A More Secure Digital Future

During my long career, there has been one constant requirement I often hear: “I want to see an end-to-end view of an application.” This is the holy grail for assuring a great user experience, security and observability. Developers, IT infrastructure and operations teams struggle every day with this lack of visibility into an application’s dependency map. Gaining end-to-end visibility is hard enough when you own every device or piece of software that supports an application, as in a private data center. It’s nearly impossible in today’s enterprise cloud environment, where you don’t own or control the entire infrastructure.

The lack of visibility is most troubling in cloud security, where the use of multiple security tools, each with different capabilities and event formats, leads to unmanaged complexity as multi-cloud consumption scales up. Part of this complexity stems from multiple tools, alert types, and vendors/platforms that surface far too many issues and, collectively, overwhelm consumers with information. This space is a shared responsibility model between provider and consumer that requires appropriate tooling for its enablement. If your Security Operations Center or SoC uses these cloud security notification services (Azure Security Center, AWS Security Hub/GuardDuty/CloudTrail, GCP Security Command Center and Chronicle, Oracle Cloud Guard, IBM Security and Compliance Center), then you are acutely aware of the problem.

All of the above cloud security notification services are extremely useful, as they emit security logs, alerts, and notifications for the cloud services being consumed. The problem is that they all emit security notifications in different schemas containing different definitions of the same event. There is no translation or common dictionary that canonicalizes or normalizes this data. The result is that enterprise cloud consumers are burdened with massive toil and with staffing their SoCs with dedicated people skilled in each Cloud Service Provider (CSP).

And these people are extremely hard to find and recruit. Over an eight-year period tracked by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021. They predict the same number (3.5 million) of openings in 2025. In addition, special tools are needed to ingest CSP-specific emitters into security infrastructure such as SIEM, SOAR and security data lakes in an effort to make sense of the endless streams of data (on the order of millions of messages a second!). As a result, cloud security is new to most SoC teams. SoC teams are optimized for on-prem threat hunting, incident response and other workflows, not cloud.

Toil and Bloat and Visibility Gaps…Oh My

Wait, it gets worse. The average enterprise security team manages approximately 75 security products. These CSP cloud security silos create massive gaps in visibility across CSPs. The cause is the lack of a common event model, which drives complexity up, and the problem worsens as cloud consumption scales up. This challenges a security team’s ability to maintain a minimal viable security posture. This is the current state of affairs. Roughly translated, it means that cloud security is making enterprise cloud more expensive and complex than it has to be, and less secure, and that it doesn’t afford the protections and controls large corporations need to consume cloud services en masse. This is one of the main reasons why McKinsey & Company shows that most enterprises are only 20 percent of the way into their cloud journeys. An unscientific survey of ONUG Board members found that only 10-15% of their workloads are in the public cloud.

Layered on top of infrastructure bloat, toil, lack of visibility and security is the fact that cloud services are increasingly the preferred access method of hackers to attack a corporation with ransomware, software supply chain and other attack vectors. The number of vulnerabilities in cloud-deployed applications tracked by IBM Security X-Force has grown exponentially from 2018 to 2021. One of the top attack vectors X-Force observed targeting cloud was threat actors pivoting from on-premises environments into cloud environments. This lateral movement was seen in almost a quarter of incidents X-Force responded to in 2020.  

An Open Canonical Data Model

Multi-cloud security is a massive problem that can be solved. To create a more secure digital economy, there needs to be a common data model for all security notifications, both on- and off-prem. The technical term for this is a canonical data model: a common schema and set of definitions that describe logs, alerts, events, and other security notifications from the above CSP cloud security services and on-prem devices, so as to provide a holistic, end-to-end view of an application’s security posture. An open, vendor-independent, community-led canonical data model (CDM) offers a standard approach to reporting security events, which are then easily ingested into a wide range of security infrastructure tools.

There is so much duplicate effort taking place in the industry to create vendor-specific or vendor-ecosystem-specific CDMs that will never provide an end-to-end view of an application and its security. These vendors span CSPs and security tool providers such as Splunk, Palo Alto Networks and many others. The ONUG Collaborative Cloud Security Notification Framework’s (CSNF’s) open source CDM project is taking on this industry-wide effort to serve all stakeholders, that is, sources and consumers of security notifications. 

An open CDM would certainly make everyone’s life easier if it served as a single standard that is sufficiently extensible and always up to date. When a log producer, for example, needs to create a new field, there will be a process to quickly standardize it. The CDM needs to be a living, breathing entity that is constantly updated to keep up with the rapid pace of new product and service offerings. At AWS’s re:Invent in November 2021, there were 85+ new service announcements made, all with new cloud security emitters to track and ingest! As such, the CDM needs to be owned by the industry and be open, vendor independent, community driven, independently managed and automated in its extensibility.

A Safer Digital Future

With a CDM that is owned by no vendor but by the industry, an ecosystem of applications and tools that enable SoCs and other teams to secure workloads can be created. Applications that accelerate threat hunting, enable cloud governance, prevent and mitigate ransomware, secure software supply chains, and automate the massive toil that takes place in today’s SoCs can become a reality. Workloads that are out of compliance, software vulnerabilities and malware can all be identified more quickly. More robust and meaningful dashboards can be created that draw insights from a security infrastructure that presents a holistic view of an application’s dependency map and delivers true security posture status to executive management. In short, SoCs will be given the tools to operationalize cloud security and enable greater consumption, with relief from CSP-specific staffing.

In addition to the translational services a CDM provides, decorating is also being built into the ONUG CDM standard. CDM messages are being decorated to identify revenue-generating or highly sensitive assets so as to hasten incident response. Decorating CDM messages opens up a wide range of control possibilities so that SoC teams and others can customize and optimize their security infrastructure to their unique requirements, thus providing their executive management with the security assurances needed to consume cloud services. Industry-specific decorators are being created now by cloud consumers and shared as open source code to enable corporations to customize how they consume security data and respond to incidents.
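
The normalization and decoration ideas above, as an added Python example that is not code from ONUG or the CSNF project: two constructed events in hypothetical provider formats are mapped to one canonical record, then decorated from an asset inventory. Every field name, the severity scale, the category dictionary and the inventory are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed events: two hypothetical provider formats reporting the same
# finding with different field names, severity scales and timestamp encodings.
EVENT_A = {"Id": "a-001", "Severity": 8.0, "Type": "UnauthorizedAccess",
           "Resource": "vm-payments-01", "CreatedAt": "2022-03-01T12:00:00Z"}
EVENT_B = {"properties": {"alertId": "b-042", "severity": "High",
                          "alertType": "Unauthorized_Access",
                          "entity": "vm-payments-01",
                          "timeEpochMs": 1646136000000}}

# Assumed shared dictionary: provider-specific type names -> canonical category.
CATEGORIES = {"UnauthorizedAccess": "unauthorized_access",
              "Unauthorized_Access": "unauthorized_access"}

def _canonical(source, event_id, severity, raw_type, resource, when):
    """Build a record in the (assumed) canonical schema."""
    return {"source": source, "event_id": event_id, "severity": severity,
            # Unmapped types are kept visible as "unknown" instead of dropped.
            "category": CATEGORIES.get(raw_type, "unknown"),
            "resource": resource, "time": when.isoformat()}

def normalize_a(e):
    # Provider A: numeric severity score and an ISO 8601 UTC timestamp.
    sev = "high" if e["Severity"] >= 7 else "medium" if e["Severity"] >= 4 else "low"
    when = datetime.strptime(e["CreatedAt"], "%Y-%m-%dT%H:%M:%SZ")
    return _canonical("provider_a", e["Id"], sev, e["Type"], e["Resource"],
                      when.replace(tzinfo=timezone.utc))

def normalize_b(e):
    # Provider B: nested payload, textual severity, epoch milliseconds.
    p = e["properties"]
    when = datetime.fromtimestamp(p["timeEpochMs"] / 1000, tz=timezone.utc)
    return _canonical("provider_b", p["alertId"], p["severity"].lower(),
                      p["alertType"], p["entity"], when)

# Constructed asset inventory used by the decorator.
INVENTORY = {"vm-payments-01": {"revenue_generating": True, "sensitivity": "high"}}

def decorate(record, inventory=INVENTORY):
    """Attach business context so responders can rank the event."""
    tags = inventory.get(record["resource"], {})
    urgent = record["severity"] == "high" and tags.get("revenue_generating", False)
    return {**record, "decorations": tags, "priority": "p1" if urgent else "p3"}

if __name__ == "__main__":
    for rec in (normalize_a(EVENT_A), normalize_b(EVENT_B)):
        print(decorate(rec))
```

After normalization the two records differ only in their source and event identifier, so one detection rule or dashboard query covers both providers.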

CDM and its decorators will revolutionize cloud security. A resulting ecosystem of applications and tools will explode on the cybersecurity market with the availability of an open CDM and decorators.

The ONUG Collaborative is building an open CDM with Microsoft Azure, GCP, IBM, Oracle, Fidelity, Goldman, FedEx, Cigna, Raytheon Technologies, Intuit, Kaiser Permanente, Wiz, Sysdig, Cisco, Qualys and many others. At ONUG Spring on April 27th and 28th in NJ and online, the Collaborative will host the first live multi-cloud demonstration of the CDM and a range of decorators. You can see the CDM live at ONUG Spring and, better yet, you can get involved and contribute to this open source project.

Author's Bio

Nick Lippis

Co-Founder and Co-Chair, ONUG