State of Security Monitoring of Public Cloud

Shittu O. Shittu
Enterprise Security Architect, BP
Enterprise Security Architect, trainline.com
Director and Principal Consultant, TRAIS Mavens Ltd
Highlights
- Why integrate Cloud with SIEM tools/services?
- Emerging integration architectures and trends
Free Email for Life!
How do you prevent murder?
SIEM Integration for Public Cloud

Security Information and Event Management (SIEM): NOT just logging for compliance and forensics, BUT security intelligence technology geared to aid incident response.
Cloud Security Alliance Research Approach

Survey participants:
- Cloud Service Provider: events per day: 35 million; unique devices: 62k
- SIEM/Security Provider: events per second: 10k to 100k
- Cloud Customer: events per day: (196 to 30k) million; unique devices: 470 to 30k

Inquiries by email to research@cloudsecurityalliance.org
Key Findings

Market definitions:
- Increasing focus on threat intelligence and security analytics
- Unmet need for early attack/breach detection

SIEM architectures:
- Vary by service model, Cloud Service Provider and Cloud customer maturity
- Trend towards proxy-based architectures

SecaaS:
- Becoming a major market trend
- Lack of standards/common log formats seen as a major issue
What is the market saying? Collect, Analyse, Alert

Collect (sensors, collectors, parsers):
- Logs: systems, databases, applications, network appliances
- Events: hosts / operating systems; applications and APIs; network appliances; sensors and taps; database activities; network flows

Analyse (correlation and analytics, threat intelligence, advanced analytics):
- Strengths: available tools, processes and policies
- Weaknesses: exploitable vulnerabilities
- Opportunities: security improvements
- Threats: threat mitigation tools

Alert:
- Early indicators
- Indicators of compromise, attack or breach
What is the challenge?
- Traditional security
- Past thinking and methods
What is the Public Cloud challenge?
- Scope of control
- Degrees of freedom
- Blind spot
What are the trends and good practices?

Cloud Proxy / Security Gateways:
- Cloud access security brokers (CASB)
- Database activity monitoring proxy, container / app logs
- Use CASB / Cloud Security Gateway for SaaS visibility
- Negotiate required levels of log visibility

SecaaS / SIEM as a Service:
- Adopt SecaaS: testing the water, incremental/hybrid approach

SIEM (SIEM Engine, SIEM Logger):
- Host agent, virtual appliances, virtual sensors, SIEM connectors and collectors, SIEM parsers
- Split SIEM capabilities among Cloud and on-premise
  E.g. collector, parser, logger storage and virtual sensor on Cloud
  E.g. analysis and correlation on-premise
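The collect / analyse / alert pipeline from the market slide, the "no common log format" finding, and the split of SIEM capabilities between Cloud and on-premise from the slide above, shown together as an added Python example. This is not code from the slides or from any vendor's product: the sshd-style host line and the JSON audit record are constructed formats, the JSON keys (eventTime, eventName, user, sourceIP, result) are hypothetical rather than any provider's schema, the addresses come from documentation ranges, and the rule thresholds are assumptions.

```python
# Added example (not from the slides): collect -> analyse -> alert, split between a
# cloud-side collector/parser and an on-premise correlation engine. Formats, keys
# and addresses are constructed for illustration.
import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    # Common schema every collector maps into, whatever the raw format was.
    ts: str       # ISO-8601, UTC
    source: str   # sensor/collector that produced the record
    actor: str    # user or principal
    action: str   # normalised verb, here always "login"
    src_ip: str
    outcome: str  # "success" or "failure"


# Constructed sshd-style host line, as a host agent would forward it.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ok = m.group("result") == "Accepted"
    return Event(m.group("ts"), "host:" + m.group("host"), m.group("user"),
                 "login", m.group("ip"), "success" if ok else "failure")


def parse_cloud_audit(line):
    # Constructed JSON audit record; the keys are hypothetical, not a provider's.
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return Event(rec["eventTime"], "cloud-audit", rec["user"], "login",
                 rec["sourceIP"], "success" if rec["result"] == "Success" else "failure")


PARSERS = (parse_syslog, parse_cloud_audit)


def collect(raw_lines):
    # Cloud side: normalise what the parsers understand and count the rest.
    # An unparsed line is a visibility gap, so it is reported, not silently dropped.
    events, unparsed = [], 0
    for line in raw_lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
                break
        else:
            unparsed += 1
    return events, unparsed


def to_wire(events):
    # NDJSON stream: what the cloud-side logger ships to the on-premise tier.
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in events)


def from_wire(payload):
    return [Event(**json.loads(l)) for l in payload.splitlines() if l.strip()]


def _epoch(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def correlate(events, threshold=3, window_s=300):
    # On-premise correlation rule: one source IP accumulates >= threshold login
    # failures (from any source) and then logs in successfully within window_s.
    alerts, failures = [], {}  # failures: src_ip -> recent failure times
    for ev in sorted(events, key=lambda e: _epoch(e.ts)):
        if ev.action != "login":
            continue
        now = _epoch(ev.ts)
        recent = [t for t in failures.get(ev.src_ip, []) if now - t <= window_s]
        if ev.outcome == "failure":
            recent.append(now)
        elif len(recent) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "src_ip": ev.src_ip,
                           "actor": ev.actor, "failures": len(recent),
                           "success_source": ev.source, "ts": ev.ts})
        failures[ev.src_ip] = recent
    return alerts


# Constructed sample input: three ssh failures on two hosts, then a successful
# cloud console login from the same (documentation-range) address, plus one line
# no parser understands.
SAMPLE_LINES = [
    "2024-05-01T10:00:05Z web01 sshd[4242]: Failed password for admin from 203.0.113.5 port 51022 ssh2",
    "2024-05-01T10:00:09Z web01 sshd[4243]: Failed password for admin from 203.0.113.5 port 51023 ssh2",
    "2024-05-01T10:00:14Z web02 sshd[4107]: Failed password for root from 203.0.113.5 port 51030 ssh2",
    "2024-05-01T10:01:00Z web01 sshd[4250]: Accepted password for deploy from 198.51.100.7 port 40000 ssh2",
    '{"eventTime": "2024-05-01T10:02:40Z", "eventName": "ConsoleLogin", "user": "admin", '
    '"sourceIP": "203.0.113.5", "result": "Success"}',
    "2024-05-01T10:03:00Z web01 cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run_pipeline(raw_lines=SAMPLE_LINES):
    events, unparsed = collect(raw_lines)           # cloud-side collector/parser
    alerts = correlate(from_wire(to_wire(events)))  # on-premise analysis/correlation
    return {"events": len(events), "unparsed": unparsed, "alerts": alerts}
```

The point of the split is visible in run_pipeline: only the compact, already normalised NDJSON crosses from the cloud-side collector to the on-premise correlation tier, and because both the host agent and the cloud audit feed land in the same Event schema, a single rule can tie an ssh brute force on the hosts to the later console login from the same address. The unparsed count is the blind spot the deck warns about; a rising count after a provider changes its log format is itself worth alerting on.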
Final thoughts
- Security data (BYOD, IoT and social)
- Security risk profiling
- Privacy concern (threat contexts)
- Cloud-based SIEM versus SecaaS
- Continuous SecaaS growth
Questions

State of Security Monitoring of Public Cloud
You can't protect what you can't see. You can't respond to what you don't know.
Shittu O. Shittu