Of all of the solutions we examined for this month's emerging products, this was the most surprising. The need seems to us to be obvious but this is the first actual example we've seen of a product of this type. The typical security operations center (SOC) has been pretty well-defined for the hardware and software defined data centers when those data centers are on-premises. But what about if the data center is in the cloud? Will the traditional SOC suffice? Elastica doesn't think so and we have to agree.
On the surface, CloudSOC really is little more than redefining a few terms to make them more cloud friendly. IDS/IPS, for example, becomes "Detect" in CloudSOC parlance. But this creative approach to managing security in the cloud is a lot more than semantics. While functionality may seem the same on the surface, a SOC for the cloud has some real challenges that a physical SOC cannot address easily or reliably. That is why, when we looked this one over, we had a sort of "aha!" moment. We were tempted to say "Why didn't we think of that?"
Fundamentally, CloudSOC is a new security stack defined for the cloud, residing in the cloud and provisioned from the cloud (or what Elastica defines as SOC 2.0). The CloudSOC security stack consists of audit, detect, protect and investigate functionality. These four broad functions break out into a variety of tools. The tools broadly break out into device logs (as defined by the security devices in use in the cloud environment), gatelets (gateways as defined by the cloud applications in use) and securelets (as defined by the applications in use in the cloud). These tools can be added directly from the cloud.
Once a user has configured a SOC environment, they run it as one would a physical SOC with the exception that being addressed are the security management and monitoring issues peculiar to the cloud. So, for example, one can add users and provision their accounts centrally. Admins have dashboards that are specific to the four individual pillars or are a general look at the security environment. The general dashboard provides such things as the services being audited, threat alerts and policy alerts. One strong feature is that the dashboard identifies high risk, moderate risk and blocked users. All of this is displayed in an intuitive fashion.
Specific dashboards are even more interesting. For example, one aspect of the audit dashboard is auditing shadow IT. This is a recurring theme in all of the security tools at which we have looked. Looking at the overall audit dashboard, we see such things as an audit score. Scores are a big part of this tool because scores give an objective way to gauge the security health of the enterprise. Each of the four functions, except device logs (audit, detect and protect) has its own dashboard. Device logs has a comprehensive listing by data sources with excellent drill-downs.
In addition, the tool has a useful function called the ThreatScore. ThreatScore is based on the severity of suspicious activity and has a simple, but comprehensive, drill-down. It's high accuracy is based on behavior analysis of user activities and is fully automated for enforcing policies in complicated environments where a human administrator might miss something. The display is intuitive.
The usage graph is organized by services and takes special note of messages generated by each service, or application, and then tracks the severity of the messages. Documents are classified using natural language processing and semantic analysis. Once classified, policies can be applied and enforced to prevent data leakage. Policies can be applied to services and no matter from where those services are accessed, the policy will be applied.
Further, users can create their own dashboards using widgets and drill-downs giving custom views for various applications.
This is a most unusual but extremely useful tool set. The idea that the cloud needs a different type of security management, albeit one that feels familiar to traditional security administrators, seems obvious. However, to our knowledge, there are no direct competitor to CloudSOC available. Another thing that we liked about this tool is that because it is based on the activity in the cloud and because it is a unified collection of applications, it effectively puts the cloud and its security management under a single pane of glass. While there are good arguments for concatenating the physical, virtual and cloud data centers into a single management tool, our opinion is that there is more benefit in peeling off the cloud because it has so many unique aspects - many of which are not technical but, rather, contractual - and demands its own security management tool set.
At a glance
Product Elastica CloudSOC Platform
Price Pricing varies based on subscription, users and the specific modules the customer wishes to implement.
What it does A security operations center defined for the cloud, residing in the cloud and provisioned from the cloud.
What we liked This is one of those rare products where we have to ask, "What's not to like?" This has everything admins need to provision and operate a SOC designed specifically to manage security in cloud-based, software-defined data centers.