Response: Part 4 of Multi-Cloud Security Architecture CTO Deep Dive

In part three of my blog series on the Multi-Cloud Security Architecture, we looked at the various methodologies for detection in multi-cloud environments - from human investigation to machine-learning technologies. Once an attack is detected, taking immediate action to remediate the security event is critical to limit its impact across a flattened cloud infrastructure, where it is much easier for attackers to move laterally. So now we will look at tactics for responding quickly and effectively to security events in multi-cloud environments.

Once threats and anomalies are accurately detected, a risk-based approach to response is required. In a more complex and dynamic multi-cloud world, strong response capabilities allow an organization to scale its ability to react to changing threat context, take timely action, and reduce the impact of the decoys that attackers often employ to distract the security response team from the root issue. The consequences of a suboptimal response in this last case cannot be overstated. Time and time again, we see attackers using relatively coarse, high-volume techniques to successfully distract an organization from the attack that matters. Such was the case of a now world-famous UK service provider that was overwhelmed by a simple DDoS attack, which distracted the security operations team to the point that they did not notice the SQL injection attack that was actually exfiltrating customer records. In cases like this, the organization's ability to respond effectively is overwhelmed by an avalanche of less significant events that act as distractions; the response process must rank events by risk rather than by volume, or the noise wins.

Technology is only a part of this step, as the response needs to be determined by the organization's security process requirements. So the architecture of the security system needs to be configurable and tunable according to the organization's security policy definitions. For example, some organizations might be comfortable with automated response for certain common events, whereas others might require assisted human intervention and decision making in all cases. It's likely that many organizations will mature to a model where both apply, depending upon the certainty and accuracy of the detection technique, the frequency of similar events, and the potential negative impact of the response itself. For example, for an online retailer, the security benefit of automatically blocking all traffic from a suspicious nation state may not outweigh the revenue lost from the legitimate customers caught in that block.

Response is principally about being able to construct and manage effective and efficient workflows, and secondarily about the ability to automate some of them. In terms of technical response, a multi-cloud security system should support a set of progressive controls that can be applied to the potential attacker's communications (for example, observing and logging, rate-limiting, redirecting to a honeypot, or isolating the affected workload, before an outright block). If all you have in your arsenal is the ability to block or forward traffic, as with many current micro-segmentation solutions, then your options are limited, and you will need a level of certainty that is difficult to attain before you can automate any action. Therefore, the strength of the controls being applied should relate to the risk, severity and certainty of the event. That way, over time, if you build this right, you attain a virtuous circle: increasing certainty makes stronger controls applicable to multi-cloud security events, and in some cases makes them safe to apply automatically.
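The two ideas above (a policy that is tunable between fully assisted and automated response, and controls that escalate with risk, severity and certainty) are easier to reason about as a small decision engine. The following is an added example written for this post, not code from the original page or from any product it describes. The control names, the scoring formula, the thresholds, the two organizational postures and the sample events are all assumptions constructed for illustration.

```python
"""Risk-based, progressive response policy (hypothetical example).

Maps each detected event to the weakest control that fits its risk, then
decides whether that control may be applied automatically or must wait for
an analyst, according to a per-organization ResponsePolicy.
"""
from dataclasses import dataclass
from enum import IntEnum


class Control(IntEnum):
    """Progressive controls, weakest to strongest. IntEnum makes
    'stronger than' a plain comparison. Names are assumed, not a vendor's."""
    OBSERVE = 0      # keep logging, no change to traffic
    RATE_LIMIT = 1   # throttle the suspect source
    REDIRECT = 2     # steer the flow to a honeypot or step-up auth
    ISOLATE = 3      # cut the target workload off from its peers
    BLOCK = 4        # drop the traffic outright


@dataclass(frozen=True)
class Event:
    event_id: str
    kind: str
    target: str        # asset or service the traffic is aimed at
    severity: int      # 1..5, how bad the technique is if real
    confidence: float  # 0..1, the detector's certainty
    asset_risk: int    # 1..5, business criticality of the target


@dataclass(frozen=True)
class ResponsePolicy:
    max_auto_control: Control    # strongest control applied without a human
    min_auto_confidence: float   # below this, always ask a human
    protected_targets: frozenset = frozenset()  # revenue-critical: always ask


@dataclass(frozen=True)
class Decision:
    event_id: str
    score: float
    control: Control
    automated: bool   # True: apply now. False: queue for an analyst.
    reason: str


def risk_score(event: Event) -> float:
    """0..1: severity x asset_risk, normalized, scaled by certainty, so an
    uncertain severe alert ranks below a certain moderate one."""
    return (event.severity * event.asset_risk / 25.0) * event.confidence


def choose_control(score: float) -> Control:
    """Illustrative thresholds; a real deployment tunes these per policy."""
    if score < 0.15:
        return Control.OBSERVE
    if score < 0.35:
        return Control.RATE_LIMIT
    if score < 0.55:
        return Control.REDIRECT
    if score < 0.80:
        return Control.ISOLATE
    return Control.BLOCK


def decide(event: Event, policy: ResponsePolicy) -> Decision:
    score = risk_score(event)
    control = choose_control(score)
    if control == Control.OBSERVE:  # never alters traffic, so always safe
        return Decision(event.event_id, score, control, True, "observe only")
    if event.target in policy.protected_targets:
        return Decision(event.event_id, score, control, False,
                        f"{event.target} is protected; analyst must approve")
    if event.confidence < policy.min_auto_confidence:
        return Decision(event.event_id, score, control, False,
                        f"confidence {event.confidence:.2f} below automation floor")
    if control > policy.max_auto_control:
        return Decision(event.event_id, score, control, False,
                        f"{control.name} above policy ceiling {policy.max_auto_control.name}")
    return Decision(event.event_id, score, control, True, f"auto-apply {control.name}")


def triage(events, policy: ResponsePolicy) -> list:
    """Decide every event and order the result most-urgent first, so a noisy,
    low-value distraction cannot bury the attack that matters."""
    return sorted((decide(e, policy) for e in events),
                  key=lambda d: d.score, reverse=True)


# Constructed sample events (not real detections), in the order a noisy
# console might surface them: the DDoS first, the SQLi against the DB last.
SAMPLE_EVENTS = [
    Event("evt-1", "volumetric DDoS", "www", severity=3, confidence=0.95, asset_risk=2),
    Event("evt-2", "port scan", "bastion", severity=1, confidence=0.60, asset_risk=3),
    Event("evt-3", "credential stuffing", "checkout-api", severity=4, confidence=0.70, asset_risk=4),
    Event("evt-4", "SQL injection", "customer-db", severity=5, confidence=0.90, asset_risk=5),
]

# Two assumed postures: human approval for almost everything, versus a
# mature mix of automated and assisted response with a protected revenue path.
CAUTIOUS = ResponsePolicy(max_auto_control=Control.RATE_LIMIT, min_auto_confidence=0.90)
MATURE = ResponsePolicy(max_auto_control=Control.ISOLATE, min_auto_confidence=0.80,
                        protected_targets=frozenset({"checkout-api"}))

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS, MATURE):
        mode = "AUTO " if d.automated else "HUMAN"
        print(f"{d.event_id} score={d.score:.2f} {d.control.name:<10} {mode} {d.reason}")
```

Under the MATURE policy the SQL injection against the customer database sorts to the top of the queue and is held for an analyst because BLOCK exceeds the automation ceiling, the DDoS against the marketing site is rate-limited automatically, and the credential-stuffing attempt against the checkout path is queued for a human regardless of score because that target is protected. Feeding the same SQL injection event back in with a lower detector confidence drops it from BLOCK to REDIRECT, which is the virtuous circle in miniature: as the detector's certainty for a pattern improves, the engine applies stronger controls to it without any change to the policy.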

Now that we have reviewed response tactics in the Multi-Cloud Security Architecture, it is time to understand how we can learn from these security events, to predict future attacks. Read the final blog in my series next week and be sure to watch our on-demand webinar for more detail on the pathway to multi-cloud security.