SOC in the Cloud

I’ve been interviewing quite a few vendors recently about their advanced platform support for cyber ops. My expectation had been that these SOC discussions would be old hat for me, since I’d been employed for decades in this area. I was supposed to be the guy you asked about SOC operations – not the one who had to learn from others. Or so I thought.

And so, amidst the background hum of some noisy Linux servers in the Stevens Tech Data Center, I hopped onto a call last week with Shelli Strand from ProtectWise, a company that includes Scott Chasin of BugTraq fame as a founder. Shelli took me through the ProtectWise Grid, which I quickly recognized as a sensible means for scaling a SOC to support hybrid cloud environments.

Architecturally, the platform is designed to support public cloud infrastructure. Shelli and I talked about the ongoing concerns some organizations have regarding the security and resiliency of public cloud. She was upbeat about the prospects: “All those cloud allergies we saw in our industry for so long,” she explained, “are now being superseded by the advantages of a cloud delivery model.”

SOC support for public cloud, I've come to learn, requires ingest of network data at scale via software sensors, so that security teams can have a unified view of metadata and content. Such sensors must work for the hypervisors you would care about, including Xen, KVM, and VMware. They must also integrate directly with IaaS cloud services from Amazon, Microsoft, and Google.

The resulting SOC in the cloud has great advantages: it involves much less hardware breakage; it enables geographically dispersed expert staff; and it simplifies out-of-hours incident response because everything is always accessible. That is, since your data is available virtually, analysts can untether from the confines of physical SOC operations. To an old SOC hand like me, this is profound.

I know that many security folk will continue to cringe at this concept – namely, of hybrid virtual operations supporting sensitive threat analysis in the cloud. They will tell you that they prefer their SOC – not to mention their critical applications – hosted inside the firewall-protected perimeter. Some will even joke that this is how God intended for SOC operations and enterprise applications to be hosted.

The problem is that the perimeter approach is not working. Enterprise security continues to reside in the Dark Ages, with most organizations unable to protect their data from threats inside the firewall. Even the comprehensive perimeters protecting the US Intelligence Community have been breached by someone who was simply already inside. #Snowden. This suggests, as any good football coach will tell you, that if you are losing the game, then perhaps you should try something new.

My belief is that you should be distributing your application workloads to virtualized hybrid cloud environments immediately. This will result, if done correctly, in a greatly reduced legacy perimeter that is only obliged to protect remaining assets too stubborn (or too frivolous) to support a move. And yes, I do understand the controversial nature of that claim to your auditor or regulator.

The resultant distributed workloads should then employ micro-segmentation, CASBs, and related cloud security controls to manage the distributed security policy enforcement. You can then totally reinvent your SOC operations, shifting more in the direction of virtual cloud-based processing. I suspect Shelli and the ProtectWise team would be happy to help you in this regard.

At a minimum, if you follow this approach, it will make those 2 AM incident response calls a bit easier to handle.