Cloud SecOps V7


www.paladion.net
Guide to Next-Generation
Cloud SecOps
ABSTRACT
Security Operations (SecOps) face many challenges,
including a shortage of skilled people, proliferating
security technologies, and a reactive mindset. In the
cloud, these challenges are made even more acute by
cloud-specific threats, access control issues, and a shared
security model with cloud providers.

Next-Gen Managed Detection and Response (MDR) brings affordable threat detection and comprehensive response capabilities to cloud-based, on-premise, and hybrid IT architectures. These AI-enhanced services fill detection gaps and unify inputs from multiple security tools while providing both automated and manual responses.

This eBook will focus specifically on MDR in the cloud and how Next-Gen MDR can provide these services at a scale, efficiency, and effectiveness that outpaces what most organizations can afford internally.
TABLE OF CONTENTS

04 Introduction
05 Problems Lurk in the Cloud
06 New Threats in the Cloud
08 The Impact of the Shared Responsibility Security Model
09 Rapid Change and High-Volume Feature Releases
10 Cloud-Specific Threats
11 Access Control Issues in the Cloud
11 Additional Complexity and Gaps Caused by Hybrid and Multi-Cloud Architectures
13 How Next-Generation MDR Addresses Cloud Security Challenges
14 Cloud-Native
14 Automation and Artificial Intelligence
15 Continuous Security Posture Management (CSPM)
15 Full Response
17 Paladion’s Next-Gen MDR: AI.saac
19 Applying the Power of AI and Machine Learning
20 High-Level Architecture
21 Solution Components
22 Threat Response
25 Conclusion
26 About Paladion
INTRODUCTION
Security Operations (SecOps), which is challenging enough in
the data center, becomes even more difficult in the cloud. Issues
include a shortage of skilled people and a proliferating number of
security technologies. Taking a reactive approach is not realistic;
organizations must get ahead of attacks to stay protected.

Public clouds run on a shared responsibility model, with the customer responsible for access control and security countermeasures in a continually shifting environment. As the customer adopts new cloud technologies like cloud-based containerization and data lakes, they are on the hook for defending themselves against a range of unique, cloud-specific threats. These include attempts to find and read “leaky” cloud storage buckets, cloud console takeovers, DDoS ransom demands against cloud-hosted services, compromises of Office 365, and more.

Next-Generation Managed Detection and Response (Next-Gen MDR) brings an effective solution. Having already proven its success in the data center, MDR is now improving cloud security management.

Next-Gen MDR solutions bring broad threat detection and comprehensive response capabilities to cloud-based, on-premise, and hybrid architectures. They leverage cloud-native tools and employ Artificial Intelligence (AI) to fill detection gaps and unify input from multiple security tools. On the response side, the platforms automate responses to enable SecOps teams to concentrate on the most severe threats and work more efficiently.

PROBLEMS LURK IN THE CLOUD

Appealing as the cloud may be for its flexibility and economic benefits, cloud infrastructures present serious security challenges. These include the shared responsibility model, the rapid release of new cloud features, access control issues, and more.

Industry statistics reveal problems on a massive scale:

• The average organization has 2,200 individual IaaS misconfiguration incidents per month [1]

• 24% of organizations are missing high-severity patches in their public cloud environments [2]

• 27% of organizations have users with compromised public cloud accounts [3]

1. McAfee, 5 Key Findings for 2019 Cloud Adoptions and Risk Report, 2019
2. Redlock, 13 Cloud Security Statistics to Know in 2019 (with 9 Best Practices), 2018
3. Forcepoint, The Human Point: An Intersection of Behaviors, Intent & Data, 2017

NEW THREATS IN THE CLOUD

The cloud opens up new attack surface areas, ranging from smaller vulnerabilities to entirely new types of cyber threats.

Examples include:

• “Leaky bucket” cloud storage: buckets left readable by anyone on the internet, exposing sensitive data.

• Cloud console takeovers that give attackers control of the entire cloud account or tenant, and with it every resource in it.

• Cloud-based email like Office 365 that brings spear phishing, account takeovers, and business email compromise that can result in financial or IP theft.

• SaaS services that can be hijacked through failures on the SaaS provider’s side or through internal users.

API AND CLOUD INTEGRATION VULNERABILITIES

Standards-based APIs and similar technologies make the cloud an excellent environment for flexible, fast, and economical integrations. However, the very openness that makes all this connectivity possible also creates new risk exposure.

In addition to attacking APIs directly, attackers can target connection points like Azure Event Hubs or data services like the Amazon Redshift data warehouse. These attacks can be particularly devastating since so much information flows through these access points. What’s more, malicious traffic through these channels often looks like ordinary data flow, so these attacks can go undetected for very long periods.

THE IMPACT OF THE SHARED RESPONSIBILITY SECURITY MODEL

Cloud customers work within the shared responsibility security model.

The CSP is responsible for securing its infrastructure and physical network. Its SecOps team monitors the compute, storage, and network hardware comprising the cloud platform. The customer, in turn, is responsible for their own data and application security, including guest patching, the configuration of their virtual networks and identities, and the access control issues that arise when working in the cloud. Where exactly the line falls depends on the service model: the customer carries more of it on IaaS and less on SaaS.

Shared Responsibility Model

  Cloud Service Provider    Customer
  Infrastructure            Data
  Network                   Applications

This shared responsibility model makes a great deal of sense. The CSP cannot be
expected to know which users are authorized to use the software installed in the
customer’s cloud. Nor is it realistic for the CSP to remember the specifics of how the
customer wants to secure its data and applications.

However, the shared responsibility model leads to a lot of problems too. At a minimum,
the cloud becomes yet another digital asset SecOps has to monitor by installing cloud-
based versions of on-premise SIEM systems, Intrusion Detection Systems (IDSs), and other
security tools.

RAPID CHANGE AND HIGH-VOLUME FEATURE RELEASES

CSPs frequently introduce new features and solutions to attract new customers and keep existing customers from defecting. Some of these changes can have huge impacts on SecOps. For instance, a CSP might launch a complete Internet of Things (IoT) management platform along with a data analytics service to go with it. That’s fine, right up until someone in the business decides to take advantage of this new feature without telling SecOps, and in doing so inadvertently exposes the network and data to hundreds or thousands of untracked and unsecured devices.

The relentless pace of change makes it hard for SecOps to keep up.

IMMATURITY OF IAAS AND SAAS SECURITY FEATURES

CSPs make many security tools available in their cloud platforms, such as virtual web
application firewalls and cloud-based IDSs. However, these CSP security offerings tend to
be immature or incomplete compared to their traditional data center counterparts. This
gap leads to SecOps teams having to install and manage their own tools.

Unfortunately, cloud resources can be exceptionally challenging to configure. A single flaw may expose the organization to massive risks.

CLOUD-SPECIFIC THREATS

The cloud is vulnerable to all of the same threats as on-premise infrastructure but comes with its own unique risks.

Multi-tenant architectures used by CSPs create an additional layer of vulnerability. Side-channel flaws such as Spectre and Meltdown showed that code in one VM could, in principle, read memory belonging to other VMs on the same physical host. CSPs mitigated those specific flaws at the hypervisor and firmware level, but the customer has no visibility into the host and still has to patch its own guest operating systems against the next one.

Human error is always a huge problem, but the cloud magnifies common mistakes into organization-wide vulnerabilities. Simple configuration errors can leave entire databases unprotected. These mistakes often result from application testing or other processes that require the use of a database in a non-production environment and are easily missed by SecOps teams, often because they’re never even made aware of these test instances.

Advanced Persistent Threat (APT) groups often run their attack infrastructure from the same public clouds, so their traffic blends in with legitimate cloud-to-cloud flows and they can move laterally toward an organization’s cloud assets.

Insider threats are also particularly common and devastating in cloud environments because access can be so far-ranging. If monitoring and access controls are deficient, insiders can conduct malfeasance and fraud on a broader basis than they could on-premise.

ACCESS CONTROL ISSUES IN THE CLOUD

Who accessed what? That’s one of the most critical questions facing SecOps teams as they analyze session logs and reports.

Deciphering the access control map becomes more complicated in the cloud. Users may get in through a “side door” by accessing digital assets remotely, straight from the internet, without ever passing through the corporate network and the controls that sit on it. Cloud Access Security Brokers (CASBs) can help, as can identity and access management systems that have been set up for cloud use, provided the cloud provider’s own access logs are collected and reviewed.

Using cloud deployments can inadvertently set up side-door access to critical data and systems.
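One way to answer “who accessed what?” for the side-door case, as an added example that is not part of the eBook and not Paladion code: the Python below scans a constructed batch of CloudTrail-style ConsoleLogin events and flags successful logins from outside the corporate egress and VPN ranges, logins without MFA, use of the root account, and a success that follows repeated failures from the same address. The corporate ranges, the event helper and the sample events are assumptions made for the example; only the record layout follows CloudTrail.

```python
"""Side-door console access detection over constructed CloudTrail-style events.

Added example; not part of the eBook and not Paladion code. Event fields follow the
AWS CloudTrail ConsoleLogin record layout, but every event below is constructed and
uses RFC 5737 documentation addresses. The corporate ranges are an assumption.
"""
import ipaddress
from collections import defaultdict

# Assumption: the only networks from which console logins are expected
# (office egress and the VPN concentrator).
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]


def login_event(time, user, ip, mfa, outcome, identity_type="IAMUser"):
    """Build a constructed ConsoleLogin event in CloudTrail's shape."""
    identity = {"type": identity_type}
    if identity_type != "Root":
        identity["userName"] = user
    return {
        "eventTime": time,
        "eventName": "ConsoleLogin",
        "userIdentity": identity,
        "sourceIPAddress": ip,
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed sample batch.
SAMPLE_EVENTS = [
    login_event("2024-05-01T08:00:00Z", "alice", "203.0.113.10", "Yes", "Success"),
    # 198.51.100.200 is outside 198.51.100.0/25 (hosts .0-.127): a side-door login
    login_event("2024-05-01T08:05:00Z", "bob", "198.51.100.200", "Yes", "Success"),
    login_event("2024-05-01T08:10:00Z", "carol", "192.0.2.44", "No", "Success"),
    login_event("2024-05-01T08:12:00Z", "dave", "192.0.2.77", "Yes", "Failure"),
    login_event("2024-05-01T08:13:00Z", "dave", "192.0.2.77", "Yes", "Failure"),
    login_event("2024-05-01T08:14:00Z", "dave", "192.0.2.77", "Yes", "Success"),
    login_event("2024-05-01T09:00:00Z", None, "203.0.113.10", "Yes", "Success", "Root"),
]


def is_corporate(ip, ranges=CORPORATE_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyze(events, ranges=CORPORATE_RANGES, failure_threshold=2):
    """Return one finding per suspicious successful console login, in time order."""
    findings = []
    failures = defaultdict(int)  # source IP -> failed logins seen so far
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ip = ev["sourceIPAddress"]
        if ev["responseElements"].get("ConsoleLogin") != "Success":
            failures[ip] += 1
            continue
        identity = ev["userIdentity"]
        rules = []
        if not is_corporate(ip, ranges):
            rules.append("side_door_login")
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            rules.append("no_mfa")
        if identity.get("type") == "Root":
            rules.append("root_console_login")
        if failures[ip] >= failure_threshold:
            rules.append(f"failures_before_success:{failures[ip]}")
        if rules:
            findings.append({
                "time": ev["eventTime"],
                "user": identity.get("userName", identity.get("type")),
                "ip": ip,
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']:<6} {f['ip']:<16} {', '.join(f['rules'])}")
```

The ranges are the point of the check: a login that never touched the corporate network is exactly the side door, and it only shows up if the provider’s own login log is collected. The failure counter is kept per source address rather than per user, so a spray across several accounts from one address is still caught when one of them succeeds.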

ADDITIONAL COMPLEXITY AND GAPS CAUSED BY HYBRID AND MULTI-CLOUD ARCHITECTURES

Few organizations are one hundred percent in the public cloud. Many businesses have data across on-premise, public, and private cloud architectures. Others have applications and data that span AWS, Azure, and Google Cloud. Such hybrid and multi-cloud architectures set up a tricky security dynamic for SecOps to track, requiring many overlapping and repetitive systems for multiple cloud instances, further increasing the possibilities for human error and the need for automation.

THE PEOPLE SHORTAGE

A shortage of skilled, available, and affordable SecOps personnel is becoming an increasingly urgent issue for almost every security organization that’s working in the cloud.

80% of security professionals say it is becoming increasingly difficult to find people with the skills they need. And 68% say this skills shortage is impacting their security operations. [4]

Mid-market firms are stuck in an especially difficult position. They urgently need to move to the cloud for reasons of business agility but struggle with recruiting and retaining enough SecOps team members with strong cloud skills to support their ambitions.

Few organizations can find enough qualified SecOps team members to keep up with their cloud initiatives.

4. TechBeacon, 31 Cybersecurity Stats That Matter, 2019

HOW NEXT-GENERATION MDR ADDRESSES CLOUD SECURITY CHALLENGES

To understand how Next-Generation MDR mitigates cloud security risks, it’s useful to compare it with traditional MDR practices.

PROACTIVE VS. REACTIVE

MDR services vary, of course, but in general, they take a reactive approach. The service provider monitors the customer’s infrastructure and digital assets. When they receive an alert, they respond to it. They typically use tools like Security Information and Event Management (SIEM) solutions to collect and correlate the output of multiple security systems such as IDSs.

In contrast, Next-Gen MDR takes a proactive approach to both detection and response. It performs the same monitoring functions as earlier MDR service offerings but adds a critical new element: threat hunting. Next-Gen MDR is continually looking for evidence of attacks that no rule or signature has fired on yet.

CLOUD-NATIVE

Next-Gen MDR solutions have been developed specifically with cloud use cases in mind and integrate deeply into an organization’s entire cloud stack. This means that they can work seamlessly across multiple clouds, including containers, microservices, cloud consoles, and data repositories, while leveraging existing security tools. For example, a Next-Gen MDR solution can provide threat detection by unifying SIEM, EDR, user access, and flow data across AWS, Azure, private clouds, and traditional data centers.

With complete integration, the MDR solution can access data about the status of each element of the stack to detect and respond to threats. The offering also includes a regular review of their configurations to ensure no new solutions have created unintended vulnerabilities.

For robust security in the cloud, Next-Gen MDR solutions must completely integrate into the entire solution stack.

AUTOMATION AND ARTIFICIAL INTELLIGENCE

A Security Operations Center (SOC) is typically on the receiving end of outputs from multiple security systems, including next-generation firewalls (NGFWs), Unified Threat Management (UTM) appliances, and more. This security data piles up, even with analytics systems like SIEM in place. An under-resourced SecOps team may be overwhelmed by the deluge of security data.

Next-Gen MDR automates the handling of huge volumes of security data, which helps
reduce the workload placed on SecOps teams. It pulls data from a wide range of existing
security products like IPSs, firewalls, UTMs, anti-virus, SIEMs, endpoint detection and
response solutions, web application firewalls (WAFs), user behavior analytics (UBA), and
cloud security solutions.

CONTINUOUS SECURITY POSTURE MANAGEMENT (CSPM)

To be successful, cloud security and countermeasures must be continuous rather than episodic. Next-Gen MDR services should offer Continuous Security Posture Management (CSPM, more widely known as Cloud Security Posture Management). CSPM continuously inventories cloud assets and evaluates their configurations against security policies, so that a newly created public storage bucket or an internet-exposed administrative port is flagged as soon as it appears rather than at the next audit.
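As an added example of what a CSPM evaluation actually does (not from the eBook and not Paladion code), the following Python runs two policy-as-code checks over a constructed inventory: the “leaky bucket” check from the threats section (wildcard principals in a bucket policy, public ACL grants) and an internet-exposed administrative port check on security groups. The inventory shape, the account id and the check set are assumptions; the Public Access Block flag names and grantee URIs use AWS’s names.

```python
"""Policy-as-code posture checks over a constructed cloud inventory.

Added example; not from the eBook and not Paladion code. The inventory records below
are constructed and only loosely mirror AWS S3 bucket policy, ACL and Public Access
Block shapes and security-group rules; the check set is an assumption for the example.
"""

SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
INTERNET = {"0.0.0.0/0", "::/0"}
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(bucket):
    """Flag public policy grants and public ACL grants on a storage bucket.

    If all four Public Access Block flags are on, the grant is still reported, but at
    low severity: the block stops the exposure, the stale grant should still be removed.
    """
    pab = bucket.get("public_access_block", {})
    blocked = all(pab.get(flag) for flag in PAB_FLAGS)
    severity = "low" if blocked else "high"
    findings = []
    for st in bucket.get("policy", {}).get("Statement", []):
        if st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal")) and "Condition" not in st:
            findings.append(("public_bucket_policy", severity))
            break
    if any(g.get("grantee_uri") in PUBLIC_GRANTEES for g in bucket.get("acl_grants", [])):
        findings.append(("public_acl", severity))
    return findings


def check_security_group(group):
    """Flag internet-wide ingress that reaches an administrative or database port."""
    findings = []
    for rule in group.get("ingress", []):
        if rule["cidr"] not in INTERNET:
            continue
        if rule["protocol"] == "-1":  # all protocols and ports
            findings.append(("all_ports_open_to_internet", "high"))
            continue
        exposed = sorted(p for p in SENSITIVE_PORTS if rule["from_port"] <= p <= rule["to_port"])
        if exposed:
            findings.append(("sensitive_ports_open_to_internet:" + ",".join(map(str, exposed)), "high"))
    return findings


CHECKS = {"s3_bucket": check_bucket, "security_group": check_security_group}


def assess(inventory):
    """Run every applicable check over the inventory and return flat findings."""
    out = []
    for res in inventory:
        for check, severity in CHECKS[res["type"]](res):
            out.append({"resource": res["name"], "check": check, "severity": severity})
    return out


def get_object_statement(principal):
    return {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*/*"}


# Constructed inventory (account id and names are placeholders).
INVENTORY = [
    {"type": "s3_bucket", "name": "public-assets", "policy": {"Statement": [get_object_statement("*")]},
     "public_access_block": {f: False for f in PAB_FLAGS}},
    {"type": "s3_bucket", "name": "backups", "policy": {"Statement": [get_object_statement({"AWS": "*"})]},
     "public_access_block": {f: True for f in PAB_FLAGS}},
    {"type": "s3_bucket", "name": "logs",
     "acl_grants": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}]},
    {"type": "s3_bucket", "name": "private",
     "policy": {"Statement": [get_object_statement({"AWS": "arn:aws:iam::123456789012:root"})]}},
    {"type": "security_group", "name": "web", "ingress": [
        {"cidr": "0.0.0.0/0", "protocol": "tcp", "from_port": 443, "to_port": 443},
        {"cidr": "0.0.0.0/0", "protocol": "tcp", "from_port": 22, "to_port": 22}]},
    {"type": "security_group", "name": "db", "ingress": [
        {"cidr": "10.0.0.0/8", "protocol": "tcp", "from_port": 5432, "to_port": 5432}]},
    {"type": "security_group", "name": "bastion", "ingress": [
        {"cidr": "::/0", "protocol": "-1", "from_port": 0, "to_port": 65535}]},
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['severity']:<5} {f['resource']:<14} {f['check']}")
```

The Public Access Block handling is the caveat worth keeping: a wildcard grant behind a fully enabled block is not reachable, so it is reported at low severity instead of being silently accepted or raised as a breach. Running the checks on every configuration change, rather than on a schedule, is what makes the posture management continuous.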

FULL RESPONSE

Next-Gen MDR contains threats and orchestrates a complete response to evict the
attacker. Some responses can even be fully automated with the client’s agreement. The
SOC’s goal is to avoid the unfortunate but common scenario where a managed security
service spots a threat, opens a ticket, and sends it over the wall to the customer. Given the
pace of attacks and the overloaded nature of SOCs, that can be a formula for disaster.

USE CASES FOR THREAT DETECTION

Next-Gen MDRs manage a wide variety of cloud cybersecurity use cases, filling in detection and response gaps created by shortages of personnel and tool limitations. In addition to cyber defense countermeasures like mitigating APTs and securing SaaS apps, common cloud use cases include:

• Stopping data leakage
• Detecting fraud
• Ensuring compliance with security frameworks
• Preventing insider attacks

NEXT-GEN MDR IN ACTION

A Next-Gen MDR platform should be able to provide the detection and response service timeline depicted in the “Left-of-Hack” and “Right-of-Hack” diagram in Figure 1. The figure offers a useful way to visualize the timing of threat detection and response actions. Each of the six steps within this workflow represents processes occurring along the timeline of an attack. The “Left-of-Hack” portion includes the proactive steps taken to detect threats before an attack succeeds. The earliest form of detection is threat anticipation, followed by threat hunting, which happens closer to the time of a hack, while security monitoring serves as the detection capability occurring up to the moment of a possible compromise.

Figure 1 – Threat detection and response workflows represented by proximity to the time of a compromise

The “Right-of-Hack” portion includes the time-to-respond workflows, which follow a similar time-based pattern. Incident analysis takes place immediately after an attack is detected, followed by auto-containment, and then response orchestration.

A robust MDR solution includes both pre- and post-attack activities.

PALADION’S NEXT-GEN MDR: AI.SAAC

Paladion’s Next-Gen MDR is AI.saac, a patented AI platform first deployed in 2011. It achieves proactive results by mining customers’ security data on a 24/7 basis across three dimensions:

• SOC monitoring: looking for known threats, based on rules and signatures

• Threat anticipation: searching for known attackers by correlating external threat intelligence

• Threat hunting: using AI and machine learning models to detect anomalies that indicate the presence of malware or APTs

Figure 2 – Screenshot of AI.saac-MDR’s Active Discovery process, showing suspected attack sites and their connections across cloud assets

This broad detection process takes a proactive fight against malicious actors across the public cloud. It can ferret out threats in cloud assets on most platforms (e.g., Azure, Google, AWS) and operating systems, as well as in containers (e.g., Docker), microservices, and cloud consoles. The platform can also detect threats coming from SaaS solutions like Box and Salesforce. There are few, if any, places for APTs or malware to hide with this approach. Machine learning models make it hard for threats to evolve and escape detection.

In addition to broad, continuous detection of threats and vulnerabilities, AI.saac performs regular configuration and compliance assessments. This approach is essential for strong security because misconfigured cloud systems are where APTs and comparable malware lurk. An out-of-compliance VM, for instance, can be hijacked and used as a foothold for deeper penetration.

Taking this proactive approach leaves nowhere for cybersecurity threats to hide.

WHY BE PROACTIVE?

Next-Gen MDR platforms detect the presence of APTs that get overlooked by reactive processes. For example, Paladion MDR caught a hidden banking trojan that went undetected by the existing Symantec EPP, FireEye EDR, QRadar SIEM, and a Next-Generation Firewall (NGFW). In another case, Paladion detected an attacker’s lateral movement between dev and production instances of a website, movement that anti-malware and firewalls missed.

APPLYING THE POWER OF AI AND MACHINE LEARNING

AI and machine learning are now commonplace in cybersecurity products. AI.saac takes those technologies even further and has a proven track record. It is powered by neural nets, by supervised and unsupervised learning, and by natural language processing (NLP).

AI.saac processes 25 billion security events per day.

Figure 3 – AI.saac-MDR leverages advanced security analytics to group attacks across two dimensions, based on threat actors and attacks. The figure is a 2x2 matrix:

Known threat actors, unknown attacks:
• Threat feed-based detection logic
• SIEM rules
• Threat modelling and attack tree enumeration

Known threat actors, known attacks:
• Signature matching
• Watchlists/blacklists (IPS, WAF, DLP, AV)

Unknown threat actors, unknown attacks:
• Statistical models, behavior analysis, peer analysis
• Machine learning
• Visual analysis

Unknown threat actors, known attacks:
• Watchlists/blacklists

Figure 4 – Tactical threat intel process, where commodity threat data (e.g., cloud sources, open sources) is collected, parsed, and scored before being curated through validation and correlation. The result is a collection of operationalized threat data used by the AI.saac platform.

HIGH-LEVEL ARCHITECTURE

Figure 5 – High-level reference architecture of the AI.saac platform operating in a hybrid cloud environment. The customer SOC sits on the left and the MDR SOC on the right. In the centre, the AI.saac-MDR platform runs the detection pipeline (Anticipate, Hunt, Monitor) and the response pipeline (Analyze, Contain, Orchestrate). Existing security tools (e.g. SIEM, NGFW, IPS) connect through detection APIs; ticketing systems and similar connect through response APIs. Agents feed the platform: an LEC on a virtual appliance in each data center (Datacenter 1, Datacenter 2), LECs for cloud assets (VPC, VNETs), MDR agents for servers (Server 1, Server 2), and EDR agents for endpoints (Endpoint 1, Endpoint 2).

Figure 5 shows a simple reference architecture of Paladion’s AI-Driven MDR working in a hybrid cloud environment, a typical usage scenario for Paladion’s customers. The AI.saac platform is the heart of the solution, running on Paladion’s own cloud infrastructure. APIs enable integration with existing security tools like SIEM and IPS, as shown on the left side of the diagram.

The system deploys agents across all digital assets, including on-premise servers, cloud instances (e.g., AWS and Azure), Virtual Private Clouds (VPCs) and Virtual Networks (VNets), and endpoints like mobile devices or laptops. The agents and integrated security tools feed event data into the platform’s detection processes. These, in turn, anticipate, hunt, and monitor for threats.

APIs connect the platform’s response processes to external ticketing solutions. Both detection and response processes are visible to end-users at the Paladion SOC as well as to the customer’s SecOps team members.

AI.saac-MDR offers a “single pane of glass” in which to engage in threat detection and response management.

SOLUTION COMPONENTS

The AI.saac-MDR contains multiple services and core technologies along with hundreds of AI models, use cases, and playbooks.

Core technologies: Threat intelligence, impact analyzer, endpoint detection and response (EDR), UBA, network traffic analysis, advanced threat analytics, triage, big data SIEM, one-touch integration, and deep forensics

AI models: ML algorithms such as classification, clustering, regression, association, and pattern matching; deep learning algorithms such as standard neural networks (NNs), convolutional neural networks (CNNs), and recurrent neural networks (RNNs); and intelligence automation

Figure 6 – Components of the AI.saac-MDR platform, from an end-user perspective

THREAT RESPONSE

Paladion works with clients to clearly outline what types of threats can be automatically responded to and which require human intervention. In the case of the latter, threats are auto contained to limit the damage until a human can be brought into the loop.

INCIDENT ANALYSIS

AI.saac investigates the impact, attacker, attack campaign, and extent of the compromise to determine the appropriate amount of resources that should be allocated.

For example, for a malware or intrusion alert, the incident analysis process automatically discovers if there are indicators of compromise (IoCs). The platform assesses if the attacker is communicating with other workloads and then considers other elements, such as “What is its ‘blast radius’?” or “Is it part of a campaign from a known threat actor?”

The main goal is to contain threats and swiftly stop their spread.

AI.SAAC-MDR CUSTOMER SUCCESS STORY

A global e-commerce company had made a significant investment in security solutions, yet these tools were not performing adequately. The company’s internal security teams were over-stretched to the point where they could not investigate and respond to threats in a timely manner. At the same time, the company found itself targeted by APTs.

Challenge: The company was suffering advanced, targeted cyber-attacks, including non-signature-based threats in their network, and complex threats in their broader environment.

Solution: Paladion deployed a full AI-driven Managed Detection and Response (MDR) program with 24x7x365 security monitoring across the company’s entire network. The company’s new security program included multi-channel big-data security analytics and Paladion’s comprehensive response services.

Results: By partnering with Paladion, this e-commerce company:

• Detected new attacks and complex malware at each stage of the attack chain.

• Accelerated and expanded their ability to identify attacker information, asset impact, and attack spread.

• Automated their network and endpoint response.

• Greatly accelerated their alert validation, incident analysis, and threat containment.

• Reduced incident analysis effort by 50%.
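To make the blast-radius question from the incident analysis above concrete, as an added example that is not from the eBook and not Paladion code: the Python below takes constructed VPC flow-log records, finds the internal hosts that exchanged accepted traffic with an attacker address, and then walks outward along connections those hosts initiated after first contact. The records follow the AWS VPC Flow Logs version 2 field order; the attacker address, the 10.0.0.0/8 internal range and the heuristic that the lower port is the service side are assumptions.

```python
"""Blast-radius estimate from constructed VPC flow-log records.

Added example; not from the eBook and not Paladion code. The records follow the
AWS VPC Flow Logs default (version 2) field order but are constructed, with an RFC
5737 address for the attacker; the initiator heuristic and the 10.0.0.0/8 internal
range are assumptions.
"""
import ipaddress
from collections import deque

# Constructed records. Fields: version account-id interface-id srcaddr dstaddr
# srcport dstport protocol packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1 10.0.1.5 10.0.6.6 50000 443 6 5 900 1699998000 1699998060 ACCEPT OK
2 123456789012 eni-0e5 10.0.5.5 10.0.1.5 40000 443 6 5 900 1699999000 1699999060 ACCEPT OK
2 123456789012 eni-0a1 198.51.100.23 10.0.1.5 41234 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.5 198.51.100.23 443 41234 6 20 18000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.5 10.0.2.9 51000 445 6 30 9000 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.5 10.0.2.20 51001 3389 6 1 60 1700000125 1700000130 REJECT OK
2 123456789012 eni-0c3 10.0.2.9 10.0.3.7 52000 22 6 40 7000 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0c3 10.0.3.7 10.0.2.9 22 52000 6 40 7000 1700000300 1700000360 ACCEPT OK
2 123456789012 eni-0d4 10.0.4.1 10.0.4.2 33000 443 6 5 900 1700000400 1700000460 ACCEPT OK
"""


def parse_flows(text):
    """Parse version-2 flow-log lines into dicts; skip anything malformed."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        flows.append({"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
                      "start": int(f[10]), "action": f[12]})
    return flows


def blast_radius(flows, ioc_ip, internal_net="10.0.0.0/8", max_hops=5):
    """Map host -> {hop, first_seen, via, port} for everything reachable from the IoC."""
    net = ipaddress.ip_network(internal_net)

    def internal(ip):
        return ipaddress.ip_address(ip) in net

    accepted = sorted((f for f in flows if f["action"] == "ACCEPT"), key=lambda f: f["start"])
    reached = {}
    # Hop 1: internal hosts with accepted traffic to or from the attacker, either direction.
    for f in accepted:
        for me, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if peer == ioc_ip and internal(me) and me not in reached:
                reached[me] = {"hop": 1, "first_seen": f["start"], "via": ioc_ip,
                               "port": min(f["sport"], f["dport"])}
    # Later hops: follow connections a reached host initiated after it was reached.
    queue = deque(sorted(reached, key=lambda h: reached[h]["first_seen"]))
    while queue:
        host = queue.popleft()
        info = reached[host]
        if info["hop"] >= max_hops:
            continue
        for f in accepted:
            if f["src"] != host or not internal(f["dst"]) or f["dst"] in reached:
                continue
            if f["dport"] >= f["sport"]:      # heuristic: src is answering, not initiating
                continue
            if f["start"] < info["first_seen"]:  # traffic from before the compromise
                continue
            reached[f["dst"]] = {"hop": info["hop"] + 1, "first_seen": f["start"],
                                 "via": host, "port": f["dport"]}
            queue.append(f["dst"])
    return reached


if __name__ == "__main__":
    for host, info in sorted(blast_radius(parse_flows(FLOW_LOGS), "198.51.100.23").items(),
                             key=lambda kv: kv[1]["hop"]):
        print(f"hop {info['hop']}: {host:<10} via {info['via']:<14} port {info['port']}")
```

Two things keep the radius honest: rejected flows are ignored, since a blocked RDP attempt is an IoC but not a hop, and flows that started before the source host was reached are ignored, so normal traffic from before the compromise does not inflate the set. The output is the list of workloads the containment step has to act on.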

AUTO-CONTAINMENT

If the alert is deemed to be severe enough to be considered an actual incident, the platform initiates an automated containment process to stop the attack and its impact. The solution automatically suspends rogue accounts and quarantines infected machines, preventing the spread of infection. Arresting the spread of the attack may involve reconfiguring network security groups (NSGs) to cut the host off from everything except the response channel, removing workloads, or killing the malicious process through endpoint detection and response (EDR) tooling. Which of these actions may run without a human is scoped in advance with the client, since isolating the wrong host, or a critical one, is itself an outage.
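As an added example (not from the eBook and not Paladion code) of how the client agreement described under Threat Response constrains auto-containment, the Python below plans containment for an incident against an in-memory inventory, carries out only what the agreement allows, and queues the rest for a human. The agreement values, the quarantine group, the inventory and the incident are assumptions; a real playbook would call the CSP and EDR APIs where the Inventory methods change local state.

```python
"""Auto-containment playbook with customer-agreed guardrails.

Added example; not from the eBook and not Paladion code. The agreement, the
quarantine group, the inventory and the incident are constructed; the Inventory
class stands in for the CSP and EDR API calls a real playbook would make.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
QUARANTINE_SG = "sg-quarantine"  # assumption: pre-staged group allowing only the EDR/MDR channel

# Assumption: what the customer has agreed the platform may do without a human.
AGREEMENT = {
    "auto_contain_min_severity": "high",
    "never_auto_isolate_tags": {"tier0", "domain-controller"},
    "max_auto_account_suspensions": 2,
}


@dataclass
class Incident:
    id: str
    severity: str
    hosts: list      # instance ids believed compromised
    accounts: list   # user names believed rogue


class Inventory:
    """In-memory stand-in for the cloud control plane and identity store."""

    def __init__(self, instances, accounts):
        self.instances = instances  # id -> {"sg": [...], "tags": set()}
        self.accounts = accounts    # name -> {"enabled": bool}

    def isolate(self, instance_id):
        inst = self.instances[instance_id]
        if inst["sg"] == [QUARANTINE_SG]:
            return "already_contained"       # idempotent: replaying the playbook is safe
        inst["previous_sg"] = inst["sg"]     # kept so the host can be restored after remediation
        inst["sg"] = [QUARANTINE_SG]
        return "isolated"

    def suspend(self, name):
        acct = self.accounts[name]
        if not acct["enabled"]:
            return "already_suspended"
        acct["enabled"] = False
        return "suspended"


def plan_containment(incident, inventory, agreement=AGREEMENT):
    """Split containment into actions the platform may take now and ones needing approval."""
    automate = SEVERITY_RANK[incident.severity] >= SEVERITY_RANK[agreement["auto_contain_min_severity"]]
    auto, approval = [], []
    for host in incident.hosts:
        protected = inventory.instances[host]["tags"] & agreement["never_auto_isolate_tags"]
        if automate and not protected:
            auto.append(("isolate", host, "agreement"))
        else:
            reason = "protected:" + ",".join(sorted(protected)) if protected else "below_severity_threshold"
            approval.append(("isolate", host, reason))
    suspended = 0
    for name in incident.accounts:
        if automate and suspended < agreement["max_auto_account_suspensions"]:
            auto.append(("suspend", name, "agreement"))
            suspended += 1
        else:
            approval.append(("suspend", name, "suspension_cap" if automate else "below_severity_threshold"))
    return auto, approval


def execute(actions, inventory):
    """Apply actions and return an audit trail of (verb, target, result)."""
    audit = []
    for verb, target, _reason in actions:
        result = inventory.isolate(target) if verb == "isolate" else inventory.suspend(target)
        audit.append((verb, target, result))
    return audit


def sample_inventory():
    """Constructed inventory: a web server and a domain controller, three accounts."""
    return Inventory(
        instances={
            "i-web1": {"sg": ["sg-web"], "tags": {"web"}},
            "i-dc1": {"sg": ["sg-ad"], "tags": {"domain-controller", "tier0"}},
        },
        accounts={n: {"enabled": True} for n in ("svc-deploy", "jdoe", "admin-ops")},
    )


if __name__ == "__main__":
    inv = sample_inventory()
    inc = Incident("INC-1", "critical", ["i-web1", "i-dc1"], ["svc-deploy", "jdoe", "admin-ops"])
    auto, approval = plan_containment(inc, inv)
    for row in execute(auto, inv):
        print("auto    ", row)
    for row in approval:
        print("approval", row)
```

The guardrails are the part that matters: protected tags keep a domain controller out of automatic isolation, the suspension cap keeps a misfiring detection from locking out a whole team, and both actions are idempotent so a replayed playbook cannot do damage. The previous security group is recorded at isolation time because remediation has to put the host back exactly as it was.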

AUTOMATED REMEDIATION AND ORCHESTRATED RESPONSE

The Paladion threat response sequence flows from auto-containment to automated threat remediation. This process may include automated steps like orchestrating actions among SecOps team members. Paladion incident responders quickly collaborate with the customer’s SecOps teams to contain, mitigate, and recover from an incident. SecOps teams can execute threat visualization and run automated playbooks with supervised machine learning algorithms guiding the whole process.

The platform is also capable of orchestrating an incident response. The goal is to contain attacks in minutes, orchestrate an effective response, and remove the root cause of the attack. After automated responses, there may be human follow-up, stakeholder notification, machine repairs, or other recommendations.

For events requiring client input, a Paladion Incident Responder reaches out to the customer with a complete incident analysis to orchestrate a full, coordinated response. This response spans both the Paladion team and the customer’s SecOps staff.

The platform guides the SecOps team in forensic breach investigations and helps to resume regular customer operations as soon as possible. Of course, the system learns from each incident and evolves customer defenses to perform better in future events.

DATA-RICH TICKETS

Given the time-starved nature of SecOps work, anything that cuts down on incident
management time is welcome. The Paladion approach is to provide SecOps team members
with information-rich tickets they can use to expedite incident response. Before creating a
ticket, AI.saac goes through a 20-point checklist covering:

• Threat containment status and sandboxing data

• IP reputation, IOC matches, associated alerts, source behavior, and target behavior

• Malware check, blacklist match, and vulnerability status

• Geographic risk and “blast radius”

• User accounts, processes, files, and network connections

• Asset value and user risk

CHEAT SHEETS FOR AZURE AND AWS

Cloud configurations are complex and constantly changing. It can be confusing for anyone, so we’ve created continuously updated “cheat sheets” that identify customer areas of responsibility when entrusting data to either Azure or AWS. We provide comprehensive checklists of key strategies for ensuring cloud deployment security.

These cheat sheets make it easier to ensure security for cloud-based deployments, but if you aren’t comfortable with the technical requirements, our team of top-notch security experts will work with you to ensure you have the right controls in place.

For example, Strategy 4 for AWS covers key details for managing the security of Amazon Machine Images (AMIs). Since not all users who can create AMIs will understand the security ramifications, we recommend that you define minimum security standards or hardened AMI templates with pre-defined security settings, and have users launch from those rather than building their own. An Azure example covers how to automate security controls on new VMs.

CONCLUSION
AI-Driven Next-Gen MDR makes it possible to establish a robust and enduring security
posture in the cloud. With deep detection and full response capabilities, the Next-Gen
platform, AI.saac, helps organizations overcome limitations on staffing as well as the
effects of a reactive mindset and proliferating security technologies. It enables SecOps
to stay on top of complex, constantly evolving cloud environments. AI and ML power
the detection capability and inform the automated incident response processes –
complementing and augmenting the in-house SecOps team’s ability to secure its assets
in the cloud.

READY TO IMPROVE SECOPS IN THE CLOUD?

SCHEDULE A DEMO
ABOUT PALADION

Paladion is a next-generation cybersecurity provider to technology, manufacturing, and cloud-first companies across the United States. It is consistently recognized and rated by independent technology advisory firms for its Managed Detection and Response services, cloud security, and Vulnerability Management & Response services, all anchored by its patented Artificial Intelligence platform, AI.saac.

Paladion provides threat detection and response for over 200 companies, including some of the world’s largest enterprises.

200+ Customers. 98% Client Retention Rate.

For more information, please visit www.paladion.net