If the line "We are detective" only reminds you of "guilty pleasure" radio songs from the 1980s, even though you are responsible for cybersecurity or compliance in your company, then you should read on. In any case, you probably should read on, because this is a trend that is becoming increasingly important in times of growing uncertainty and loss of trust – in contracts, in companies in the supply chain, in "the Internet", and in nation-states.
Trust as the foundation for reliable assurance
Understanding, assuming, mitigating, and managing risks in our increasingly hybrid IT infrastructures is often based on the level of trust in the respective system, service, or company providing the required capabilities. So, we may trust companies and their good reputation. Sometimes we trust in contracts and SLAs (Service Level Agreements). If not, we trust in the threat of penalties for breach of contract. We may also trust third-party testimonies (certifications and audits) that provide us with robust assurances that standards and control frameworks are being met. But if this is not sufficient, we appoint an auditor ourselves and trust in a completed audit tailored to our needs.
The objective in the end is to achieve a level of assurance that is sufficient to adequately fulfill our risk management obligations. This is an actively managed process, performed by a range of players between IT, cloud service providers, auditors, senior management, legal departments, and many more. And it is based on the robustness of evidence and confidence in statements made.
What to do when trust is not an option?
But what if we have lost this trust in assurances made in whatever form? What if our risk appetite is too low for us to be able to rely on them? And what if it is obvious that national legislation in a considerable number of countries or regions does not warrant a relationship of trust? What do we do when it cannot be ensured, for organizations of all kinds, that services provided, for example in the cloud, are free from the influence of third parties, especially the state? This encompasses surveillance up to and including espionage, or the creation of personal profiles of customers and employees for political or criminal reasons, by a multitude of threat actors, including the service providers themselves.
A classic risk management response to such a risk is "avoid". For many companies, however, this also entails abandoning parts of the business model. When talking to the CISO (Chief Information Security Officer) this might be an option, but when talking to the CEO (Chief Executive Officer) "avoid" becomes rather more difficult.
Just the facts, man
What to do? Well, simply do not trust if it is not appropriate! An increasingly important trend here is "detective controls", i.e., monitoring what is actually happening in the systems. Based on selected runtime information, undesired behavior (especially undesired accesses) can be identified, and countermeasures can be taken. In hybrid environments, this may also require a comprehensive, time-based and time-critical correlation of vast amounts of information from otherwise isolated systems, which is certainly not a trivial challenge.
However, the computing power and capacities required do exist today, and modern SOC (Security Operations Center) approaches like SOAR (Security Orchestration, Automation and Response) are on their way to becoming a central enabler.
In the cloud, AWS CloudTrail or Azure Monitor, for example, serve as sources for a massive volume of real-time performance and log data. This data must be selected, understood, and correlated in a meaningful way.
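As an added illustration of the time-based correlation described above (this is not code from KuppingerCole or from any cloud provider), the following Python script joins cloud audit events with on-premises VPN logs from an otherwise separate system. A sensitive cloud action is only treated as "corroborated" when the same user had a VPN session from the same source address active at that moment; everything else is surfaced for the SOC to look at. The CloudTrail-like JSON records and VPN log lines are constructed and heavily simplified, the list of sensitive event names and the eight-hour session cap are assumed policy values, and the field names are chosen for readability rather than taken from a real schema.

```python
"""Correlate cloud audit events with VPN logs to flag uncorroborated sensitive access.

Added example, not part of the original post.  All log data below is constructed
and simplified; it is not real CloudTrail or VPN output.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: which cloud actions we consider sensitive enough to corroborate.
SENSITIVE_EVENTS = {"GetObject", "GetSecretValue", "AssumeRole"}
# Assumed policy: a VPN session with no recorded disconnect is capped at this length.
MAX_SESSION = timedelta(hours=8)

# Constructed CloudTrail-style records (field names simplified for the example).
CLOUD_EVENTS = [
    '{"eventTime": "2024-05-02T09:02:00Z", "eventName": "GetSecretValue", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.7"}',
    '{"eventTime": "2024-05-02T10:00:00Z", "eventName": "AssumeRole", '
    '"userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.9"}',
    '{"eventTime": "2024-05-02T10:05:00Z", "eventName": "GetObject", '
    '"userIdentity": {"userName": "carol"}, "sourceIPAddress": "198.51.100.44"}',
    '{"eventTime": "2024-05-02T13:40:00Z", "eventName": "GetSecretValue", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.23"}',
    '{"eventTime": "2024-05-02T13:45:00Z", "eventName": "ListBuckets", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.23"}',
]

# Constructed on-premises VPN log lines (format invented for this example).
VPN_LOG = """
2024-05-02T08:55:00Z vpn: user=alice connected src_ip=203.0.113.7
2024-05-02T09:30:00Z vpn: user=bob connected src_ip=203.0.113.9
2024-05-02T12:10:00Z vpn: user=alice disconnected src_ip=203.0.113.7
"""

VPN_RE = re.compile(r"^(\S+) vpn: user=(\S+) (connected|disconnected) src_ip=(\S+)$")


@dataclass
class VpnSession:
    user: str
    ip: str
    start: datetime
    end: datetime


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_vpn_sessions(text: str) -> list[VpnSession]:
    """Pair connect/disconnect lines into sessions; cap sessions that never closed."""
    open_sessions: dict[tuple[str, str], datetime] = {}
    sessions: list[VpnSession] = []
    for line in text.strip().splitlines():
        match = VPN_RE.match(line.strip())
        if not match:
            continue  # unparseable line: ignore here, a real pipeline would count it
        ts, user, action, ip = match.groups()
        when = parse_ts(ts)
        if action == "connected":
            open_sessions[(user, ip)] = when
        else:
            start = open_sessions.pop((user, ip), None)
            if start is not None:
                sessions.append(VpnSession(user, ip, start, when))
    for (user, ip), start in open_sessions.items():
        sessions.append(VpnSession(user, ip, start, start + MAX_SESSION))
    return sessions


def corroborated(user: str, ip: str, when: datetime, sessions: list[VpnSession]) -> bool:
    """True if the user had a VPN session from this IP covering the given instant."""
    return any(s.user == user and s.ip == ip and s.start <= when <= s.end for s in sessions)


def find_uncorroborated(cloud_events: list[str], sessions: list[VpnSession]) -> list[dict]:
    """Return sensitive cloud events with no matching VPN session at that time."""
    findings = []
    for raw in cloud_events:
        event = json.loads(raw)
        if event["eventName"] not in SENSITIVE_EVENTS:
            continue
        user = event["userIdentity"]["userName"]
        when = parse_ts(event["eventTime"])
        if not corroborated(user, event["sourceIPAddress"], when, sessions):
            findings.append({"time": event["eventTime"], "user": user,
                             "event": event["eventName"], "ip": event["sourceIPAddress"]})
    return findings


if __name__ == "__main__":
    for finding in find_uncorroborated(CLOUD_EVENTS, parse_vpn_sessions(VPN_LOG)):
        print("uncorroborated sensitive access:", finding)
```

Run as-is, the script reports two findings: alice's secret read at 13:40 from an address that never had a VPN session (her session ended at 12:10), and carol's object read, for which no VPN session exists at all. Bob's role assumption passes because his session, although it was never explicitly closed, is still within the assumed cap. The point is not the specific rule but the shape of the pipeline: two log sources with different formats and clocks, normalized to one time axis, joined on identity and address, and reduced to the handful of events a human should actually review.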
Real-time log and activity data is big data
In separating signal from noise, pattern recognition and machine learning can be used to counteract the loss of confidence by analyzing the actual activities. However, extracting the truly important information and analyzing it robustly increasingly requires experts who have been trained to deal with this.
Your cybersecurity team may therefore need to be complemented by a team of data scientists or data analysts as a counterpart to the security experts, because it is important to understand what is going on in your cloud environment. It is not just about collecting data; it is about gaining insight into what is really happening. Hybrid, real-time log and activity data is big data, so you need to apply proper processes and technology to it.
This raises a multitude of further questions: Which companies should take this step first? Large companies and/or those with high criticality? Companies with a multi-cloud strategy and/or smaller companies and start-ups without a mature cybersecurity team?
And yes, of course, with job descriptions of such demanding requirements, the problem of the skills gap in IT in general, and cybersecurity in particular, strikes again: How do you obtain this expertise for your own company? Is it really necessary to recruit actual staff for your own company or can this essential know-how be provided by a service provider? And how much domain knowledge do these data scientists need to do their job well?
There is still a lot to discuss. Therefore, we will address these and other questions in this interesting new topic area in a follow-up blog post. But, as a first conclusion: If we can no longer trust, this leads us back to "We are detective".
For more information, there is valuable KuppingerCole research available, and you can instantly listen to a recent episode of our podcast about SOAR. If you want to discuss your organization's specifics in more detail, please don't hesitate to contact me.