We're proud to be named a 2024 Publisher's Choice winner!

We're an RSA Conference 2024 Innovation Sandbox Finalist!

For decades, Security Operations Center (SOC) have been at the foundation of organizational security and risk mitigation. SOCs perform critical operations, helping to keep systems updated and handle the day-to-day monitoring of organizational IT.

In recent years, their responsibility and mandate has expanded along with speeding pace of cloud transformation because the SOC isn't only called upon to secure on-prem. Teams must manage IT and business assets dispersed across multiple public clouds and software-as-a-service (SaaS). A recent ESG (Enterprise Strategy Group) study on multi-cloud networking trends highlighted that most organizations are using 3 or more public cloud and over 250 business applications; the territory SOC teams now need to cover is vast.

With on-premises identity and access management controls, it was much easier for the SOC to keep track of who was accessing what, and where. Microsoft Active Directory and similar on-premises systems provided an easy pathway for them to follow access to the on-premises enterprise. On-premises Microsoft Active Directory services have existed since 1999 – the security world has spent multiple decades improving monitoring and response to on-prem incidents and security issues. With on-premises applications, it used to be easier for SOC teams to monitor logs and keep them local for analysis.

But what happens in the cloud when most applications your organization uses don't rely on the on-premises controls the SOC relies on? What happens when the logs you used to have on premises are managed across cloud vendors and app providers?

This current reality sets up five vital things SOC teams are often missing in cloud security:

  1. Lack of visibility into cloud forensics and logs. There is limited visibility into cloud infrastructure compared to on-premises environments. Critical logs like s3 bucket access logs aren’t enabled by default, and often aren’t collected and even if they are, they aren’t kept for long enough periods.
  2. Integration challenges across fragmented logging. Logs come from different cloud providers and SaaS platforms in different formats. Integrating and normalizing this data is difficult.
  3. Limited detection capabilities for cloud threats. Many security tools are focused on prevention and lack real-time detection and response capabilities tailored for cloud environments where log recording and streaming is limited.
  4. Identity management challenges. With the move to cloud, identity has become the new perimeter, attackers moved from “breaking into” to “logging into.” However, many SOC teams lack visibility that on-premises Active Directory provides. Different identity providers offer different log coverage, different events. On-premises identity was mostly Microsoft Active Directory, but the cloud identity realm offers multiple vendors with various solutions.
  5. Gaps in cloud security skills and experience. Many teams lack experience responding to cloud attacks and analyzing logs from various cloud services. If today professionals have decades of materials and experiences about on-prem technology to learn from, cloud technology is still in its infancy compared to on prem. This will slow down incident response.

The Sightline Challenge for SOC Teams with Cloud and SaaS

To be effective, security operations and SOC teams need to have visibility into cloud operations; that is not always easy to get.

Forensic investigations in the cloud involve collecting and analyzing logs to understand attacker activity, including access to files and how they got in. A common challenge is that SOC teams lack complete visibility into cloud activity and don't have access to all the forensic data needed for effective incident response. The volume and variety of cloud data makes it hard for SOC teams to ingest and analyze. Lack of standards across providers means more manual effort is needed to normalize and correlate data. Investigation is telling the story of what happened; imagine telling a story where the plot is black at crucial junctions.

There also has been a focus on prevention rather than detection and response in many SOCs. Teams have long been concerned with vulnerability management and that remains important, but there is more to do.

In the cloud, organizations need more mature detection and response capabilities to identify threats. It's just not possible to prevent every type of risk in the cloud, but what is possible is to narrow down the time to detection and remediation, which serves to dramatically reduce risk. The shared responsibility model makes the vendor responsible for patching and taking care of the core elements and infrastructure, so in some cases prevention isn’t achievable for the security teams.

Every SOC already has a lengthy list of tools to deploy and manage, that include SIEM (Security Information and Event Management), and lately, SOAR (Security Orchestration, Automation, and Response) technologies. Those technologies can ingest logs, but you need to know where to find them, and they need to be collected with the right degree of detail in the first place. Even if the logs exist, SOC teams still often need to configure their own alerts, which can be challenging due to the complexity of cloud and SaaS providers' formats and data. Moving from one SaaS provider to a different one that offers the same service doesn’t mean their logs will be the same, making custom detections useless until modification.

Adding to the challenge, many SOC workflows still depend heavily on manual investigation, which is not scalable in cloud environments. Lack of automation and orchestration creates delays and gaps.

Closing the Cloud Security Gap

To close the cloud security gap, SOC teams need solutions that provide unified visibility, focus on detection and response, automate cloud data ingestion and analysis, and augment staff with cloud security expertise.

The SOC and SecOps teams need tools that should include:

  • Giving visibility into user activities across cloud environments
  • Ingesting and normalizing data from diverse cloud sources
  • Detecting anomalous behavior and threats in real-time
  • Automation to accelerate investigations and response
  • Providing context to help analysts understand the impact of threats

Simply put, the cloud is different from on-premises and if your organization can treat it as such, you’re already ahead of the game. Modern SOC teams who gain the understanding and tooling to fully manage their organization’s cloud and SaaS security, set themselves up for greater success, and set their enterprises up for a higher level of risk mitigation and resilience.


April 23, 2024

Don't miss these stories:

Mitiga Wins Global InfoSec Award for Cloud Threat Detection Investigation & Response (TDIR)

We’re proud to report that at the open of today’s RSAC24, Mitiga was awarded the Publisher's Choice Cloud Threat Detection Investigation & Response (TDIR) from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Why Did AWS Replace My Role’s ARN with a Unique ID in My Policy?

After several years of working with AWS, IAM remains one of the most frequently used services in my daily routine. Yet, despite my familiarity with it, a recent production incident taught me that there’s always more to learn.