
Only Up: Building SecOps in the Cloud


Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Maxime Lamothe-Brassard of LimaCharlie says the only place left for SecOps development to go is up: into the cloud.

SecOps in 2023 is a lot like IT was in 2003: cumbersome. However, just as Amazon transformed IT with AWS and EC2 to enable flexible and scalable services, a cloud platform has the potential to transform SecOps in the same way, enabling efficient and cost-effective services.

SecOps has been bound by multiple point solutions and tied down by multi-year contracts. Even worse, many of these solutions lack any meaningful customization, or require a second layer of solutions just to manage the first. However, just as the cloud enabled economies of scale, easy configuration, and integration via APIs, SecOps now has the opportunity to embrace the same transformation.

There are multiple operating systems, an endless spectrum of applications and services, databases, developers, devices, and different users. Security teams frequently have to stitch together integrations between intractable black-box solutions and open-source tools. SecOps has become a burden and the cloud could lighten the load.

Fundamental Building Blocks

IT primitives are the basic building blocks that establish a foundation for other systems and services. Cloud primitives include features such as VMs, databases, containers, and load balancers.

SecOps primitives for the cloud serve the same purpose as IT primitives for the cloud. They provide the key capabilities, not as a collection of random tools, but as a set of solutions designed to interoperate in an agnostic way. A SecOps cloud that provides the appropriate primitives eliminates the need to purchase point solutions, which translates into cost savings for the platform’s users. Likewise, a SecOps cloud that prioritizes ease of integration between solutions eliminates the need to develop piecemeal integrations, enabling greater efficiency and flexibility.

At a minimum, for the core value of a SecOps Cloud Platform to be realized, the following capabilities should be present:

  • Multi-tenancy: Multi-tenancy utilizes common infrastructure to enable enhanced efficiency. Each tenant’s resources, such as compute instances, are isolated and their data is segregated and encrypted to ensure security.
  • Entity-based telemetry ingestion and retention: Telemetry data provides the foundation for entity-level visibility, threat detection, incident investigation, compliance monitoring, and scalability. Entity-based means that ingestion and storage are keyed to the first-class origin of the data (the sensor, host, or cloud resource that produced it), not to generalized logs.
  • Automation: By enabling real-time event triggers, rapid incident response, proactive threat hunting, security policy enforcement, automation of routine tasks, incident remediation, and adaptive security measures, automation based on telemetry becomes a crucial cloud primitive.
  • Forwarding: Forwarding telemetry data to any destination as a first-class concept provides organizations with the flexibility, interoperability, and customization needed to integrate with a wide range of security tools and systems. It enables centralized visibility, extensibility, and compliance, empowering organizations to build a robust and tailored security operations environment.
  • Agency: Generalized agency mechanisms enable not-yet-known actions against not-yet-known threats, in real time, on other environments such as cloud services and endpoints, enabling organizations to continuously adapt and respond to the evolving threat landscape.
  • Extendibility: APIs facilitate automation and integration with security tools, customization, extensibility, orchestrated workflows, ecosystem collaboration, developer enablement, and scalability.
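To make the relationship between these primitives concrete, here is an added example (not code from the original article, and not any vendor’s real API) that models a SecOps cloud in memory: every telemetry record carries its tenant and its first-class origin, retention is segregated per tenant, automation rules fire on ingestion and issue commands back to the originating entity, and forwarding sends each record only to that tenant’s destinations. The tenant names, hostnames, the `office-spawns-shell` rule and the `isolate` command are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    """Entity-based telemetry: every record names its tenant and its first-class origin."""
    tenant: str                       # customer the record belongs to (multi-tenancy)
    entity: str                       # sensor, host or cloud resource that produced it
    kind: str                         # e.g. "process_start"
    data: Dict[str, str] = field(default_factory=dict)

Rule, Action = Callable[[Event], bool], Callable[[Event], Dict[str, str]]

class SecOpsCloud:
    """Hypothetical in-memory model of the primitives; not any vendor's real API."""
    def __init__(self) -> None:
        self.store: Dict[str, List[Event]] = {}                     # retention, segregated per tenant
        self.rules: Dict[str, List[Tuple[str, Rule, Action]]] = {}  # automation: real-time triggers
        self.sinks: Dict[str, List[Callable[[Event], None]]] = {}   # forwarding destinations
        self.actions: List[Dict[str, str]] = []                     # agency: commands sent back to entities
    def add_rule(self, tenant: str, name: str, rule: Rule, action: Action) -> None:
        self.rules.setdefault(tenant, []).append((name, rule, action))

    def add_sink(self, tenant: str, sink: Callable[[Event], None]) -> None:
        self.sinks.setdefault(tenant, []).append(sink)

    def ingest(self, event: Event) -> List[str]:
        """Store, evaluate and forward strictly within the event's own tenant; return fired rule names."""
        self.store.setdefault(event.tenant, []).append(event)
        fired = []
        for name, rule, action in self.rules.get(event.tenant, []):
            if rule(event):
                fired.append(name)
                self.actions.append({"tenant": event.tenant, "entity": event.entity, **action(event)})
        for sink in self.sinks.get(event.tenant, []):
            sink(event)
        return fired

def demo() -> Tuple[SecOpsCloud, List[Event]]:
    """Constructed sample: tenant 'acme' has a rule and a forwarder, tenant 'globex' has neither."""
    cloud, acme_siem = SecOpsCloud(), []   # acme_siem stands in for an external forwarding destination
    cloud.add_sink("acme", acme_siem.append)
    cloud.add_rule("acme", "office-spawns-shell",
                   lambda e: e.kind == "process_start" and e.data.get("parent") == "WINWORD.EXE"
                   and e.data.get("image") in ("cmd.exe", "powershell.exe"),
                   lambda e: {"command": "isolate"})
    sample = {"parent": "WINWORD.EXE", "image": "cmd.exe"}
    cloud.ingest(Event("acme", "host-01", "process_start", sample))    # fires the rule, is forwarded
    cloud.ingest(Event("globex", "host-99", "process_start", sample))  # same shape, other tenant
    return cloud, acme_siem
```

The second `ingest` call shows the isolation property: an identical record from another tenant is retained under that tenant but never reaches acme’s rules, actions or forwarding destination.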

Moving SecOps to the cloud offers the same benefits as the public cloud, simplifying the procurement, deployment, and integration of best-of-breed cybersecurity solutions, tailored to each organization’s specific needs through generic capabilities. Powerful new systems can be put into place at the speed of cloud, and at scale.

Enabling Innovation

The SecOps cloud is fundamentally open through APIs, documentation, interoperability, affordability, and multi-tenancy. This creates a neutral space for all cybersecurity professionals, whether they are enterprise users, service providers, or security vendors. Think of the SecOps cloud as a fabric, a sandbox for innovation, or a vehicle to disseminate data and insights into other systems in cost-effective ways. This enables enterprise users to have the right solutions for their specific needs, seamlessly integrated into their environment for a fraction of the cost and complexity of integrating multiple vendors.

For service providers (e.g., MSSPs), the SecOps Cloud offers a reliable, scalable way of building services without specific vendor lock-ins, long commitments, or high costs. Onboarding a new customer (i.e., tenant) is just an API call away, regardless of their existing security stack. Likewise, security vendors can prototype new products and bring them to market faster than ever before, since they do not need to reinvent existing technologies and components every time.

One-size-fits-all security solutions lack the flexibility to address the complexities of modern networks and evolving threats, leaving organizations with a collection of fragmented tools. The public cloud has transformed IT systems; now it is time to put the SecOps cloud to work for the cybersecurity community.

This is the future of security operations.
