.png)
As we are increasingly moving information to the Cloud for various purposes, using Cloud services may reduce visibility into the environments where our data resides, intensifying risk and making it more vulnerable to cyber-threats. Logging, monitoring and alerting are all valuable components to maintaining an optimal and secure environment. Using a combination of logging tools and real-time monitoring/alerting systems helps improve observability and reduces the time spent sifting through log files to determine the root cause of performance problems, identifying live attacks or used for security forensics and auditing purposes. The public Cloud brings with it a great opportunity to widen and improve our logging/monitoring/alerting capabilities, whether it's a Cloud-native or a 3rd party tool, bringing a wide selection of technology offering and most importantly, tools most likely will be dynamic in their nature, by evolving and adopting to continuous changes in Cloud platforms and services.
The guiding Principle is:
Access to the CSP’s resources and all hosted environments, must be monitored and logged from a security perspective, to capture events of interest and provide overall visibility of the cloud service security posture
Here are few high-level key points to help us utilise Security Logging, Alerting & Monitoring, in the spirit of the Principle:
Enable logging (ideally for all event types),combined with alerting set for pre-defined (prioritised) events, across all environments (ideally) or parts of it, for a real-time response and forensics
Store and maintain securely logs history (ideally encrypted in multiple geo-locations, across multiple Cloud accounts) and ship logs securely (ideally to more than a single location), for maintaining logs integrity to the enterprise SIEM-type solution
Confirm (with the CSP) that systems generating logs, are by their design secured, tamper-proofed and being accessed only via a control policy
Logs Retention should follow the organisation related Policy (Inc. archiving), enabling incidents forensics
Enable logging across multiple layers (e.g. IAM events, storage access events, VPC/VNet Flow Logs, ENI/Static IP Flow Logs, app and OS security events, Serverless/Functions events, etc.), based on the use-case
Seek further compliance requirements from the Business (e.g. Periodic logs auditing)
Consider to enhance IAM Access monitoring using dedicated tools (e.g. Azure Monitor/AWS IAM Access Analyser), which ‘mathematically’ analyses access control policies attached to resources and determines which resources can be accessed publicly or from other accounts.
Enable logging and alerting on brute-force attempts, not only to know if there's a live attempt to monitor and react to, but also to prevent an outage of existing services, which are not designed to support a drastic spike in traffic/resources consumption.
Consider utilising advanced monitoring and alerting capabilities, which are able to identify the cause of an alert (e.g. defects in code/config vs. an actual live attack, both causing a degradation within the environment, but requires a different type of response)
Comments