Presents
Mike Rothman, President
Twitter: @securityincite
Monitoring the Hybrid Cloud
Evolving to the “CloudSOC”
What We’ll Cover
• Disruption Ahead
• Emerging SOC Use Cases
• Solution Architectures
• Technical Considerations
• Migration
• Q&A
Cloud Computing
• Cloud computing disrupts security
• Loss of physical control via abstraction
• New emphasis on automation
Mobility
Mobile computing disrupts security by distributing access while reducing control over devices and networks.
DevOps
DevOps disrupts security by requiring trustable automation and an operational model to support it.
Monitoring Needs to Change
• Lack of visibility in the cloud
• Co-existence: 5 - 7 year migration to the cloud (if not longer)
• Continued focus on analytics
• Common view across both cloud and traditional infrastructure?
• Compliance in the cloud?
https://flic.kr/p/dcZaG7
Monitoring IaaS
• Reduced visibility (you don’t control the stack)
• Depth and granularity of available logs is improving
• No packet capture (impacts forensics)
• Choke point for inspection and/or capture?
• Where to collect & aggregate?
https://flic.kr/p/5XwydV
Monitoring SaaS
• At the mercy of what the SaaS provider exposes
• Typical access is user-related (logons, activity) and admin-related
Monitoring the Private Cloud
• Access to the physical layer
• Still need access to the cloud console to track virtualized compute, storage, networks, etc.
• Leverage cloud infrastructure APIs
• Can route traffic through inspection point(s)
https://flic.kr/p/9Excac
https://flic.kr/p/abCSpq
SLAs Are Your Friend
• Exercise leverage during procurement to get access to logs/events
• Very hard to go back and ask for more access once the deal is done.
The CloudSOC Use Case
• Migrating to a CloudSOC is a multi-year process. Some will get there faster than others.
• Why? It doesn’t make sense to have the bulk of compute and storage in the cloud and monitor on-prem
• What about latency and cost?
• Decision points:
• Collection/Storage
• Analysis
• Presentation
Collecting from the Cloud
• APIs
• Cloud Gateways
• Cloud 2 Cloud
• App Telemetry
• Agents
• External Data/TI
https://flic.kr/p/fdyzm7
https://flic.kr/p/oqEb3u
Hybrid Cloud Deployment
• Some analysis performed on-prem (likely for on-prem devices)
• Some analysis performed in the cloud (for cloud-based resources)
• Aggregate data for a view of the entire infrastructure
• Service providers are an option (especially for cloud stuff)
https://flic.kr/p/6cfULx
Exclusively Cloud Deployment
• Remote SOC
• Outsourced or managed service
• How to get on-prem events/logs to the cloud?
• Collectors
Third Party Management/Outsourcing
• Help address the skills gap
• Where is the service provider finding staff?
• Can use services for either:
• Stuff you can’t do
• Stuff you don’t want to do
• Complementary to strengths of the in-house team
https://flic.kr/p/oqZ2QC
Managing Vendor Lock-In
• Consciously use APIs and other vendor-specific services
• Maintain flexibility (where possible)
Data Security
• Data in motion (easy) vs. data at rest (hard)
• Many service providers use other service providers for storage, compute, etc.
• Understand how the service provider is protecting the data
• SLAs are still your friend
https://flic.kr/p/8A2pt4
Data Privacy and Jurisdiction
• PII may have limitations as to where it can be stored
• Where is the cloud data stored? Are you sure?
• Data subject to regional laws
• Tokenization and masking are also your friends…
https://flic.kr/p/9XXUrB
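The tokenization and masking the slide points to, shown as an added example that is not code from the deck or from Securosis: a small filter an on-prem collector could run before events leave the region where the raw data is allowed to live. Identifiers are replaced with keyed HMAC tokens so the cloud SOC can still correlate events per user, and source addresses are masked to the /24. The key, the regexes and the sample event are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed example key. In practice this lives in a KMS/HSM that stays in
# the jurisdiction where the raw data may legally reside.
TOKEN_KEY = b"example-key-do-not-use-in-production"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic token: same identifier -> same token, so the
    cloud SOC can still correlate events per user without seeing the PII."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_ip(ip: str) -> str:
    """Irreversible masking: keep the /24 for triage, drop the host part."""
    try:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
    except ValueError:
        return ip  # not a valid address; leave untouched
    return f"{net.network_address}/24"


def sanitize_event(event: dict) -> dict:
    """Return a copy of the event that is safe to ship out of the home region."""
    out = {}
    for name, value in event.items():
        if isinstance(value, str):
            value = EMAIL_RE.sub(lambda m: tokenize(m.group(0)), value)
            value = IPV4_RE.sub(lambda m: mask_ip(m.group(0)), value)
        out[name] = value
    return out


# Constructed sample event, as an on-prem collector might see it.
SAMPLE = {
    "ts": "2015-06-01T12:00:00Z",
    "user": "alice@example.com",
    "src_ip": "203.0.113.57",
    "msg": "login ok from 203.0.113.57 for alice@example.com",
}

if __name__ == "__main__":
    print(json.dumps(sanitize_event(SAMPLE), indent=2))
```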
Automation and Scalability
• Automate deployment of collectors, agents, etc.
• Embed into instances and scaling templates
• Verification and discovery of services via APIs
• (Almost) everything can be scripted.
https://flic.kr/p/4JgVz2
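An added example of the “verification and discovery of services via APIs” bullet, not code from the deck or from Securosis: reconcile the instance list a cloud API returns against the heartbeats the SOC’s collectors actually receive, so that instances which scaled up without the agent, went quiet, or keep reporting after the API forgot them are flagged. The inventory, the “soc-agent” tag convention and the heartbeat table are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Instance:
    instance_id: str
    launched_at: datetime
    tags: dict

# Constructed inventory, shaped like the result of a cloud "describe instances"
# API call; the "soc-agent" tag says whether the scaling template is expected
# to have baked in the collector agent.
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Instance("i-0001", NOW - timedelta(days=3), {"role": "web", "soc-agent": "required"}),
    Instance("i-0002", NOW - timedelta(minutes=30), {"role": "web", "soc-agent": "required"}),
    Instance("i-0003", NOW - timedelta(days=1), {"role": "batch", "soc-agent": "required"}),
    Instance("i-0004", NOW - timedelta(days=1), {"role": "scratch", "soc-agent": "exempt"}),
]
# Constructed collector state: last heartbeat received per instance id.
LAST_SEEN = {
    "i-0001": NOW - timedelta(minutes=1),
    "i-0003": NOW - timedelta(hours=3),
    "i-9999": NOW,
}

def find_gaps(inventory, last_seen, now,
              grace=timedelta(minutes=10), stale=timedelta(hours=1)):
    """Reconcile the cloud API inventory against collector heartbeats.
    Returns (missing, stale, orphaned): required instances that never checked
    in, instances whose last heartbeat is older than `stale`, and ids still
    reporting that the API no longer knows about (terminated or unexpected)."""
    missing, stale_ids = [], []
    for inst in inventory:
        if inst.tags.get("soc-agent") == "exempt":
            continue
        if now - inst.launched_at < grace:
            continue  # just launched; agent bootstrap may still be running
        seen = last_seen.get(inst.instance_id)
        if seen is None:
            missing.append(inst.instance_id)
        elif now - seen > stale:
            stale_ids.append(inst.instance_id)
    known = {inst.instance_id for inst in inventory}
    orphaned = sorted(set(last_seen) - known)
    return missing, stale_ids, orphaned

if __name__ == "__main__":
    print(find_gaps(INVENTORY, LAST_SEEN, NOW))
```

Run on a schedule (or from a scaling hook) so the gap list becomes an alert rather than a report you remember to pull.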
Other Considerations
• Management Plane
• Lose control of management, lose everything
• Pay attention to entitlements and IAM roles
• Analytics
• Cloud-based analytics plentiful
• “Data scientists” to set up and analyze? Less so.
• Pricing Model
• Cloud pricing is usage based. Makes budgeting harder.
• Need controls in place to monitor cloud spending
Migration Plan
• Phase 1: Deploy Collectors
• Phase 2: Integrate and Monitor Cloud Resources
• Push vs. Pull collection
• Aggregation and Correlation
• Policy Development and Testing
• Phase 4: Automation and Orchestration
• Phase 5: Migrate SOC Infrastructure to the Cloud
Summary
• There is no right or wrong in monitoring the hybrid cloud.
• You will (likely) have both traditional and cloud infrastructure for a while.
• Where collection happens will evolve. Same goes for aggregation and analytics.
• Choose a flexible architecture that allows you to move to the cloud when it makes sense.
https://flic.kr/p/5vKanE
Read our stuff
• Blog
• http://securosis.com/blog
• Research
• http://securosis.com/research
• We publish (almost) everything for free
• Contribute. Make it better.
Mike Rothman
Securosis LLC
http://securosis.com/blog
Twitter: @securityincite