Frankly Speaking 6/23/20 - Handling security incidents in cloud environments
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
If you were forwarded this newsletter, you can subscribe here. For more regular updates,
I wanted to welcome all the new subscribers! Thanks for the support and for helping get my last article on cloud security onto the front page of Hacker News. Please forward this newsletter to people in your network who are interested.
I know many of you have been patiently waiting for my next newsletter. Given what’s been going on in the world and in my personal life, I thought it would be good to take a pause. Now, I’m back!
Quick announcement: I am hosting a webinar panel on Thursday 6/25 at 10 am PDT with some of my portfolio companies on how enterprise security has changed recently. You can join us here. (I know there’s a lot to fill out, but BrightTALK is a useful tool.)
If you can’t make it, it’ll be available on-demand, and I will write a summary in my next newsletter.
LET’S BE FRANK
I’ve recently been writing a lot about cloud security and how it’s changing security paradigms. This week, I want to explore how the cloud will change incident detection and response. In recent years, incident response (IR) teams have become more influential, especially around purchasing security products. The simple reason is that IR teams have to deal with incidents that the security tools missed.
One major difference in the cloud is that teams can use the cloud providers’ APIs to obtain relevant information from the cloud. Similarly, the information is more homogeneous as opposed to datacenters where companies have their own tool setups, configurations, customizations, etc. Another key difference is that developers are doing IT work. As a result, I believe a few things will change with IR teams, and this list is by no means comprehensive.
IR will be more automated. In cloud environments, developers are doing most of the traditional IT operations work. Most of that is automated to allow for faster and more frequent releases. As a result, IR will have to deeply integrate into the CI/CD process. IR teams might have to generate JIRA and ServiceNow tickets that let a DevOps person determine whether an event is a security incident or something benign.
More IR-focused products. SOAR products, such as Demisto and Phantom, became popular because IT environments were so heterogeneous that there needed to be one place for IR teams to coordinate responses to an event/incident and have a broader view of the environment. However, with the cloud, environments are a bit more homogeneous, making it easier to design products for IR to respond to events. That’s why I believe we will see more products targeted toward IR teams.
Traditional SOCs are going away. Centralized security operations centers (SOCs), where analysts sit in one place with various dashboards, will go away in the cloud world. This model assumed that IR needed to monitor and detect malicious operations, but now DevOps has automated most of the operations. IR teams no longer need to, or can, respond to incidents by themselves; they need to coordinate with DevOps. I believe we will see more “decentralized SOCs” that will triage events to DevOps. How will it work or look exactly? I’m not sure.
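As an added illustration of the automated, decentralized triage described in the two points above (this is example code written for this newsletter, not a product or tool mentioned in it), the script below takes cloud audit records shaped like AWS CloudTrail events, applies a few detection rules, and emits ticket payloads routed to the DevOps team that owns the principal involved. The owning team then answers the question the ticket poses: expected change, or incident? The event records, the ownership table, the failed-login threshold and the team names are all constructed for the demo; the CloudTrail field names (eventName, userIdentity.arn, sourceIPAddress, responseElements, requestParameters) are the real ones.

```python
"""Automated first-pass triage of cloud audit events into DevOps tickets.

Added example, not code from the newsletter. Reads CloudTrail-shaped
records, applies three detection rules, and produces ticket payloads
addressed to the team that owns the acting principal.
"""
import json
from collections import defaultdict

# Constructed CloudTrail-style records (JSON lines). Field names follow the
# real CloudTrail schema; the account id, ARNs, IPs and times are made up.
SAMPLE_EVENTS = """
{"eventTime":"2020-06-20T10:00:01Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/deploy-bot"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2020-06-20T10:00:05Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/deploy-bot"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2020-06-20T10:00:09Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/deploy-bot"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2020-06-20T10:05:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2020-06-20T10:10:00Z","eventName":"AttachUserPolicy","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"ci-runner","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2020-06-20T10:12:00Z","eventName":"StopLogging","sourceIPAddress":"203.0.113.22","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform-platform"},"requestParameters":{"name":"org-trail"}}
{"eventTime":"2020-06-20T10:13:00Z","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.22","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform-platform"}}
"""

# Constructed ownership table: which DevOps team owns each principal.
# Anything not listed falls back to the security on-call queue.
OWNERS = {
    "arn:aws:iam::111122223333:user/alice": "team-payments",
    "arn:aws:iam::111122223333:role/terraform-platform": "team-platform",
}
DEFAULT_OWNER = "security-oncall"
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold, tune per environment


def parse_events(raw):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def owner_of(event):
    """Route by acting principal; unknown principals go to security on-call."""
    arn = event.get("userIdentity", {}).get("arn", "")
    return OWNERS.get(arn, DEFAULT_OWNER)


def make_ticket(severity, title, events):
    """Build the payload a ticketing system (JIRA, ServiceNow, ...) would receive."""
    first = events[0]
    return {
        "severity": severity,
        "title": title,
        "owner": owner_of(first),
        "principal": first.get("userIdentity", {}).get("arn"),
        "event_times": [e["eventTime"] for e in events],
        "ask": "Was this an expected change? Mark benign or escalate to IR.",
    }


def triage(events):
    """Apply detection rules and return tickets, highest severity first."""
    tickets = []
    failed_logins = defaultdict(list)  # source IP -> failed ConsoleLogin events
    for e in events:
        name = e.get("eventName")
        if name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[e.get("sourceIPAddress")].append(e)
        elif name in ("StopLogging", "DeleteTrail"):
            # Audit logging being turned off is always worth a human look.
            trail = e.get("requestParameters", {}).get("name", "?")
            tickets.append(make_ticket("high", f"Audit logging disabled on trail {trail}", [e]))
        elif name in ("AttachUserPolicy", "AttachRolePolicy"):
            policy = e.get("requestParameters", {}).get("policyArn", "")
            if policy.endswith(":policy/AdministratorAccess"):
                target = e["requestParameters"].get("userName") or e["requestParameters"].get("roleName")
                tickets.append(make_ticket("high", f"AdministratorAccess attached to {target}", [e]))
    # Aggregate repeated login failures per source IP into one ticket.
    for ip, evs in failed_logins.items():
        if len(evs) >= FAILED_LOGIN_THRESHOLD:
            tickets.append(make_ticket("medium", f"{len(evs)} failed console logins from {ip}", evs))
    rank = {"high": 0, "medium": 1, "low": 2}
    tickets.sort(key=lambda t: (rank[t["severity"]], t["event_times"][0]))
    return tickets


if __name__ == "__main__":
    for ticket in triage(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(ticket, indent=2))
```

Run as-is, it produces three tickets: two high-severity ones (the AdministratorAccess attach and the trail being stopped) go to the owning teams, and the login-failure burst goes to the security on-call queue because deploy-bot has no listed owner. The benign success login and DescribeInstances call produce nothing, which is the point of the first pass: only events a DevOps owner should actually look at become tickets.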
Open questions:
What other changes will happen to IR?
Does the persona/background of the person doing IR change?
How will this affect how security programs are structured? How will budgets change as a result?
How will SIEM/SOAR look different?
As always, my email is open if you want to discuss this more: frank.y.wang@dell.com
TWEET OF THE WEEK
Great father’s day gift?