Sysdig
Cloud Native Learning Hub

Responding to Cloud Breaches: Audit Logs, Threat Detection, and Incident Response

To discuss how to respond to cloud security breaches today, it helps to start with a history lesson.

If you’re a history buff – or you just paid attention in high school – you’re probably familiar with the Maginot Line, a series of defensive positions that the French army constructed between the world wars. The French government’s grand idea was that by building impervious defenses, they could prevent an invasion of France from Germany like the one that had taken place in World War I.

Unfortunately for the French, the German army simply maneuvered around the Maginot Line in 1940 and invaded France from the northeast, which was not fortified. Having placed too much faith in defensive measures, the French and their British allies were underprepared for the fast-moving warfare that took place once the defenses were breached. Within a mere 46 days, the French, despite having established an excellent defensive posture, suffered what one historian famously called a “strange defeat.”

What does the fall of France have to do with cloud security, you ask? The answer is that, just as the French learned the hard way in 1940 that it’s impossible to prevent a military breach completely, organizations today must recognize that it’s impossible to guarantee that a cloud breach will never take place. Although investing in defensive measures via cloud security posture management (CSPM) is important, you must also prepare to respond to a cloud breach when one does occur – as it inevitably will.

There are three key ingredients in preparing for a cloud breach:

  • Cloud audit logging, which helps you detect unusual activity in your cloud environment that could reflect a breach or attempted breach.
  • Threat detection, which uses a variety of data sources to identify active breaches.
  • Incident response, which allows you to react efficiently and effectively when a breach is discovered.

This article dives into what it takes to protect against cloud breaches by discussing the role that audit logging, threat detection, and incident response play in managing cloud security threats.

The Inevitability of Cloud Breaches

The first step in preparing for cloud breaches is recognizing that they will happen. No matter how much you perfect your CSPM tools and processes in order to harden your cloud environment against attacks, there is always a risk that an insecure configuration lurks deep within your cloud stack – or that a new type of threat will emerge to exploit a vulnerability no one has anticipated.

After all, even the most sophisticated tech companies routinely suffer security breaches, despite investing vast resources in cloud security and maintaining world-class cybersecurity talent. If they can’t prevent breaches, neither can you.

This is not to say, of course, that it’s not worth investing in CSPM as a means of breach prevention. Perfecting your cloud security defenses as much as possible by detecting insecure configurations and devising secure architectures is crucial for minimizing the number of breaches that take place. It also helps to reduce the damage that a breach may cause.

Nonetheless, it’s unrealistic to expect total immunity to breaches.

Preparing for Cloud Breaches: Auditing, Threat Detection, and Incident Response

You can, however, plan ahead for breaches so that when one takes place, you can identify it, evaluate it, and respond to it as quickly and effectively as possible. Doing so requires investment in three key areas: audit logging, threat detection, and incident response.

Audit Logging and the Cloud

Cloud environments are complex, to put it mildly. It’s likely that your organization deploys an array of different cloud services, such as object storage, virtual machines, containers, and serverless functions, to name just a few of the popular categories of cloud computing services. You may also have multiple accounts for each cloud, and – if you’re like 93 percent of organizations today – you use multiple clouds at the same time.

Audit logging is the first crucial step toward keeping track of potential security threats within a sprawling, multi-layered cloud environment. Audit logs systematically record actions within a cloud environment as the actions take place. They tell you who did what, when it happened, and what changed.

With audit logs, in other words, you can systematically monitor which new cloud resources were deployed, which IAM policies were changed, which user accounts were added or deleted, and so on. And you can do this across all of your cloud environments and services.

With this information, you can gain early visibility into potential security threats, even in cases where a threat has not yet evolved into an actual breach. For example, audit logs can alert you to the creation of an unauthorized VM or a new IAM role, which could be some of the first steps that attackers take as they work to establish a beachhead within your cloud environment.

Using Cloud Audit Logs

All of the major public cloud providers offer native services that enable audit logging and help you track the logs. However, because these services typically work only with individual cloud accounts and individual clouds, you should aggregate audit logs from across your cloud environments and analyze them centrally, using third-party auditing tools that can detect suspicious patterns in audit data from any public cloud.

You should also take care to configure cloud auditing effectively. The key to a good audit log is to strike the right balance between recording too much information and too little. You typically don’t need to know about every single minor change that takes place in your cloud environment, and if you log too much, you set your team up for alert fatigue. But you do want to know about major security-related events, such as changes to IAM configurations, network settings updates, the deployment of new workloads, or changes to user accounts.
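The filtering described above, as an added example that is not part of the Sysdig article: a small triage pass over a stream of CloudTrail-style JSON audit records (the field names follow that format, but every record, account id and IP address below is constructed for illustration, with IPs drawn from the TEST-NET-3 range). Read-only calls are dropped, minor writes are counted but not surfaced, and the four categories the article singles out (IAM changes, network settings, new workloads, user accounts) become findings that record who did what, when, from where, and what changed. The event-name patterns are an assumption and would be tuned per environment.

```python
"""Pick security-relevant events out of a cloud audit-log stream.

Added example, not from the Sysdig article. Records use CloudTrail-style
field names but are constructed; the event-name patterns are assumptions.
"""
import json
import re

# Read-only calls: dropped outright so the team is not buried in noise.
READ_ONLY = re.compile(r"^(Describe|List|Get|Head|Lookup)")

# Write events worth a finding, in the categories the article calls out.
# Order matters: the first match wins, so the specific user-account patterns
# sit before the broader IAM pattern (which would also match CreateUser).
HIGH_SIGNAL = [
    ("user_account", re.compile(r"^(CreateUser|DeleteUser|CreateAccessKey|CreateLoginProfile|UpdateLoginProfile)$")),
    ("iam_change", re.compile(r"^(Create|Delete|Attach|Detach|Put|Update)(Role|User|Group|Policy)")),
    ("network_change", re.compile(r"^(AuthorizeSecurityGroup|RevokeSecurityGroup|CreateNetworkAcl|ModifyVpcAttribute)")),
    ("new_workload", re.compile(r"^(RunInstances|CreateFunction|CreateCluster|CreateNodegroup)$")),
]


def classify(event_name):
    """Return a category for high-signal writes, 'other_write' for minor
    writes, or None for read-only calls."""
    if READ_ONLY.match(event_name):
        return None
    for category, pattern in HIGH_SIGNAL:
        if pattern.match(event_name):
            return category
    return "other_write"


def triage(lines):
    """Turn raw JSON audit lines into findings (who, what, when, from where,
    what changed) plus counts of what was filtered, so the noise level stays visible."""
    findings, dropped = [], {"read_only": 0, "other_write": 0}
    for line in lines:
        event = json.loads(line)
        category = classify(event["eventName"])
        if category is None:
            dropped["read_only"] += 1
            continue
        if category == "other_write":
            dropped["other_write"] += 1
            continue
        findings.append({
            "when": event["eventTime"],
            "who": event["userIdentity"].get("arn", "unknown"),
            "what": event["eventName"],
            "category": category,
            "from": event.get("sourceIPAddress"),
            "changed": event.get("requestParameters", {}),
        })
    return findings, dropped


# Constructed sample log lines (not real account data; IPs from TEST-NET-3).
SAMPLE_LOG = [
    '{"eventTime":"2024-05-01T10:00:01Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}',
    '{"eventTime":"2024-05-01T10:00:07Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.5"}',
    '{"eventTime":"2024-05-01T10:02:15Z","eventName":"CreateRole","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.77","requestParameters":{"roleName":"backup-helper"}}',
    '{"eventTime":"2024-05-01T10:02:40Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111111111111:role/app"},"sourceIPAddress":"10.0.4.9"}',
    '{"eventTime":"2024-05-01T10:03:02Z","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.77","requestParameters":{"instanceType":"p3.8xlarge","region":"sa-east-1"}}',
    '{"eventTime":"2024-05-01T10:03:30Z","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.77","requestParameters":{"cidrIp":"0.0.0.0/0","fromPort":22}}',
    '{"eventTime":"2024-05-01T10:04:00Z","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},"sourceIPAddress":"203.0.113.77","requestParameters":{"userName":"svc-maint"}}',
]

if __name__ == "__main__":
    found, filtered = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['when']} {f['category']:15} {f['what']:30} by {f['who']} from {f['from']}")
    print("filtered:", filtered)
```

Run stand-alone, the script surfaces the four high-signal writes (a new role, a new instance, an opened security group and a new user, all from the same source address within two minutes) and reports that two read-only calls and one minor write were filtered. Keeping those counts alongside the findings is what lets you tune the patterns toward the balance the article describes instead of guessing at how much is being discarded.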

Cloud Threat Detection

While audit logging is the first step in detecting potential breaches, threat detection goes further. Threat detection is the use of a variety of data sources – such as audit logs, networking logs, and cloud metrics – to detect active threats and assess their potential impact.

In other words, threat detection not only helps you to identify breaches, but also to understand the nature of each breach and how much damage it could potentially cause. In turn, threat detection helps you formulate a plan for responding in the most efficient way to the various threats that your cloud environments face.

Some threats are more severe than others. A threat that impacts a dev/test environment, for example, is not likely to be as dangerous as a zero-day breach that impacts a critical production workload. Threat detection helps you determine which types of threats to prioritize.

Likewise, threat detection uses threat intelligence data to provide context about different types of threats. Threat intelligence helps your team understand where a threat originated, which types of vulnerabilities it is exploiting, and how to remediate it effectively.
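To make the prioritization and threat-intelligence points above concrete, here is an added example that is not from the Sysdig article. It correlates two data sources (audit events and VPC-flow-style network records) per workload, enriches them with a threat-intelligence feed and an asset inventory that says which environment each workload belongs to, and ranks the results. The inventory, the records, the indicator list (a TEST-NET-3 address) and the scoring weights are all constructed assumptions for this illustration; the structure, not the numbers, is the point.

```python
"""Rank threats by correlating several data sources, not just audit logs.

Added example, not from the Sysdig article. Inventory, records, indicators
and weights are constructed assumptions (IPs are from TEST-NET-3).
"""
from collections import defaultdict

# Constructed inventory: which environment each workload belongs to.
ASSETS = {
    "i-prod-web-01": "production",
    "i-prod-db-02": "production",
    "i-dev-sandbox-07": "dev",
}

# Constructed threat-intel feed: indicator -> context a responder wants.
THREAT_INTEL = {
    "203.0.113.9": "listed as command-and-control infrastructure (constructed)",
}

# Assumed weights: a finding in production matters more than the same finding
# in dev, and a signal corroborated by a second data source more than one seen alone.
ENV_WEIGHT = {"production": 3, "staging": 2, "dev": 1, "unknown": 2}
SIGNAL_WEIGHT = {"audit": 2, "flow": 4}
CORROBORATION_BONUS = 2

# Constructed audit events (the output of the audit-log step) and flow records.
AUDIT_EVENTS = [
    {"resource": "i-dev-sandbox-07", "event": "CreateRole", "actor": "user/alice"},
    {"resource": "i-prod-db-02", "event": "AuthorizeSecurityGroupIngress", "actor": "user/bob"},
]
FLOW_RECORDS = [
    {"resource": "i-dev-sandbox-07", "dst": "203.0.113.9", "bytes": 2_048_000},
    {"resource": "i-prod-web-01", "dst": "203.0.113.9", "bytes": 512},
    {"resource": "i-prod-web-01", "dst": "198.51.100.20", "bytes": 90_000},  # no indicator match
]


def collect_signals(audit_events, flow_records, intel):
    """Group per-resource signals from each source; flow records only become a
    signal when the destination matches a threat-intel indicator."""
    signals = defaultdict(list)
    for e in audit_events:
        signals[e["resource"]].append(("audit", f"{e['actor']} called {e['event']}"))
    for f in flow_records:
        if f["dst"] in intel:
            signals[f["resource"]].append(("flow", f"traffic to {f['dst']}: {intel[f['dst']]}"))
    return signals


def score_resource(env, sigs):
    """Sum signal weights, add a bonus when more than one source agrees,
    then scale by how critical the environment is."""
    base = sum(SIGNAL_WEIGHT[kind] for kind, _ in sigs)
    sources = {kind for kind, _ in sigs}
    bonus = CORROBORATION_BONUS if len(sources) > 1 else 0
    return (base + bonus) * ENV_WEIGHT.get(env, ENV_WEIGHT["unknown"])


def rank_threats(audit_events, flow_records, assets, intel):
    """Return one record per affected resource, highest score first."""
    ranked = []
    for resource, sigs in collect_signals(audit_events, flow_records, intel).items():
        env = assets.get(resource, "unknown")
        ranked.append({
            "resource": resource,
            "environment": env,
            "score": score_resource(env, sigs),
            "signals": [desc for _, desc in sigs],
        })
    return sorted(ranked, key=lambda r: (-r["score"], r["resource"]))


if __name__ == "__main__":
    for r in rank_threats(AUDIT_EVENTS, FLOW_RECORDS, ASSETS, THREAT_INTEL):
        print(f"{r['score']:3} {r['environment']:10} {r['resource']}")
        for s in r["signals"]:
            print("      -", s)
```

With these inputs the production web server, which has only a single flow-log signal, outranks the dev sandbox, which has two corroborating signals, because the environment weight dominates; the production database with one ordinary audit event lands last. That is the behaviour the article asks for: severity is judged by what the threat could reach, and the threat-intel text travels with the finding so the responder sees the context without looking it up.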

Cloud Incident Response

The final step in responding to cloud breaches is incident response: the tools and procedures that a team uses to isolate, mitigate, and definitively remediate an active threat.

Although every threat is different and it’s impossible to predict exactly which steps you’ll need to take to respond to an incident, you can develop playbooks for different types of incidents and use them as a guide when performing incident response. For example, you might create one playbook for handling a security incident that involves unauthorized data access, another for breaches of a container runtime environment, and another for threats that impact cloud-based virtual machines.

Your cloud incident response playbooks should detail not just how your team will respond to each type of threat, but also which team members will play which roles in handling the response. You should also think ahead of time about which resources your team will need to execute its response.

Keep in mind, too, that although definitive remediation is the ultimate goal of incident response, it often makes sense to isolate a threat first, so that it cannot escalate while you work toward full remediation. Toward that end, your playbooks should include steps such as disabling compromised accounts or isolating compromised cloud workloads at the network level.
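The playbook idea in this section, as an added example that is not from the Sysdig article: a playbook for a compromised virtual machine expressed as ordered steps, each tagged with a phase (contain, preserve, remediate) and the role responsible for it, and a runner that refuses to execute a later phase before every earlier-phase step has completed. The steps act on an in-memory model of a cloud account rather than a real provider API; the step functions, role names, the quarantine security group id and the sample account and instance ids are all assumptions constructed for this illustration.

```python
"""Containment-first incident response playbook run against a simulated cloud account.

Added example, not from the Sysdig article. Steps, role names, the
quarantine security group and the in-memory cloud model are assumptions;
a real playbook would call the provider's IAM and compute APIs instead.
"""
from dataclasses import dataclass, field

PHASE_ORDER = ["contain", "preserve", "remediate"]
QUARANTINE_SG = "sg-quarantine"  # assumed: a security group with no ingress or egress rules


@dataclass
class CloudState:
    accounts: dict                               # user name -> {"enabled": bool, "access_keys": [...]}
    workloads: dict                              # instance id -> {"security_groups": [...], ...}
    timeline: list = field(default_factory=list)  # (phase, role, description), in execution order


def disable_account(state, user):
    """Containment: stop the compromised identity from acting further."""
    acct = state.accounts[user]
    acct["enabled"] = False
    revoked = acct["access_keys"]
    acct["access_keys"] = []
    return f"disabled {user}, revoked keys {revoked}"


def isolate_workload(state, instance):
    """Containment: cut network access but keep the workload (and its evidence) alive."""
    wl = state.workloads[instance]
    wl["original_security_groups"] = wl["security_groups"]
    wl["security_groups"] = [QUARANTINE_SG]
    return f"moved {instance} to {QUARANTINE_SG}"


def snapshot_workload(state, instance):
    """Preservation: capture disk state before anything destructive happens."""
    state.workloads[instance]["forensic_snapshot"] = f"snap-{instance}"
    return f"created forensic snapshot snap-{instance}"


def terminate_workload(state, instance):
    """Remediation: remove the compromised workload so it can be redeployed from a clean image."""
    state.workloads[instance]["terminated"] = True
    return f"terminated {instance}"


# Each step: (phase, responsible role, action, which incident field it acts on).
PLAYBOOK_COMPROMISED_VM = [
    ("contain", "identity-admin", disable_account, "account"),
    ("contain", "network-admin", isolate_workload, "workload"),
    ("preserve", "forensics-lead", snapshot_workload, "workload"),
    ("remediate", "platform-owner", terminate_workload, "workload"),
]


def run_playbook(state, playbook, incident):
    """Execute steps in order; raise if a step would run before every step of an earlier phase."""
    done = set()
    for idx, (phase, role, action, key) in enumerate(playbook):
        rank = PHASE_ORDER.index(phase)
        for j, step in enumerate(playbook):
            if PHASE_ORDER.index(step[0]) < rank and j not in done:
                raise RuntimeError(f"{phase} step reached before {step[0]} step '{step[2].__name__}' completed")
        description = action(state, incident[key])
        state.timeline.append((phase, role, description))
        done.add(idx)
    return state.timeline


def demo():
    """Constructed incident: a deploy account and the instance it was used on."""
    state = CloudState(
        accounts={"svc-deploy": {"enabled": True, "access_keys": ["AKIA-CONSTRUCTED-1"]}},
        workloads={"i-0abc-constructed": {"security_groups": ["sg-web"]}},
    )
    run_playbook(state, PLAYBOOK_COMPROMISED_VM,
                 {"account": "svc-deploy", "workload": "i-0abc-constructed"})
    return state


if __name__ == "__main__":
    for phase, role, what in demo().timeline:
        print(f"[{phase:9}] {role:15} {what}")
```

The ordering guard is the part worth copying: it encodes the article's advice that isolation comes before remediation, so a playbook edited to terminate first (destroying evidence and possibly missing a second foothold that the disabled account would have revealed) fails before it touches anything. Recording the original security groups during isolation is what lets you restore a workload cleanly if the finding turns out to be benign.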

Cloud Security Breach Preparation

Although you should strive to prevent cloud security breaches, don’t think of it as a defeat when a breach occurs. Instead, recognize that breaches are inevitable, no matter how much your team excels at CSPM.

What spells the difference between defeat and victory is your ability to respond effectively to cloud breaches when they do take place. By investing in audit logging, threat detection, and incident response, you’ll position your organization to handle cloud breaches successfully by minimizing their impact and remediating them as quickly as possible.