Public cloud adoption is complicated. It typically requires a significant focus on threat detection and the retooling of workflows and playbooks for security event management, monitoring, detection and response.
Fortunately, a wide variety of third-party and cloud-native tools and services offer capabilities that enable effective cloud event collection, aggregation and analysis. Many organizations are considering applying observability, along with security event orientation and decision-making, to their cloud monitoring, detection and response strategies. The observability approach may aid in developing sound metrics and tracking to ensure security operations improve over time.
Observability originated in the control systems engineering profession and focuses on system outputs to monitor and determine behaviors. A system is considered observable when its behaviors and activity can be monitored in such a way as to determine system state.
Let's explore how that strategy relates to the cloud.
Elements of cloud observability
To build a comprehensive cloud observability strategy, IT leaders need to understand what exactly is in scope. Observability extends beyond traditional workloads to the control plane, network, application, container and storage level.
Control plane observability
A critical category of observability is the cloud environment itself: the control plane. Organizations should conduct extensive logging of all activity within the cloud. Additionally, they may deploy one of several new services to continuously monitor cloud accounts and infrastructure for best practices, configuration and security controls status.
Network observability
Many controls help achieve network observability, including network firewalls, network intrusion detection and prevention, load balancers, proxy tools and behavioral network flow data collection. Cloud-native access controls, such as security groups and firewall services, and monitoring capabilities, such as flow logs and traffic mirroring, can also be used to monitor and track network events and behaviors.
Application observability
Application visibility is accomplished by tracking events and behaviors at scale. This can be a challenge because events come from workloads and identity associations communicating across the entire cloud environment, in addition to local application logs on individual systems and containers. To develop true application observability, organizations need to feed events into event management and SIEM platforms that are adapted to cloud environments -- often via API integration.
Container and serverless observability
To enable observability for containers and serverless architecture, logs and events generated by PaaS applications should be automatically collected and sent to a central monitoring platform.
Database and storage observability
Many cloud deployments employ a wide variety of storage types, including block storage, binary large object (blob) storage and databases. Most cloud storage services include various forms of logging, as well as a range of additional configuration controls that can be monitored and observed.
Cloud observability tools
In cloud environments, network monitoring logs, system logs and environment logs are the primary sources of observability. Other sources include feedback from configuration assessment tools and services, such as AWS Config or the open source Cloud Custodian tool, as well as other cloud-native tools.
In cloud-native compute services, such as AWS Fargate or Azure Functions, agents and traditional monitoring tools may not be feasible to implement. Thus, achieving observability presents a unique challenge. Organizations increasingly rely on external feedback and monitoring mechanisms and controls, which use a unified software backplane to which all workloads and services are tied.
Security benefits and use cases
Developing and implementing an observability strategy in cloud environments can yield significant security benefits. Observability can improve continuous monitoring, boost efficiency in detecting and correlating events, and enhance the speed and effectiveness of incident resolution.
With cloud security observability, organizations are better positioned to take advantage of automation by building automated triggers that alert or perform remediation actions based on specific conditions. For example, security teams could receive alerts when certain log file events are created or when specific conditions in the environment are noted. If a scan reveals critical vulnerabilities, automated triggers could execute serverless functions in AWS Lambda or Google Cloud Functions to quarantine a running instance or perform automated forensic evidence capture for use in investigations.
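The automated trigger described above, sketched as an AWS Lambda handler in Python. This is an added example, not code from the original article. The event shape (`severity`, `instance_id`, `finding_id`), the `QUARANTINE_SG` environment variable and the `quarantine:*` tag keys are assumptions made for illustration; a real scanner's event must be mapped to this shape.

```python
import os

# Assumption: a pre-created security group with no inbound or outbound rules.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-PLACEHOLDER")


def plan_response(event):
    """Return the instance ID to isolate, or None if no action is warranted."""
    # Assumed, simplified event shape: {"severity": "...", "instance_id": "i-..."}
    if str(event.get("severity", "")).upper() != "CRITICAL":
        return None
    return event.get("instance_id") or None


def quarantine(ec2, instance_id, finding_id="unknown"):
    """Capture evidence first, then isolate. Returns the snapshot IDs taken."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        volume_id = mapping.get("Ebs", {}).get("VolumeId")
        if volume_id:  # skip instance-store devices, which have no EBS volume
            snap = ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f"forensic capture {instance_id} finding {finding_id}",
            )
            snapshots.append(snap["SnapshotId"])
    # Record the original groups so responders can restore them after triage.
    original = ",".join(g["GroupId"] for g in instance.get("SecurityGroups", []))
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": "quarantine:original-sgs", "Value": original},
              {"Key": "quarantine:finding", "Value": finding_id}],
    )
    # Replace every attached security group with the isolation group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return snapshots


def handler(event, context):
    """AWS Lambda entry point."""
    instance_id = plan_response(event)
    if instance_id is None:
        return {"action": "none"}
    import boto3  # imported here so the logic above can be exercised offline
    finding_id = event.get("finding_id", "unknown")
    snapshots = quarantine(boto3.client("ec2"), instance_id, finding_id)
    return {"action": "quarantined", "instance_id": instance_id, "snapshots": snapshots}
```

The function's execution role needs `ec2:DescribeInstances`, `ec2:CreateSnapshot`, `ec2:CreateTags` and `ec2:ModifyInstanceAttribute`.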