As more companies move to a multi-cloud environment, their IT departments become inundated with security notifications. Trying to make sense of these statuses can be challenging as each cloud provider has its own notification formats. Adding one provider doesn’t mean doubling the notifications; the data grows exponentially until enterprises reach the “wall of worry.” 

Large enterprises have constructed security infrastructures to process the volume of events being transmitted. However, they require additional staffing to interpret and process the data sent from each provider. The ongoing shortage of qualified security personnel continues to complicate an organization’s ability to monitor its security posture, creating visibility gaps. These gaps in minimal viable security posture are what the notifications were designed to prevent.

No cybersecurity notification standards or syntax exist. As a result, enterprises using cloud services must expend more human and capital resources to address their increased cybersecurity exposure. They hope to identify and mitigate threats by creating security data lakes, Security Orchestration Automation and Response (SOAR) systems, and Security Information and Event Management (SIEM) infrastructures. However, the lack of standardization limits automation and controls. Without a standard, companies lack the tools to help staff be more productive and increase visibility across cloud and on-premise infrastructures.

A Wall of Worry

The goal of any cybersecurity effort is to eliminate visibility gaps. Organizations want to see what is happening across their entire infrastructure. Any gaps in visibility are a cause for concern. What vulnerabilities are being exposed? Are weaknesses being exploited in areas where staff has limited information? It’s difficult to make improvements in security processes when a complete picture is unavailable. Without a standard framework for cybersecurity notifications from cloud providers, the wall of worry will become higher, making it almost impossible for enterprises to maintain a minimal viable cybersecurity posture.

Cloud Security Notification Framework (CSNF) – A Cross Industry Initiative 

Cloud providers generate notifications that are semantically equivalent but require work to make them usable by security applications. The Cloud Security Notification Framework, being developed by the ONUG Collaborative’s Automated Cloud Governance Working Group,  would standardize terminology and provide a common set of elements that would ensure consistency across cloud providers. It would minimize the friction created by trying to process multiple inputs at scale. 

The framework would establish a standard for security event logs. When cloud service providers (CSP) adhere to this open standard, raw security data could be more easily ingested and contextualized. The standards would establish translational services for common security notifications across the cloud provider ecosystem. Standard definitions and syntax is what is required across CSP’s  so that automation can be applied to security infrastructure

The CSNF Decorator 

The resulting data would be sent to a decorator, where extended data could be incorporated to provide more context for status reporting. Decorators are wrapper functions, the original behavior is not altered, but it is enhanced with new behavior. 

The decorator formats among other things,  MITRE ATT&CK and NIST controls. The decorator creates a common security information model that speeds decision-making and establishes much-needed controls.

 As Nick Lippis, Co-Founder and Co-Chairman of ONUG explained, large enterprises are hesitant to consume more public cloud services because of a lack of controls. Controls that protect assets in private data centers are not the same as in the cloud. The controls vary even among cloud providers. Until the providers deliver appropriate controls and governance, customers will delay moving to the cloud, where they lose control of their data and applications.

Digital Organizations invest considerable financial and human resources to build security platforms to integrate log files from multiple sources. These log files include alerts, assessments, IoT endpoints, the cloud, and on-premise systems. With a common standard such as CSNF, IT departments can simplify their integration efforts and improve their file processing, whether using SIEM, SOAR, or data lakes.

Security Information and Event Management (SIEM)

Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. SIEM solutions are designed to collect massive volumes and varieties of data from both technical and non-technical data sources and display that data in visual formats that make the information easier to digest. CSNF provides a standard canonical model to support data enrichment of event and non-event contextual information to security event data in order to transform raw data into meaningful insights. Security events can be enriched with MITRE ATT&CK tactics, NIST compliance families, user information, third party threat intelligence or asset inventory tools.

Security Orchestration, Automation, and Response (SOAR)

By using augmented security alerts, SOAR platforms can improve their workflow and management capabilities. Data from a CSNF decorator can be processed quickly, so automated workflows can be updated. Because the information is consistent, it is easier for SOAR tools to absorb the data and produce actionable results.

Data Lakes

Security data lakes are most often cloud-based solutions that combine information from a range of sources. Because IT security staff may not know what data should be collected, all data is stored in the cloud for later use. With additional data, analytics can be performed to improve a company’s security posture.

Security personnel can focus on improving security instead of managing data. Using extended security data enables SOAR tools to address such security issues as anomaly detection. Security staff can be notified of a possible event or incident before it happens. Machine learning works more efficiently with consistent data formats.

Next Step

The CSNF decorator is designed to reduce the wall of worry that comes from increasing security alerts from multiple CSPs.  By normalizing and enriching data, the decorator allows monitoring enterprise-wide information to be automated. With fewer resources focused on labor-intensive data management, organizations can define workflows that deliver better and more consistent reporting. All these features help ensure a minimal viable security posture. 

The ONUG Collaborative includes leaders from companies such as FedEx, Raytheon Technologies, Cigna, IBM Cloud, Cisco, Goldman Sachs, and Microsoft who are seeking to establish a standard for how cloud providers process notifications. This focus became even more crucial with the rapid digital transformation brought about by the pandemic.

The accelerated digital transformation created a large work-from-home contingent which expanded networks beyond the on-premise trusted environment. When coupled with the increase in cybersecurity, the need for visibility across the enterprise has become critical. A standard is needed to enable organizations to gain the visibility they need without squandering their valuable resources on digging through log files.

ONUG’s Fall event, which is scheduled for Oct 20-21, will include a demonstration of the CSNF decorator solution. Anyone interested in improving their security infrastructure can find more information at www.onug.net.