Visibility and Vision
Once upon a time, data centers were a revolution. An air-conditioned environment full of servers, a team of engineers ready to react to the slightest problem, the highest possible bandwidth of connections, power redundancy… Today it is similar – except that we are talking about a colossal center of another provider – the cloud.
As organizations lose direct control over their applications, services and infrastructure, a shift away from the pure “protect and prevent” mindset is required. Prevention alone is not enough; effective detection and response capabilities remain the best investment for any organization that wants both visibility and risk mitigation.
Building effective detection and response requires having a plan for both known and unknown threats.
- Known threats are the easiest to defeat, because detection is easy when adversaries take actions that are obviously malicious. Today, adversaries increasingly recognize that such overt actions are unnecessary when they can simply co-opt and abuse existing services and access. This is especially true in the cloud, where direct access to the control plane and administrative APIs gives adversaries a well-defined, scalable, and scriptable set of options for moving from initial access to their ultimate goals.
- Unknown threats, where adversaries attempt to blend into the background noise of the enterprise. Attacks in the “gray zone” sit at the intersection of the actions an adversary needs to take to achieve their goals and the behaviors routinely performed by authorized users across the enterprise. Where these behaviors overlap, the factors that distinguish an adversary or insider threat from a benign user are intent, context, and authorization.
Conceptually, it comes down to an organization that has both vision and visibility. Organizations must have:
- The vision to define authorized use, the associated risks, and the resources necessary to sustain and enable authorized use while managing those risks.
- The visibility necessary to monitor and measure deviations from that vision and the ability to turn that visibility into action.
Without a clear expectation of the boundaries of what is authorized and expected, security defenders will struggle to do anything but address the obvious risks. Therefore, organizations must have a vision of what authorized use of cloud services looks like. Low-tier organizations achieve this through documented policies that may not go beyond a periodic audit and an annual review by general staff and security teams, while high-tier organizations use these measures to build a robust security culture.
A company’s vision for authorized use of cloud services should include:
- What services and internal behaviors are authorized and in what context should they be used?
- Are there special cases that require policy exceptions?
- What expectations are associated with the use, storage, sharing and retrieval of data?
- When are cloud storage solutions acceptable for applications ranging from individual end users to application architecture?
- What risk expectations have been established for outsourced services that strike an acceptable balance between overprovisioning shadow IT and limiting flexibility and productivity?
- What operational parameters and safeguards are expected to accompany the behavior associated with these external services?
For something to work, it must be monitored and measured, and that includes deviations from the vision. Solving this challenge requires understanding the behaviors that adversaries are motivated to perform, and intentionally collecting and aggregating data that reveals those behaviors in a way the security team can operationalize.
Here’s the checklist security teams need for visibility:
- Are defenders able to detect malicious attacks that move into, through or out of corporate cloud services?
- Are advanced tools such as Microsoft 365 (O365) Power Automate vulnerable to command and control (C2) abuse beyond the security team’s observation?
- Can attackers co-opt or abuse electronic evidence collection tools without detection?
- Is there sufficient insight into the misuse and abuse of administrative and management functions? For example, if adversaries or insiders are performing risky operations in O365 Exchange to collect or exfiltrate sensitive information, can the security team detect them?
- Do defenders have a blind spot when trusted vendors or service providers have been compromised?
- If an adversary can gain a foothold into the environment through the supply chain, is it game over or game on?
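As an added example (not from the original article) of turning the vision of authorized use into visibility, here is a constructed authorized-use policy and a small detector run over constructed records shaped like Exchange entries in the Microsoft 365 unified audit log; it flags the collection and exfiltration operations raised in the checklist above. The cmdlet and field names follow the audit log schema, while the policy values and the records themselves are assumptions.

```python
# Constructed policy expressing the organization's "vision" of authorized use
# (hypothetical values, not from the original article).
POLICY = {
    "internal_domains": {"example.com"},
    "authorized_admins": {"itadmin@example.com"},
}

# Constructed records shaped like Exchange entries in the Microsoft 365 unified
# audit log (Operation, UserId, Parameters as Name/Value pairs); not real data.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "ForwardTo", "Value": "bob@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail.invalid"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "User", "Value": "carol@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "itadmin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "shared@example.com"},
                    {"Name": "User", "Value": "dave@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
]

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _is_external(address, policy):
    addr = address.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in policy["internal_domains"]

def detect_mailbox_abuse(records, policy=POLICY):
    """Return (UserId, Operation, reason) for each record that deviates from policy."""
    findings = []
    for r in records:
        p, op, user = _params(r), r["Operation"], r["UserId"]
        # Exfiltration: inbox rules or mailbox-level forwarding to an outside domain
        for key in ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress"):
            if key in p and _is_external(p[key], policy):
                findings.append((user, op, f"{key} to external address {p[key]}"))
        # Collection: delegated access granted by someone outside the authorized admin set
        if op == "Add-MailboxPermission" and user not in policy["authorized_admins"]:
            findings.append((user, op, f"{p.get('AccessRights')} grant on {p.get('Identity')} by non-authorized admin"))
    return findings
```

The two findings on the sample data are the external forwarding address and the delegation by a non-admin; the internal forward and the admin's own grant stay silent, which is the intent-and-authorization distinction in practice.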
Visibility requires a combination of breadth and depth of coverage and fidelity of signal generation – the ability to focus on security-relevant events to create information that enables the organization to take action to mitigate risk. Once the team achieves this goal, it can combine these events to tell the whole story – turning data into information and intelligence.
Too often, effective visibility has been confused with data overload, turning visibility goals into exercises in over-collection. Even a focused data set can demand speed, variety, and volume at scale, so achieving this goal requires understanding how best to leverage both machine and human capabilities.
Operationalizing this intelligence against all but the least sophisticated adversaries will almost certainly require some level of machine intelligence to tame the flood of activity into something that human security personnel can manage. Fortunately, SOCs now have access to machine intelligence. The best performing organizations understand how to deploy machines to do what machines do best – namely, sift through large amounts of data – while supporting humans to do what they do better: creativity, intuition, reasoning, proper contextualization, and judgment.