Cloud Infrastructure
With many physical data centers temporarily closed, organizations have faced an urgent need to minimize the need for on-site physical maintenance of IT systems. Many organizations have quickly accelerated their adoption of cloud infrastructure to support their workloads and applications and maintain business continuity. Since many of these migrations were already planned, often for later timelines, most security teams should expect that these investments are here to stay.
To gain earlier insight into risks and threats in these environments, security teams can monitor a range of events, including user activity, application activity, and resource and configuration changes. Fortunately, the major public cloud vendors, such as AWS, IBM, Azure and Google Cloud, provide a rich set of log, event and network flow data that can be brought into a centralized SIEM solution to gain visibility and detection across on-premises and multi-cloud environments.
By ingesting this data and applying security use cases to it, analysts can gain insight into several suspicious activities, such as:
- Anomalous user and account activity, such as abnormal authentication activity, multiple logins from different geographies or suspicious root user activity.
- Anomalous workload activity, including abnormal API calls, suspicious container activity or non-standard services accessing resources.
- High-risk configuration changes, such as suspicious IAM or security group policy changes, changes to S3 bucket policies or new or altered certificates.
- Suspicious resource changes, such as non-standard Virtual Private Cloud (VPC) or EC2 instances or a rapid increase in the number or size of EC2 instances potentially indicative of cryptocurrency mining.
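The use cases above, as an added example that is not code from the original page: a small Python detector run over constructed CloudTrail-style JSON lines, flagging root user activity, console logins from more than one geography, high-risk configuration changes and a RunInstances spike. The event records, the IP-to-country table (standing in for the SIEM's GeoIP enrichment) and the launch threshold are constructed or assumed values, not data from any real account.

```python
import json
from collections import Counter, defaultdict

# Constructed CloudTrail-style records (hypothetical, not real logs), trimmed to
# the fields the detections below need.
RAW_EVENTS = [
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"192.0.2.44"}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"Root","userName":"root"},"sourceIPAddress":"203.0.113.9"}',
    '{"eventName":"PutBucketPolicy","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}',
] + ['{"eventName":"RunInstances","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"192.0.2.44"}'] * 12

# Constructed IP-to-country table standing in for the SIEM's GeoIP enrichment.
GEO = {"198.51.100.7": "US", "192.0.2.44": "DE", "203.0.113.9": "US"}

# Configuration-change API calls of the kinds the text lists as high risk
# (IAM policies, security group rules, S3 bucket policies, certificates).
HIGH_RISK_CHANGES = {"PutUserPolicy", "AttachUserPolicy", "PutBucketPolicy",
                     "AuthorizeSecurityGroupIngress", "ImportCertificate"}
RUN_INSTANCES_THRESHOLD = 10  # assumed baseline; tune per account and time window

def analyse(raw_lines):
    """Return {finding_type: [findings]} for a batch of CloudTrail-style JSON lines."""
    findings = defaultdict(list)
    login_geos = defaultdict(set)   # user -> set of countries seen at ConsoleLogin
    launches = Counter()            # user -> number of RunInstances calls
    for line in raw_lines:
        ev = json.loads(line)
        identity = ev.get("userIdentity", {})
        user = identity.get("userName", "unknown")
        name = ev["eventName"]
        if identity.get("type") == "Root":            # any root activity is worth a look
            findings["root_activity"].append((user, name))
        if name == "ConsoleLogin":
            login_geos[user].add(GEO.get(ev.get("sourceIPAddress"), "??"))
        if name in HIGH_RISK_CHANGES:
            findings["high_risk_config_change"].append((user, name))
        if name == "RunInstances":
            launches[user] += 1
    for user, geos in login_geos.items():
        if len(geos) > 1:                             # logins from different geographies
            findings["multi_geo_login"].append((user, sorted(geos)))
    for user, n in launches.items():
        if n > RUN_INSTANCES_THRESHOLD:               # rapid increase in EC2 instances
            findings["ec2_launch_spike"].append((user, n))
    return dict(findings)

if __name__ == "__main__":
    for kind, hits in analyse(RAW_EVENTS).items():
        print(kind, hits)
```

In a real deployment the threshold and the geography check would be evaluated per time window rather than over a whole batch, and the GeoIP lookup would come from the SIEM's enrichment pipeline.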
While many of the cloud providers have their own native security capabilities, without a centralized view of security data across environments, analysts are forced to work within complex data silos. Today, 62% of public cloud adopters use two or more public clouds, and on average, organizations use a total of 4.8 separate public and private cloud environments. For an analyst struggling to keep up with an ever-growing workload, centralized cloud visibility, combined with the ability to automatically analyse, detect and track threats as they progress through different environments, is critical. A centralized SIEM solution that’s capable of ingesting and analysing the event and flow data across cloud and on-premises environments can help analysts detect threats quickly and more effectively, before they escalate and cause serious damage.