BACKGROUND IMAGE: verticalarray/stock.adobe.com
As powerful as the cloud may be, it's not magic. If you have a problem before you transition to the cloud, it won't...
just go away once you make the switch.
Cloud security monitoring is a good example of this. Organizations have historically struggled with monitoring for cloud security issues: data volume from logs and alert information is high, complexity can create visibility gaps and fatigue can set in among those resources parsing monitoring data -- particularly when there's a high rate of false positives.
To make security monitoring most effective in a cloud context, organizations need to think strategically and put some planning into their monitoring efforts; they need to think through both new cloud usage as they add different types of cloud services, and the intersection points between cloud and on-premises monitoring. Understanding how to do this first involves understanding how cloud security monitoring services work, understanding what options are available depending on the types of services they employ and applying a few techniques to ensure that they create a holistic monitoring picture.
How security monitoring in the cloud works
Consider what happens when traditional log management or log correlation are used to support the cloud. Depending on the type of services that drive your organization's enterprise applications, it can be challenging to draw a direct one-to-one mapping between these tools and cloud environments.
This is true for a few reasons. First, being a cloud customer means not having full visibility into the entirety of the underlying application stack. In on-premises environments, you had visibility into everything from the top of the application stack down to the bare metal of the physical hosts and the cable connecting those hosts to each other.
As a cloud customer, much of the underlying substrate is abstracted from your view. The amount and type of data available will vary depending on the type of cloud service you employ and the provider you've selected: for example, logs from a serverless environment like AWS Lambda will have a different format from that coming out of Microsoft's Azure Compute. Ultimately, the type of data, the verbosity of that data, and the method for accessing that data will depend on the service provider, the specific product at that service provider, and your own particular use of the cloud platform.
Second, there are specific tool sets that cloud providers have made available to their customers to help with cloud security monitoring challenges. The specifics of how these tools work vary with implementation. A service like AWS GuardDuty, for example, can help provide better and timelier information about AWS resources. Products like Microsoft Azure Sentinel can provide a monitoring capability in a hybrid scenario by bringing together monitoring from the on-premises environment as well as data in Azure.
If your organization uses both AWS and Azure -- with any number of other environments and SaaS services -- you'll have a number of different possible monitoring capabilities, as well as a number of different methods for gaining access to those capabilities. Building a complete cloud security monitoring solution for your environment means pulling together the relevant data from all sources and using them to their best effect.
In addition to technical challenges, there are also business and process challenges. Aside from shifts in scope, there are also potential service provider issues that can come into play. This is particularly true with smaller or more niche service providers you might employ from a SaaS provider offering a targeted business application. Is the service provider keeping the types of records you think they are? Are they generating alerts or other monitoring-relevant information in a format that your staff can consume and use? Is the monitoring data you receive sufficient to be able to prove that a particular event did or didn't happen? Have you checked?
Cloud security monitoring best practices
There are a three steps or cloud security monitoring best practices organizations can take to help ensure their monitoring capability is as robust and useful as it can be. These aren't the only ways to establish comprehensive monitoring. Depending on what the organization uses the cloud for and what providers it uses, there could potentially be hundreds or thousands of different individual steps to best hone monitoring capabilities. At a high level, there are a few things that will almost always provide benefits, regardless of the specific nuances of the deployments.
1. Know your usage
To develop a cloud security monitoring strategy, you'll need to know a few things. First and foremost, you'll need to know what applications and data you want to monitor. In other words, the intended scope of coverage for your monitoring efforts, including what systems, products, services and service providers are in scope.
Shadow use of cloud applications and services can make it challenging to get to a complete list of everything in scope. Likewise, changes in usage -- either from evolution of how services are used by business or technology teams or from new service offerings on the part of providers -- can make today's complete list an incomplete one tomorrow. Making an effort to understand what you want to monitor is a key element in planning a comprehensive monitoring strategy.
2. Know your providers and their features
Let's revisit the example of Microsoft Azure Sentinel and AWS GuardDuty -- two monitoring-related features from two major cloud providers. These only represent one of many monitoring-related features available from these providers.
In the AWS world, GuardDuty provides security-relevant alerting, but there's also CloudWatch for event collection, CloudTrail for operational auditing and numerous other monitoring-related features. They are each designed to solve a particular problem. Understanding what those features are, how they work and how they interrelate is a valuable tool in your toolbox.
Some cloud providers like smaller SaaS vendors might have more limited monitoring options while major providers like AWS or Microsoft may have more than one option with many opportunities for customization. Researching what those options are enables organizations to select the right options based on how, where and for what they're employing that provider.
3. Integrate where you can
Knowing what your monitoring options are and what you'll need to apply them to is a great start, but getting a complete monitoring picture means piecing together different services from different providers. Depending on the number of providers in scope, you may find that collecting the data for analysis can be cumbersome. It can be valuable to work through the two lists you've created -- applications/data in scope and service provider monitoring features -- systematically to ensure that your monitoring approach is complete and, where possible, that you're pulling together and integrating that information to enable administrative and operational personnel to monitor it in an efficient manner. Depending on the service provider, you may be able to export telemetry or log data to other platforms or consume it directly from security tools; where possible, that can be advantageous.
Top monitoring tools
There is a plethora of cloud security monitoring tools available for enterprise use. AWS offers a few previously mentioned tools: Amazon CloudWatch, CloudTrail and GuardDuty.
CloudWatch enables real-time monitoring of AWS resources and customer applications running on the Amazon infrastructure, in a hybrid cloud environment and through on-premises applications. CloudWatch provides organizations with metrics about CPU use, latency and request counts.
AWS CloudTrail focuses more on governance, compliance and risk auditing. It provides an API for call-recording and log-monitoring web services. CloudTrail also offers to send alerts about logs in near real-time. It also provides continuous monitoring of AWS account activity and pulls together account event history.
Amazon GuardDuty is a threat detection service that offers continuous monitoring for malicious activity on users' AWS accounts and workloads. GuardDuty can also be integrated with CloudWatch to monitor multiple accounts.
While AWS is arguably ahead of the cloud security monitoring curve as of this writing, Microsoft also offers Azure Sentinel for cloud monitoring. It was released in early 2019 and collects data across the enterprise's use of Office 365. It also uses machine learning for threat detection and automates some monitoring tasks.
Microsoft also offers Azure Monitor for log analytics and end-to-end application monitoring.
Other cloud security monitoring tools include Cisco's AppDynanics, CA Unified Infrastructure Management, VMware's Hyperic, New Relic and Exoprise.