This article has been originally posted at CRFT Blog.

Andre Gironda is a cybersecurity veteran with over 30 years of broad exposure to the industry. I've asked Andre to share his recommendations on cost-effective toolkits and frameworks that really change the game for cybersecurity defense teams as they transition to the cloud.

Cloud Versus On-Prem

I've been connecting cybersecurity incidents to global geopolitical events for the past two decades. After responding to data spills as well as data or system integrity and availability incidents, including system compromise and denial-of-service, I can safely say that the cloud is just another target. Both traditional infrastructures and cloud infrastructures must be treated for cyber defense. Without offense and defense tied together properly, neither is going to be completely capable. One standard that addresses this gap is the MITRE Cyber Exercise Playbook, even though I wish it were more universally adopted. If we don't practice in the way that real events go down, then there is no point in anything else we do.

SecurityOnion Superplatform

I have, on occasion, recommended (and, to be honest, criticized) the SecurityOnion (SO) Linux distribution, which is a production-ready, always-on superplatform. Unfortunately, one of its shortcomings is that it's not great at analyzing endpoint artifacts. However, in 2019 Doug Burks and other contributors have changed the game: SecurityOnion have been improved with specific integrations and detection capabilities that I have not seen anywhere else. The platform is now broad enough to support traditional, cloud, and mixed environments. In particular,

• the integration of Elastic Basic (free extra features!), ElastAlert, Zeek, RITA, Strelka, TheHive, and malware information sharing platforms (MISP),
• scaling with TrimPcap, Redis, Logstash, and Curator,
• and enriching with FreqServer, DomainStats, and Analyst VM (with CapMe to Wireshark, NetworkMiner, and Sguil) completes the much-needed feature set.

However, I would also like to see it given more immutable infrastructure treatment, and maybe the addition of LogonTracer and SysmonSearch.

Addressing Endpoint

There are some areas of potential growth for SecurityOnion I'd like to highlight. SO's use of the growingly-outdated OSSEC/Wazuh agents means it is not at the level of most Endpoint Detection and Response (EDR) providers, and even with SysmonSearch integration, it would be difficult to compete with Volexity, Velociraptor, or LimaCharlie.

EDR solutions themselves have a long way to go. Some of them (perhaps not Endgame or Sysmon, but others for sure) are consolidating vulnerability management towards a scan-less architecture. Other vulnerability management solutions, such as Vulcan Cyber, seek to combine traditional infrastructures, cloud infrastructures, and even application security vulnerabilities under a single solution banner, including full-stack remediation.

Other hurdles for merging EDR capabilities into the superplatforms go beyond resistance and slow adoption. Elastic's story began their initial public offering (IPO), followed by acquisitions of Endgame and Perched, but still has ways to go. At this point, Elastic Enterprise has too many agents. While Elastic Endpoint Security provides solid Endpoint Protection Platforming (EPP) and EDR, other pieces require separate agents. Auditbeat is needed for Linux containers (to provide ATT&CK level system activity and events), and the classic Logstash for non-container log shipping.

Containers are quickly becoming a big business to the cloud and in hybrids like Google Anthos. "DevOps with Kubernetes" by Packt Publishing does a great job covering the use of Fluent Bit to Elasticsearch, yet another piece to this puzzle. DevOps teams love lightweight agents (like Fluent Bit), but their security features often take a backseat. In cyber defense, it's crucial to recognize that some of our favorite tools don't fit all the "bolts." To fully realize a superplatform, we will need to address the proper, right-sized EDR fit for all types of future architectures.

Other Alternatives

Are there other platforms worth a mention in cyber defense? Maybe SkadiVM, CSI Linux, and the Paladin Toolbox -- completely lifesaving when combined with Arsenal Image Mounter. I use these as offline platforms, though, often only for memory/disk forensics, even more often only as a deadbox. I wish there were a better way, but these tools have also come a long way in recent history compared to the forensic tools of the dark past. Anyone who has tried to do digital forensics in the cloud can attest to the lack of preparedness and tool support.

Defending Cloud on a Budget

As an industry, we must integrate cloud defense with the platforms above. Cloudtrail-anomaly and diffy, both from NetFlix Skunkworks, are the best at the moment for what they do, but only available on AWS. As more organizations finalize their cloud strategies, we will see the adoption of Google Cloud Platform (GCP), Azure, Nvidia GPU Cloud (NGC), Databricks, IBM Cloud (formerly SoftLayer), DigitalOcean, Paperspace, and many others.

As Noah Gift coined it in his new O'Reilly book, "Python for DevOps", multicloud is the concept of levering cloud container orchestration and infrastructure-as-code (IaC) with tools like Terraform for redundancy and price differentiation. AWS has EstimatedCharges and EC2 Spot, but we will start to see platforms that maximize cost savings across multiple cloud environments. What will be the effects on cyber defense?

Cloud security experts such as Scott Piper, Chris Farris, and William Bengtson are making a significant impact on our future through their incredible contributions. Exploring cheaper and more efficient ways to practice AWS defense benefits the community as a whole. For example, what is more cost-effective: turning down CloudWatch (to the minimum of 5GB) to rely solely on CloudTrail and GuardDuty with access to their datasets via cloudtrail-partitioner? Or by maximizing the use of Ultrawarm with Amazon Elasticsearch, Access Analyzer, AWS Systems Manager (with SSM agents), or even AWS Security Hub?

TL;DR

The bottom line is, here's how to get started:

1. Get a tactical case manager, like TheHive or Incident Pony for AWS;
2. Stand up a SecurityOnion Master with MISP integration to your incident management and SysmonSearch;
3. Configure Ethernet switch or VPC traffic mirroring to SO Forward Nodes;
4. Sign up for a license of Elastic Basic (free), Elastic Cloud, or Amazon ES; and
5. Finalize your defense superplatform to support all your traditional and multi-cloud requirements.