Cloud Creates SIEM Blind Spot

  /     /     /  
Publicated : 22/11/2024   Category : security


Cloud Creates SIEM Blind Spot


Current SIEM and log management approaches for network and security devices are moot in the cloud



After spending buckets of money and years of intense human resources on the deployment of comprehensive security information and event monitoring (SIEM) tools and techniques, many organizations are seeing these precious investments lose much of their value in the rush to reach for the cloud. Public cloud initiatives and, to some degree, even virtualization deployments are adding security black holes to the enterprise security monitoring framework. No light of visibility goes in or out of these blind spots.
To maintain security standards within increasingly distributed, virtualized, and outsourced IT infrastructure, enterprises will have to adjust if they want to understand the events that affect their infrastructure and the flow of users and data across the traditional enterprise network perimeter.
Virtualization and cloud breaks the current model, says Mike Rothman, analyst for Securosis. Youve got no visibility of the infrastructure, by definition. So the existing methods of SIEM/log management for network and security devices anyway are moot.
This issue is amplified in the public cloud arena, where enterprises share infrastructure with other organizations dynamically and have little control or even glimpses into how everything is put together and flows.
Most SIEM products have no difficulty providing complete visibility in virtual environments and private clouds where you have control over both the physical and virtual environments. Where system access and control are limited, so is the visibility, says Michael Maloof, CTO for TriGeo Network Security. While cloud-based applications are a boon to productivity and data access, they rarely provide the same level of activity monitoring that you have in more traditional environments. For example, a cloud application linked to Active Directory can provide you with access control data, but not that the access originated in China.
But even when virtualized environments are actually controlled within the organizations infrastructure boundary, there remain complications in keeping track of all the activity that occurs at different virtualized layers.
I think people can make an assumption that anything thats inside the environment is safe, but you may see rogue virtual environments coming in, says Bill Roth, chief marketing officer for LogLogic. He warns that the first step in keeping tabs on virtualized environments is to make sure there are only as many VMs as absolutely necessary. Its so easy to spin up, and storage and processing is becoming so cheap that you run the risk of VM sprawl; companies need to be vigilant against it, he says.
No matter whether in a public or private cloud, organizations need to see to it that applications are better tuned to output monitoring information, Securosis Rothman advises.
We need to start instrumenting the applications to provide monitoring information and the like to provide some means of visibility, he says. The reality is most application folks dont do a good job of building visibility into their applications. But theyll need to, given that organizations want the flexibility to run some or all of the applications in a cloud-type of environment.
Most important within the cloud environment, though, is the acquisition of key logs that offer better views into how the infrastructure that affects enterprise data really is working.
If youre going into a cloud, demand your logs so you understand how your system is moving around so you understand what kind of performance youre getting, Roth says. Demand your logs and demand transparency. If you cant get them, it should be a deal-breaker. Just because the cloud metaphor is opaque doesnt mean the service should be.
Maloof agrees, explaining that organizations will not be able to shift responsibility for a data breach onto their cloud provider, so they need to be proactive about keeping an eye out for potential problems.
The fact is that while you can cloud-source many applications today, that doesnt eliminate the liability associated with data loss and the need to demonstrate sound monitoring policies for compliance requirements, Maloof says.
And it shouldnt stop at logs. Organizations also need to work with providers to get a good picture into user activity and data access trends for cloud-based pools of information. This starts with improved cloud access control.
Identity and access management systems are a critical piece of the puzzle, closely linked with well-defined policies and application-layer policy enforcement, Maloof says. While the data and the applications exist outside the traditional network boundaries, the identity and access control systems will bridge both the physical and virtual systems.
The success of these drives for visibility really hinges on cloud provider participation, though. According to LogLogics Roth, who is an active participant in the Cloud Security Alliance (CSA), customers are still having a hard time convincing larger providers, such as Amazon, to improve their transparency. He believes that customers need to put the pressure on. In addition, participating in organizations such as the CSA can help the industry develop standards for security monitoring within the cloud.
We are working on a number of things that I think are going to be really important, Roth says of the CSA, which is expected to release drafts of a security monitoring matrix in November. These are things that I think are going to be facilitate the development of cloud security.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Cloud Creates SIEM Blind Spot