SIEM, SOAR and their role in improving cloud security [Q&A]
It's increasingly common for enterprise systems to be in the cloud rather than in-house, but that throws up a whole range of new challenges when it comes to securing them.
We spoke to Dario Forte, vice president and general manager, security orchestration, at cloud management specialist Sumo Logic to find out more about what's involved in cloud security and how automation can help.
BN: Why is the move to cloud making security more difficult, and what preparation will teams need to make?
DF: To start with, it's important to recognize that the situation today is very different to a few years ago. The world of cloud computing has moved on from just being 'someone else's computer' and today there is so much more that you can achieve using these services. It also depends on the cloud provider or Software as a Service company that you are looking at working with. For the largest providers, their security is better than what many companies can achieve themselves -- they have so many regulations and compliance requirements to meet, so they have to be extremely good at this to be successful.
However, this can lead to some assumptions on the part of companies who think they automatically get that level of security on their own deployments in the cloud by default, and that this absolves them of thinking carefully about their own responsibilities as well. While the big cloud providers cover security extremely well, they are not responsible for the applications that you build on top of that cloud service. While they do their utmost to make sure their infrastructure is secure, you still have to look at what you put in place and follow best practices. This is where getting better data is necessary to help you understand what is taking place and where potential issues might occur.
The real preparation that teams need is around interacting with your vendor partners on an ongoing basis, based on the data coming through. You need to monitor the activity across your cloud systems and applications, and you need to be prepared from a security standpoint to understand if something anomalous is going on.
BN: What are the approaches that teams can make around their security operations center (SOC) deployments?
DF: Today, SOCs are being built with processes as the priority, where you have your processes defined and then use tools and technologies to support those workflows, to orchestrate analytics and people working. That was not always the case, as SOC teams would invest in tools and then have to alter their processes to fit, which would lead to failures or services not working as they should. Teams today are more pragmatic around how they implement, which makes them much more likely to succeed.
BN: Where do technologies like SOAR and SIEM come in -- are they complementary or competitive?
DF: The SOC is based on three areas. The first is the collection of data sources that the team has, so all the information coming into the SOC on business activities. This provides the analysts with all the data they might need to see if there is an incident taking place.
The second is how all that data is aggregated, and that is where Security Incident and Event Management (SIEM) is essential. SIEM correlates all that data coming in and provides the investigative engines that carry out analysis, before then sharing those potential incidents for follow up.
This is where Security Orchestration, Automation and Response or SOAR comes in. This is the last mile of the process after SIEM, and it helps those analysts be more productive in how they investigate potential incidents. Without SOAR, your analysts will have to carry out more manual investigation of anything that gets flagged by the SIEM -- this can be hundreds or thousands of alerts every day, which is not possible for the vast majority of teams to carry out. It's also important to point out that SOAR does not replace people in your team -- instead, it makes staff more productive through using automation and orchestration.
BN: How can you automate processes across security, and what is involved to get things right?
DF: The first thing is to have a clear view of the process that exists today and how it works in practice. Many SOAR providers will have existing workflows and processes that you can make use of to speed up automating your processes, but these may need some modifications to work how you need them to. It’s best to pick two or three of your most common situations, and get them working first, before expanding to other workflows.
Based on this, you can then develop your playbooks, which bring together the workflows and processes that your analysts carry out alongside the tools and technologies that support them. Each playbook can cover specific threats and analysis requirements that you will want to carry out -- for example, you can run playbooks for phishing attacks through to more complex attacks and for IT operations.
This can cross over between the technology world and attacks that are in the physical world too, which can deliver a lot of value quickly. For example, you can use SOAR to help your investigation process around something like fraud in a bank, where otherwise it would be a manual process that was very time consuming and cross over different areas.
Alongside this, it is important to look at what happens before and after your implementation and carry out some return on investment (ROI) calculations. That basically compares how you approached that use case before and after the deployment, so you can see how well your automation approach is doing and whether it is saving you time and money compared to your previous manual process. Alongside providing you with proof of ROI, this provides a Key Performance Indicator (KPI) that you can track to see that you have been successful. With this kind of KPI in place, you can check the results and look at other ways to improve. In that example I quoted earlier, the bank could compare its manual investigation process for credit card fraud, versus the same process automated using SOAR. This can demonstrate how much time has been saved, how much money has been saved, and how productivity has increased.
BN: What other lessons can companies learn around cloud, security and automation?
DF: It's important that we take an open approach to cloud and security. Companies hate lock-in -- they don't want to feel that they are tied to a specific provider, even with the best security products in the world. For IT teams, this means looking at how they can integrate all their tools together in a way that is open, as that supports success and growth.
This helps companies look at security across everything they have, from new cloud applications to existing systems that have been in place for years, even decades. For example, you have to look at getting data from mainframe middleware applications alongside cloud services and modern applications. Companies don't have a single approach to applications in place, so their security strategy has to follow suit. The only way to achieve this is with an open approach to integration, so companies can scale up their processes and use SIEM and SOAR across all their applications.