When you transition to the cloud, it’s tempting to treat your cloud service provider like a magic genie that will automatically grant you a fully secure environment that doesn’t need monitoring.
That’s a nice pipe dream, but that’s not how the cloud works. Cloud environments require monitoring, too, and you shouldn’t approach it in the same way that you would with monitoring an on-premises environment like Active Directory.
Cloud security monitoring brings new challenges, like working with security capabilities like AWS’s GuardDuty, and understanding what data your cloud provider is (and isn’t) capturing.
These cloud security monitoring best practices will help you to be strategic, gain visibility into your environment and provide layers of security that will protect against threats.
Blumira’s cloud SIEM platform protects your entire cloud environment by surfacing priority threats and offering remediation guidance. Try a free trial.
Before you start monitoring your cloud environment, it’s important to select a secure cloud service provider (CSP). The major CSPs, like Google Cloud Platform, AWS, and Microsoft Azure, are all fairly comparable when it comes to cloud security. As with the Mac vs. Linux vs. Windows debate, it’s generally best to stick with the provider that you are most familiar and comfortable with, said Bill Reyor, Sr. Incident Detection Engineer at Blumira. For companies that operate on a hybrid cloud model, choosing a cloud provider using this method may prove more challenging.
When it comes to evaluating CSPs, it’s important to evaluate levels of compliance with regulations. Although the major CSPs cover most major regulations like GDPR and HIPAA, you can evaluate levels of compliance by asking a CSP to produce compliance certifications.
Also evaluate a vendor for data and network availability. Ask the vendor whether it can ensure 24/7 availability, as well as what happens in the event of an outage.
Although major CSPs are comparable, AWS is a particularly secure cloud service due to its implementation of security groups and granular IAM capabilities. AWS has gotten much better at helping its users avoid making mistakes. For example, a user needs to agree to at least three warnings before AWS allows them to make an S3 bucket public.
It’s important to be strategic about your cloud monitoring plan. To do so, you first need to have an understanding of your existing cloud security infrastructure.
For example, how is your cloud environment configured? You shouldn’t simply rely on your CSP’s default configurations. Cloud misconfigurations are a major security threat and compliance risk. In fact, the 2019 Capital One hack is an example of a major breach that occurred because of a cloud misconfiguration. In that infamous case, an intruder gained access to the environment due to a misconfigured open-source WAF (web application firewall) that was hosted in AWS.
Common cloud misconfigurations include leaving an unencrypted data store exposed to the public internet without requiring authentication, or failing to apply the least privilege principle.
To check whether there are misconfigurations within your cloud environment, you can perform regular audits — and automate these audits using cloud tools. A cloud SIEM like Blumira’s can help you to track changes within your cloud environment and identify causes of misconfigurations.
Another important component of understanding your existing environment is knowing whether shadow IT exists within your organization (hint: it probably does). You can use a SIEM to discover these instances. For example, Blumira can detect when users have saved password lists on their devices and prompt you with steps to remediate this behavior.
As with on-premises environments, cloud environments require a certain level of visibility to be truly secure. But with on-prem environments, you probably had visibility into your entire tech stack — all the way down into your bare metal hosts. When you subscribe to cloud services, you sacrifice some visibility, especially when it comes to the underlying application stack.
Built-in cloud monitoring tools like AWS GuardDuty can help provide more visibility, but relying solely on built-in features won’t result in a truly secure cloud environment. Instead, you should take a layered approach to cloud security, bringing in different specialized tools to address different components of your tech stack: physical, network, OS, application, hypervisor, and orchestration.
To start off, you should apply antimalware and antivirus tools to both the OS and virtual network. Another essential tool for cloud security is endpoint protection, especially as attackers increasingly infiltrate networks through endpoint devices.
When it comes to data encryption, not all data requires the same level of security — and applying a high level of security across all your data is usually unrealistic due to size and formatting limits. Data that contains trade secrets and personally identifiable information, for example, absolutely must be encrypted. It’s important to keep in mind that built-in services like AWS KMS (Key Management Service) are certified for use by the Payment Card Industry and HIPAA, but they only work well if they’re properly implemented. If you incorrectly store key material, for example, that will negatively affect the level of security that the encryption provides.
It’s always a good idea to implement OS native encryption, using tools like LUKS in Linux or EFS in Windows, Reyor said. If you’re simply moving virtual machines (VMs) from your own data centers to a cloud provider, you can effectively apply corporate encryption tools like CrowdStrike and Symantec.
There’s a saying that goes, ‘if you emphasize everything, nothing is emphasized.’ That applies to cloud security monitoring, too; too much visibility into your environment can actually be detrimental. If you monitor everything under the sun, there’s a good chance that data will become unmanageable and therefore useless.
When forming your cloud security monitoring strategy, it’s important to sit down and determine what you want to monitor. Determine your top priorities — whether it’s monitoring network flow, cloud misconfigurations, or antivirus.
You should typically aim to log and capture the control layer — the log that records changes to the cloud service that you’re using — and the network traffic to and from that source, along with any notable security-specific log sources. In AWS, for example, the control layer is CloudTrail, the network layer is VPC Flow Logs, and the primary security service is GuardDuty. We recommend that you log all three.
There’s a difference between capturing data and getting alerts for that data, though. Too many alerts will likely result in alert fatigue and you could end up ignoring high-priority alerts altogether. When developing alerts, you should model out specific use cases for actions or chains of actions that are known to be malicious.
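As an added example (not code from the original post or from Blumira’s product) of modeling one of the misconfiguration use cases above as a CloudTrail detection: it flags an S3 bucket being opened to everyone through its ACL or bucket policy, and collapses related changes by the same actor on the same bucket into a single finding so that one change sequence does not produce a flood of alerts. The CloudTrail records are constructed, and the requestParameters shapes they use are assumed rather than copied from AWS.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records for illustration; the requestParameters shapes are assumed.
SAMPLE_CLOUDTRAIL = json.loads("""[
 {"eventTime":"2021-03-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketAcl",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},
  "requestParameters":{"bucketName":"example-data","AccessControlPolicy":{"AccessControlList":{"Grant":[
   {"Grantee":{"xsi:type":"Group","URI":"http://acs.amazonaws.com/groups/global/AllUsers"},"Permission":"READ"}]}}}},
 {"eventTime":"2021-03-01T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},
  "requestParameters":{"bucketName":"example-data","bucketPolicy":{"Statement":[
   {"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-data/*"}]}}},
 {"eventTime":"2021-03-01T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketAcl",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},
  "requestParameters":{"bucketName":"internal-logs","AccessControlPolicy":{"AccessControlList":{"Grant":[
   {"Grantee":{"xsi:type":"CanonicalUser","ID":"abc123"},"Permission":"FULL_CONTROL"}]}}}}
]""")
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def exposes_bucket(event):
    """True if an S3 control-plane event hands access to everyone (public ACL or wildcard policy)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    params = event.get("requestParameters") or {}
    if event["eventName"] == "PutBucketAcl":
        grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
        return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)
    if event["eventName"] == "PutBucketPolicy":
        for stmt in params.get("bucketPolicy", {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
                return True
    return False

def find_exposures(events, window_minutes=15):
    """One finding per (bucket, actor) within the window, so related changes don't become a flood."""
    alerts, open_alerts = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not exposes_bucket(ev):
            continue
        key = (ev["requestParameters"]["bucketName"], ev["userIdentity"]["arn"])
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        alert = open_alerts.get(key)
        if alert is None or when - alert["last"] > timedelta(minutes=window_minutes):  # new finding
            alert = open_alerts[key] = {"bucket": key[0], "actor": key[1], "events": [], "first": when}
            alerts.append(alert)
        alert["events"].append(ev["eventName"])
        alert["last"] = when
    return alerts
```

Running `find_exposures(SAMPLE_CLOUDTRAIL)` yields a single finding for `example-data` listing both of alice’s changes, while bob’s ACL change to a specific canonical user is not flagged.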
Context is crucial when it comes to security alerts, and can help you to understand what actions to take. Blumira’s cloud SIEM takes that a step further by providing specific recommendations on steps that will remediate the security issue.
To learn more, watch our on-demand webinar, where Blumira’s Bill Reyor, Sr. Incident Detection Engineer, Nato Riley, Integrations Engineer and Patrick Garrity, VP of Operations will give you practical advice on how to develop a simplified cloud monitoring strategy. Watch here.