The Missing Link Between Security and Operations

Today, Security Operations teams (aka SecOps, SOC, D&R, and IR) are overloaded with alerts that are generated from a diverse set of cloud security products—CSPM, CDR, SSPM, and more. These teams are the ones tasked with the most crucial job—triaging alerts quickly so that organizations can detect attacks faster, contain them, and respond in a timely manner. This job becomes increasingly difficult with the deployment of each new security tool, vendor, and detection capability.

When an alert is generated, the first thing security analysts seek to determine is “who did it,” and the next thing they examine is “what else they did.” The answer to “who did it” is called identity attribution, while “what else they did” is called identity telemetry. It is common for an analyst to spend hours attributing a principal identity to an alert. This often requires sifting through logs, untangling complex role obfuscation, and even directly messaging humans to find a culprit. Given the time it takes to perform the identity attribution, a typical analyst rarely spends additional time investigating what else was performed by that identity (the telemetry).


Reducing this analyst time isn’t an easy problem to solve; performing identity attribution and creating telemetry in the realm of cloud and SaaS poses several very real challenges, including:

  1. Proliferation of identities: Today, organizations implement IDP solutions to manage human identities, streamlining user onboarding and offboarding from a central location. IDP works by mapping human identities to roles and permissions, allowing them to perform operations in the cloud while masking individual identity information. To complicate the matter, both public clouds and SaaS apps contain a plethora of non-human identities—bots, service accounts, keys, and workloads with privileges. These non-human identities are not managed by IDPs; instead, they are siloed by their providers. Despite this lack of centralized management, these non-human identities perform some of the most sensitive operations in the cloud, including code deployment, infrastructure creation, automation, and running applications.

  2. RBAC: Role-based access control (RBAC) grants access through roles and permissions rather than directly to individual identities. This approach obfuscates the details of the actual identity in the logs, which instead record the role or service account as the entity performing the operation. The complexity further increases with cross-account access and role chains, which can obscure the actual path attackers may take to perform sensitive operations.

  3. Training/Skills Gap: Mastering the complexities of cloud, DevOps, and SaaS demands a wide-ranging skill set that most Security Operations teams lack without specialized training. Even those with extensive cloud expertise will face challenges when joining a new organization, as they must navigate different architectures, terminologies, and internal practices—much of which is based on tribal knowledge specific to that company. Without the right tools, this rare combination of cloud expertise and environmental familiarity becomes a barrier to SecOps efficiency.

Automating Identity Attribution and Telemetry

An ideal solution would be to algorithmically attach an identity to every operation in the cloud at runtime. Once this identity attribution is performed correctly, it creates a foundation for constructing telemetry as we now have a comprehensive activity dataset for every single identity. Once identity attribution and telemetry are accurately constructed, they create a massive opportunity for the SecOps team to enhance detection, investigation, response, and threat hunting. Here are some of the tasks that can be performed more efficiently:

Alert Investigation

With identity attribution and telemetry in place, any alert received by an analyst can be investigated efficiently. If a human identity is associated with an alert, the analyst can promptly contact the individual via Slack or Teams to confirm their involvement in the activity. An immediate response from the user saves analysts valuable time. Even if there is no reply, analysts can quickly verify the user’s location and see if it aligns with their usual work environment.

Moreover, using identity telemetry, analysts can determine what other actions the identity carried out not only at the time of the alert but also in the preceding hours, and not only in the system in question but also in other parts of the enterprise, such as in AWS, Okta, GCP, and so on. Such comprehensive telemetry enables SecOps engineers to triage alerts with confidence and efficiency.

Threat Detection

Instead of relying on rule-based detections, analysts can be alerted to abnormal identity behavior. The telemetry associated with an identity serves as its baseline, allowing for quick detection of deviations. Identity behavior analytics (IBA) differs significantly from user behavior analytics (UBA) because identities are more complex in the cloud for the reasons mentioned above, such as RBAC, role chains, delegation chains, and non-human identities. With identity telemetry as a foundation, analysts can receive real-time behavior alerts, enabling them to detect zero-day attacks effectively.
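The role-chain obfuscation described under RBAC, the attribution step from the previous section, and the baseline-deviation idea here can be seen together in the following added example, which is not Breez’s code or algorithm. It walks simplified, constructed CloudTrail-style AssumeRole events back to the originating principal, groups each operation under that principal, and reports operations absent from a per-identity baseline; the event shapes and ARNs are invented for illustration.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style events (not real log data).
# Field names mirror CloudTrail; every value is invented. The caller of
# AssumeRole is userIdentity.arn, the new session is responseElements.
EVENTS = [
    {"eventName": "AssumeRole", "eventTime": "2024-05-01T09:58:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111:assumed-role/OktaSSO/alice"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::111:assumed-role/DeployRole/s1"}}},
    {"eventName": "AssumeRole", "eventTime": "2024-05-01T09:59:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111:assumed-role/DeployRole/s1"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::222:assumed-role/ProdAdmin/s2"}}},
    {"eventName": "RunInstances", "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:sts::222:assumed-role/ProdAdmin/s2"}},
    {"eventName": "GetSecretValue", "eventTime": "2024-05-01T10:01:00Z",
     "userIdentity": {"arn": "arn:aws:sts::222:assumed-role/ProdAdmin/s2"}},
    {"eventName": "ListBuckets", "eventTime": "2024-05-01T10:02:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111:user/ci-bot"}},  # non-human identity
]

def build_chain_map(events):
    """Map each assumed-role session ARN to the ARN of the caller that obtained it."""
    return {e["responseElements"]["assumedRoleUser"]["arn"]: e["userIdentity"]["arn"]
            for e in events if e["eventName"] == "AssumeRole"}

def attribute(arn, chain_map):
    """Walk the role chain back to the originating principal; return (root, hops).
    The seen-set guards against a cyclic chain looping forever."""
    hops, seen = [arn], {arn}
    while arn in chain_map and chain_map[arn] not in seen:
        arn = chain_map[arn]
        hops.append(arn)
        seen.add(arn)
    return arn, hops

def build_telemetry(events):
    """Group every non-STS operation under the identity that originated the chain."""
    chain_map = build_chain_map(events)
    telemetry = defaultdict(list)
    for e in events:
        if e["eventName"] == "AssumeRole":
            continue
        root, _ = attribute(e["userIdentity"]["arn"], chain_map)
        telemetry[root].append(e["eventName"])
    return dict(telemetry)

def deviations(telemetry, baseline):
    """Return the operations each identity performed that are absent from its baseline."""
    out = {}
    for ident, ops in telemetry.items():
        new_ops = sorted(set(ops) - baseline.get(ident, set()))
        if new_ops:
            out[ident] = new_ops
    return out
```

With a baseline of `{alice: {"RunInstances"}, ci-bot: {"ListBuckets"}}`, the two-hop ProdAdmin activity is credited to alice’s SSO session and `GetSecretValue` surfaces as her only deviation.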

Threat Hunting

Proactively monitoring each identity — human or non-human — and creating real-time telemetry enables systems to assign risk scores to each identity on various criteria, such as API calls performed, location used, and any other behaviors. These scores categorize identities into high, medium, and low-risk groups, allowing analysts to focus their threat-hunting efforts on high-risk identities and detect potential threats before they escalate into incidents.

Conclusion

In conclusion, identity attribution and telemetry play crucial roles in next-generation Security Operations, enabling security teams to use a behavioral approach to detect the latest cloud threats and investigate issues faster. Breez delivers a cutting-edge solution that algorithmically links every operation in the cloud to a specific identity in real time. By achieving precise identity attribution, we provide a solid foundation for constructing detailed identity telemetry—capturing a comprehensive dataset of activity for every identity. With this rich identity attribution and telemetry in place, Security Operations teams can significantly enhance their detection, investigation, response, and threat-hunting capabilities. Our platform streamlines these critical tasks, allowing security teams to work more efficiently and effectively in the cloud environment.

Schedule a demo here.