State of Security Monitoring of Public Cloud

Transcription

1 State of Security Monitoring of Public Cloud Shittu O. Shittu Enterprise Security Architect, BP Enterprise Security Architect, trainline.com Director and Principal Consultant, TRAIS Mavens Ltd

2 Highlights Why integrate Cloud with SIEM tools/services? Emerging integration architectures and Trends

3 Free for Life!

4 Free for Life!

5 Free for Life!

6 How do you prevent murder?

7 How do you prevent murder?

8 SIEM Integration for Public Cloud Security Information and Event Management (SIEM)

9 SIEM Integration for Public Cloud Security Information and Event Management (SIEM) NOT just logging for compliance and forensics BUT security intelligence technology geared to aid incident response

10 Cloud Security Alliance Research Approach Cloud Service Provider Events per day: 35 million Unique devices: 62k Survey Participants SIEM Provider Events per second: 10k to 100k Cloud Customer Events per day: (196 to 30k) million Unique devices: 470 to 30k Cloud Customer Cloud Service Provider SIEM/Security Provider Inquiries by to

11 Key Findings Market Definitions Increasing focus on threat intelligence and security analytics Unmet need of early attack/breach detection SIEM Architectures Vary by service model, Cloud Service Provider and Cloud customer maturity Trend towards proxy-based architectures SecaaS Becoming major market trend Lack of standards/common log formats seen as a major issue

12 What is the market saying? Collect Analyse Alert

13 Sensors, Collectors, Parsers What is the market saying? Collect Analyse Alert Logs Systems Correlation and Analytics Strengths Weaknesses Databases Hosts / Operating Systems; Applications and APIs Network appliance Available tools, processes and policies Exploitable vulnerabilities Events Applications Sensors and Taps Database activities Opportunities Security Improvements Indicators of compromise, attack or breach Threats Threat mitigation tools Network appliances Network Flows

14 Sensors, Collectors, Parsers What is the market saying? Collect Analyse Alert Logs Systems Correlation and Analytics Strengths Weaknesses Databases Threat Intelligence Hosts / Operating Systems; Applications and APIs Network appliance Events Applications Sensors and Taps Database activities Opportunities Available tools, processes and policies Security Improvements Exploitable vulnerabilities Indicators of compromise, attack or breach Threats Threat mitigation tools Network appliances Network Flows

15 Sensors, Collectors, Parsers What is the market saying? Collect Analyse Alert Logs Systems Correlation and Analytics Strengths Weaknesses Databases Threat Intelligence Hosts / Operating Systems; Applications and APIs Network appliance Events Applications Sensors and Taps Database activities Advanced Analytics Opportunities Available tools, processes and policies Security Improvements Exploitable vulnerabilities Indicators of compromise, attack or breach Threats Threat mitigation tools Network appliances Network Flows

16 Sensors, Collectors, Parsers What is the market saying? Collect Analyse Alert Logs Systems Correlation and Analytics Strengths Weaknesses Threat Intelligence Databases Hosts / Operating Systems; Applications and APIs Network appliance Events Applications Sensors and Taps Database activities Advanced Analytics Opportunities Available tools, processes and policies Exploitable vulnerabilities Early Indicators Security Improvements Indicators of compromise, attack or breach Threats Threat mitigation tools Network appliances Network Flows

17 What is the challenge? Traditional Security Past thinking and methods

18 What is the Public Cloud challenge?

19 What is the Public Cloud challenge? Scope of Control

20 What is the Public Cloud challenge? Scope of Control Degrees of freedom

21 What is the Public Cloud challenge? Scope of Control Degrees of freedom

22 What is the Public Cloud challenge? + O Scope of Control Blind Spot Degrees of freedom

23 What are the trends and good practices? Cloud Proxy / Security Gateways SecaaS SIEM as a Service SIEM SIEM Engine SIEM Logger

24 What are the trends and good practices? Cloud Proxy / Security Gateways SecaaS SIEM as a Service Cloud access security brokers (CASB) Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers

25 What are the trends and good practices? Cloud Proxy / Security Gateways SecaaS SIEM as a Service Cloud access security brokers (CASB) Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

26 What are the trends and good practices? Cloud Proxy / Security Gateways SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

27 What are the trends and good practices? Cloud Proxy / Security Gateways Negotiate required levels of log visibility SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

28 What are the trends and good practices? Adopt SecaaS Testing the Water Incremental/hybrid approach Cloud Proxy / Security Gateways Negotiate required levels of log visibility SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

29 What are the trends and good practices? Adopt SecaaS Testing the Water Incremental/hybrid approach Cloud Proxy / Security Gateways Negotiate required levels of log visibility SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

30 What are the trends and good practices? Adopt SecaaS Testing the Water Incremental/hybrid approach Cloud Proxy / Security Gateways Negotiate required levels of log visibility SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

31 What are the trends and good practices? Adopt SecaaS Testing the Water Incremental/hybrid approach Cloud Proxy / Security Gateways Negotiate required levels of log visibility SecaaS SIEM as a Service Cloud access security brokers (CASB) Use CASB / Cloud Security Gateway for SaaS visibility Database activity monitoring proxy, Container / App logs SIEM SIEM Engine SIEM Logger Host agent, Virtual appliances, virtual sensors, SIEM Connectors and collectors, SIEM parsers Split SIEM capabilities among Cloud and on-premise E.g. Collector, parser, logger storage and virtual sensor on Cloud E.g. Analysis and correlation on-premise

32 Final thoughts Security Data (BYOD, IoT and Social) Security Risk Profiling Privacy concern (threat contexts) Cloud-based SIEM versus SecaaS Continuous SecaaS growth

33 Questions State of Security Monitoring of Public Cloud You can t protect what you can t see You can t respond to what you don t know Shittu O. Shittu