Greater use and consumption of cloud-based services has been a key trend amid the COVID-19 pandemic these past twelve months. The ability to access and operate corporate services from anywhere has minimised disruption to business as usual for many, but migration to cloud also brings a number of key risks which need to be considered, such as the proliferation of "shadow cloud", an ever-widening attack surface, and the need for greater speed and agility in responding to incidents and events.
The risk of introducing ‘blind spots’
The abstraction of infrastructure into public clouds has left many organisations with blind spots. Cloud environments are often spun up in isolation from the security team, and even for those the organisation is aware of, knowing what to log, monitor and alert on can quickly become overwhelming. Major cloud providers have come a long way in the logging and monitoring solutions they provide, but as with all things 'cloud', responsibility here is shared: the provider records activity against its control plane, but enabling, retaining and acting on those logs is down to the customer. To address this, a threat-led approach is key: review the service provider's offerings and evaluate their effectiveness and coverage against the unique attack surface presented by your cloud infrastructure.
Even once the required visibility is in place, the challenges cloud poses to monitoring and response remain substantial. Configuration changes can be made at the flick of a switch, with resources provisioned and destroyed almost instantly. Topologies and attack vectors change by the week, so the focus can no longer rest on traditional Indicator of Compromise (IoC) detection, fixed asset lists and reactive measures alone.
Instead, effective cloud security monitoring is reliant on proactive identification of misconfigurations, anomaly detection, and the facilitation of quick response.
Being proactive means enabling greater security
A key benefit of cloud is that it allows you to be agile. The same benefit, however, holds for adversaries who gain a foothold in your infrastructure: a compromised privileged account can exfiltrate data at the click of a button, leaving little time for a security team to respond. This is compounded by the fact that managing cloud infrastructure is incredibly complex, something often disguised by the user-friendly UIs service providers present. It is not surprising, then, that the vast majority of cloud breaches follow similar patterns and result from misconfiguration.
From experience, it is only too common to see least privilege applied inconsistently and ineffectively, networks left unintentionally exposed, and essential controls such as MFA not enforced. With this in mind, cloud security monitoring is well placed to be used as a tool to proactively detect such weaknesses and improve security posture, rather than solely to react to incidents.
It's important to get the basics right. Detecting IAM configuration changes that result in over-provisioned accounts or abnormal escalation of privilege, and identifying misconfigured storage access settings, are essential. Firewall and network security group changes should be reviewed to ensure they do not expose sensitive infrastructure, and monitoring should track both the rollout of, and non-compliance with, fundamental controls such as MFA.
The above are just a start, but picking up vulnerabilities and misconfigurations early in this way is vital in reducing the ease of compromise and the early gains available to an attacker. Building on this with anomaly detection of user behaviour, alongside security audits and penetration tests to identify weaknesses and iterate use cases further, provides a solid foundation for effective cloud security monitoring.
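As an added example of the "basics" described above (example code written for this article, not the author's tooling or any vendor product), the following rules run over a handful of constructed CloudTrail-style management events and flag the four things the text calls out: a privileged policy being attached or an inline policy allowing `*` on `*`, a bucket ACL granting access to all users, a security group rule opening a sensitive port to the internet, and a successful console login without MFA. The event shapes follow the CloudTrail fields for these API calls but are simplified and hand-built; the watch-lists (policy names, sensitive ports) are assumptions to be tuned to your own environment.

```python
"""Rule-based checks over CloudTrail-style management events (added example)."""
import json

# Assumed watch-lists for this example; tune them to your own estate.
ADMIN_POLICY_SUFFIXES = ("policy/AdministratorAccess", "policy/IAMFullAccess")
PUBLIC_GRANTEES = ("groups/global/AllUsers", "groups/global/AuthenticatedUsers")
ANY_CIDR = ("0.0.0.0/0", "::/0")
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}


def _allows_everything(policy):
    """True if any Allow statement grants Action '*' (or 'iam:*') on Resource '*'."""
    if isinstance(policy, str):          # CloudTrail carries inline documents as a JSON string
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "iam:*") for a in actions) and "*" in resources:
            return True
    return False


def check_iam(ev):
    """Over-provisioning: managed admin policy attached, or inline policy with * on *."""
    name, p = ev.get("eventName", ""), ev.get("requestParameters") or {}
    target = p.get("userName") or p.get("roleName") or p.get("groupName") or "?"
    if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
        if p.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIXES):
            return f"{p['policyArn']} attached to {target}"
    if name in ("PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"):
        if _allows_everything(p.get("policyDocument", "{}")):
            return f"inline policy {p.get('policyName')} on {target} allows * on *"
    return None


def check_storage(ev):
    """Storage misconfiguration: bucket ACL granting rights to an anonymous group."""
    if ev.get("eventName") != "PutBucketAcl":
        return None
    p = ev.get("requestParameters") or {}
    grants = p.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    for g in grants:
        uri = g.get("Grantee", {}).get("URI", "")
        if uri.endswith(PUBLIC_GRANTEES):
            return f"bucket {p.get('bucketName')} grants {g.get('Permission')} to {uri.rsplit('/', 1)[-1]}"
    return None


def check_network(ev):
    """Network exposure: ingress from any address to a sensitive port (or all traffic)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    p = ev.get("requestParameters") or {}
    for perm in p.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if not any(c in ANY_CIDR for c in cidrs):
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") == "-1" or any(lo <= port <= hi for port in SENSITIVE_PORTS):
            return f"{p.get('groupId')} opens {perm.get('ipProtocol')} {lo}-{hi} to the internet"
    return None


def check_mfa(ev):
    """Control non-compliance: successful console sign-in without MFA."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    if success and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No":
        who = (ev.get("userIdentity") or {}).get("arn", "?")
        return f"{who} signed in without MFA from {ev.get('sourceIPAddress')}"
    return None


RULES = {"iam.overprivileged": check_iam, "storage.public": check_storage,
         "network.exposed": check_network, "mfa.not_used": check_mfa}


def evaluate(events):
    """Return (rule, eventTime, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule, fn in RULES.items():
            detail = fn(ev)
            if detail:
                findings.append((rule, ev.get("eventTime"), detail))
    return findings


# Constructed sample events (not real logs); the last ingress rule is benign.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T09:12:44Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "ci-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2021-03-01T09:13:02Z", "eventName": "PutRolePolicy",
     "requestParameters": {"roleName": "lambda-exec", "policyName": "inline-1",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}},
    {"eventTime": "2021-03-01T09:20:10Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "finance-exports", "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}}},
    {"eventTime": "2021-03-01T09:25:33Z", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-03-01T09:30:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2021-03-01T09:41:17Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]

if __name__ == "__main__":
    for rule, when, detail in evaluate(SAMPLE_EVENTS):
        print(f"{when} [{rule}] {detail}")
```

Each rule is deliberately a pure function of one event, so the same code can sit behind a SIEM rule, a CloudWatch-style event subscription, or a batch scan of archived logs; the benign internal 443 rule in the sample is there to show the network check only fires on exposure to any-address ranges, not on every security group change.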
Agility in response
And what of the analysts responsible for dealing with alerts and investigating anomalies? They face a continual battle: keeping track of frequently changing assets as well as evolving technologies such as serverless environments. At the same time, formal incident processes with sometimes lengthy SLAs do not match the agile nature of cloud environments. Cloud has accelerated a shift we had already started to see in response to these challenges: a transition away from isolated security monitoring and response towards embedded security.
Integrating security operations resources into cloud development teams facilitates quick triage and investigation and builds a culture of collaboration. Analysts can query early signs of abnormal behaviour more readily with developers and engineers, and build a greater understanding of the environments they monitor. This doesn't need to be a complete transformation of your existing operating model; it can start with simple measures such as informal but direct comms channels with DevOps.
In summary, here are some tips on how you can enable effective cloud security monitoring:
- Get the basics right – Monitor privileged access management and proactively identify and remediate misconfigurations in storage and network access settings.
- Cut through the noise – Use a threat-led approach to identify the cloud logging and monitoring use cases required to mitigate the unique risks posed to your infrastructure.
- Embed security – Build relationships and active communication between Security and DevOps teams to facilitate quick triage and investigation.