Rethinking Security for SaaS and Cloud Apps

The Problem

Securing and mitigating risks to information assets has been a long-standing concern for IT security teams in organizations of all sizes. To protect enterprise data centers and information, vendors have developed an increasing array of technologies, like firewalls, IDS/IPS, eDiscovery platforms, anti-virus/anti-malware, SIEM solutions, and so on. Over time, organizations have set up Security Operations Centers (SOCs) to help manage these technologies. The evolution of these platforms has been centered on keeping up with the evolution of the broader threat landscape so that organizations are best positioned to deal with the latest techniques crafted by attackers. While this development has continued with reasonable progress, it has been broadsided by one of the biggest shifts in the IT industry in the last several decades, namely the rapid migration to cloud applications and services. The highly centralized, controlled, and infrastructure-laden organizations of yesterday are now transforming into much more agile, decentralized, and elastic enterprises. As these organizations adopt cloud services in greater numbers, desirable goals like security and visibility are left behind. (Figure 1)

Figure 1: Cloud services expose a blind spot with traditional security ops centers.

It is not hard to see why SaaS applications are so popular. These subscription-based services offer an attractive alternative for enterprise users looking to streamline their work activities, collaborate easily with colleagues, and be more productive. Instead of requesting that IT organizations deploy new applications (a process that can take months), cloud applications enable users to be online and productive in days, if not hours, which often results in Shadow IT.
However, migrating data from single-tenant private data centers to loosely managed multi-tenant third-party data centers, where employees can access that data from anywhere, exposes corporate data to new threats.

One option would simply be to block employees from using cloud applications and services, but that strategy is unsustainable. Organizations need to be more agile and cost-effective in today's competitive marketplace. More so, they need to accommodate a growing mobile workforce. Employees entering today's workforce bring their own devices, along with an increasing degree of technical comfort.
Therefore, we need a new solution that enables organizations to embrace cloud applications and services without compromising security or compliance policies. This premise led to the formation of Elastica and the creation of the CloudSOC platform.

Rethinking the Traditional Security Operations Center (SOC)

As traditional enterprise applications migrate to their cloud equivalents (file sharing, CRM, etc.), traditional SOCs lose both visibility and control. To address this new blind spot, Elastica developed the idea of the CloudSOC platform. The CloudSOC can augment an organization's existing SOC by covering the cloud services the organization uses. Newer organizations that are heavily invested in cloud infrastructure can use CloudSOC as their de facto SOC.

It is important to understand where the idea of CloudSOC fits among incumbent approaches for safeguarding cloud services. Single sign-on (SSO) solutions and mobile security solutions, like mobile device management (MDM) and mobile application management (MAM), are certainly key ingredients in this emerging cloud and mobile era. They form a good starting point, as they conveniently manage user identities, ensure credentialed access to cloud applications, and control business applications on mobile devices. However, while usernames and passwords protect the walls of the castle, what happens inside the kingdom remains a mystery. What if an individual's username and password are compromised? Or the user provides appropriate credentials, but their system is compromised with malicious software (malware) and the connection to a cloud service is surreptitiously co-opted without the user's knowledge? Alternatively, what if an insider knowingly (or even unknowingly) engages in activity that could cause irreparable harm to his employer? What these scenarios highlight is that awareness and control at the application level is insufficient.
Instead, organizations need visibility into the underlying actions associated with cloud services. Without this level of insight, there is no reliable way to ensure that corporate assets are safe and compliant.

Data Science Powered Cloud Security

Traditional security methods have led to an arms race of identifying known threats through signatures and preparing defenses against those attacks. Today's emerging environment, with assets in an opaque cloud that can be accessed from anywhere and with any device, requires a modern security approach for identifying threats in real time, using advanced data science techniques, regardless of origin. Security needs to start with visibility across all aspects of your environment, especially blind spots. You cannot protect what you cannot see. Visibility ultimately involves being able to gather, analyze, visualize, and glean insights from data. And all of these areas fall under the aegis of data science. Therefore, a core tenet at Elastica is that security is fundamentally a data science problem.

Alongside the growing risks organizations face when deploying cloud services, there has fortunately been commensurate progress in developing techniques from the field of data science that can be used towards helping organizations understand and manage these newly incurred risks. Recent advances in the field involve real-time traffic analysis, machine learning/data analytics, data visualization, and controls corresponding to these capabilities.

Figure 2: Elastica platform

Elastica has incorporated these advances into an overall data science platform that forms the basis for CloudSOC. The platform ingests data from several sources, including: (1) a transparent gateway that sits between organizations and the cloud services they employ; (2) application programming interfaces (APIs) provided by third-party cloud services; (3) logs from common enterprise-grade firewalls and next-generation firewalls; and (4) data from mobile devices via MDM solutions. These data sources are processed and automatically analyzed. The insights from that analysis are percolated to the enterprise administrator via an intuitive graphical user interface (GUI) that not only provides visibility into how cloud services are used, but also facilitates crafting custom policies and taking corresponding actions. (Figure 2)

It is important to stress our stance that usability is a crucial design goal for security technologies. As organizations get more complex, they may find themselves deploying products from a rapidly growing number of vendors. On the flip side, the personnel devoted to managing and using new technologies remain relatively fixed. Therefore, new security technologies simply cannot mandate a steep learning curve. The user interface and configurations for Elastica's CloudSOC are designed to conveniently summarize complex data. Not only can customized policies and controls be created, but they also get simultaneously translated across many applications, which simplifies the task of configuring and administering the system.
That brings us to another important design goal for security offerings, namely customizability. While we typically refer to the threat landscape as a single uniform monolithic entity, the reality is that each organization has unique threats that affect it. Organizations not only need a platform that can be tailored and extended in a way that optimally suits them, but they need to know that as the threat landscape evolves, they can augment the platform as needed.

Aside from that, new cloud applications and services are being introduced at a staggering rate. Providing security coverage for these applications becomes problematic, as traditional methods of creating custom signatures do not scale. Therefore, extensibility is necessary for securing the elastic enterprise. Elastica's StreamIQ technology enables support for a large number of cloud services and is designed to enable quick support for new applications. StreamIQ examines real-time traffic flows and identifies what cloud services are being used as well as how they are being used, even for applications that have never been encountered previously. Elastica's StreamIQ technology is based on advanced machine learning techniques that not only identify and learn new applications, but also enable rapid security coverage for these new applications.

CloudSOC is itself a cloud-based service, figuratively sitting in proximity to the very cloud applications it is protecting. As organizations supplant traditional enterprise applications with cloud-hosted counterparts, it seems appropriate to eschew an offering predicated on a traditional on-premises appliance.

Elastica Applications: Audit, Protect, Detect, and Investigate

On top of this modular data science platform, Elastica's CloudSOC currently offers customers four main applications: Audit, Protect, Detect, and Investigate.

Audit

When it comes to the security of cloud services, organizations typically like to start by determining what cloud applications and services their employees are utilizing in the first place. Elastica's CloudSOC analyzes customer firewall log data to provide this information. Customers have consistently found the exercise to be highly illuminating from a discovery standpoint. Typically, they expect a handful of applications to surface among their users, but what they actually discover is an order of magnitude greater. In some instances, a well-intentioned employee might be accessing a personal cloud service from a corporate asset. Other situations might involve Shadow IT. In these cases, groups may be using cloud services with important business-critical data while operating outside the purview (and without the blessing) of the information security team.

Figure 3: Business Readiness Rating

Basic cloud service discovery is relatively straightforward. In and of itself, however, it is of limited value. What organizations ultimately need to understand is whether the cloud services being employed are business ready. Elastica's CloudSOC addresses this concern by juxtaposing each discovered cloud service and SaaS application with a Business Readiness Rating.
Furthermore, organizations can drill into the rating to understand the tangible underlying risks. (Figure 3) Elastica determines this rating by analyzing cloud services using a large number of criteria. For example, does the service offer two-factor authentication? Can it be centrally administered? Is data encrypted in motion or at rest? What compliance certifications does the provider have? Further, the rating criteria are customizable. For example, perhaps you care about whether the service provides an administrative audit trail, but you might not care as much about whether it offers role-based authentication. Because customers can adjust the weighting of the factors going into the score, they effectively get automated cloud service business readiness ratings in a way that is specifically tailored to their environment. Some customers use this functionality to compare current applications with alternatives that provide analogous functionality (but with less risk). This comparison-shopping capability is built directly into Elastica's CloudSOC Audit application.
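To make the weighting concrete, here is an added illustration (not Elastica's code) of how such a customizable rating can be computed: the criteria are the ones named above, while the service names, their attributes, the weights and the 0 to 10 scale are constructed assumptions.

```python
# Added example (not Elastica's code): a weighted Business Readiness Rating
# over the criteria the text names, with customer-adjustable weights, a
# drill-down into unmet criteria, and a ranking of alternative services.
# Service attributes and weights below are constructed sample data.

from typing import Dict, List, Tuple

Service = Dict[str, bool]   # criterion name -> satisfied?

CRITERIA = (
    "two_factor_auth", "central_admin", "encrypted_in_motion",
    "encrypted_at_rest", "compliance_certs", "admin_audit_trail",
    "role_based_auth",
)

# Default weights (assumed equal); customers override them to fit their needs.
DEFAULT_WEIGHTS: Dict[str, float] = {c: 1.0 for c in CRITERIA}

def readiness_rating(service: Service,
                     weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted share of satisfied criteria, scaled to 0-10 (one decimal)."""
    total = sum(weights.get(c, 0.0) for c in CRITERIA)
    if total <= 0:
        raise ValueError("at least one criterion must carry positive weight")
    earned = sum(weights.get(c, 0.0) for c in CRITERIA if service.get(c, False))
    return round(10.0 * earned / total, 1)

def risk_drilldown(service: Service,
                   weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Unmet criteria that cost points, heaviest first: the tangible risks."""
    misses = [(c, weights.get(c, 0.0)) for c in CRITERIA
              if not service.get(c, False) and weights.get(c, 0.0) > 0]
    return sorted(misses, key=lambda m: (-m[1], m[0]))

def rank_alternatives(services: Dict[str, Service],
                      weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Comparison shopping: analogous services, best rating first."""
    scored = [(name, readiness_rating(s, weights)) for name, s in services.items()]
    return sorted(scored, key=lambda r: (-r[1], r[0]))

# Constructed services (not any real product's attributes).
SAMPLE_SERVICES: Dict[str, Service] = {
    "share-app-a": dict(two_factor_auth=True, central_admin=True,
                        encrypted_in_motion=True, encrypted_at_rest=True,
                        compliance_certs=True, admin_audit_trail=True,
                        role_based_auth=False),
    "share-app-b": dict(two_factor_auth=False, central_admin=False,
                        encrypted_in_motion=True, encrypted_at_rest=False,
                        compliance_certs=False, admin_audit_trail=False,
                        role_based_auth=True),
}

# A customer who values an administrative audit trail and ignores
# role-based authentication, as in the text's example.
AUDIT_FOCUSED = dict(DEFAULT_WEIGHTS, admin_audit_trail=2.0, role_based_auth=0.0)

if __name__ == "__main__":
    for name, score in rank_alternatives(SAMPLE_SERVICES, AUDIT_FOCUSED):
        print(name, score, risk_drilldown(SAMPLE_SERVICES[name], AUDIT_FOCUSED))
```

Setting a criterion's weight to zero removes it from both the score and the drill-down, which is how the "do not care about role-based authentication" case above is expressed.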
Detect

The next goal is to identify traffic to cloud services that is rooted in malicious behavior, whether that behavior was carried out intentionally by a human or surreptitiously by malware. Beyond identifying malicious behavior through pattern matching, Elastica employs anomaly detection mechanisms that are generated via machine learning approaches. These approaches essentially model typical user behavior with respect to particular applications and actions within those applications. Based on these models, undesirable behavior can be identified. For example, is a user starting to delete a substantial number of files from a shared folder associated with a file sharing application? Does the user appear to be scraping an excessive amount of customer data from a CRM application? Are actions being conducted by the user, or are they being conducted by surreptitious software (e.g., malware) without the user's knowledge? Elastica assigns a ThreatScore to the activities of each user, which provides immediate insight into security issues and can be used to trigger real-time actions. These approaches are not only data driven, but they are largely automated, enabling faster and more comprehensive detection of malicious activity. In a world where threats are rapidly morphing and highly ephemeral, there is little time to lose when trying to identify them.

Investigate

The detection of threats is often just a starting point for IT administrators. When an incident occurs, it is typically necessary to dig deeper and understand the context around that incident. Because Elastica's CloudSOC gathers and processes data prior to the identification of threat activity, administrators can go back and reconstruct precisely what happened, thereby saving organizations many hours of work. This data is not only collected and analyzed based on cloud activity, but it is presented in human-readable form. This last point is worth emphasizing.
Even though one might be able to determine what cloud service is associated with a particular traffic stream, it is not as simple to identify the action associated with that cloud service. For example, traffic might indicate that the user is connecting to a file sharing service; however, it might not be immediately clear from that traffic whether the user is uploading, copying, or deleting a file. Because Elastica has gathered tremendous intelligence regarding cloud services, we are able to determine the actual actions from traffic, and we provide this deeper level of visibility to our customers. More so, Elastica provides this visibility even for cloud services that do not have their own inherent logs or APIs.

Investigating and responding to threats takes on extreme importance as the threat landscape evolves. Despite best efforts, well-crafted threats can infiltrate and compromise an organization. Motivated attackers know what defenses they are up against, and they will try to craft threats that bypass those defenses. In the face of such attackers, organizations have to put forethought into how they will respond. Typically, in the incident response phase, the goal is to understand the scope, the ramifications, and ideally the root cause of threats to the environment. Being able to pull up historical data after the fact is invaluable in such cases.

Protect

While being able to identify and investigate threats is sufficient in the near term for stemming the tide of damage caused, organizations can easily find themselves playing perpetual whack-a-mole. To sidestep this problem, Elastica's CloudSOC platform enables customers to create and enforce custom policies.
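As an added illustration (not Elastica's code) of how the Detect and Protect pieces fit together: a per-user behaviour baseline turns unusual action counts into a ThreatScore, and an action-level policy permits a file sharing application while blocking shares to recipients outside the organization and blocking further actions from a user whose score is too high. The baseline method (deviation from the user's own history), the thresholds, the score scaling and all sample data are assumptions.

```python
# Added example (not Elastica's code): a per-user behaviour baseline that
# yields a ThreatScore, plus an action-level policy that consumes it.
# All counts, domains, thresholds and events below are constructed.

from statistics import mean, pstdev
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]          # (user, app, action)
ORG_DOMAINS = {"example.com"}       # constructed: the customer's own domains

# Constructed history: daily counts of each action over the prior week.
HISTORY: Dict[Key, List[int]] = {
    ("alice", "file_sharing", "delete"): [2, 3, 1, 2, 3, 2, 1],
    ("alice", "file_sharing", "upload"): [10, 12, 9, 11, 10, 13, 11],
    ("bob", "crm", "export_records"): [5, 4, 6, 5, 5, 4, 6],
}
# Constructed counts for the current window; alice is mass-deleting.
TODAY: Dict[Key, int] = {
    ("alice", "file_sharing", "delete"): 40,
    ("alice", "file_sharing", "upload"): 12,
    ("bob", "crm", "export_records"): 7,
}

def deviation(observed: int, baseline: List[int], floor: float = 1.0) -> float:
    """How far above the user's own typical count, in standard deviations.
    A floor on the spread keeps near-constant histories from exploding."""
    sigma = max(pstdev(baseline), floor)
    return max(0.0, (observed - mean(baseline)) / sigma)

def threat_scores(history: Dict[Key, List[int]], today: Dict[Key, int],
                  threshold: float = 3.0, cap: float = 100.0) -> Dict[str, float]:
    """ThreatScore per user: scaled sum of anomalous deviations, capped at 100.
    Actions with no baseline yet are skipped rather than guessed at."""
    scores: Dict[str, float] = {}
    for key, count in today.items():
        base = history.get(key)
        if not base:
            continue
        z = deviation(count, base)
        if z >= threshold:
            scores[key[0]] = min(cap, scores.get(key[0], 0.0) + 2.0 * z)
    return scores

def is_external(recipient: str) -> bool:
    """Missing or malformed recipients count as external (fail closed)."""
    domain = recipient.rsplit("@", 1)[-1].lower() if "@" in recipient else ""
    return domain not in ORG_DOMAINS

def decide(user: str, app: str, action: str, attrs: Dict[str, str],
           scores: Dict[str, float], score_limit: float = 50.0) -> str:
    """Action-level verdict: first matching rule wins, default allow."""
    if scores.get(user, 0.0) >= score_limit:
        return "block:threatscore"          # real-time action driven by Detect
    if (app == "file_sharing" and action == "share"
            and is_external(attrs.get("recipient", ""))):
        return "block:external-share"       # app allowed, this action is not
    return "allow"
```

With the constructed data, only alice's deletions exceed the threshold, so her uploads are blocked by score while bob's internal shares stay allowed and his external shares are blocked by the action rule.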
Moreover, because these policies can be crafted based on the insights gleaned from the other aspects of CloudSOC, they yield definitive risk mitigation measures. It is important to note that in the context of cloud services, it is desirable to have policies that are not simply black or white. For example, an enterprise administrator might be fine with the use of a particular file sharing application, but they may want to block a user from sharing a file with someone outside the organization. Because Elastica has visibility into the actions associated with a given application, we enable customers to create and enforce these types of more granular policies.

Ultimately, organizations need to take a holistic view of the risks they face when leveraging cloud services. That view is driven by having visibility into those services, and that visibility can be attained via CloudSOC applications like Audit, Detect, Protect, and Investigate, all of which are fueled by data science.

Enabling the Elastic Enterprise

Enterprise organizations are generally tackling three critical cybersecurity challenges:

Rapid proliferation of new technologies. As concepts like cloud, BYOD, Internet of Things, etc., enter into the IT lexicon, organizations need to build commensurate expertise in understanding the security implications of these trends.

The evolving threat landscape. Attackers are constantly morphing techniques in an effort to bypass existing enterprise defenses, especially in areas they perceive to be blind spots. Detecting and blocking every conceivable threat quickly becomes a war of attrition.

Managing complexity. Enterprises are working with more third-party vendors and partners than ever. This complexity not only creates more work, but also introduces security risks because of an increased attack surface. Also, it becomes likely that products and services are not being used in an optimal manner.
Elastica's driving force is to develop technologies that cut across this set of challenges. Applications like Audit, Detect, Protect, and Investigate, built on top of the CloudSOC platform, can be used to address all three areas concurrently. First, the move towards cloud-based applications has been one of the most vibrant shifts in the evolution of IT infrastructures. Second, because attackers customize their threats, it is essential to take a holistic view of cloud application usage, involving processing, visualizing, and gleaning insights into the data associated with these applications (largely in an automated fashion). Threat detection is both important and necessary, but visibility must be the foundation. Finally, as our customers leverage more cloud services, they have to manage the resulting complexity, which CloudSOC allows them to do.
Ultimately, the elastic enterprise transcends elasticity in the amount of raw computing power and storage that organizations leverage. It is also about elasticity in employee productivity. For organizations to thrive and stay agile in today's competitive environment, their employees need access to the best resources, services, and devices. Historically, security concerns have represented a deterrent to such flexibility. In the context of Elastica, however, we can reverse this paradigm and think of security as an enabler. The move to leveraging cloud services is an inevitable reality. Despite the plethora of benefits associated with cloud services, the core hurdle for organizations involves understanding the corresponding risks and managing them. Elastica holistically addresses critical security concerns and mitigates risk so that organizations can feel confident in embracing a cloud-enabled world.