do not know what your standard configuration should look like, you will have a harder time detecting anomalies. No one wants to be chasing their tail while threats dwell in your environment, hidden only by a blizzard of snowflakes! Standardizing your automation stacks and image build allows you to deploy them as infrastructure as code (IaC), and apply tactical security protections as part of a CI/CD pipeline. Determine what parts of your stack need to differ, based on the capabilities inherent in each cloud deployment model, but focus on keeping them as uniform as possible.
Instrumentation is often where enterprises focus first, but this should come after defining the cloud deployment model and standards, as those decisions will drive tooling needs. Focus on instrumentation that improves visibility and enables correlation across on-premises and cloud environments. Again, minimize dwell time (the time threat actors go undetected) in your environment by ensuring the best visibility for your security operations team. Do not shoehorn on-premises tools into public cloud service if you can deploy a tool that supports both environments natively. Focus on maximum commonality in your tool stacks, and standardized instrumentation across your hybrid IT environment, to maximize visibility while minimizing complexity.
Automation, the last essential discipline, helps streamline security practices and enables you to do more with less. Security teams are under siege from both budgets and bad guys. Automating common security processes – such as security tool/config deployments (e.g., shifting left), log aggregation, analysis, alerting and compliance monitoring – will free the human team to focus on higher value tasks. The security automation endgame is developing SOAR (Security Orchestration, Automation and Response) capabilities, where the high-fidelity capture of forensic data supports discovery and remediation. For example, if a Linux host is deployed without applying the proper CIS benchmarks, it will be detected and moved to an isolated sandbox. Implementing additional SOAR capabilities allows the IT staff to focus more on high-value practices, such as active threat hunting.
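The CIS-benchmark scenario above, carried one step further as an added example that is not from the article: a constructed golden baseline (the settings the standard image is expected to have) is compared against what each host reports, and a host missing a required hardening control is routed to an isolate action, which the article calls a sandbox. The baseline keys, the host records, the required-control set and the action names are all assumptions made up for this illustration, not a real benchmark or SOAR product.

```python
from dataclasses import dataclass

# Constructed golden baseline: settings every host built from the standard image must have.
GOLDEN_BASELINE = {
    "ssh_root_login": "no",
    "auditd_enabled": "yes",
    "firewall_enabled": "yes",
    "unattended_upgrades": "yes",
}
# Constructed subset treated as hardening controls whose absence triggers isolation.
REQUIRED_CONTROLS = {"ssh_root_login", "auditd_enabled", "firewall_enabled"}

@dataclass
class Host:
    name: str
    environment: str  # "on-prem" or "cloud"; the same rule applies to both
    config: dict      # settings as reported by the host's inspection agent

@dataclass
class Decision:
    host: str
    drift: list   # baseline settings the host differs on (a missing key counts as drift)
    action: str   # "allow", "ticket" or "isolate"

def evaluate(host: Host) -> Decision:
    """Compare one host against the baseline and pick a playbook action."""
    drift = sorted(k for k, v in GOLDEN_BASELINE.items() if host.config.get(k) != v)
    if any(k in REQUIRED_CONTROLS for k in drift):
        action = "isolate"   # placeholder for moving the host to a quarantine network
    elif drift:
        action = "ticket"    # non-critical drift: open a remediation ticket instead
    else:
        action = "allow"
    return Decision(host.name, drift, action)

def run_playbook(hosts):
    """Evaluate a fleet and return the decisions, most urgent action first."""
    order = {"isolate": 0, "ticket": 1, "allow": 2}
    return sorted((evaluate(h) for h in hosts), key=lambda d: (order[d.action], d.host))

# Constructed fleet: one clean host, one with minor drift, two missing required controls.
SAMPLE_HOSTS = [
    Host("web-01", "on-prem", dict(GOLDEN_BASELINE)),
    Host("web-02", "cloud", {**GOLDEN_BASELINE, "unattended_upgrades": "no"}),
    Host("db-01", "on-prem", {**GOLDEN_BASELINE, "auditd_enabled": "no"}),
    Host("bastion-01", "cloud", {"ssh_root_login": "yes", "firewall_enabled": "yes"}),
]
if __name__ == "__main__":
    for d in run_playbook(SAMPLE_HOSTS):
        print(f"{d.host:<11} {d.action:<8} drift={d.drift}")
```

Without a baseline like GOLDEN_BASELINE the drift list cannot be computed at all, which is the point the article makes about standardization being a prerequisite for detecting anomalies.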
Your level of success with these capabilities across a Hybrid IT landscape will vary by environment, as public cloud platforms provide robust support for these capabilities, while they are more labor intensive on-premises.
Training is an often overlooked discipline in adopting public cloud, but it is essential, and should be started as early as possible in your enterprise’s cloud journey. Different environments have different operating characteristics and different architectures. It is critical that your IT and security operations understand the key differences between the various architectures, as threat vectors will appear different in each one. What looks like common east-west traffic in an on-premises data center could be lateral movement by an intruder in your public cloud estate, and your team needs to understand the difference.
14 | THE DOPPLER | FALL 2019
Attending to these key security disciplines across the various deployment models is challenging. While there is no silver bullet, management approaches and tools are continuing to evolve their multi-environment support. Adopting a container strategy, for example, offers workload portability across different deployment models, while supporting standardization, tooling commonality and robust automation. Tools such as Kubernetes or OpenShift offer differing approaches to adopt and manage containers, and both have broad adoption and vibrant ecosystems. Developing a container strategy will help streamline and focus your efforts to operate a Hybrid IT, Hybrid Cloud or Multicloud estate securely.
The adoption of standardization, effective instrumentation and robust automation, plus ensuring that your teams are trained on the architectural and operational differences between cloud deployments, are essential to securely unlocking their value to your enterprise.