4 Principles for Cloud Monitoring and Threat Detection
By: Secureworks
It is true that cybersecurity best practices require you to do much more than just monitor your organization’s endpoints. After all, to be successful, attackers must do much more than simply bypass endpoint controls. They must move laterally across your environment to discover and exploit your organization’s other vulnerabilities—until they finally make contact with the systems and/or data that make all of their hard nefarious work financially worthwhile.
Effective cloud monitoring is an essential element of enterprise threat hunting, complementing other key disciplines such as endpoint and network monitoring.
Here are four key principles to bear in mind as you seek to implement cloud monitoring as part of your overall cybersecurity strategy.
Cloud monitoring principle #1: Clouds are fuzzy
The word “cloud” has evolved as a general descriptor of any infrastructure not running on your enterprise premises. But beware. A fuzzy definition of “cloud” leads directly to a fuzzy implementation of cloud monitoring—which means it’s doubtful you’ll get all the telemetry you need to keep your organization safe.
That’s why effective cloud monitoring requires an accurate, complete, and up-to-date inventory of your organization’s cloud-based resources, which can include:
- Infrastructure as a Service (IaaS): These are assets such as web servers, database servers, and storage that a cloud provider hosts for your organization for a fee.
- Platform as a Service (PaaS): Under IaaS, the service provider typically just takes responsibility for the hardware and virtualization layers of the hosted technology stack. Under PaaS, the provider also delivers key components of the stack, such as operating systems and middleware.
- Software as a Service (SaaS): SaaS providers deliver the entire technology stack to your organization so your users only need their client-side software—which may simply be a web browser or a small set of browser extensions—to run a complete application.
- Hosting/co-lo services: While not technically cloud per se, providers that simply supply a physical location for infrastructure your organization owns and maintains are often perceived as part of the overall “cloud” mix.
One important aspect of cloud monitoring is ensuring you monitor your organization’s entire “cloud” footprint—including all IaaS, PaaS, SaaS, and hosted infrastructure.
Cloud monitoring principle #2: Clouds are slippery
In addition to ensuring that your cloud monitoring covers all four cloud types, you must also bear in mind several characteristics that make cloud monitoring substantively different from traditional endpoint monitoring. These characteristics include:
- Mediated access. When you monitor traditional on-premises infrastructure, you have the freedom to implement any agents or probes you choose. This is not the case with the cloud. Many cloud providers force you to depend on the telemetry they provide regarding cloud behaviors and activity. Others may allow you to choose your means of monitoring but will limit your choices and/or still mediate the access your instrumentation has to the infrastructure they host and manage for you.
- Elasticity. One commonly sought benefit of cloud is elastic capacity. Cloud providers offer the flexibility to add infrastructure capacity as required—and then rightsize capacity back down to baseline levels if and when a demand peak subsides. This elastic capacity enables organizations to avoid capital costs while still ensuring application performance at peak loads. However, it also means additional servers and storage may be brought online at any time. To be effective, cloud monitoring must have the ability to dynamically track any such added infrastructure from the moment it is activated to the moment it is deactivated.
- Multi-tenancy. Technically, “cloud” originally referred to multi-tenant services—i.e., services that allocated what is essentially a single pool of resources to individual subscribers on an as-needed basis. Over time, however, service providers learned that many potential customers would never agree to multi-tenancy, and required dedicated resources that were walled off from those used by other subscribers by some physical means. Cloud monitoring requires SecOps teams to understand exactly where their organization enjoys the security advantages of dedicated single tenancy vs. where multi-tenancy could create exposures to threats allowed in by peer subscribers.
- Shadow IT. Because cloud empowers business units to implement technology without having to spec, acquire, implement, and manage underlying IT infrastructure, it often results in “shadow IT”—i.e., technology deployments that occur without authorization by or even the knowledge of IT proper. At some organizations, such deployments are actually encouraged and inventoried, in which case the term “shadow IT” hardly applies. In other cases, shadow IT genuinely remains in the shadows. Such shadows can obviously create security problems if SecOps relies exclusively on IT’s inventory of its own infrastructure. To protect your organization, you must be diligent about discovering and addressing any instances of shadow IT.
Cloud monitoring principle #3: What the cloud can tell you
Threat hunting is just that: hunting. And hunting isn’t always about spotting your prey. Effective hunting often requires you to search for and discover clues that help you determine whether there is even any prey to begin with—and, if so, exactly what kind of prey it is and where it might be headed next.
In the case of the cloud, these clues can take many forms, including:
- Normal but potentially indicative behaviors (NPIs). These are activities that fall well within your organization’s normal baseline—or that often fall outside that normal baseline for normal business reasons—but have nonetheless been associated with certain types of attacks.
- Anomalous behaviors. These are activities that are unusual and warrant further investigation, even though they are not clear indicators of any specific type of attacker exploit.
- Signal behaviors. These are clear indicators that malicious activity is afoot within your environment—although additional work will be required to determine exactly what the full extent of that activity is and what measures will be required to fully neutralize the attack.
- Known vulnerabilities (CVEs). These are reported vulnerabilities in one or more elements of your cloud environment—including the operating systems, virtualization technologies, and databases that any of your cloud providers may use.
- Provider notifications. These are issues and/or incidents your cloud provider reports to you directly regarding active or resolved situations in their own environment.
- Peer issues. These are situations that have occurred or are occurring in the environments of peer subscribers to any of the cloud services your organization uses. They may not necessarily be voluntarily or publicly reported to you by the peers themselves since in most cases they are under no legal or regulatory obligation to do so. However, you can often learn about them through third-party sources.
Cloud monitoring is not simply a matter of getting the same telemetry from an external source that you currently get from an internal source. It’s about monitoring each of your different cloud instances in its own appropriate way.
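As an added illustration (not part of the original article or any Secureworks product), this constructed Python example triages cloud audit events into the signal, anomalous and NPI tiers described above by checking each event against a per-principal baseline; the principals, action names, regions and watchlists are made-up placeholders, not any provider's real API.

```python
# Constructed example: triaging cloud audit events into the behavioral tiers
# described in the article (signal, anomalous, NPI) plus plain "normal".
from collections import defaultdict

# Constructed baseline: (action, region) pairs each principal is known to perform.
# A real deployment would derive this from historical audit logs.
BASELINE = {
    "svc-web": {("storage:GetObject", "us-east-1"), ("compute:Describe", "us-east-1")},
    "alice": {("iam:ListUsers", "us-east-1"), ("console:Login", "us-east-1")},
}

# NPIs: actions that are normal on their own but are associated with attacker
# reconnaissance. Constructed watchlist, not a provider's or vendor's list.
NPI_ACTIONS = {"iam:ListUsers", "storage:ListBuckets", "compute:Describe"}

# Signals: actions that indicate malicious activity regardless of baseline,
# e.g. tampering with the audit trail itself. Constructed names.
SIGNAL_ACTIONS = {"audit:StopLogging", "audit:DeleteTrail", "iam:AttachAdminPolicy"}


def classify(event):
    """Return 'signal', 'anomalous', 'npi' or 'normal' for one audit event."""
    principal, action, region = event["principal"], event["action"], event["region"]
    if action in SIGNAL_ACTIONS:
        return "signal"
    seen = BASELINE.get(principal, set())      # unknown principal -> empty baseline
    if (action, region) not in seen:
        return "anomalous"                     # outside this principal's baseline
    if action in NPI_ACTIONS:
        return "npi"                           # within baseline, but worth correlating
    return "normal"


def triage(events):
    """Group events by tier so a hunter can work the highest tier first."""
    tiers = defaultdict(list)
    for ev in events:
        tiers[classify(ev)].append(ev)
    return dict(tiers)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"principal": "svc-web", "action": "storage:GetObject", "region": "us-east-1"},
    {"principal": "alice", "action": "iam:ListUsers", "region": "us-east-1"},
    {"principal": "alice", "action": "console:Login", "region": "ap-southeast-2"},
    {"principal": "svc-web", "action": "audit:StopLogging", "region": "us-east-1"},
]

if __name__ == "__main__":
    for tier, evs in triage(SAMPLE_EVENTS).items():
        print(tier, [e["action"] for e in evs])
```

The NPI tier is the one most easily lost: an event that looks routine in isolation only becomes meaningful when it is correlated with endpoint and network telemetry, which is the point of principle #4.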
Cloud monitoring principle #4: Putting your cloud clues in context
Finally, don’t forget that the whole point of cloud monitoring isn’t merely to monitor the cloud. It’s to leverage telemetry from the cloud in conjunction with other inputs—especially those from your endpoints and your network—to consistently spot emerging threats earlier in the kill chain.
So your cloud monitoring success really has three components in the context of threat hunting:
- How accurately, granularly, and comprehensively you monitor your organization’s multi-cloud resources.
- How well you integrate those multi-cloud SecOps inputs with the rest of your endpoint and network telemetry.
- How expertly you use that aggregated behavioral data to detect actual threats.
Plus, of course, there’s a fourth component: How well you translate your detections of active threats into the countermeasure actions necessary to fully neutralize them.
If you’re a cybersecurity leader, Secureworks® is the ideal partner in your efforts to optimally incorporate cloud monitoring into your broader threat hunting and cyber safety strategy. Our cloud monitoring capabilities are second to none. Our threat research team rigorously maintains unmatched insight into how threat actors unwittingly reveal themselves through the distinctive behavioral clues they leave as they pursue their criminal goals. Our Taegis™ XDR technology uniquely translates that threat research into threat protection.
Additionally, our team of security experts builds a strong partnership with you on a human, professional-to-professional basis.