Attackers are targeting cloud applications, leading to serious security concerns and the need for constant cloud security monitoring. However, most threat detection and response services available today are not built specifically with the cloud in mind or to address specific cloud security threats.
To complement the inherent security provided by cloud service providers, companies need security tools with threat detection and response capabilities that are made for the cloud. During SADA’s 2022 Google Cloud Ground School, Justin Foster, CTO and Co-founder of Cysiv, spoke on how companies can modernize their security operations with Cysiv SOC-as-a-Service, a subscription-based model for 24/7 managed threat detection and response that is available on the Google Cloud marketplace.
Who Can Watch Your Cloud 24/7?
There are three main solutions organizations try today to achieve 24/7 cloud security monitoring. Each has its pros and cons.
The first, and the most costly and time-consuming, is to build your own Security Operations Center (SOC). Companies start by selecting a SIEM to harness log data and other telemetry, and then have to plan for staffing. Analysts are difficult to find, and watching your environment 24/7 requires a large team. Costs for an in-house SOC run into the millions.
To address the cost, technology, and staffing issues of building a SOC, managed detection and response (MDR) services entered the market. These allowed companies to outsource threat monitoring, investigation, and response. However, MDR services are often designed to detect threats targeting endpoints rather than those targeting modern cloud environments. Their ability to leverage data from other infrastructure, applications, and IoT, OT or IoMT sources is sorely lacking.
The third alternative is to work with a managed security service provider (MSSP). MSSPs set out to solve the 24/7 SIEM and SOC problem. However, these providers are often using older SIEM technology and may not understand how best to make use of cloud telemetry and cloud logs. Because the tools aren’t optimized for the cloud, they end up producing an overabundance of alerts for threats that aren’t actually there, and that assumes they can ingest data from cloud sources in the first place. MSSPs also typically lock companies into a multi-year contract, even though needs and the threat landscape change.
A Cloud-Native Alternative Rooted in Data Science
During the Google Cloud Ground School session, Justin shared how, in creating the Cysiv platform and the SOC-as-a-Service model, Cysiv looked to address the shortcomings of existing solution providers in a new and different way. Cysiv’s approach for handling 24/7 cloud security monitoring and cloud security threats looks different for several reasons.
First, Justin highlighted that a key differentiator is that the Cysiv platform is cloud-native and built on Google Cloud. Because Cysiv is using the cloud platform they are also helping to protect, threats to customers are threats to Cysiv too, so the team is always on the lookout and learning how to detect and address them. Cysiv also uses their own SOC-as-a-Service platform and technology to make sure their services stay online, secure, and functioning well. Bottom line: Cysiv has stakes in the game and specific cloud experience, all of which customers get the benefits of with Cysiv SOC-as-a-Service.
Cysiv’s technology and approach also stand apart. Justin explained how Cysiv provides cloud-first threat detection supported by Cysiv’s cloud-native, co-managed, “next-gen” SIEM. The SIEM is the heart of the service and is tuned to the TTPs (tactics, techniques and procedures) that are of concern to your organization.
Cysiv has also upped the game in threat detection with a multi-technique approach that blends several detection methods. Cysiv goes beyond signature-based detection, adding behavior-based, algorithm-based and other techniques to uncover abnormalities that point to complex threats.
Making this threat detection system work requires a special approach to data engineering and data science. Cysiv starts with raw logs and telemetry gathered from a variety of sources. Once the data is normalized, it’s then enriched and passed through Cysiv’s two-step threat detection engine to produce actionable, high-quality, high-confidence detections and security incidents. The two-step model is unique and ensures that only high-quality detections are sent to analysts for further investigation.
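The normalize, enrich, two-stage detection flow described above, together with the blend of signature and behavioral rules from the previous section, sketched as an added Python example. This is illustration code written for this page, not Cysiv’s engine, whose internals are not described here. The log records, IP ranges, watchlist, rule names, scores and thresholds are all constructed for the example; the only point it makes is structural: stage one produces many individual detections, stage two correlates them and only forwards clusters that clear a confidence threshold.

```python
"""Toy log pipeline: normalize -> enrich -> stage-1 detections -> stage-2 incidents."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from two source types (a GCP-style audit record and
# sshd syslog lines). All addresses, accounts and timestamps are made up.
RAW_EVENTS = [
    {"source": "gcp_audit", "timestamp": "2022-06-01T10:00:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.7"}}},
    "Jun  1 10:00:05 bastion sshd[1234]: Failed password for root from 203.0.113.7 port 5222 ssh2",
    "Jun  1 10:00:06 bastion sshd[1234]: Failed password for root from 203.0.113.7 port 5223 ssh2",
    "Jun  1 10:00:07 bastion sshd[1234]: Failed password for root from 203.0.113.7 port 5224 ssh2",
    "Jun  1 10:01:00 bastion sshd[1300]: Failed password for bob from 10.0.0.5 port 40000 ssh2",
    {"source": "gcp_audit", "timestamp": "2022-06-01T10:02:00Z",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "10.0.0.5"}}},
    {"source": "gcp_audit", "timestamp": "2022-06-01T10:03:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "carol@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.9"}}},
]

# Constructed enrichment context: a hypothetical corporate range and IP watchlist.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
IP_WATCHLIST = {"203.0.113.7": "known-scanner"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

SENSITIVE_ACTIONS = {"SetIamPolicy"}      # signature rule: high-impact IAM change
AUTH_FAIL_THRESHOLD = 3                   # behavioral rule: N failures per IP ...
AUTH_FAIL_WINDOW = timedelta(minutes=1)   # ... within this window
INCIDENT_THRESHOLD = 60                   # stage-2 cut-off before an analyst sees it


def normalize(event):
    """Map a source-specific record onto one common schema; None if unrecognised."""
    if isinstance(event, dict) and event.get("source") == "gcp_audit":
        p = event["protoPayload"]
        return {"ts": datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": "gcp_audit", "actor": p["authenticationInfo"]["principalEmail"],
                "action": p["methodName"], "outcome": "success",
                "ip": p["requestMetadata"]["callerIp"]}
    if isinstance(event, str) and (m := SYSLOG_RE.match(event)):
        # syslog carries no year; the sample assumes 2022
        ts = datetime.strptime(f"2022 {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "src": "sshd", "actor": m["user"], "action": "ssh_login",
                "outcome": "failure", "ip": m["ip"]}
    return None


def enrich(ev):
    """Attach context that rules can key on: internal vs external, watchlist hit."""
    ip = ipaddress.ip_address(ev["ip"])
    ev["internal"] = any(ip in net for net in INTERNAL_NETS)
    ev["watchlist"] = IP_WATCHLIST.get(ev["ip"])
    return ev


def stage1_detect(events):
    """Stage 1: per-event signature rules plus one windowed behavioral rule."""
    detections = []
    for ev in events:
        if ev["action"] in SENSITIVE_ACTIONS and not ev["internal"]:
            detections.append({"rule": "sensitive_iam_change_external_ip", "ip": ev["ip"], "score": 40})
        if ev["watchlist"]:
            detections.append({"rule": "traffic_from_watchlisted_ip", "ip": ev["ip"], "score": 30})
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "ssh_login" and ev["outcome"] == "failure":
            failures[ev["ip"]].append(ev["ts"])
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted timestamps
            j = i
            while j < len(times) and times[j] - times[i] <= AUTH_FAIL_WINDOW:
                j += 1
            if j - i >= AUTH_FAIL_THRESHOLD:
                detections.append({"rule": "ssh_repeated_auth_failure", "ip": ip, "score": 50})
                break
    return detections


def stage2_correlate(detections):
    """Stage 2: group by IP, count each rule once, emit only clusters above threshold."""
    by_ip = defaultdict(dict)
    for d in detections:
        best = by_ip[d["ip"]].get(d["rule"])
        if best is None or d["score"] > best["score"]:
            by_ip[d["ip"]][d["rule"]] = d
    incidents = []
    for ip, rules in by_ip.items():
        score = sum(d["score"] for d in rules.values())
        if score >= INCIDENT_THRESHOLD:
            incidents.append({"ip": ip, "confidence": min(score, 100), "rules": sorted(rules)})
    return sorted(incidents, key=lambda inc: -inc["confidence"])


def run_pipeline(raw_events=RAW_EVENTS):
    events = [enrich(e) for e in map(normalize, raw_events) if e]
    detections = stage1_detect(events)
    return events, detections, stage2_correlate(detections)


if __name__ == "__main__":
    _, dets, incs = run_pipeline()
    print(f"{len(dets)} stage-1 detections -> {len(incs)} incident(s) for analysts")
    for inc in incs:
        print(inc)
```

On the constructed sample the lone IAM change from 198.51.100.9 produces a stage-1 detection but never reaches an analyst, while the watchlisted address that both changes IAM policy and hammers sshd is correlated into a single high-confidence incident; that filtering, rather than the specific rules, is what the two-stage shape buys.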
Finally, the “as-a-service” model makes 24/7 cloud monitoring accessible and customizable. The cloud is billed and consumed as you use it, so why not have a SOC service that is delivered the same way?
Cysiv SOCaaS is consumption-based, so you can scale up and scale down, and it is delivered with a cloud-native analytics platform that understands the telemetry and ISVs in this space, Justin explained. As part of the subscription, companies also get a full threat intelligence database, a full threat detection engine that is already configured, SOAR for workflows and playbooks, case management that is either built in or connected to tools you already have, like JIRA, and all the personnel you need to put staffing concerns aside.
We “Get” Cloud: Providing the Foundation for Modern Security Operations
If you are moving an application or workload to the cloud, or building something net-new in Google Cloud Platform, you will need proper cloud security monitoring in place, as threats are not slowing down.
“Having a proper security practice is having a good build-time, well-configured foundational security from Google Cloud, and having run-time security to watch for changes as they occur,” Justin said.
Watch our video for more details on how Cysiv SOC-as-a-Service works with the Google Cloud Platform to accelerate your application development initiatives while reducing cyber risk.