved or converted into durable policies that will provide the trigger for future alerts.
Empowering SOC & NOC Teams Efficiently
SOC/NOC teams require a myriad of toolsets to effectively protect the organization against the modern threats facing enterprises today. The public cloud environment represents a complex yet critical set of applications and services for today’s digital enterprise. The ability to provide some of those critical capabilities in a unified platform reduces costs and operational complexities while at the same time increasing effectiveness.
CNAPPs, including Zscaler’s Posture Control platform, are designed from the ground up to ingest data across control domains. The collection, correlation, classification, and customization engine is what enables our customers’ SOC/NOC teams to protect their assets in the public cloud world.