Just like in the movie Jurassic Park, it’s not the velociraptor you see, it’s the velociraptor you DON’T see that will attack you from a different direction!
Cybersecurity is much the same, which is why having control over your network, and visibility into attacks and behaviors, is so important. Many companies are rightfully intimidated by cybersecurity, or are held back by the cost of experts or of implementation. As a result, they turn to outsourced solutions, often hosted on Amazon Web Services or Azure.
There are a few problems with this approach: control, flexibility, and compliance.
Like a one-size-fits-all track suit, you may have to learn to like an outsourced solution on AWS or Azure. The email may work fairly well, and be a familiar implementation of MS Exchange. But you rarely get visibility into any kind of SIEM (Security Information and Event Management) system, much less plans for system patching or upgrades, or an analysis of attack vectors. A SIEM ingests large volumes of data – logs and behaviors – and correlates them to indicate breaches, attempted or successful.
But companies don’t get to customize their cloud SIEMs, nor do they have visibility into the data being collected or into how the correlation engines work (rule sets, learning/AI systems, etc.). As a result, companies are left to hope that they are not being attacked, and to trust whatever firewall rules and logs provide the underlying source for the analysis. If companies controlled their own configurations, they would want to track attack attempts (not just successes), track activity inside the network (not only at the exterior firewall), and choose their own data sources – logins, file systems, and traffic patterns – to build a more thorough and representative picture of the network and its threat vectors, and a way to adapt to changing threats.
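To make the kind of correlation described above concrete, here is an added example (written for this article, not code from any cloud provider or SIEM product) of two customizable rules run over constructed sample logs: an SSH auth log and an internal file-server access log. Rule 1 flags a run of failed logins followed by a success from the same source (an attempt, not just a success), and Rule 2 correlates that alert with subsequent reads of sensitive paths from inside the network. The log formats, thresholds, windows, IP addresses and paths are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (invented for this example, not captured from a real system).
AUTH_LOG = """\
2024-03-01T02:14:05 sshd[1021]: Failed password for admin from 10.0.5.77 port 51234
2024-03-01T02:14:09 sshd[1021]: Failed password for admin from 10.0.5.77 port 51235
2024-03-01T02:14:13 sshd[1021]: Failed password for admin from 10.0.5.77 port 51236
2024-03-01T02:14:17 sshd[1021]: Failed password for admin from 10.0.5.77 port 51237
2024-03-01T02:14:21 sshd[1021]: Failed password for admin from 10.0.5.77 port 51238
2024-03-01T02:14:40 sshd[1021]: Accepted password for admin from 10.0.5.77 port 51240
2024-03-01T09:01:00 sshd[2200]: Failed password for alice from 10.0.7.12 port 40001
2024-03-01T09:03:30 sshd[2200]: Accepted password for alice from 10.0.7.12 port 40002
"""

FILE_LOG = """\
2024-03-01T02:15:02 fileserver user=admin src=10.0.5.77 action=read path=/finance/payroll.xlsx
2024-03-01T02:15:03 fileserver user=admin src=10.0.5.77 action=read path=/finance/q4-forecast.xlsx
2024-03-01T02:15:04 fileserver user=admin src=10.0.5.77 action=read path=/hr/ssn-export.csv
2024-03-01T09:05:00 fileserver user=alice src=10.0.7.12 action=read path=/eng/readme.md
"""

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FILE_RE = re.compile(r"^(\S+) fileserver user=(\S+) src=(\S+) action=(\S+) path=(\S+)")


def parse_auth(text):
    """Turn auth log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "result": result, "user": user, "src": src})
    return events


def parse_file(text):
    """Turn file-server log lines into dicts (same skip-on-mismatch behaviour as parse_auth)."""
    events = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            ts, user, src, action, path = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                           "action": action, "path": path})
    return events


def brute_force_then_success(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: at least `threshold` failed logins for one (source, user) pair inside `window`,
    followed by a successful login for the same pair. Threshold and window are tunable."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]  # drop stale failures
        else:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"], "failures": len(recent)})
            failures[key].clear()
    return alerts


def sensitive_access_after_alert(alerts, file_events, prefixes=("/finance/", "/hr/"),
                                 window=timedelta(minutes=10)):
    """Rule 2: correlate a login alert with reads of sensitive paths by the same user from the
    same internal source within `window` of the suspicious login."""
    results = []
    for a in alerts:
        hits = [f for f in file_events
                if f["src"] == a["src"] and f["user"] == a["user"]
                and a["ts"] <= f["ts"] <= a["ts"] + window
                and f["path"].startswith(prefixes)]
        if hits:
            results.append({"rule": "sensitive_access_after_suspicious_login", "src": a["src"],
                            "user": a["user"], "paths": [h["path"] for h in hits]})
    return results


def run(auth_text=AUTH_LOG, file_text=FILE_LOG):
    """Run both rules and return the combined alert list (login alerts first)."""
    login_alerts = brute_force_then_success(parse_auth(auth_text))
    return login_alerts + sensitive_access_after_alert(login_alerts, parse_file(file_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the admin account trips Rule 1 (five failures, then a success, all within five minutes) and then Rule 2 (three sensitive reads from the same host within ten minutes), while alice's single typo does not. The point of owning the rules is visible in the function signatures: the threshold, the window and the list of sensitive prefixes are yours to change, and the failed attempts are recorded whether or not they succeed.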
This is why great flexibility and customized analysis for delegated administrators are the hallmarks of a well-designed system and SIEM. Enterprise-class SIEMs actually have this type of flexibility; the challenge is that most cloud providers don’t provide interfaces for customization, or don’t want to retain the vast volumes of data that would be needed to give companies and their delegated admins the ability to select data sets and correlate threat vectors.
Which leads to compliance. While CMMC rules are still evolving, cloud solutions are built on data interleaving and redundancy – that is how RAID, efficiency, and redundancy work. But unless data is properly protected and isolated, compliance can be tricky: a cloud provider may struggle to produce disk images for cyber event analysis when data from many companies is interleaved and spread across multiple volumes. The result may be compliance in name only, and a need for cloud services to grow beyond a simple data-processing role to provide services truly worthy of a cybersecurity partner. Without these types of analysis features, it is the cyber attack you didn’t see coming, the one your SIEM or its limited customization didn’t allow you to discern, that goes unidentified even though it is critical to your operation. And when you only see the results, it may feel like the velociraptor that snuck up on you from the side just found its next meal.