Cloud detection and response is, and will stay, a team sport – TechTarget


Who owns cloud threat detection and response? Like many other cybersecurity responsibilities, the answer depends on individual organizations’ skill sets, staffing and organizational structures.

Research from TechTarget’s Enterprise Strategy Group indicated that security pros believe there are many ways to manage cloud detection and response (CDR):

Note that the responses go way beyond 100%, meaning multiple responses were accepted. This indicates many large organizations manage different cloud applications and their associated security — including CDR — in different ways. One team developing applications in AWS might lean on Amazon GuardDuty, Amazon Inspector and Amazon Detective, while another team building on top of Azure might aggregate logs and develop detection rules using a traditional SIEM. Like I said, it depends.

Coordinating CDR management

This decentralized model might not be the most efficient CDR methodology, so will organizations then establish cloud SOCs, formalize processes, consolidate CDR technologies and purchase CDR platforms? Some will, but most won’t. Cloud application development and threats move quickly, demanding focused security skills on individual applications, APIs, log sources, identities and underlying CSP services. Consolidation looks good on paper, but given cloud specialization, it might result in a jack-of-all-trades/master-of-none situation.

Security teams still need coordination across disparate environments, but they should think loosely — not tightly — coupled. This reality has the following ramifications:

  1. Threat intelligence programs must anchor CDR. Cloud developers, DevOps personnel and cloud security teams should work with their threat intelligence groups to ensure they receive continual updates on known threats to their cloud applications and CSP services. This helps them establish a threat-informed defense, focusing on addressing real threats targeting their organization, industry and region.
  2. The Mitre ATT&CK framework must act as a common foundation. Established SOCs and cloud security groups should do all they can to operationalize the Mitre ATT&CK framework to bolster defenses, triage alerts and aid in investigations. Aside from the traditional framework, cloud security engineers, analysts and incident responders should emphasize the Mitre cloud matrix.
  3. Processes and communications are critical. While some threat detection and response activities are localized, organizations still need strong coordination across domains. This includes collaborating on necessary log sources, monitoring user activities and understanding normal behavior. CISOs should weave together independent activities by layering in common processes and formalized communications requirements.
  4. Standards such as Sigma for detection engineering must gain momentum. Open source Sigma rule sets can be a force multiplier because they provide cross-platform detections, as well as a repository populated by global contributors. This can help support internal teams focused on multiple independent cloud applications and CSPs.
  5. Cloud security architects are in high demand. Along with specialization, organizations still have to bring everything together at some level. This will create a sellers’ market for cloud security architects with knowledge across Amazon, Google and Microsoft. CISOs should be willing to provide advanced cloud security training for smart, motivated and loyal individuals on the security team.
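The Sigma point above is easiest to see in code. The following is an added example, not code from the article or from the Sigma project: one Sigma-style rule (expressed as a Python dict rather than YAML, with the same logsource/detection/condition/tags keys) is evaluated against constructed AWS CloudTrail ConsoleLogin events and constructed Microsoft Entra ID sign-in events. Per-provider normalizers map each schema onto the rule's common field names, which is how a single rule serves teams running different CSPs; the ATT&CK tag ties the rule back to the framework from point 2. The rule, the normalizers and every event are constructed for illustration; the provider field names are modelled on the CloudTrail and Microsoft Graph signIn schemas but should be treated as assumptions to verify against your own logs.

```python
"""Sigma-style cross-platform detection over CloudTrail and Entra ID sign-in events.

Added example, not the article's or the Sigma project's code. The rule, the
normalizers and all events are constructed; provider field names follow the
CloudTrail ConsoleLogin event and the Graph signIn resource as assumptions.
"""

# A Sigma-like rule (hypothetical). Real Sigma uses YAML with the same keys.
RULE = {
    "title": "Successful interactive sign-in without MFA (illustrative)",
    "logsource": {"category": "cloud_signin"},
    "detection": {
        "selection": {"event_type": "signin", "outcome": "success", "mfa_used": False},
        # Constructed exception: a known test identity. Real filters list vetted exceptions.
        "filter": {"user|contains": "audit-test"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.t1078"],  # ATT&CK Valid Accounts; tags map hits onto the framework
}


def normalize_cloudtrail(event):
    """CloudTrail ConsoleLogin: outcome in responseElements, MFA flag in additionalEventData."""
    return {
        "event_type": "signin" if event.get("eventName") == "ConsoleLogin" else "other",
        "outcome": "success" if event.get("responseElements", {}).get("ConsoleLogin") == "Success" else "failure",
        "mfa_used": event.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        "user": event.get("userIdentity", {}).get("userName", "unknown"),
        "source_ip": event.get("sourceIPAddress", ""),
    }


def normalize_entra_signin(event):
    """Entra ID sign-in: status.errorCode 0 means success; authenticationRequirement shows MFA."""
    return {
        "event_type": "signin",
        "outcome": "success" if event.get("status", {}).get("errorCode") == 0 else "failure",
        "mfa_used": event.get("authenticationRequirement") == "multiFactorAuthentication",
        "user": event.get("userPrincipalName", "unknown"),
        "source_ip": event.get("ipAddress", ""),
    }


NORMALIZERS = {"aws_cloudtrail": normalize_cloudtrail, "entra_signin": normalize_entra_signin}


def match_selection(selection, event):
    """Sigma semantics: fields are ANDed, a list of values is ORed; supports |contains."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        candidates = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            ok = any(str(c) in str(actual) for c in candidates)
        else:
            ok = actual in candidates
        if not ok:
            return False
    return True


def eval_condition(condition, results):
    """Evaluate a Sigma condition over named selections; precedence not > and > or."""
    tokens = condition.split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            right = parse_and()
            value = value or right
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    return parse_or()


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: match_selection(sel, event) for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run_detection(rule, events_by_source):
    """Apply one rule to raw events from several providers; return (source, user) hits."""
    hits = []
    for source, events in events_by_source.items():
        for raw in events:
            event = NORMALIZERS[source](raw)
            if rule_matches(rule, event):
                hits.append((source, event["user"]))
    return hits


# Constructed sample events (documentation-range IPs, fictional users).
SAMPLE_EVENTS = {
    "aws_cloudtrail": [
        {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
         "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
        {"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.11",
         "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
        {"eventName": "DescribeInstances", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.11"},
    ],
    "entra_signin": [
        {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
         "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
        {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.8",
         "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
        {"userPrincipalName": "audit-test@example.com", "ipAddress": "198.51.100.9",
         "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    ],
}

if __name__ == "__main__":
    for source, user in run_detection(RULE, SAMPLE_EVENTS):
        print(f"{RULE['title']} [{', '.join(RULE['tags'])}]: {source} {user}")
```

Only the normalizers are provider-specific; the rule, the matcher and the condition grammar are shared, which is the force-multiplier effect the article describes. Adding a third CSP means writing one more normalizer, not rewriting the detection.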

To arm different teams with security monitoring, threat detection and incident response tools, security teams need to work closely with application developers and DevOps teams. CISOs should develop product requirements but give other teams the flexibility to choose cloud-friendly security tools that address security needs and integrate into their skill sets and CI/CD pipelines.

To support the security federation, security vendors should eschew proprietary agendas and develop CDR tools built for integration.

Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget’s Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
