According to a recent survey of senior security professionals in the US and Europe, more than a quarter of security alerts are false positives, highlighting the risk that security analysts miss genuine incidents amongst the noise and fail to prioritise tasks correctly. If more than a quarter of the alerts SecOps teams receive are irrelevant, it is no surprise that there is significant concern about prioritising the correct tickets, and there is a palpable risk that a genuine threat may simply get lost in the noise. However, with cloud threats only set to increase, SOC and IT experts should seriously consider implementing innovative technology to augment the human workforce, and cloud security automation is a good place to start.
A rise in cloud-centric attacks
As we enter the post-COVID business landscape, the fight for recovery and success relies heavily on digital innovation. However, with accelerated transformation initiatives comes rushed patching and rapid, unplanned cloud migration. In its analysis of cyberthreats across 2020, McAfee discovered almost 3.1 million external attacks on cloud users throughout the year, with numbers increasing by over 100% each quarter. Therefore, fears around cloud security are substantiated, especially with quick migration often meaning that organisations misunderstand who takes responsibility for security once their data is in the cloud. As Gartner analyst Kasey Panetta states: “The challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organisation’s data.” In fact, Gartner predicted that by 2025, 99% of cloud security failures will be the fault of the customer.
Some of the biggest security concerns within the cloud environment are Zero Day attacks. These exploit vulnerabilities before security analysts are able to find a fix, and often before they even know the flaw exists. It is these unknown attacks, rather than the ‘already knowns’, that pose the largest threats to IT teams. Many security professionals either do not have access to tools that ensure efficient network monitoring across both cloud and on-premise environments, or they do not have the experience and expertise to keep pace with the ever-evolving threatscape. So, while multi- and hybrid-cloud environments now play a major role in supporting the ‘work from anywhere’ trend, new security rules must be written for both digital tools and IT processes. Instead of focusing only on recognisable threats, SOC analysts should be on the lookout for network outliers and behavioural anomalies, which could indicate the presence of a Zero Day attack, by utilising automation tools that reduce noise and prioritise the identification of irregularities. This technology could be the difference between analyst burn-out and Zero Day detection.
Automation and visibility to support the human workforce
The outcome of automation should always relate to people and processes. Cloud security automation is not only improving the process of threat detection, it is also easing the workload for security analysts. The security team will still have a vital role to play in the protection of the cloud environment: automation will ultimately augment the human experience, not replace it. Advanced automation technology is specifically designed to dampen alert noise, filter results and streamline tickets, so that false positives are reduced and Zero Day vulnerabilities are found, flagged and prioritised. The SecOps teams leveraging this automation can then apply business-specific context to their data and make informed decisions based on the alerts at the top of their automated lists. For cloud environments specifically, which often have a variety of monitoring tools in place, automation becomes even more essential.
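As an added illustration of the noise-dampening and anomaly-first prioritisation described above (example code, not the author's or Lacework's), the snippet below collapses repeated alerts into one ticket, then ranks what remains by how far each host has departed from its own baseline rather than by the static threshold that fired. Hosts, rules, metrics and baseline readings are all constructed for the example.

```python
from statistics import mean, pstdev

# Constructed sample alerts as a monitoring tool might emit them:
# (host, rule, metric, observed_value). The repeated web-1 rows stand in
# for the duplicate alerts that make up so much of the noise.
ALERTS = [
    ("web-1", "egress_threshold", "egress_mb", 1250.0),
    ("web-1", "egress_threshold", "egress_mb", 1260.0),
    ("web-1", "egress_threshold", "egress_mb", 1240.0),
    ("db-1", "egress_threshold", "egress_mb", 9800.0),
    ("bastion", "new_process", "proc_per_hour", 7.0),
    ("build-1", "new_process", "proc_per_hour", 310.0),
]

# Constructed per-host baselines: seven prior daily readings of each metric.
BASELINES = {
    ("web-1", "egress_mb"): [1200, 1180, 1300, 1250, 1220, 1190, 1270],
    ("db-1", "egress_mb"): [400, 420, 390, 410, 405, 395, 415],
    ("bastion", "proc_per_hour"): [5, 6, 8, 7, 6, 5, 7],
    ("build-1", "proc_per_hour"): [300, 280, 320, 310, 295, 305, 290],
}

def dedupe(alerts):
    """Collapse repeats of the same (host, rule) into one entry with a count,
    keeping the highest observed value so nothing is hidden by averaging."""
    groups = {}
    for host, rule, metric, value in alerts:
        entry = groups.setdefault((host, rule), {
            "host": host, "rule": rule, "metric": metric, "value": value, "count": 0})
        entry["count"] += 1
        entry["value"] = max(entry["value"], value)
    return list(groups.values())

def anomaly_score(host, metric, value):
    """Z-score of the observed value against that host's own history.
    A flat baseline (zero spread) gets a nominal spread so a single deviating
    reading still scores high instead of dividing by zero."""
    history = BASELINES[(host, metric)]
    mu, sigma = mean(history), pstdev(history)
    sigma = sigma or max(abs(mu) * 0.05, 1e-9)
    return (value - mu) / sigma

def triage(alerts):
    """Deduplicate, score each surviving alert, and rank highest first.
    web-1 tripped the static threshold three times but sits near its own
    normal; db-1 tripped it once but is wildly outside its history."""
    ranked = dedupe(alerts)
    for entry in ranked:
        entry["score"] = round(anomaly_score(entry["host"], entry["metric"], entry["value"]), 2)
    ranked.sort(key=lambda e: e["score"], reverse=True)
    return ranked
```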
However, a central consideration when implementing cloud security automation is the level of visibility available into your data. Without a full and unified view into all network traffic, automation can only go so far. It is impossible to manage what you cannot see – but it is even harder to analyse and glean insights from data that is hidden or only half visible. If cloud visibility is not prioritised, it is likely that the outliers and anomalies that automation tools are set to identify will continue to be missed. What’s more, the combination of legacy systems often working alongside the cloud environment can mean that many organisations implement different tools for different parts of the environment. It is therefore inevitable that visibility holes will be created. Providing security analysts with an automated solution that will genuinely support them in the increasingly intense threatscape – spanning hybrid and multi clouds alongside on-premise infrastructure – is indispensable.
Security concerns have dominated cloud considerations for years and with the arrival of 5G and the exponential growth in data it will bring, alert noise will only increase from here. It is important that tools like automation become a critical support for SecOps teams struggling with burn-out from the increased workload, especially with predictions that the UK is heading towards a ‘digital skills shortage disaster’. The cloud is ultimately integral for organisations battling for post-COVID success, but without optimising security it could also become the catalyst for business failure.
By Ryan Sheldrake, Field CTO, Lacework