Going Native: A Cloud-Shift Strategy for Your Security Operations Team

The shift to the cloud has greatly accelerated during the past year, and with that shift most cybersecurity incidents now involve cloud infrastructure. According to the 2021 Verizon Data Breach Investigations Report, 73% of cybersecurity incidents involved cloud assets — a 27% increase from last year. The 2021 IBM Security X-Force Cloud Threat Landscape Report also found there are 30,000 cloud accounts potentially for sale on dark web marketplaces.

As the cloud shift continues and hybrid cloud environments become more common, adopting cloud-native security technologies is critical for transforming security operations.

Challenges that Security Teams Face as They Shift to the Cloud
As cloud-computing applications and workloads proliferate, many organizations have experienced increases in IT and security complexity. From a security perspective, cloud-computing adoption requires new security skills and more security telemetry, and it exposes organizations to new types of security threats.

With growing volumes of cloud data, organizations have had to make choices about the types of data they collect and log because of the associated storage costs. Many have decided to collect less data, leaving attack surfaces exposed because the security team lacks the needed context to identify potential indicators of compromise. Security analysts are essentially flying blind because they lack the necessary visibility to follow the full threat story.

SOC analysts are frustrated by these inefficiencies and the lack of data and context. Many organizations try to address the problem by throwing more technology and tools at it, but a more strategic and holistic approach is needed to solve this security conundrum.

How to Achieve Security Visibility
Your security team should adhere to the NIST Cybersecurity Framework, which includes five continuous functions — identify, protect, detect, respond and recover. These functions provide an overview of how the organization is managing its cybersecurity risks and serve as a guide for incident response. Further, the functions — except for the recovery step — depend entirely on having the right security visibility at scale.

In practice, the first step in any investigation is to collect and enrich evidence to build a case. SOC analysts must draw enterprise-wide insights — including everything from data on business applications to end-user behavior — so they can dig into the data and build on it with threat intelligence feeds to establish a full threat story.

It almost goes without saying that your security team will struggle to identify and respond to cyberthreats if they have not made certain they can see everything within your infrastructure. To close visibility gaps, your security team first needs to figure out where the holes are. They should ask themselves: Do we have visibility into CDN logs and transactions? Is data being collected from our cloud and SaaS applications? And do we have both real-time and historical data available to us for investigations? If the answer to any of these questions is no, your security team needs to take immediate action.
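The three visibility questions above can be turned into a repeatable check rather than a one-time survey. The Python script below is an added example, not Devo code or anything from the original post: it compares an inventory of expected log sources (CDN, cloud audit trail, SaaS sign-ins, endpoint) against the ingestion state a SIEM or log platform reports for each source, and flags sources that are missing entirely, stale (no recent events, so no real-time view), too short on retained history for an investigation, or present but never inventoried. The source names, timestamps and thresholds are constructed for the example.

```python
"""Telemetry coverage check: flags log sources that are missing, stale,
short on history, or unexpected. Added example with constructed data;
the source names and ingestion records are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sources the SOC expects to see, mirroring the post's visibility questions.
# Names are hypothetical.
EXPECTED_SOURCES = {
    "cdn.access",    # CDN logs and transactions
    "cloud.audit",   # cloud control-plane audit trail
    "saas.auth",     # SaaS application sign-in events
    "endpoint.edr",  # endpoint telemetry
}


@dataclass(frozen=True)
class SourceStatus:
    """What the log platform reports for one ingested source."""
    name: str
    newest_event: datetime  # most recent event ingested (real-time view)
    oldest_event: datetime  # oldest event still queryable (historical view)


# Constructed ingestion state "as of" a fixed reference time.
NOW = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)
OBSERVED = [
    SourceStatus("cdn.access", NOW - timedelta(minutes=2), NOW - timedelta(days=400)),
    SourceStatus("cloud.audit", NOW - timedelta(hours=26), NOW - timedelta(days=90)),
    SourceStatus("saas.auth", NOW - timedelta(minutes=5), NOW - timedelta(days=14)),
    SourceStatus("legacy.syslog", NOW - timedelta(minutes=1), NOW - timedelta(days=200)),
]


def find_gaps(expected, observed, now,
              max_lag=timedelta(hours=1), min_history=timedelta(days=90)):
    """Return {gap_kind: sorted source names}.

    missing        - expected but the platform has no record of it at all
    stale          - newest event older than max_lag (no real-time visibility)
    short_history  - oldest retained event younger than min_history
    unknown        - ingested but not in the inventory (inventory drift)
    """
    seen = {s.name: s for s in observed}
    gaps = {"missing": [], "stale": [], "short_history": [], "unknown": []}
    for name in sorted(expected):
        status = seen.get(name)
        if status is None:
            gaps["missing"].append(name)
            continue
        if now - status.newest_event > max_lag:
            gaps["stale"].append(name)
        if now - status.oldest_event < min_history:
            gaps["short_history"].append(name)
    gaps["unknown"] = sorted(set(seen) - set(expected))
    return gaps


def format_report(gaps):
    """Render the gap dict as one line per finding; empty string if clean."""
    lines = [f"{kind}: {name}" for kind, names in gaps.items() for name in names]
    return "\n".join(lines)


if __name__ == "__main__":
    report = format_report(find_gaps(EXPECTED_SOURCES, OBSERVED, NOW))
    print(report or "no visibility gaps found")
```

Run on the constructed data it reports the endpoint source as missing, the cloud audit trail as stale (last event 26 hours ago), the SaaS sign-in source as too short on history (14 days), and the legacy syslog feed as an uninventoried source. The thresholds are the knobs a team would set from its own investigation needs: `max_lag` defines what "real-time" means for a source, and `min_history` is the lookback an analyst must be able to query.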

By implementing a cloud-native security operations stack, your security team can start to take the proper steps to close any visibility gaps they may identify. With a cloud-native logging and security analytics solution, your security team will no longer have to spend their time optimizing storage use or managing infrastructure, replication factors, or old-school indexes. Instead, they can spend their time on what matters most — asking questions of their log data.

The Devo Platform, for example, addresses visibility challenges by enabling your security team to collect, store and analyze all your data at scale. It brings together data from all sources so your security team can enrich it and have the real-time context they need to combat cyberthreats successfully. Devo can ingest hundreds of terabytes of data per day, store that data always-hot for at least 400 days and deliver analytics and visualizations that analysts can use to dig right into that information. They won’t have to compromise on query performance to do this level of analysis, either. Combined with the Devo Security Operations application — a true next-gen security analytics platform — your security team will have the tools they need to implement a wide range of security use cases.

With growing data volumes and increased needs for telemetry, it’s critical to arm your security operations team with the right tools and resources so they always have complete context during investigations. Without the ability to see every aspect of their cloud environments, it will be extremely challenging to keep your business and its data safe from increasingly sophisticated, relentless cybercriminals.