SecOps for Cloud

Key terms for cloud security practitioners

Let's start with a vocabulary refresher. 

Understanding these foundational terms is essential for navigating and securing cloud environments. Below is a glossary to guide your team, focusing on definitions, SecOps responsibilities, and associated challenges. 

CSP (Cloud Service Provider) 

Organizations that deliver cloud computing services, including storage, networking, and platforms, enabling businesses to build and scale infrastructure without managing physical resources. 

Examples: AWS, Microsoft Azure, Google Cloud. 

Responsibilities for SecOps teams: 

  • Threat Hunting: Continuously monitor CSP environments for indicators of compromise and suspicious activities. 

  • Detection Engineering: Develop and refine detection rules based on CSP telemetry and runtime data. 

  • SOC Analyst Tasks: Triage alerts, investigate incidents, and contain threats in CSP-managed environments. 

  • Incident Response: Coordinate response plans tailored to cloud-specific scenarios, including misconfigurations or API abuse. 

  • Digital Forensics: Analyze CSP logs and artifacts to uncover root causes and secure evidence for post-incident reviews. 

Challenges

  • Managing security across rapidly changing cloud environments with inconsistent policies, especially if operating in multiple CSPs. 

  • Detecting and responding to threats in complex, distributed environments. 

  • Staying up to date with threat actor behavior and understanding their tactics, techniques, and procedures (TTPs). 

IaaS (Infrastructure as a Service) 

Provides virtualized computing resources over the internet. 

  • Examples: AWS EC2, Azure Virtual Machines, Google Compute Engine. 

  • Responsibilities for SecOps teams: Enforce security policies and monitor for unauthorized access. 

  • Challenges: Detecting and mitigating misconfigurations, monitoring for vulnerabilities across multiple virtualized instances, and managing patching at scale. 

PaaS (Platform as a Service) 

Enables rapid application development with a managed infrastructure. 

  • Examples: AWS Elastic Beanstalk, Google App Engine, Azure App Service. 

  • Responsibilities for SecOps teams: Monitor application logs for anomalies and enforce secure API configurations. 

  • Challenges: Protecting against API misuse, ensuring secure data handling, and addressing vulnerabilities introduced during fast development cycles. 

SaaS (Software as a Service) 

Delivers software fully managed by providers via the internet. 

  • Examples: Salesforce, Microsoft 365, Google Workspace. 

  • Responsibilities for SecOps teams: Implement strong authentication mechanisms, regularly audit user permissions, and monitor SaaS usage for potential data exfiltration. 

  • Challenges: Preventing insider threats, ensuring proper DLP (Data Loss Prevention) policies, and managing access across multiple SaaS platforms. 

Logs 

Records of events within cloud environments, crucial for auditing and threat detection. 

  • Importance to SecOps: Configure or recommend logging that captures relevant security events, ensure retention policies meet compliance needs, and use logs as a telemetry source for threat detection. 

  • Challenge: Collecting, centralizing, and combing through logs to identify anomalies without overwhelming teams. Log collection and storage can also be expensive. 

Runtime 

The operational phase of software execution, critical for monitoring application behavior. 

  • Importance to SecOps: Monitor runtime behavior for unusual patterns, enforce runtime security policies, and ensure seamless response to threats. 

Challenge:  

  • Understanding what is unusual vs. expected behavior from the development and DevOps teams. 

  • Implementing runtime protections without affecting performance. 

Runtime Security 

Processes and tools focused on protecting applications and workloads during their execution phase. 

Importance to SecOps: 

  • Detect and mitigate threats in real-time without disrupting application performance. 

  • Monitor dynamic runtime environments, such as containers and serverless functions, for anomalies. 

  • Enforce runtime security policies, such as process whitelisting and memory protection. 

Challenge:  

  • Balancing robust threat detection with low performance overhead, especially in highly dynamic cloud environments. 

  • Correlating runtime events with cloud activity. 

  • Aligning with the business teams on the risk tolerance of an application and the appropriate response playbook. 

Traditional Runtime Agents 

A technology originally developed for physical endpoint devices and later adapted to support some cloud applications. These agents evolved from on-premises security tools and were initially not optimized for cloud environments. They are installed directly on hosts or instances, often operating in user space and including a kernel module. Full agents typically have higher resource consumption and carry some risk of crashing the underlying OS but are feature-rich. 

Importance to SecOps:

  • Full agents are important to SecOps teams because they provide deep visibility into system activities and offer robust threat detection capabilities. They allow for real-time monitoring of processes, file system changes, network connections, and user activities, which is crucial for identifying and responding to sophisticated threats.

  • These agents can often perform on-device analysis, reducing the need to send all data to a central location and enabling faster response times.

  • Additionally, their feature-rich nature allows for more comprehensive security controls, including the ability to block malicious activities in real-time, which is essential for protecting critical cloud workloads.  

Challenge:  

  • Can have high resource usage and can expand the attack surface. 

  • Difficult and time-consuming to deploy and some workload types are not supported, often resulting in blind spots. 

eBPF Agents 

Runtime technology designed specifically for cloud applications. Lightweight agents that use the extended Berkeley Packet Filter (eBPF) for runtime security. Their programs run in a verified, sandboxed part of the kernel, eliminating the risk of a faulty agent crashing the host. The feature set tends to be more focused on runtime security and monitoring. 

Importance to SecOps:

  • Leverage eBPF agents to monitor kernel-level activities, enforce security controls at runtime, and provide detailed telemetry for investigations. Configure for real-time threat detection and blocking, and integrate with existing security workflows. 

Challenge:

  • Ensuring effective coverage while minimizing overhead. 

Cloud Context 

The unique combination of infrastructure, configurations, and permissions in a cloud environment. 

Importance to SecOps:

  • Use cloud context to understand detections, triage/investigate incidents, and minimize blast radius.

  • For legacy detection and response approaches, SecOps may query for or collect context during an investigation.  

Challenge:

  • SecOps teams typically do not have direct access to the tools that provide cloud context and must ask other teams. They also often lack training on these tools and the context needed to tailor security processes effectively. 
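One way to put the two points above into practice: the "Correlating runtime events with cloud activity" challenge under Runtime Security and the blast-radius use of cloud context here. The following is an added example, not code from the original page or any vendor: it joins a constructed runtime event (an unexpected shell in a container) with constructed cloud context for the host to decide severity and list what the workload could reach. All field names, identifiers, and the high-risk action list are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed runtime event, as an eBPF or traditional agent might emit it.
RUNTIME_EVENT = {
    "host_id": "i-0abc123",                 # constructed instance id
    "container": "payments-api",
    "process": "/bin/sh",
    "parent": "/app/payments-api",
    "rule": "unexpected-shell-in-container",
}

# Constructed cloud context, normally gathered from CSP inventory/IAM tooling.
CLOUD_CONTEXT = {
    "i-0abc123": {
        "public_ip": True,
        "iam_role": "payments-api-role",
        "policies": ["s3:GetObject", "s3:ListBucket", "iam:PassRole", "ec2:*"],
        "reachable_resources": ["s3://customer-invoices", "rds:payments-db"],
    }
}

# Assumed set of permissions that widen blast radius: actions that let a
# foothold escalate or move laterally rather than read a single resource.
HIGH_RISK_ACTIONS = {"iam:PassRole", "iam:*", "ec2:*", "sts:AssumeRole", "*"}

@dataclass
class EnrichedAlert:
    rule: str
    severity: str
    blast_radius: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def enrich(event: dict, context: dict) -> EnrichedAlert:
    """Join one runtime event with the cloud context of its host and score it."""
    ctx = context.get(event["host_id"])
    alert = EnrichedAlert(rule=event["rule"], severity="medium")
    if ctx is None:
        # No context means an unknown or unmanaged host: an inventory blind spot.
        alert.reasons.append("no cloud context for host; inventory gap")
        return alert
    alert.blast_radius = list(ctx["reachable_resources"])
    risky = sorted(set(ctx["policies"]) & HIGH_RISK_ACTIONS)
    if risky:
        alert.reasons.append(f"role {ctx['iam_role']} grants {risky}")
        alert.severity = "high"
    if ctx["public_ip"]:
        alert.reasons.append("instance is internet-exposed")
        alert.severity = "critical" if alert.severity == "high" else "high"
    return alert
```

The host with no context still produces an alert, but flagged as an inventory gap so the team knows the blast radius is unknown rather than empty.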

Containers 

Lightweight, portable units for application deployment. 

Importance to SecOps:

  • Monitor container runtime activities and conduct container detection and response exercises. 

Challenge:  

  • SecOps teams are typically not experts in cloud-native development.  

  • Monitoring, detection, investigation, and response across the cloud, container, and orchestration layers in ephemeral cloud-native deployments. 

  • Organizations may use a different solution for container security than cloud security. 

  • Requires collaboration between developers, DevOps, CloudSec, and SecOps. 

Serverless 

Execution of code without managing servers. 

Importance to SecOps:

  • Monitor serverless runtime activities for anomalous and malicious behavior. 

Challenge:  

  • Monitoring highly ephemeral workloads that traditional agents cannot be deployed on. 

  • Serverless infrastructure introduces new concepts and attack surfaces for SecOps teams to learn and secure. 

Attack Surface 

All the potential entry points, vulnerabilities, and exploitable assets in a cloud environment that attackers can target. 

Importance to SecOps:

  • Understanding the attack surface helps SecOps teams identify where threats are most likely to originate.

Challenge:  

  • Cloud resources are often ephemeral, spinning up and down frequently, making it difficult to maintain an accurate inventory of the attack surface.

  • A significant portion of the cloud attack surface arises from human error, such as default settings or over-permissive roles.

  • Dependencies on third-party tools and integrations increase the potential for supply chain attacks.

Cloud TTPs 

Cloud-specific Tactics, Techniques, and Procedures (TTPs) used by threat actors to carry out attacks.  

Importance to SecOps:

  • Critical to understand and defend against specific cloud threats. 

Challenge:  

  • Single-cloud, multi-cloud or hybrid setups introduce diverse attack surfaces.

  • Legacy security tools are often ill-equipped to handle cloud-native threats.

  • Cloud environments generate vast amounts of logs and telemetry. Identifying meaningful signals amidst this noise can overwhelm SecOps teams.