Security incident management in the cloud: Tackling the challenges

Identifying security incidents in cloud environments isn't easy, but there are steps companies can take to ease the process.

For most incident handlers and security operations teams, one of the most challenging steps is identification -- how do you notice something unusual, and how can you tell whether it's an event (such as a simple file permissions change) or an actual incident (such as an account being accessed illicitly)? This problem is compounded when you move assets into a cloud provider environment for a number of reasons. In this tip, we'll cover some of the top challenges with security incident management in the cloud and what to do about them.

Lack of network device control

The first major challenge with identifying events in the cloud is due to a general lack of network device availability to and control by consumers. For example, no network firewalls, intrusion detection sensors, proxies or other traditional controls that identify unusual events and incidents can be placed in the standard Amazon EC2 environment. While Amazon does provide a simple firewall and some load balancing capabilities, consumers don't have any means to natively receive network logs and events within the EC2 environment.

To solve this problem, cloud customers have a variety of options. First, they could consider using private cloud services within a cloud provider infrastructure. For Infrastructure as a Service (IaaS) customers, this is often an option (for example, Amazon's Virtual Private Cloud). Within a private cloud, customers can add virtual machines that perform intrusion detection and firewall functions and also control the logs from these platforms.

Another option, especially for IaaS users, is to enable and manage host-based security such as host-based firewalls or host-based IDS/IPS. Any security at the host level can be managed more easily, including logging and event generation configuration. For organizations using PaaS and SaaS, the amount of logging and event information available will vary from one provider to the next and is usually presented in a Web-based console, sometimes with export functions.

Log correlation and analysis

Log management and analysis, including correlation with security information and event management (SIEM) tools, can be a major challenge for organizations using cloud resources. For SaaS and PaaS customers, most (if not all) of the logs generated from activities within the environment will be controlled by the cloud provider. In these cases, you may not be able to get access to the events at all. For IaaS clouds, where you control the systems in question, logs can be generated at the local system level. The bigger issue is where you'll send them and how to analyze them.

You should specifically ask how [your cloud provider will] notify you when an internal incident affects your systems, data and applications.

To better enable effective incident response using virtual machine logging and events in a cloud provider environment, your best bet is to create a new log aggregation system in the cloud along with your other systems. Many organizations install a simple Linux server running Syslog and then send all local system logs to this server, which should be carefully locked down. From there, the logs can be sent back to a local SIEM or other log management platform via VPN, or even encrypted on the local platform and downloaded with SSH or a SCP (secure copy protocol). This doesn't work well for the more "real-time" needs of many incident response scenarios, however, and you may need a private cloud that allows you to incorporate vendor virtual appliances or more continuous VPN connections to your internal security management tools.

Inability to access event data

Likely the biggest cloud security incident management issue overall concerns the difficulty in obtaining event data. Here are some examples:

  • Cloud service provider (CSP) administrator actions: You will likely have little to no visibility whatsoever into the actions your CSP staff takes related to their infrastructure, including your assets. This is something to inquire about with the provider when negotiating your contract, and you should specifically ask how they'll notify you when an internal incident affects your systems, data and applications.
  • Denial of service (DoS) attacks: DoS attacks against your cloud infrastructure can be devastating, and even attacks against others in a multi-tenant environment can have a ripple effect that impacts availability of your systems and services. If you have a private cloud in a CSP environment with network traffic monitoring capabilities in place, you can likely generate events related to excessive traffic volume or unusual protocol use. However, most DoS attacks today are much more stealthy and may impact you before you know it. CSPs should be monitoring and ideally defending against these attacks for you, and you will most likely need to leverage their incident response teams to help in this type of scenario.
  • Application attacks: To monitor Web application attacks in the cloud, you may need to install a local Web application firewall (WAF) on Web server instances, such as ModSecurity. Or, you may be able to leverage either a WAF Security as a Service, such as Imperva's Cloud WAF, or integrate another WAF service within the CSP environment like the Amazon distributed WAF. You could also leverage host-based IDS or IPS agents, as well as some network IDS such as the Snort AWS appliance from Sourcefire. All of these are much more effective in a private cloud environment. Monitoring and alerting on application attacks again underscores how difficult it can be to get event and alert data in a public cloud-based environment.

In many cases today, you'll need to rely on providers to identify and mitigate incidents in the cloud. The more control you have (usually with IaaS services) and the more flexibility you have in adding virtual appliances and network security infrastructure, the better you'll be able to quickly identify suspicious events and take action.

About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing