Despite our best efforts, perfect attack prevention is not possible and the cloud doesn’t change that. A comprehensive security strategy for IaaS/PaaS should include monitoring for attacks that have bypassed the layers of preventative controls we have put in place. This is not a replacement or substitute for an enterprise SIEM. Rather, think of this as a domain-specific analysis of the cloud telemetry generated by the IaaS/PaaS provider to identify cloud-based threats within their own environment.
7 Best Practices to Enable Cloud Threat Detection
1. Use Visibility as the Foundation to Apply Behavioral Analytics
Visibility is one of the foundational elements of the security hierarchy. This visibility provides the foundation to establish normal baseline behaviors of all entities in your public cloud tenants and subscriptions. Using baselining and behavioral analytics, threats can be detected at all layers of cloud visibility — network traffic, identities, workloads, applications and data-related behaviors.
2. Leverage the Built-in Threat Detection of Cloud Providers
The leading cloud providers now offer their own built-in cloud threat detection capabilities, and these have been steadily improving. Activate and use these built-in services. Most use a combination of telemetry sources to identify attacks, including network flow logs analyzed with analytics and supplemental sources of threat intelligence. Cloud-native threat detection is well suited to this use case: policy-wise, the tooling is almost identical to what enterprise data centers have used for years, but it also supports the dynamic nature of the cloud, and it does so without losing any of the visibility that security teams expect.
3. Use Network Taps only on the Most Critical Workloads
Based on customer demand, the leading cloud providers have recently added the ability to receive a virtual tap of traffic in their clouds. This can provide significantly more visibility than from network flow logs; plus, third-party network traffic analysis offerings can leverage this detailed information. However, the amount of data generated is sizable, so this type of detailed monitoring doesn’t need to be used on all assets.
4. Correlate Network Visibility with Threat Intelligence
If one of your cloud-based resources is communicating outbound to a known command-and-control server, you should be alerted. This requires threat intelligence to be applied to the network visibility. Ideally, the threat intelligence is provided directly by the cloud provider or via partnership with credible third parties. For example, one critical piece of telemetry to incorporate in the analysis is DNS callouts from your cloud-based resources. Use this DNS telemetry if it is exposed by your IaaS/PaaS provider.
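As an added illustration of this correlation step (example code written for this page, not from the original article or any cloud provider), the following Python matches DNS query-log records against a threat-intelligence domain list, including subdomains of listed domains. The log records, their field names and the listed domains are all constructed for the example; they are not a real provider schema or real indicators.

```python
import json
from typing import Iterable, List, Optional, Set

# Constructed threat-intelligence feed: placeholder names under reserved
# example TLDs stand in for a real feed's indicators.
THREAT_INTEL_DOMAINS: Set[str] = {"c2.example.net", "beacon.example.org"}

# Constructed resolver query-log records in a simplified JSON-lines format.
# Field names are assumptions for this example, not a specific provider's schema.
SAMPLE_DNS_LOG = """
{"srcaddr": "10.0.1.12", "instance": "i-0123", "query_name": "updates.example.com.", "rcode": "NOERROR"}
{"srcaddr": "10.0.1.12", "instance": "i-0123", "query_name": "C2.EXAMPLE.NET.", "rcode": "NOERROR"}
{"srcaddr": "10.0.2.7", "instance": "i-0456", "query_name": "api.beacon.example.org", "rcode": "NOERROR"}
{"srcaddr": "10.0.2.7", "instance": "i-0456", "query_name": "metadata.internal.", "rcode": "NOERROR"}
this line is not valid JSON and must not break the run
"""

def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so feed and log entries compare equal."""
    return name.rstrip(".").lower()

def matches_intel(query_name: str, intel: Set[str]) -> Optional[str]:
    """Return the listed domain if the queried name, or any parent of it, is in the feed."""
    labels = normalize(query_name).split(".")
    # Walk from the full name up to the second-level domain; never test the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in intel:
            return candidate
    return None

def correlate(log_lines: Iterable[str], intel: Set[str]) -> List[dict]:
    """Return one alert per query whose name matches the threat-intel feed."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not allowed to abort detection
        hit = matches_intel(record.get("query_name", ""), intel)
        if hit:
            alerts.append({"instance": record.get("instance"), "srcaddr": record.get("srcaddr"),
                           "query_name": normalize(record["query_name"]), "matched": hit})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_DNS_LOG.splitlines(), THREAT_INTEL_DOMAINS):
        print(alert)
```

Each alert carries the source instance and address so the hit can be tied back to the workload that made the callout.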
5. Cross-correlate Behavioral Anomalies with Sensitive Data Awareness
In the majority of cases, the goal of cloud attacks is to steal data. By combining network and activity behaviors with data context, the efficacy of detecting real events can be improved.
6. Extend Cloud Threat Detection into Kubernetes
Kubernetes-orchestrated clusters are essentially “clouds within clouds.” The monitoring and visibility of the Kubernetes logs, network flows and application behaviors within the cluster should be baselined and analyzed for indications of compromise.
7. Use a Managed Detection and Response Service if you Don’t Have the People or Resources
Most enterprise security departments are understaffed. Detecting and responding to potential attacks implies you have the staff to do this. For enterprises that don’t have the resources, managed cloud threat detection and response services are available. Some cloud providers offer this. However, enterprises should ask potential service providers for explicit support and integration with public cloud capabilities, as some don’t yet support public cloud while others may limit their support to IaaS (but not PaaS) monitoring.