Cybersecurity operations have evolved and matured over the past few years. The core functions of security operations, or SecOps, include endpoint and network incident detection, correlation of event data, and response and forensics work.
The rapid shift to the cloud, however, has brought even more changes to SecOps. In fact, we even have an emerging buzzword: CloudSecOps.
What is the difference between CloudSecOps vs. traditional SecOps?
Let's start with definitions. SecOps is a combination of security and IT operations staff who monitor and assess risk and protect corporate assets.
CloudSecOps is an evolution of SecOps that focuses on building controls, implementing monitoring and enacting security response activities in cloud environments.
It's important to highlight three key differences between CloudSecOps and SecOps:
- CloudSecOps requires full integration with DevOps and cloud engineering. Security teams need to work alongside cloud operations teams to ensure controls are embedded in deployment practices. Governance practices may require changes, too. Senior stakeholders need to reorganize to accommodate more consistent and continual integration across teams and disciplines.
- Security needs to be more focused on cloud-specific topics and categories, such as identity and access management and other software-defined infrastructure controls. Many of these are cloud-native and specific to one or more cloud service provider environments -- for example, security groups in AWS or network security groups in Azure, both of which are software-defined network access controls with provider-specific semantics and APIs.
- CloudSecOps needs to define and configure background controls in cloud environments. Known as guardrails, these are intended to operate continuously and ensure unacceptable or unexpected actions are detected and blocked or rolled back. This requires in-depth knowledge of how cloud service environments operate, as well as configuration and management of the provider services that implement or feed these guardrails -- for example, Amazon GuardDuty, Azure Monitor or Google Cloud Security Command Center.
Responsibilities of the CloudSecOps team
CloudSecOps teams are responsible for a range of functions. These responsibilities include the following:
- Define incident detection and incident management workflows and playbooks for cloud environments.
- Adapt on-premises detection and management workflows and playbooks for cloud environments.
- Implement cloud-native and third-party security controls and guardrails in cloud deployments.
- Collect cloud log and event data, and implement advanced analytics processing for security telemetry. This will likely extend beyond traditional SIEM systems to encompass data at a much larger scale, with emphasis on cloud-specific attacks and threat models.
- Conduct threat detection practices, such as threat hunting, within cloud environments. Focus on indicators of compromise and tactics, techniques and procedures that align with cloud attack models, such as the MITRE ATT&CK Cloud matrix.
- Apply vulnerability management tools and operations in cloud environments. While some traditional vulnerability scanners have integrated well into leading cloud services, tools that are better suited for analyzing containers, serverless, and other cloud-specific objects and workloads may be needed. Likewise, evaluating security postures for cloud workload images and components may require changes to existing risk management standards and reporting.
- Revise and automate asset discovery and configuration management tools and practices. These responsibilities may be shared with IT operations and even DevOps and DevSecOps teams. CloudSecOps teams, however, need to be involved in building cloud asset inventories and ensuring configuration standards are defined and applied for cloud objects and workloads.
- Conduct configuration and vulnerability management for the cloud fabric itself. Large cloud service environments offer organizations an array of configuration options, many of which can be easily misconfigured or exposed, leading to new vulnerabilities and an expanded threat surface. Implementation and oversight of cloud security posture management (CSPM) tools will likely fall to CloudSecOps.
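To make the log-collection and threat-hunting responsibilities above concrete, here is an added example (not code from the original article or from any vendor) of cloud-native detection logic run over CloudTrail-style records. The records are constructed for illustration; the field names follow the CloudTrail record format, but the users, IPs, trail names and timestamps are invented. The three rules map to ATT&CK Cloud techniques the way a hunting playbook would: a console login that succeeded without MFA (T1078.004), an API call that stops or deletes cloud logging or a GuardDuty detector (T1562.008), and an IAM call that attaches an administrator-level managed policy (T1098.003). The rule names and the `Finding` structure are this example's own.

```python
"""Cloud-native detection rules over constructed CloudTrail records (added example)."""
import json
from dataclasses import dataclass

# Constructed sample: the shape CloudTrail delivers ({"Records": [...]}); all values are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:04:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:05:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.3.7", "requestParameters": {"bucketName": "app-data", "key": "report.csv"}},
    {"eventTime": "2024-05-01T10:07:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "sourceIPAddress": "203.0.113.44", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # ATT&CK technique ID the rule maps to
    actor: str
    event_time: str
    detail: str


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def console_login_without_mfa(event):
    """Successful console sign-in where CloudTrail did not record MFA use."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return Finding("console-login-no-mfa", "T1078.004", _actor(event), event["eventTime"],
                   f"console login from {event.get('sourceIPAddress')} without MFA")


# Calls that outright stop or remove logging/detection. Update* calls can do the same
# (e.g. disabling a detector) but need their parameters inspected, so they are left out here.
LOGGING_IMPAIR = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}


def disabled_cloud_logging(event):
    """Defense evasion: trail stopped/deleted or GuardDuty detector removed."""
    if (event.get("eventSource"), event.get("eventName")) not in LOGGING_IMPAIR:
        return None
    params = event.get("requestParameters", {})
    target = params.get("name") or params.get("detectorId") or "?"
    return Finding("cloud-logging-impaired", "T1562.008", _actor(event), event["eventTime"],
                   f"{event['eventName']} on {target}")


ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess",
                  "arn:aws:iam::aws:policy/IAMFullAccess"}


def admin_policy_granted(event):
    """Privilege escalation via an administrator-level managed policy attachment."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") not in {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}:
        return None
    params = event.get("requestParameters", {})
    if params.get("policyArn") not in ADMIN_POLICIES:
        return None
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    return Finding("admin-policy-attached", "T1098.003", _actor(event), event["eventTime"],
                   f"{params['policyArn']} attached to {target}")


RULES = (console_login_without_mfa, disabled_cloud_logging, admin_policy_granted)


def parse_cloudtrail(raw):
    """Accept a CloudTrail delivery file ({"Records": [...]}) or a bare list of records."""
    data = json.loads(raw)
    return data["Records"] if isinstance(data, dict) else data


def run_detections(events):
    """Apply every rule to every record; returns findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in run_detections(parse_cloudtrail(SAMPLE_LOG)):
        print(f"{f.event_time} {f.technique:<10} {f.rule:<24} {f.actor}: {f.detail}")
```

In practice these rules run in the analytics layer that ingests CloudTrail from an S3 delivery bucket or an EventBridge stream; the point of the example is that the detection content is keyed on cloud API semantics (event source, event name, request parameters) rather than on host or network artifacts.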
In addition to the aforementioned responsibilities, CloudSecOps teams need to ensure security controls are embedded across the teams they work with. This includes, for example, working with DevOps and cloud engineering teams to embed controls into infrastructure-as-code templates. If the company's DevOps teams are responsible for implementing and maintaining their own security tools and controls, CloudSecOps teams need to help define standards and assist with monitoring and reporting capabilities.
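The two responsibilities just described, configuration management of the cloud fabric and embedding controls into infrastructure-as-code templates, meet in policy-as-code checks that run before a template is deployed. The following is an added example (not the article's own code and not any CSPM product) of such a check over CloudFormation-style JSON: it flags security group ingress rules that expose administrative or database ports to the whole internet and S3 buckets whose public access block is incomplete. Both templates are constructed for illustration; the weak one should fail and the corrected one should pass. The resource property names match CloudFormation, while the port list, the check names and the finding format are this example's assumptions.

```python
"""Pre-deployment guardrail checks over constructed CloudFormation templates (added example)."""
import json

# Constructed weak template: SSH open to the world and a bucket with no public access block.
WEAK_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "app-data"}},
}})

# Constructed corrected template: SSH only from the corporate range, bucket fully blocked.
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "app-data",
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "BlockPublicPolicy": True,
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
}})

# Ports that should never be reachable from 0.0.0.0/0 (assumed policy, adjust per environment).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _rule_ports(rule):
    """Return (from, to) for a rule, or None when IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return None
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        ports = _rule_ports(rule)
        if ports is None:
            findings.append(f"{name}: all ports and protocols open to {cidr}")
            continue
        lo, hi = ports
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{name}: sensitive ports {exposed} open to {cidr}")
    return findings


def check_bucket(name, props):
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    return [f"{name}: public access block incomplete, missing {missing}"] if missing else []


CHECKS = {"AWS::EC2::SecurityGroup": check_security_group, "AWS::S3::Bucket": check_bucket}


def check_template(template):
    """Run every applicable check over a parsed template; returns a list of findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def check_template_json(raw):
    return check_template(json.loads(raw))


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, check_template_json(tpl) or "no findings")
```

Wired into a pull-request or pipeline stage, a non-empty result blocks the deployment, which is the "control embedded in deployment practices" the article calls for; the same checks can be re-run against the live account's configuration to catch drift that bypassed the pipeline.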