
Cloud Security Monitoring: What you don’t see might hurt you

Introduction

We now live in a time when data flows like water. Data streams of all sizes are multiplying at an astonishing rate, and cloud computing is what makes this possible. However, as serene and peaceful as the view may appear from the outside, all that space also brings dangers that are easy to overlook: available resources may seem limitless, but the risk of exposure grows as your landscape grows. The best way to keep cloud-native assets secure is to implement a real-time, centralised security monitoring solution in your cloud environment. Catching an attack early keeps it from escalating into a far more costly response.

Cloud Computing in a nutshell

It is now possible to increase IT capacity or add capabilities on the fly without investing in infrastructure, training new personnel, or licensing new software. Cloud service providers offer storage and virtual servers that a small or medium-sized company's IT staff can access on demand. Businesses increasingly use cloud computing for mission-critical applications.

Cloud computing is rapidly replacing the local Information Technology (IT) infrastructure managed and run by small and medium-sized businesses (SMBs). Cloud computing provides capabilities that allow SMBs to connect IT, storage, and computational capacity as a virtualized resource pool accessible via the network.

But where did the cloud come from? Where can I find it? While this may be new to some businesses, this technology has been around for over a decade.

Where it all started

Large tech companies such as Google, Amazon, and Microsoft have demonstrated the success of cloud infrastructure. These firms deliver their goods and services on a global scale, and the infrastructure they built to do so, mastered and improved over years of research and experimentation, was the significant enabler of their cloud offerings. Here are some of their stories.

Amazon Web Services – In the early 2000s, Amazon's experience building Merchant.com (an e-commerce-as-a-service platform that let third-party retailers build their own web stores) led it to pursue service-oriented architecture as a means of scaling its engineering operations. Led then by CTO Allan Vermeulen, Amazon launched its cloud computing service in 2006. [2]

Google Cloud – Two years after the AWS launch, Google entered the game with its own cloud service. In April 2008, Google announced a preview release of App Engine, a developer tool that let users run their web applications on Google infrastructure. The infrastructure itself had existed for years before this launch, but had been used exclusively within the company. [3]

Azure – In 2005, Microsoft acquired Groove Networks, and Bill Gates made Groove's founder Ray Ozzie one of his five direct reports, as one of three chief technology officers. Ozzie met with Amitabh Srivastava, which led Srivastava to change course. They convinced Dave Cutler to postpone his retirement, and their teams developed a cloud operating system. In October 2008, the Windows Azure platform was announced. [4]

These are just a few of the major corporations that have chosen to publicise and productise their IT infrastructure strategy. They even make it easy to get started by offering a free-tier plan. As more businesses join the bandwagon, the cloud becomes an ever more attractive target for cybercriminals.

What’s your flavour?

There are several service models to choose from when deploying your application in the cloud. Each meets a distinct set of business requirements and provides varying levels of control and visibility over your cloud resources. [ 5 ]

  • SaaS – Software as a Service provides applications that are accessed via the web and managed by the software provider rather than by your company. This relieves your organisation of the day-to-day burden of software maintenance, infrastructure management, network security, data availability, and the other operational issues of keeping applications up and running.
  • PaaS – Platform as a Service sits between Infrastructure as a Service (IaaS) and Software as a Service (SaaS). It gives users a cloud-based environment in which they can build and deliver applications without having to install and maintain the underlying platform and tooling themselves.
  • IaaS – Infrastructure as a Service provides a standardised way of acquiring computing capabilities on demand over the internet: storage, networks, processing power, and virtual private servers. These are charged on a "pay as you go" basis, where you are billed on factors such as how much storage you use or how much processing power you consume over a given period. Customers do not manage the physical infrastructure in this service model; the provider guarantees the contracted resources and availability, while the customer remains responsible for what runs on top of it.

Cloud computing has been around for a while, but it will continue to evolve as faster and more reliable networks provide increased benefits to both service providers and consumers. As a result of these advancements, there are more opportunities to develop business models in an increasingly connected economy.

What does ‘security in the cloud’ mean?

Shared Responsibility

Security in the cloud is a joint effort between the customer and the provider. Each party's share of the work depends on how much control it has over the resources in the IT landscape. [ 7 ]


In the IaaS service model the cloud provider is responsible for the security of the lower layers (physical facilities, hardware, virtualisation and the provider's network); the customer is responsible for the security of the operating system and everything that runs on top of it. In PaaS, the provider is responsible for everything except the application and its data.

With a SaaS solution the provider runs everything up to and including the application, but the customer is still responsible for its data, its user identities and the access it grants. The greater the cloud provider's control over the service model, the greater the cloud provider's security responsibilities; what never transfers to the provider is responsibility for the customer's data and for who is allowed to reach it.

Protecting your data in the cloud

Data protection in the cloud can be classified by the state the data is in:

  • At Rest – data that is not actively moving between devices or networks, such as data stored on a disk
  • In Motion – data actively moving from one location to another, such as across the internet or through a private network
  • In Use – data that is currently being updated, processed, erased, accessed or read by a system

Strong network security controls help protect data in transit. Firewalls and network access control protect the networks that carry data from malware and intrusion. This blog post about Network Security Monitoring explains the challenges most businesses face and how critical it is to detect and prevent threats from both outside and within the organisation's network.

While data in transit and data at rest have slightly different risk profiles, the inherent risk is determined primarily by the sensitivity and value of your data: attackers will go after valuable data regardless of whether it is in motion, at rest or in use, picking whichever state is easiest to breach.

Potential Security Vulnerabilities in the Cloud

Not long ago, a breach that compromised the data of a few million people would have been big news. Now, breaches that affect hundreds of millions or even billions of people are far too common. About 3.5 billion people saw their personal data stolen in some of the biggest breaches of the past decade. As more data and applications move into the cloud, new information security challenges arise. Here are some of the top security threats and vulnerabilities organisations face when using cloud services.

Data breaches

A breach can be extremely damaging to reputation as well as finances. It may result in the loss of intellectual property (IP) and significant legal liabilities. Attackers want data, so businesses must define the value of their data and the consequences of losing it; who has access to the data is the critical question to answer in order to protect it. The early-2018 Tesla cloud crypto-jacking incident is a case in point: a Kubernetes administration console had been left reachable without a password, it held AWS credentials, and those credentials gave access to a storage bucket containing sensitive telemetry data. The root cause was not a missing cipher but a missing access control on one of the company's cloud consoles. [ 6 ]

Misconfiguration and inadequate change control

This is a new entry on the Cloud Security Alliance (CSA) list, which is unsurprising given the many examples of businesses inadvertently exposing data through the cloud. CSA cites the Exactis incident, in which the provider left a database containing personal data of some 230 million US consumers publicly accessible because of a misconfiguration. Level One Robotics exposed the IP of more than 100 manufacturing companies through a misconfigured backup server, which was equally damaging. In both cases the weakness was not an exploit but a setting: a service that should have required authentication, or been reachable only from inside a network, was listening on the public internet.
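The same class of mistake is easy to make with object storage: a bucket policy that was meant to let one system read backups ends up granting the whole internet access. The following Python check is an added example (not from the original post or from any of the incidents above) that classifies bucket-policy statements as public or not. The four policies it evaluates are constructed; the rule it applies is that a statement is public when its Effect is Allow, its Principal is the wildcard, and no Condition narrows who the caller is. A Condition such as aws:SecureTransport only restricts how the bucket is reached, not who may reach it, so a wildcard grant with only that condition is still public.

```python
"""Flag bucket-policy statements that make a bucket reachable by anyone.

Added example, not from the original post. A statement is treated as public
when its Effect is Allow, its Principal is "*" or {"AWS": "*"}, and it
carries no Condition that narrows the caller to a specific VPC, account,
organisation or source IP. All policies below are constructed samples.
"""
import json

# Condition keys that narrow *who* may call, so a wildcard principal is no
# longer "everyone". Deliberately a small, conservative set.
NARROWING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:sourcearn", "aws:sourceaccount",
    "aws:principalorgid", "aws:principalaccount",
}

# Constructed: the misconfiguration, reads for everyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed: TLS required, but still anyone on the internet.
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneOverTls", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Constructed: wildcard principal, but only via our VPC endpoint.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromOurVpcEndpoint", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed: the corrected policy, one role only, plus a Deny for plaintext.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBackupRoleOnly", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_narrows_caller(condition):
    """True if any condition key restricts the caller's identity or origin."""
    if not condition:
        return False
    for operator_block in condition.values():  # e.g. {"aws:SourceVpce": "vpce-..."}
        if any(key.lower() in NARROWING_KEYS for key in operator_block):
            return True
    return False


def public_statements(policy_json):
    """Return the Sids (or positional names) of statements that grant access to anyone."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    public = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts, it does not expose
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if _condition_narrows_caller(st.get("Condition")):
            continue
        public.append(st.get("Sid", f"statement-{i}"))
    return public


def is_public(policy_json):
    return bool(public_statements(policy_json))
```

Running the check over the four policies flags only AllowEveryone and AllowEveryoneOverTls; the VPC-endpoint and single-role policies pass. A check like this belongs in the change-control path (a pipeline step before the policy is applied), which is exactly the control the CSA entry says is missing.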

Lack of cloud security architecture and strategy

This issue is as old as the cloud itself. [ 6 ] The desire to shorten the time needed to migrate systems and data to the cloud typically takes precedence over security. As a result, the company operates in the cloud with security infrastructure and strategies that were never designed for it. The problem becomes more apparent to businesses as the years go by.

Insufficient identity, credential, access and key management

Inadequate management of access to, and control over, data, systems and physical resources such as server rooms and buildings is another new entry on the list. The cloud requires organisations to change their identity and access management (IAM) practices. Failing to do so can lead to security incidents and breaches caused by:

  • Inadequately protected credentials
  • Lack of automated rotation of cryptographic keys, passwords and certificates
  • Lack of scalability
  • Failure to use multi-factor authentication
  • Failure to use strong passwords
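Several of these gaps are visible in data the cloud provider already gives you. The following Python audit is an added example (not from the original post) that parses an AWS IAM credential report and flags console users without MFA, active access keys older than a rotation threshold, and active keys that have never been used. The report embedded in the block is constructed sample data in the column layout of the real report; in practice the CSV comes from `aws iam get-credential-report --query Content --output text | base64 -d`. The 90-day rotation threshold and the fixed "now" are assumptions for the example.

```python
"""Audit an AWS IAM credential report for the IAM hygiene gaps listed above.

Added example, not from the original post. It reads the CSV that
`aws iam get-credential-report` returns (after base64 decoding) and flags:
  * users with a console password (root included) but no MFA device,
  * active access keys older than a rotation threshold,
  * active access keys that have never been used.
SAMPLE_REPORT is CONSTRUCTED data in the column layout of the real report.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,2023-05-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T10:00:00+00:00,true,2023-05-02T07:30:00+00:00,2023-04-01T10:00:00+00:00,2023-07-01T10:00:00+00:00,true,true,2023-03-15T10:00:00+00:00,2023-05-02T07:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-06-20T10:00:00+00:00,true,2023-04-30T11:00:00+00:00,2020-06-20T10:00:00+00:00,N/A,false,true,2020-06-20T10:00:00+00:00,2023-04-30T11:00:00+00:00,true,2022-11-01T10:00:00+00:00,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-01-05T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-01-05T10:00:00+00:00,2023-05-02T00:05:00+00:00,false,N/A,N/A
"""

# Fixed "now" (assumed) so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2023, 5, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Timestamp from the report, or None for the N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a list of (user, finding) tuples, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root reports password_enabled as not_supported but always has a password,
        # so it is treated as a console user.
        has_console_password = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console_password and row["mfa_active"] == "false":
            findings.append((user, "no_mfa"))
        # Each user can hold two access keys; only active keys matter here.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"key{slot}_older_than_{max_key_age_days}d"))
            if last_used is None:
                findings.append((user, f"key{slot}_never_used"))  # active but unused: remove it
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the sample report the audit flags the root account and bob for missing MFA, bob and ci-deploy for stale keys, and bob's second key as never used; alice, who has MFA and a recently rotated key, produces no findings. The same three checks map directly onto the "automated rotation" and "multi-factor authentication" items above, and running them on a schedule is a cheap first monitoring control before any SIEM is in place.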

Account hijacking

The risk of an attacker gaining access to highly privileged accounts is increasing as social engineering and phishing attempts become more effective and targeted. Once an attacker has gained access to the system via a legitimate account, they can cause significant disruption, such as the theft or destruction of critical data, the suspension of service delivery, or financial fraud.

Identity and access management

Cloud identity management controls who can reach which resources, from WiFi networks to cloud servers, and simplifies authentication. The latter is critical: strong authentication keeps outside threat actors out of your databases and, combined with a least-privilege model, limits what an insider (or an attacker holding an insider's credentials) can reach. As the IT environment grows, authentication must scale with it, maintaining security without degrading the user experience.

Cloud Security Monitoring

Cloud monitoring makes it easier to spot patterns and potential security weaknesses in cloud infrastructure. Because storing valuable data in the cloud is often perceived as a loss of control, effective monitoring can reassure businesses about using the cloud for data transfer and storage. Implementing an effective security monitoring solution in the cloud, however, presents a couple of challenges:

What you don’t see might hurt you

  • Dynamic environments (virtualisation) – Because cloud resources come and go so quickly, maintaining traditional configuration for log collection, log correlation and the SIEM can be a nightmare. Each change has to be tracked, and it has to happen fast to keep availability high.
  • Visibility – Not every layer of the cloud computing stack is visible to you. Consumers are given a web interface (and APIs) to manage their resources, but a great deal happens behind the scenes. This blog post on Security from Obscurity explains the importance of knowing all the security mechanisms in place and how attackers can exploit gaps in them to carry out cyberattacks.

How do you know it will work?

There are several approaches to cloud security monitoring. Cloud monitoring can be done in the cloud platform itself, on-premises using an enterprise’s existing security management tools, or via a third-party service provider. Some of the key capabilities of cloud security monitoring software include:

  • Scalability – tools must be able to monitor large volumes of data across many distributed locations
  • Visibility – the more visibility into application, user, and file behaviour that a cloud monitoring solution provides, the better it can identify potential attacks or compromises
  • Timeliness – the best cloud security monitoring solutions will provide constant monitoring, ensuring that new or modified files are scanned in real-time
  • Integration – monitoring tools must integrate with a wide range of cloud storage providers to ensure full monitoring of an organization’s cloud usage
  • Auditing and Reporting –  cloud monitoring software should provide auditing and reporting capabilities to manage compliance requirements for cloud security

Cloud Security Monitoring using Elastic Security Solution

Elastic's security solution is designed for real-time security monitoring and meets the cloud security monitoring requirements above: it contains a SIEM, endpoint protection and pre-built rules that cover the potential cloud security vulnerabilities discussed earlier. It is also cloud-agnostic, so you can use it with any cloud provider.

Pre-built data integration for cloud resources

Logs, metrics, traces, content and more are streamed in from your apps, endpoints, infrastructure, cloud, network, workplace tools and any other common source in your ecosystem. Send alerts to your preferred notification tool. Connect to all of the systems that matter to you with ease. [ 10 ]

Pre-built rules for cloud applications

Prebuilt cloud application detections automatically detect techniques and behaviours associated with attacks against SaaS technologies such as Google Workspace, Microsoft 365, and Okta, and are used to supplement existing Elastic protections for IaaS technologies. Prebuilt security analytics content for Windows and Linux environments detects a wide range of attacker activity centrally, with a focus on persistence, privilege escalation, and lateral movement. [ 11 ]

Here is an example of one of the Azure rules: it identifies the deletion of diagnostic settings in Azure. Diagnostic settings are what route a resource's logs and metrics to a workspace or storage account, so an adversary may delete them in an attempt to evade defences by cutting off the telemetry that monitoring depends on.

  • False-positive handling – with Elastic Security's detection engine you can detect threats while avoiding the noise of false positives; real-world examples can be used to automate threat detection using correlations and machine learning.
  • Schedule – rules can be set to run on an interval (e.g. every 5 minutes) with an additional look-back time for analysis.
  • Notifications – get alerted for every detection and have it sent to the messaging platform of your choice.
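To make the rule's logic and its schedule concrete, the following Python block is an added example, written for this page and not Elastic's rule text or query. It assumes activity-log events in the ECS-style shape the Elastic Azure integration produces (event.dataset, event.outcome and azure.activitylogs.operation_name; the user.name and azure.resource.name fields are assumed) and flags a successful Microsoft.Insights/diagnosticSettings/delete operation. It also models the schedule from the list above: a run at time T with interval I and look-back L examines events with T - I - L < timestamp <= T. The NDJSON events are constructed.

```python
"""Detection logic for the deletion of Azure diagnostic settings.

Added example, not from the original post and not Elastic's rule. Field
names follow the ECS shape of the Elastic Azure integration where known
(event.dataset, event.outcome, azure.activitylogs.operation_name); the
user.name and azure.resource.name fields are assumed. SAMPLE_EVENTS is
CONSTRUCTED newline-delimited JSON.
"""
import json
from datetime import datetime, timedelta, timezone

# Compared case-insensitively: the activity log spells this in mixed case,
# some pipelines upper-case it.
TARGET_OPERATION = "microsoft.insights/diagnosticsettings/delete"

SAMPLE_EVENTS = """\
{"@timestamp":"2023-05-03T09:50:00Z","event":{"dataset":"azure.activitylogs","outcome":"success"},"azure":{"activitylogs":{"operation_name":"Microsoft.Insights/diagnosticSettings/delete"},"resource":{"name":"prod-sql-diag"}},"user":{"name":"mallory@example.com"}}
{"@timestamp":"2023-05-03T10:02:00Z","event":{"dataset":"azure.activitylogs","outcome":"success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"},"resource":{"name":"prod-keyvault-diag"}},"user":{"name":"mallory@example.com"}}
{"@timestamp":"2023-05-03T10:03:00Z","event":{"dataset":"azure.activitylogs","outcome":"success"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE"},"resource":{"name":"prod-keyvault-diag"}},"user":{"name":"alice@example.com"}}
{"@timestamp":"2023-05-03T10:04:00Z","event":{"dataset":"azure.activitylogs","outcome":"failure"},"azure":{"activitylogs":{"operation_name":"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"},"resource":{"name":"prod-storage-diag"}},"user":{"name":"mallory@example.com"}}
{"@timestamp":"2023-05-03T10:04:30Z","event":{"dataset":"azure.signinlogs","outcome":"success"},"user":{"name":"mallory@example.com"}}
"""

# The moment this scheduled run fires (assumed for the example).
RUN_AT = datetime(2023, 5, 3, 10, 5, tzinfo=timezone.utc)


def _get(event, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event):
    """The rule condition: an activity-log event for a successful diagnostic-settings delete."""
    return (
        _get(event, "event.dataset") == "azure.activitylogs"
        and str(_get(event, "azure.activitylogs.operation_name") or "").lower() == TARGET_OPERATION
        and str(_get(event, "event.outcome") or "").lower() == "success"
    )


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_rule(ndjson, run_at, interval=timedelta(minutes=5), look_back=timedelta(minutes=1)):
    """One scheduled execution: evaluate events in (run_at - interval - look_back, run_at]."""
    window_start = run_at - interval - look_back
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ts = _parse_ts(event["@timestamp"])
        if not (window_start < ts <= run_at):
            continue  # outside this run's window; an earlier/later run owns it
        if matches(event):
            alerts.append({
                "timestamp": event["@timestamp"],
                "user": _get(event, "user.name"),
                "resource": _get(event, "azure.resource.name"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, RUN_AT):
        print(alert)
```

With the default 5-minute interval and 1-minute look-back, the run at 10:05 alerts only on the 10:02 deletion; the 09:50 deletion falls outside the window and is the previous run's responsibility. Widening the look-back to 15 minutes makes the same run report both. Two caveats worth noting: the look-back must cover your ingestion delay, or events that arrive late are never evaluated by any run, and because the condition requires a successful outcome, the failed delete at 10:04 is not reported, even though a denied attempt to blind monitoring is itself a signal you may want a lower-severity rule for.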

Conclusion

With great power comes great responsibility. Cloud security is frequently overlooked, yet it is one of the most critical factors in long-term success, and it has to scale with the environment it protects. Fortunately Elastic provides tools that achieve this scale, and partners like Skillfield are ready to set them up for the job. The larger the landscape, the greater the exposure to cyber threats. Because prevention is always preferable to cure, it is best to identify and eliminate a problem before it worsens.

Written by: Jose Mari Ponce

References:

[1] https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-about-the-cloud/

[2] https://en.wikipedia.org/wiki/Timeline_of_Amazon_Web_Services

[3] https://acloudguru.com/blog/engineering/history-google-cloud-platform

[4] https://en.wikipedia.org/wiki/Microsoft_Azure

[5] https://www.fingent.com/blog/cloud-service-models-saas-iaas-paas-choose-the-right-one-for-your-business/

[4] https://www.guardicore.com/use-cases/threat-detection-and-response/

[6] https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

[7] https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/#:~:text=Cloud%20security%20refers%20to%20the,applications%2C%20and%20infrastructure%20from%20threats.

[8] https://www.crn.com/slide-shows/security/12-biggest-cloud-threats-and-vulnerabilities-in-2020

[9] https://cofense.com/guloader-rises-top-malware-delivery-mechanism-phishing/

https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service

[10] https://www.elastic.co/security

[11] https://www.businesswire.com/news/home/20210303006027/en/Elastic-Announces-New-Cloud-Application-and-Host-Protections-and-Streamlined-Security-Operations-Workflows