By Palen Schwab
Before you can assign responsibility for a security breach, you need to go back to the scene of the crime and understand where it originated. That is no easy task given the dynamic and complex nature of cloud computing environments.
Do you know who is doing what across your entire cloud environment at this very moment? Can you say with certainty that all critical files are safe from bad actors and that installs never happen without prior authorization?
In order to effectively resolve a data breach, mitigate damage, and avoid future breaches, you need to know exactly where the breach took place. It doesn’t matter if it was an internal or an external threat, or even whether it was intentional or accidental. You need to know where the original breach happened, what data was affected, whether (and how) it was exfiltrated, and what happened to the data after it left your control.
Not only do you need all this information, but it has to arrive in a usable form that gives real-time insight into where the failure occurred, so you can analyze the incident, carry out the remediation it requires, and ensure that it doesn’t happen again.
Your Early Warning System: Continuous Monitoring
To get to the origin of a breach, you need an audit trail so you can know who is doing what across your cloud environment — from a suspicious login to a security group change. To get this detailed level of visibility, you need to continuously monitor all activity, all the time. And we’re not talking about monitoring for user activity on just a few key servers or just at the network level or even polling the system as a check box for compliance. We mean complete, always-on monitoring across your entire environment, specifically at the host level — or the “single source of truth,” as we like to call it.
Host-level monitoring provides detailed information about the access, altering, or copying of sensitive data — all signs that are indicative of a breach. With this information, you can understand an attacker’s moves and behaviors and have the responsible parties in your organization put safeguards in place so you can identify and remediate this kind of attack in the future.
Your Tap on the Shoulder: Proactive Alerting
It’s one thing to get an alert when an attacker follows a known attack signature, but what do you do to identify zero-day attacks and insider threats that would go unnoticed using a traditional network IDS? Using a host-based IDS with anomaly detection is a good start. The moment your security monitoring solution detects anomalous behavior, it sounds the alarms. Whether someone in your system added an unauthorized user or an unusual pattern in user session activity was detected, you need to hear about it immediately.
But we all know that security tools love to provide alerts to prove their value, and the last thing you want is a tool that beeps more than it informs.
The most effective security alerting tool is one that:
- Eliminates false positives (it learns)
- Makes tuning intuitive and straightforward (it saves you time)
- Packs in as much context as possible (you don’t have to dig around much to take action on the alert)
Your Ticket to Faster Resolution: Cloud Context
No company is 100% secure, and that means you have to be realistic and focus on reducing your mean time to resolution (MTTR) if you get breached.
Using traditional approaches, incident responders had to sift through logs manually, searching for the steps leading up to and following the event (assuming that information was even available), and then, based on the data they collected, decide on the best course of action. Finding information in logs or across multiple tool sets and then making sense of it is tedious, time-consuming, and ineffective.
Today there is a much more efficient and effective way of doing things. To achieve maximum process efficiency and the shortest resolution times, you need an integrated security platform that can pull together vital security event information in one place, and automatically provide the contextual data that allows incident responders to make the best decision and take swift action.
An integrated cloud security platform monitors continually, provides rich, contextualized information, and enables alerts to be evaluated and resolved in significantly shorter time frames. The responder simply views the TTY Timeline to see the pre- and post-event details, and then, using the data automatically collected, decides on the most effective remedial action.
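To make the two ideas above concrete, the host-based anomaly alerting described under "Proactive Alerting" (a user account added, an unusual login) and the session context a responder needs under "Cloud Context", here is a small added example of that detection logic run over constructed host audit events. It is not Threat Stack's code or data: the log line format, the rule set, the baseline learning and the five-minute context window are all assumptions made for the illustration. The baseline is learned from a short history of known-good logins, so the "learns" property from the alerting checklist is shown too.

```python
"""Host-level audit events -> anomaly alerts packed with session context.

Added example, not the vendor's code. The line format, rules and window
size are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Rule inputs (assumed): paths whose modification should always alert, and
# binaries whose execution means a local account was added or changed.
SENSITIVE_PREFIXES = ("/etc/ssh/", "/etc/sudoers", "/root/.ssh/")
ACCOUNT_CHANGE_BINARIES = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/adduser"}
CONTEXT_WINDOW = timedelta(minutes=5)  # how much of the session to attach to an alert

# Constructed known-good logins used to learn each user's baseline.
# Assumed format: ISO timestamp, host, user, session id, event, detail.
HISTORY = """\
2017-02-27T09:10:00 web-1 alice s001 login src=10.0.0.5
2017-02-27T14:30:00 web-1 bob s002 login src=10.0.0.9
2017-02-28T10:05:00 web-1 alice s003 login src=10.0.0.5
2017-02-28T15:00:00 web-1 bob s004 login src=10.0.0.9
"""

# Constructed events to evaluate: one normal session and one suspicious one.
RAW_EVENTS = """\
2017-03-01T09:02:11 web-1 alice s100 login src=10.0.0.5
2017-03-01T09:02:40 web-1 alice s100 exec /usr/bin/git pull
2017-03-01T09:03:05 web-1 alice s100 logout -
2017-03-01T02:14:03 web-1 bob s200 login src=198.51.100.7
2017-03-01T02:14:20 web-1 bob s200 exec /usr/sbin/useradd svc_backup
2017-03-01T02:14:31 web-1 bob s200 file_write /etc/ssh/sshd_config
2017-03-01T02:15:02 web-1 bob s200 logout -
"""


def parse(text):
    """Parse the assumed line format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, session, event, detail = line.split(" ", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "session": session, "event": event, "detail": detail})
    return events


def learn_baseline(events):
    """Per user: the source addresses and hours of day seen in known-good logins."""
    baseline = {}
    for e in events:
        if e["event"] != "login":
            continue
        b = baseline.setdefault(e["user"], {"sources": set(), "hours": set()})
        b["sources"].add(e["detail"].split("=", 1)[1])
        b["hours"].add(e["ts"].hour)
    return baseline


def context_for(alert_event, events):
    """Everything the same session did within the window around the alerting event."""
    return [e for e in events
            if e["session"] == alert_event["session"]
            and abs(e["ts"] - alert_event["ts"]) <= CONTEXT_WINDOW]


def detect(events, baseline):
    """Apply the rules; each alert carries its reasons and the surrounding session."""
    alerts = []
    for e in events:
        reasons = []
        if e["event"] == "login":
            known = baseline.get(e["user"], {"sources": set(), "hours": set()})
            src = e["detail"].split("=", 1)[1]
            if src not in known["sources"]:
                reasons.append(f"login from unseen source {src}")
            if e["ts"].hour not in known["hours"]:
                reasons.append(f"login at unusual hour {e['ts'].hour:02d}")
        elif e["event"] == "exec" and e["detail"].split()[0] in ACCOUNT_CHANGE_BINARIES:
            reasons.append(f"account change: {e['detail']}")
        elif e["event"] == "file_write" and e["detail"].startswith(SENSITIVE_PREFIXES):
            reasons.append(f"sensitive file modified: {e['detail']}")
        if reasons:
            alerts.append({"when": e["ts"], "host": e["host"], "user": e["user"],
                           "session": e["session"], "reasons": reasons,
                           "context": context_for(e, events)})
    return alerts


def run_example():
    """Learn from HISTORY, evaluate RAW_EVENTS, return the alerts."""
    return detect(parse(RAW_EVENTS), learn_baseline(parse(HISTORY)))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['when']} {a['host']} {a['user']} {a['session']}: {'; '.join(a['reasons'])}")
        for c in a["context"]:
            print(f"    {c['ts'].time()} {c['event']} {c['detail']}")
```

With the constructed input, alice's session produces nothing, while bob's session yields three alerts: an off-hours login from an address never seen for that user, a `useradd` execution, and a write to `/etc/ssh/sshd_config`. Each alert already carries the four events of session `s200`, which is the "pre and post event" view a responder would otherwise have to assemble from raw logs by hand.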
So let’s return to the original question: Who is responsible for a security breach? Your company is. It has a responsibility to put effective cloud security in place to protect itself, its shareholders, and its customers.
To take the first step to achieving security in the cloud, we invite you to schedule a Threat Stack demo.