Cyber teams
Excerpt from a monthly review between FinOps and SOC:
"Your farm of 10 servers costs €1,000/month each just to process logs. Is that really necessary?"
"There are three years' worth of network logs sitting on SSDs. Do you ever plan to use them?"
FinOps, in its mission to control/reduce infrastructure costs, will often be at odds with the teams in charge of cybersecurity (SOC, governance) who seek to secure the company at any cost.
This article aims to highlight some of the existing points of friction, but also to show what FinOps can bring to cybersecurity. The examples will be mainly based on Azure, but apply equally to AWS or GCP.
Points of friction
Feature activation
Most companies ask their cyber teams to produce best-practice guides for each cloud service (this configuration must be enabled, this setting is prohibited because it does not comply with security policy, etc.). Written purely from a security standpoint, these guides tend to require every available feature as long as it raises the security of the infrastructure. For example, Amazon QuickSight (BI service) comes in two editions, Standard and Enterprise, which deliver almost the same business features. The Enterprise edition adds, among other things, private (VPC) network access and Active Directory integration. Unsurprisingly, it is more expensive. Security will therefore prohibit deployment of the Standard edition. This is logical and consistent, but the analysis never weighed security risk against cost: does the protection the Enterprise edition brings justify its additional price?
The logs
As key tools for security teams, logs can be the first sign of an attack or the only trace an attacker leaves behind. On Azure, several types of logs are commonly ingested into Microsoft Sentinel:
- Azure AD (now Microsoft Entra ID) logs (user sign-ins and directory audit events)
- Azure Activity Log (control-plane operations performed through the Azure portal, API or CLI)
- Diagnostic/resource logs (specific to each resource type; they often include audit events from the data plane)
- AD logs (Windows event logs collected from the on-premises Active Directory domain controllers)
- M365 solution logs (Defender, Purview, Office 365, etc.)
- Network Watcher flow logs (metadata, not payload, for every flow evaluated by Azure network security groups)
Feeding AD logs into Sentinel gives unparalleled visibility over your Active Directory, but the volume of events can be overwhelming: domain controllers are among the most verbose sources there are. It is vital not to collect everything, but to filter at the source for the events that matter to security. Azure Monitor Agent (which replaces the Log Analytics agent) supports this through DCRs (Data Collection Rules): the rule's XPath queries select events by ID (4766, an attempt to add SID History to an account, for example) or by severity level before they leave the host, so the filtered-out events are never ingested or billed.
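As an added illustration (not code from the original article), the following Python builds the XPath string that goes into a DCR's `xPathQueries` from an allow-list of Security event IDs, and applies the equivalent filter to a constructed sample of domain-controller events to measure how much never gets shipped. The event ID allow-list, the data source name and the sample events are assumptions made for this example; only the XPath syntax and the `Microsoft-SecurityEvent` stream name come from Azure Monitor Agent's DCR format.

```python
"""Source-side filtering of Windows Security events for Azure Monitor Agent.

A DCR (Data Collection Rule) collects Windows events through XPath queries
that the agent evaluates on the host before anything is sent to Log
Analytics. This example builds such a query from an allow-list of event IDs
and runs the equivalent filter offline over constructed events.
"""
from typing import Iterable

# Assumed allow-list for illustration: IDs that usually mean someone is
# tampering with the directory. Tune it to your own detection content.
AD_EVENT_IDS = {
    4765,  # SID History was added to an account
    4766,  # An attempt to add SID History to an account failed
    4720,  # User account created
    4728,  # Member added to a security-enabled global group
    4732,  # Member added to a security-enabled local group
    4756,  # Member added to a security-enabled universal group
    4740,  # User account locked out
    4768,  # Kerberos TGT requested (high volume; consider failures only)
}

# Keyword bits of the Windows Security log (Windows event schema).
AUDIT_FAILURE = 0x0010000000000000  # 4503599627370496
AUDIT_SUCCESS = 0x0020000000000000  # 9007199254740992


def build_security_xpath(event_ids: Iterable[int], failures_only: bool = False) -> str:
    """Return the XPath to place in a DCR's windowsEventLogs.xPathQueries.

    AMA accepts a subset of XPath 1.0 evaluated on the System node; 'band'
    is supported for testing keyword bits such as Audit Failure.
    """
    ids = " or ".join(f"EventID={i}" for i in sorted(event_ids))
    cond = f"({ids})"
    if failures_only:
        cond = f"{cond} and band(Keywords,{AUDIT_FAILURE})"
    return f"Security!*[System[{cond}]]"


def dcr_data_source(name: str, xpath: str) -> dict:
    """Fragment for the dataSources section of a DCR (ARM/Bicep JSON shape)."""
    return {
        "windowsEventLogs": [
            {"name": name, "streams": ["Microsoft-SecurityEvent"], "xPathQueries": [xpath]}
        ]
    }


def keep_event(event: dict, event_ids: set, failures_only: bool = False) -> bool:
    """Python equivalent of the XPath above, so the rule can be checked offline."""
    if event["EventID"] not in event_ids:
        return False
    if failures_only and not (event["Keywords"] & AUDIT_FAILURE):
        return False
    return True


def filter_events(events: list, event_ids: set, failures_only: bool = False) -> list:
    return [e for e in events if keep_event(e, event_ids, failures_only)]


def reduction_ratio(events: list, event_ids: set, failures_only: bool = False) -> float:
    """Share of events the DCR would drop before ingestion (0.0 to 1.0)."""
    kept = len(filter_events(events, event_ids, failures_only))
    return 1 - kept / len(events)


# Constructed sample (not real data) of what a domain controller emits in a
# few seconds: mostly logon/logoff noise, one refused TGT, one SID History attempt.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Keywords": AUDIT_SUCCESS},  # logon
    {"EventID": 4634, "Keywords": AUDIT_SUCCESS},  # logoff
    {"EventID": 4662, "Keywords": AUDIT_SUCCESS},  # directory object access
    {"EventID": 4768, "Keywords": AUDIT_SUCCESS},  # TGT issued
    {"EventID": 4768, "Keywords": AUDIT_FAILURE},  # TGT refused
    {"EventID": 4766, "Keywords": AUDIT_FAILURE},  # SID History attempt failed
    {"EventID": 5156, "Keywords": AUDIT_SUCCESS},  # filtering platform allowed a connection
    {"EventID": 5156, "Keywords": AUDIT_SUCCESS},
]

if __name__ == "__main__":
    xpath = build_security_xpath(AD_EVENT_IDS)
    print(xpath)
    print(dcr_data_source("ad-security-filtered", xpath))
    print(f"dropped {reduction_ratio(SAMPLE_EVENTS, AD_EVENT_IDS):.0%} of the sample events")
```

The `failures_only` switch is the cheap lever on noisy IDs such as 4768: a refused TGT is interesting, the thousands of successful ones rarely are. Whatever the list, keep the Python filter and the DCR in the same repository and test them together, so that a change to the allow-list is reviewed by the SOC before it lands on the agents.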
Note the arrival of the Defender for Identity sensor, which does not forward raw events but recognizes attacker behaviors (golden tickets, etc.) and reports those. This reduces storage costs but requires an additional license.
Network Watcher logs can also grow very large if every feature is enabled permanently and everywhere:
- Traffic Analytics makes the flow logs readable, but is billed on the volume of logs it processes.
- Flow log version 2 adds per-flow session statistics (bytes and packets), so each record is larger.
- Retention, which can be unlimited.
In large environments it is very easy to accumulate terabytes of data that lie dormant for a long time and are barely used. Traffic Analytics is nonetheless extremely powerful and makes it easy to answer questions such as:
- Which hosts see the most blocked traffic? (allowed/denied traffic statistics)
- Is the bandwidth of our links (gateway SKU) adequate, and where is it not?
The FinOps team can and should challenge the security teams' settings to achieve settings that are relevant and cost-effective for the organization (retention may be lower in non-production/critical environments, etc.).
The risk of all-you-can-eat security (turning on every feature) is that, after a while, the business no longer wants to pay the bill and abruptly cuts off tools that are highly relevant to the organization's security.
Symbiosis between FinOps and Cybersecurity teams
Reducing the attack surface
One of the first tasks of a FinOps team is to track down and remove unused resources that the cloud provider is still billing. Removing them also removes potential entry points (a public IP address that was never released and is still attached to a development VM connected to the corporate network) and relays for lateral movement (an orphaned Function App).
Security teams will be able to identify these resources (because they are no longer being maintained, for example), but they often find it difficult to get business operations teams to listen to them ("you never know, it might still be useful"). The FinOps team, addressing the business directly with specific, factual arguments ("this resource is €500/month thrown out the window"), elicits a response from the business teams, who will ensure that the resources are removed as quickly as possible, unlike a hypothetical security risk, which will not necessarily motivate them to take action.
BLUEPRINT IMAGE
Another task will be to implement automated systems for shutting down/starting up resources during the night/weekends/holidays (60-70% savings on average compared to a resource that is always available) for development/acceptance testing environments, etc.
This also shrinks the window during which these resources are exposed, and it eases the work of the cyber teams by limiting events and logs during non-working hours, when fewer security staff are available to handle them.
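The decision logic of such a shutdown/startup automation, as an added example that is not part of the original article: a runbook reads an operating-hours tag on each VM and decides whether to start it, stop it or leave it alone. The tag name (`OperatingHours`), its format (`Mon-Fri 08:00-20:00`, times in UTC) and the power-state strings are assumptions for this example. The security point is in the failure mode: a missing, malformed or tampered tag produces no action at all rather than a start or a stop, so someone who can edit tags cannot turn the automation into a way of knocking machines offline or keeping them running.

```python
"""Tag-driven start/stop decision for non-production compute (added example).

Assumed tag format: "Mon-Fri 08:00-20:00" (inclusive day range, times in UTC,
half-open time window). Anything else is treated as invalid and results in no
action, so a tampered tag cannot drive an unwanted start or stop.
"""
import re
from datetime import datetime, time, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
_DAY = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"
_TAG_RE = re.compile(
    rf"^(?P<d1>{_DAY})-(?P<d2>{_DAY}) "
    r"(?P<h1>\d{2}):(?P<m1>\d{2})-(?P<h2>\d{2}):(?P<m2>\d{2})$"
)


def parse_operating_hours(tag):
    """Return (first_day, last_day, start, end) or None when the tag is unusable."""
    m = _TAG_RE.match(tag or "")
    if not m:
        return None
    d1, d2 = DAYS.index(m["d1"]), DAYS.index(m["d2"])
    try:
        start = time(int(m["h1"]), int(m["m1"]))
        end = time(int(m["h2"]), int(m["m2"]))
    except ValueError:  # e.g. "25:00"
        return None
    if d1 > d2 or start >= end:  # overnight windows are deliberately not supported
        return None
    return d1, d2, start, end


def should_be_running(tag, now: datetime):
    """True/False inside/outside the window; None when the tag cannot be trusted."""
    parsed = parse_operating_hours(tag)
    if parsed is None:
        return None
    d1, d2, start, end = parsed
    now = now.astimezone(timezone.utc)
    return d1 <= now.weekday() <= d2 and start <= now.time() < end


def plan_action(tag, power_state: str, now: datetime) -> str:
    """Decide 'start', 'stop', 'none' or 'invalid-tag' for one VM.

    power_state is the hypervisor view, e.g. "running" or "deallocated".
    'invalid-tag' should be logged and alerted on, never turned into a guess.
    """
    desired = should_be_running(tag, now)
    if desired is None:
        return "invalid-tag"
    running = power_state == "running"
    if desired and not running:
        return "start"
    if not desired and running:
        return "stop"
    return "none"


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Helper to build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed inventory: (name, OperatingHours tag, power state).
    inventory = [
        ("dev-web-01", "Mon-Fri 08:00-20:00", "deallocated"),
        ("dev-web-02", "Mon-Fri 08:00-20:00", "running"),
        ("dev-db-01", "Mon-Fri 08:00-20:00; rm -rf", "running"),  # tampered
        ("uat-app-01", None, "running"),                          # untagged
    ]
    for name, tag, state in inventory:
        print(name, "->", plan_action(tag, state, utc(2024, 1, 2, 9, 0)))
```

Two design choices are worth keeping whatever the platform: the window is evaluated in a single explicit time zone so that a clock or locale change on the automation host cannot shift it, and "no tag" and "bad tag" both map to "do nothing and alert", which is the cheapest way to make the automation a poor weapon for the attacker described later in the article.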
Reduce potential targets for data theft
Another task is to reduce storage costs (20-40% of the cloud bill), either by requesting the deletion of data (duplicates, data past its retention period, data that is no longer relevant) or by moving it to slower but cheaper tiers (very effective for rarely accessed data). Cloud providers offer automated lifecycle management tools, which can also help compliance teams enforce retention periods for legal documents, PII, etc.
Cost of the same dataset under three usage scenarios, by access tier:

| Scenario | Hot | Cold | Archive |
|---|---|---|---|
| Storage only | 20.42 | 11.16 | 1.91 |
| Reading | 681.86 | 738.02 | 55648.04 |
| Writing | 633.05 | 1153.37 | 1247.96 |
Changing access tier is effective only if you understand how your data is consumed: the Archive tier also requires rehydration (a matter of hours) before data can be read at all. Depending on usage, moving to Archive can divide your bill by 10 or multiply it by 2,000.
Azure Backup is the backup solution for VM-type resources. Once a VM has been backed up, Azure Backup keeps its last recovery point until someone explicitly stops protection and deletes the backup data, even if the VM itself has been deleted. This can pose a security risk (data kept beyond its retention period, restoration by a malicious administrator, etc.). Fortunately, Azure bills backup storage, so the FinOps team has every reason to implement an automatic purge that retains only relevant recovery points, which also limits the risk of data leakage.
These FinOps actions enable cybersecurity teams to protect only relevant resources and limit their number.
IMAGE BACKUP INSTANCES
Azure Backup Center dashboard: the additional cost can quickly reach several thousand euros per month.
Reduce available resources on a compromised system
Another task is to ensure that resources, compute in particular (VMs, App Service, ASE), are sized just right: enough to do their job with acceptable performance, and no more. If a system is compromised by ransomware, the attacker has less computing power at hand, which slows down the encryption of your data.
Shutting down production elements outside working hours can be risky (Microsoft does not guarantee that resources will restart immediately; recall the start of the first lockdown, when demand for cloud capacity was so high that Microsoft could not honor every restart). An alternative is to resize them on the fly (for PaaS resources) via a Function App.
Identify the owners of the resources
Another FinOps activity will be to ensure that each resource has an owner so that the cost of the resource can be billed back to them, particularly via tags. This will make the work of the Cyber teams easier, as they will be able to quickly identify a contact in the event of an incident involving a resource.
Conclusion
Cost-driven management
ISO/IEC 27000 defines information security as the preservation of the confidentiality, integrity and availability of information; in practice, it comes down to ensuring that an organization's hardware and software resources are used only for their intended purpose.
IT security is also about ensuring that an attacker spends more to succeed than the attack can gain. Symmetrically, our defenses must not cost more than what they protect.
We are moving from a purely risk-based approach to a cost-aware one. The public cloud makes this possible: each setting can be priced immediately from the provider's billing estimates, or after a short trial period. CISOs have found budgets easier to obtain in recent years because executive committees have made cyber threats a priority. That may not last, and CISOs will have to prove they are spending wisely.
Most GDPR compliance projects were approved easily thanks to the threat of a fine of up to 4% of turnover. Cyber projects need to be presented with the same kind of argument to make it into the budget!
Working with cybersecurity teams
Note that attackers have a new opportunity here: modifying cloud resource configurations to drive up costs and hurt the company. Configuration control tools, rigorous IAM management and monitoring of operations are more relevant than ever.
The automated processes put in place by FinOps teams (shutdown/startup, purging, etc.) are critical and are prime targets for attackers seeking to disrupt operations (hundreds of developers could lose a morning's work if their machines fail to start). They must be reviewed by the cybersecurity teams and monitored as such.
Tags are central to FinOps: they carry the owner, business unit, environment type and operating hours (for automatic shutdown/startup). Particular care is therefore needed with the rights to modify them (unlike AWS, whose IAM policies can condition permissions on tag keys, Azure RBAC does not yet allow write rights to be scoped to a single tag key). The tagging strategy (which tags, who may change them) must be discussed and approved by all stakeholders in the company.
Balance to be found
It should be noted that resilience with SRE (Site Reliability Engineering) will be added to the cost/security discussion. Organizations must provide their business teams with a guide/framework for using the various cloud services covering these three aspects (and update them regularly).
The ability of FinOps teams to challenge cyber teams effectively on their costs will be essential to keeping management's support for cyber initiatives over the long term. DevSecOps must evolve into its final form: DevSecFinOps.
Matthieu GAILLARD-MIDOL
Practice Leader DevSecOps, Squad