Blog
Discovering Unknown Problems in the Alert Pipeline
Read More
When a large data company decided to migrate their systems fully to the cloud, their cybersecurity team knew it would be a challenge. The company’s senior security architect put it succinctly: “Our CTO said, we’re going completely to cloud. Everyone buckle up.”
Though the organization had assets in the cloud for many years, the team wasn’t sure they were ready to be 100% in the cloud from a security standpoint. Because of how extensive their company and networks were, they knew they had to prioritize transparency, automation, and the ability to convey processes and results to less-specialized teams.
As a large enterprise, they were also acquiring companies regularly and expanding their cloud footprint as a result. “We’re on prem and we’re in all five clouds—not just the big three.” When it comes to assessing security gaps, the team knew they would have to be able to test against vulnerabilities in every environment.
Leveraging the SafeBreach platform enabled the organization to increase both accuracy and efficiency in their cloud security control validation, alerting and detection engineering, and reporting. It also served as a foundational element for transparency, inter-team collaboration, and the ability to track progress and posture throughout the transition to cloud.
The Approach
Before making the big transition to cloud, the security team decided to follow a systematic approach that would assess their current levels of visibility and identify existing security gaps. But this transition wouldn’t just be about migrating their existing program—this major shift also gave the organization the opportunity to increase the maturity of their overall cloud program in preparation for being 100% in the cloud.
Greater accuracy and efficiency through automation
The rearchitecting process was rigorous. The team went through their system domain by domain, assessing visibility and gaps, creating feedback loops, and implementing automations where it made sense. Automations were key to leveling up their efficiency and maturity. According to a senior security architect on the team, “One of our main drivers was to make sure that whatever we were doing, we could give that to a business unit so that they can go do it themselves.”
Developers within the organization were moving faster than their security counterparts. Automation, they knew, would help speed processes and remove some of the friction between developer teams and security teams when security measures slowed down features and launches. “We wanted to stop being the ‘no’ on the ‘go-no-go’ decisions.”
Finally, that automation allowed for greater protection of business assets and customer data. As one team member put it, “If it’s not automated and it’s not repeatable, that means it’s manual and a human is doing it, and humans make mistakes.”
Working as a larger team and communicating progress
Rather than limiting the scope to just the security team, the organization chose to include their cloud engineering, cloud architecture, and operations teams. When developing, testing, and validating security guardrails, this allowed everyone to be on the same page from a posture perspective. Additionally, the organization had a monthly cloud business sync that included everyone involved in cloud.
“As a data hungry person, SafeBreach is totally my jam, because it helps quantify things we’ve been doing for so long.”
The team used SafeBreach’s reporting capabilities to convey progress and overall security posture improvements to these stakeholders, as well as business leaders within the organization.
“We have lots of posture management tools out there. But the data there has gotten so saturated now that it’s even hard to quantify that. But I can go run a quick simulation with SafeBreach and bring that data back to you within minutes. And that’s gold.”
Leveraging the flexibility of SafeBreach
The team was able to simplify and streamline their validation process by peeling out and running simulations that were specific to certain tools and functions. “With the SafeBreach platform we can get as granular as we want. We start small and then add to it from there—just lay on the defense as we proceed.”
As part of this layering process, the organization leveraged SafeBreach integrations with Splunk, third-party tools like endpoint and vulnerability management, indicators of compromise (IOCs) from a threat intelligence feed they subscribe to, and others. “It just makes it easier. It’s just a whole lot quicker to be able to report findings whenever there’s a native integration there.”
SafeBreach’s simulations also give the team a timely and efficient way to keep up with new vulnerabilities. “We run new simulations that SafeBreach adds so that we’re constantly growing and maturing with the new threats that come out.” With SafeBreach’s 24-hour SLA on all new US-CERT and FBI Flash alerts, the company could validate their protection against the latest attacks in real time.
Managing detections in the cloud
One major focus in the transition was on detections. Team members who had extensive experience with logs and detection knew that transitioning to the cloud meant that there would be additional noise—but perhaps not what they were looking for, and not what they set their cloud watch metric to be. “What if our logs break? You can put health checks in there, but there are some logs that have a heartbeat, especially in cloud.” SafeBreach gave them the ability to create custom detections and cut through the noise.
Testing the endpoint stack
With different operating systems, different network segments, and legacy engineering networks, testing the organization’s endpoint stack was a daunting task. The security team didn’t want to have to hassle the endpoint team to make sure everything was updating correctly, so they looked to SafeBreach to streamline the process. Since they were already testing other areas with SafeBreach, they leveraged the platform to validate that everything was being updated as intended.
Read the blog: Choosing the Best EDR for Your Organization Can Be Complicated – But It Doesn’t Need To Be
The Results
Even the most experienced and effective team would find the task of migrating completely to the cloud to be challenging and complex. What this enterprise found in the SafeBreach platform was the ability to scale their processes through automation, check their work through validation, and take some of the burden off of other teams who were focused on other business activities.
With a space as multifaceted as an enterprise cloud environment, collaboration and transparency were key to this organization’s success. That transparency was enabled by the SafeBreach platform’s reporting capabilities. Ultimately, the team was not just using SafeBreach as a platform, but “as a basis for a risk assessment program.”
“It’s already won hearts and minds, so I don’t get a lot of pushback when we want [other teams] to integrate into SafeBreach. It’s only going to grow and continue to provide value to us.”
