Bridging The Visibility Gap on Cloud

Yogesh Potdar   

It is a fact that most organizations get hacked at some point in time, however, most data breaches go undetected.

From the few which get detected, most of those data breaches go undetected for several months before being detected either by sheer accident or by an external entity, such as a security research organization or in many cases by a partner or a customer.

A given organization is more likely to be notified of a given data breach by an external, well-meaning entity than to discover the same data breach via internal operations, causing much embarrassment.

These statistics are provided by organizations that were “in compliance” at the time of the data breach and do not take into account organizations that do not bother with compliance or data breach investigations.

All things being equal, it’s better to find hacks early using your own people than being informed by your customers.

Visibility – The Gap

Everything depends on visibility, the essential foundation for any cloud security strategy. It doesn’t matter whether your cloud security strategy revolves around compliance assurance, threat hunting, policy governance, or risk remediation.

But visibility presents a hurdle which many organizations never clear. Every year, surveys of cybersecurity professionals show that visibility into infrastructure security is the most prevalent cybersecurity challenge. Before tackling any more advanced security strategy or topic, you need to address the visibility gap.

The problem areas

Security teams face many challenges that work against the maintainability of a centralized and context-rich security operations view of attack behaviour moving laterally within an enterprise.

The visibility gap widens as organizations grow and different groups of people implement an increasingly diverse array of deployment processes and technologies spanning many cloud providers, accounts, geographies, and services.

Self-service deployments have made businesses more efficient at the expense of centrally provisioning and monitoring hardened infrastructure. Cloud technologies have, in various ways, allowed infrastructure deployments to become larger, more distributed, dynamic by nature, and (sometimes) ephemeral, while traditional security tools fail at cloud scale and speed. Over the past decade, cloud deployment automation technologies have also outpaced security automation technologies in aspects such as adoption, features, and maturity. 

Historically, SecOps focused on controls for prevention rather than detection. But prevention eventually fails. Traditional prevention focused on statically defined controls concentrated at the enterprise perimeter. However, in the cloud, the perimeter is dynamic rather than static in nature and logically rather than physically defined.

Legacy security tools (such as physical and virtual firewalls) are poorly suited for blocking and detecting attacks within distributed and dynamic cloud environments. And the rapid pace of change in the cloud, coupled with increasingly distributed and diverse enterprise deployments, makes it difficult to find a single security solution that can provide deep visibility into all deployment environments.

What Controls are needed

Effective solutions to fill the visibility gap must offer comprehensive visibility, that requires broad and deep monitoring of current configurations and historical security events associated with assets. Comprehensive visibility into infrastructure security requires multiple forms of visibility simultaneously, to ensure:

Inventory of all in-scope assets at all times

With no visibility into the complete current and historical inventory of all in-scope assets, compliance audits and security analytics will yield incomplete and/or misleading results.

• Contextual details are searchable for the current state of any and every asset

With no visibility into the current state of all in-scope assets, there is no context. With no context, there is no validity to concepts such as compliance assurance and anomaly detection.

• The complete historical record of in-scope security events for each asset

With no visibility into the actual behaviour of cloud workloads and users, there is no way to confirm that government policies are working and no reason to expect that a given infrastructure is not already owned by some nefarious actor.

• From concept to Realization

A next-generation security analytics platform with SIEM functionalities that has Visibility through Observability baked in can greatly help to meet the visibility gap.

A SIEM can be configured to provide a single pane of glass view of organization-wide security posture with key KPI’s like MTTD & MTTR being displayed on the dashboards including trend analysis of events & threats.

These security analytics platforms can be integrated with vulnerability & compliance management solutions so that an organization-wide risk and compliance dashboard can be created.

SIEM’s can be configured to give SecOps visibility into the cyber kill chain & MITRE so that you exactly know where the threats lie & how security operations can be effective in reducing attacker dwell time or the time to identify the breach.

Simply deriving the asset-inventory and asset-state data from logs is insufficient. Data gaps remain as a result of warmup periods, service disruptions, and other failure scenarios.

If the current configured state of assets is not known directly from the cloud provider APIs associated with the asset or service being discovered, then the inventory of assets cannot be considered complete and it may be possible for attackers to easily evade detection. Logs tell a good story, but APIs do not lie.

Therefore, a true solution must provide comprehensive visibility into complex and distributed deployment environments, including hybrid cloud and multi-cloud deployments that may be massive, transient or serverless. The solution requires comprehensive visibility and must provide a consolidated and searchable view of all forms of the context available for each asset. The visibility solution should allow users to perform ad-hoc queries—via UI or API—against the recorded context of any in-scope assets, through a single interface for performing security analytics and compliance audits across cloud boundaries.

An ideal solution would make it easy for users to convert ad-hoc audit queries into recurring compliance checks to not only close the visibility gap but also start using comprehensive visibility as a foundation for more advanced security practices such as compliance assurance, policy governance, and threat hunting.

Today business stakeholders, regulators, investors expect greater visibility into an organization’s security visibility & risk management program.

Originally Published in