Security professionals never complain about boredom. Our lives are full of surprises caused by an ever-changing threat landscape and curveballs thrown by our business colleagues. Few, if any, of those surprises compare to the impact the COVID-19 pandemic has had on the technology environments we struggle to protect.
Visibility has become a particular weak point as workforces have adapted to a new virtual reality. To detect and respond to threats, we need visibility into the multiple environments and technology layers our organizations use. Traditionally, security operations centers (SOCs) addressed this need with a combination of endpoint detection and response (EDR), network detection and response (NDR), and security information and event management (SIEM), commonly referred to as the "SOC triad." Under the pressure of the current climate, organizations rushed the processes for deploying the technologies that enable remote work. As a result, many security teams have found that their traditional tools are blind to much of the activity, and many of the new and emerging threats, that this scenario has produced.
Organizations using NDR tools to monitor traffic between office workstations and the internet, for example, have no view of laptops connected to employees' home networks: the network sensors sit at the office perimeter, and traffic from those laptops never crosses it. EDR tools can compensate by providing visibility into managed devices wherever they connect. However, some organizations also allow access to corporate resources from personal devices, including smartphones and tablets, which are unfriendly territory for tools that require deploying an agent.
Traditional SIEM tools have also suffered from these changes. The need to adapt and scale quickly provided the perfect opportunity to accelerate the push to the cloud. Many organizations adopted new cloud services, from software as a service (SaaS) applications such as Office365 to infrastructure as a service (IaaS) and platform as a service (PaaS) resources. Many capabilities previously provided from a traditional data center, such as virtual private network (VPN) termination and web content filtering, are now offered straight from the cloud. Collecting the logs from all of these new solutions has proven to be the Achilles' heel of the traditional on-premises SIEM: the data volume is too high, each service brings its own collection challenges, and the SIEM needs new detection content to address a new group of threats.
Technology challenges are not the only issue caused by this sudden shift to remote work and cloud environments. Many organizations rely on service providers to support their threat detection and response efforts. Adoption of managed detection and response (MDR) services was on the rise before the pandemic hit, with many offerings built on EDR technology, which provides both the telemetry required for detection and the capabilities required for more active incident response. The organizations adopting this model considered endpoints to be the primary channel for security incidents in their environments, so relying on services based on endpoint technology made sense for them. With the sudden surge in SaaS adoption and the use of personal devices, both customers and service providers are now struggling to adapt that service model to the new scenario. Even those using more traditional managed security services (MSS), based primarily on log-based solutions, are experiencing difficulties integrating these services with their cloud environments. Many managed security service providers (MSSPs) run traditional SIEM technology whose capacity limits and ingest-based licensing make handling the high volume of data from cloud services too expensive to be viable as a service.
Cloud-native security services, delivered in the SaaS model, are being developed to handle the high volume and velocity of data flowing from cloud environments. They include modern SIEM solutions; cloud-focused tools such as cloud access security brokers (CASB) and cloud security posture management (CSPM); and consolidated network and security services such as secure access service edge (SASE). They are enablers of modern security architecture approaches such as Zero Trust models.
Cloud-native SIEMs come with special-purpose detection content focused on the new threat vectors related to the cloud. They are built on scalable architectures and offered under license models based not on the volume of data ingested but on other variables, such as the number of users monitored. Organizations can add policy enforcement by leveraging CSPM and CASB solutions, which help them navigate the complex security settings and services of public cloud providers. In addition, emerging SASE offerings can help move controls such as secure web gateways to a cloud-based model, which is particularly helpful where users access corporate resources from personal devices and from anywhere in the world.
And what about those MSS and MDR providers? They are also evolving to adapt to the new reality. Many of those relying primarily on EDR are expanding their technology stack to cover the blind spots brought by these new usage models. Some are adding modern cloud SIEM solutions to their back ends, where they can aggregate data from the existing EDR solution with data from other sources such as cloud service providers and SaaS applications. These SIEM platforms also offer additional capabilities such as user and entity behavior analytics (UEBA) and advanced analytics, as well as tools that streamline alert triage and incident response, such as security orchestration, automation and response (SOAR).
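As an added illustration of the aggregation described above (example code written for this editing pass, not code from the original article or from any vendor's product): a small Python script joins constructed SaaS sign-in events against a constructed EDR device inventory and flags successful sign-ins from devices the EDR does not cover, which is exactly the blind spot described earlier for personal devices. The log field names, asset IDs and IP addresses are assumptions chosen for the example.

```python
import json
from typing import Iterator

# Constructed EDR device inventory: asset IDs an EDR agent reports on.
# Hypothetical values, not taken from any real deployment.
EDR_INVENTORY = frozenset({"LT-0042", "LT-0107"})

# Constructed SaaS sign-in audit log, one JSON object per line.
# Field names ("device_id", "result", ...) are assumptions for this example.
SAAS_SIGNIN_LOG = """\
{"ts": "2020-06-01T08:02:11Z", "user": "alice@example.com", "device_id": "LT-0042", "os": "Windows", "result": "success", "src_ip": "203.0.113.10"}
{"ts": "2020-06-01T08:05:40Z", "user": "bob@example.com", "device_id": null, "os": "iOS", "result": "success", "src_ip": "198.51.100.7"}
{"ts": "2020-06-01T08:06:02Z", "user": "carol@example.com", "device_id": "LT-9999", "os": "Windows", "result": "success", "src_ip": "192.0.2.55"}
{"ts": "2020-06-01T08:07:15Z", "user": "dave@example.com", "device_id": "LT-0107", "os": "Windows", "result": "failure", "src_ip": "203.0.113.44"}
"""


def parse_signins(log_text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line.

    A malformed line is skipped instead of aborting the batch, so one bad
    record from a cloud export cannot stall the whole ingest.
    """
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def coverage_verdict(event: dict, inventory: frozenset) -> str:
    """Classify the device behind a sign-in against the EDR inventory."""
    device_id = event.get("device_id")
    if not device_id:
        # No asset ID at all: typical of a BYOD phone or tablet with no agent.
        return "no_device_id"
    if device_id in inventory:
        return "managed"
    # An asset ID the EDR has never seen: agent missing, broken, or a rogue device.
    return "device_not_in_edr"


def find_unmanaged_signins(log_text: str, inventory: frozenset) -> list:
    """Return successful sign-ins that came from devices the EDR does not cover."""
    findings = []
    for event in parse_signins(log_text):
        if event.get("result") != "success":
            continue  # failed sign-ins are not access; handle them in a separate rule
        verdict = coverage_verdict(event, inventory)
        if verdict != "managed":
            findings.append({
                "ts": event.get("ts"),
                "user": event.get("user"),
                "device_id": event.get("device_id"),
                "os": event.get("os"),
                "src_ip": event.get("src_ip"),
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for finding in find_unmanaged_signins(SAAS_SIGNIN_LOG, EDR_INVENTORY):
        print(finding)
```

In a cloud SIEM this join would run as a correlation rule over the normalized SaaS and EDR feeds; the point of the example is that neither feed alone answers the question "who reached corporate data from a device we cannot see?", while the two together do.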
Adapting to this "new normal" is not easy for any security operations team. But knowing there are solutions out there to support us in this effort is comforting. As unique as the cybersecurity challenges are, they follow the same pattern as all the other changes we have had to go through because of the COVID-19 pandemic. Trying to fit the old practices to the new reality is not only difficult but ineffective. This is the time to seize the moment and use it to deliver the security practices that will support your entire enterprise in this remote-work, cloud-based era of digital business.