Using root cause analysis across your SDLC security tools is a force-multiplier for your existing teams and security tools.
A three-part blog series
In today’s rapidly evolving cloud security landscape, organizations face severe talent shortages compounded by an overwhelming volume of detections across the Software Development Lifecycle (SDLC). Cloud security teams can’t keep up and can’t hire their way out of the problem. Even though organizations have made significant investments in control-plane and data-plane detection, they are still struggling to get optimal value from those tools because they can’t quickly get to the root cause of cloud issues. The problem is no longer “do we have enough detection capability?” but rather “how do we effectively act on this mountain of detection data?”
In our three-part blog series, we’re going to explore:
- Part One: The double-edged sword of detection proliferation
- Part Two: The pain, time, and expense of remediation busyness, issue investigation, and management
- Part Three: The importance of Root Cause Analysis in the cloud
Part One: The double-edged sword of detection proliferation
As cloud environments become increasingly complex (rapid adoption of specialized DevOps tools and new cloud services, growing application interdependencies, multi-cloud), a multitude of security tools and technologies have emerged to tackle various aspects of the cloud security conundrum. A survey by Cybersecurity Insiders found that 78% of organizations use, on average, six or more distinct cloud security technologies to manage and safeguard their cloud data (Cybersecurity Insiders, 2021).
Having more tools is not necessarily a bad thing, as organizations aim to ensure they:
- have best-in-class detection
- have security coverage across their entire SDLC
- aren’t entirely dependent on one vendor
- have multiple layers of defense
However, this growing list of specialized security tools gives rise to its own set of challenges. No single tool sees the whole picture. Since these tools generally do not talk to each other, security data becomes siloed across the cloud SDLC, with numerous duplicates and false positives. This makes life harder for the security team, causing delays in remediation and a disconnect between cloud security teams, infrastructure teams, and DevOps teams.
How have we managed this problem in the past?
Traditional SIEM tools (now part of XDR) have been aggregators of important security data and are critical for incident response, log archival, and large-scale event correlation. SOAR (also part of XDR) is a great tool for developing custom response workflows. However, neither SIEM nor SOAR is an ideal solution for identifying root cause, automating cloud security investigations, and remediating cloud security issues at scale. Both tools still require someone to take on the challenging (and manual) tasks of deciphering security issues across multiple tools, identifying the root cause, and guiding application teams on how best to remediate. XDR tools often struggle with handling complex asset and issue relationships, mapping SDLC security issues to applications and services, and effectively managing context around state-based issues. This fragmentation has exacerbated the challenges security teams face.
A primary responsibility of security teams is to swiftly empower DevOps, application, and infrastructure teams to remediate issues. However, with the current toolset neither identifying the root issue nor providing the root solution, this process demands a considerable amount of time and expertise. In some cases, it might even be impossible without access to rich contextual information from the various SDLC security tools. For instance, cloud security engineering teams might overlook essential data from the development pipeline, such as static and dynamic security issues connected to production problems. This fragmented, siloed perspective on data poses challenges for organizations trying to efficiently reduce cloud risk.
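To make the siloed-data problem concrete, here is an added illustration (not Longbow’s code and not from the original post) that links findings from four hypothetical tools back to a shared origin through a constructed build-provenance map, so that one root cause absorbs every alert raised about it downstream. All tool names, assets, stages and findings are made up for the example.

```python
from collections import defaultdict

# Constructed provenance map (deployed service -> image -> source repo); assumed, not from any tool.
BUILT_FROM = {
    "svc:payments-prod": "image:payments:1.2",
    "svc:payments-staging": "image:payments:1.2",
    "image:payments:1.2": "repo:payments",
}
STAGE_ORDER = {"code": 0, "build": 1, "test": 2, "prod": 3}

# Constructed findings from four hypothetical tools, each seeing only its own SDLC stage.
FINDINGS = [
    {"tool": "sast", "stage": "code", "asset": "repo:payments", "issue": "sql-injection"},
    {"tool": "dast", "stage": "test", "asset": "svc:payments-staging", "issue": "sql-injection"},
    {"tool": "waf", "stage": "prod", "asset": "svc:payments-prod", "issue": "sql-injection"},
    {"tool": "sca", "stage": "build", "asset": "image:payments:1.2", "issue": "vulnerable-dependency"},
    {"tool": "cspm", "stage": "prod", "asset": "svc:payments-prod", "issue": "vulnerable-dependency"},
    {"tool": "cspm", "stage": "prod", "asset": "bucket:audit-logs", "issue": "public-read"},
]

def source_of(asset):
    """Walk provenance back to the earliest known asset (the source repo, or the asset itself)."""
    seen = set()
    while asset in BUILT_FROM and asset not in seen:  # guard against cyclic maps
        seen.add(asset)
        asset = BUILT_FROM[asset]
    return asset

def root_causes(findings):
    """Collapse findings sharing (origin asset, issue type) into one root cause and rank them."""
    groups = defaultdict(list)
    for f in findings:
        groups[(source_of(f["asset"]), f["issue"])].append(f)
    rows = []
    for (origin, issue), items in groups.items():
        rows.append({
            "origin": origin, "issue": issue,
            "fix_at": min(items, key=lambda f: STAGE_ORDER[f["stage"]])["stage"],
            "findings": len(items),
            "tools": sorted({f["tool"] for f in items}),
            "in_prod": any(f["stage"] == "prod" for f in items),
        })
    # Production-exposed causes first, then those that collapse the most alerts.
    rows.sort(key=lambda r: (not r["in_prod"], -r["findings"]))
    return rows

if __name__ == "__main__":
    for r in root_causes(FINDINGS):
        print(f"{r['origin']:<20} {r['issue']:<22} fix at {r['fix_at']:<6} {r['findings']} findings via {r['tools']}")
```

Six alerts from four tools collapse to three root causes, and the earliest stage in each group is where the fix belongs (the SQL injection seen by the WAF in production is fixed in the repository, not at the edge).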
Getting to Root Solutions
That’s why we built Longbow to be a force-multiplier for cloud security teams and their existing tools. Longbow automates issue prioritization, contextualization, and root cause analysis to discover the Best Next Actions™ that reduce the most risk with the least amount of investment. Stay tuned for Part Two in the series, where we will discuss the pain, time, and expense of “Remediation Busyness”.
- Cybersecurity Insiders (2021). “2021 Cloud Security Report.” Retrieved from https://cybersecurity-insiders.com/2021-cloud-security-report/
CPO and Co-founder of Longbow Security