

Top 6 cloud security analytics use cases

Security analytics use cases vary from fraud detection to threat intelligence analysis. Learn how deploying this technology in the cloud can improve enterprise infosec programs.

The list of security-oriented use cases for cloud computing is a long one. This versatile technology enables SaaS brokering services and identity and access management, and it facilitates traditional security processes and controls, to name a few.

One of the top use cases for cloud security is large-scale event processing and security analytics. Most major SIEM providers have added cloud event processing options to their list of offerings. New services are also emerging that can process massive quantities of data to provide security outputs.

As organizations generate more event data than ever before, many of the traditional tools used within data centers are now obsolete. Fortunately, cloud infrastructure has almost unlimited capacity for handling these activities. To make better decisions about whether to implement cloud technology in their infosec programs and how it can help achieve their organization's security goals, enterprise leaders must understand the various applications of cloud security analytics. Read on to learn about the top six.

Cloud security analytics processing use cases

1. Threat intelligence analysis

Threat intelligence data provides perspective on attacker sources, indicators of compromise and behavioral trends related to, for example, cloud account use and attacks against various types of cloud services. Threat intelligence feeds can be aggregated and analyzed at scale using machine learning engines in the cloud. The feeds can also be processed for likelihood or predictability models. With attacks on the cloud increasing -- particularly in the form of account hijacking -- this security analytics use case would be a welcome addition to a cloud security program. Microsoft's Advanced Threat Analytics and Amazon GuardDuty are two examples of vendor offerings. However, they are not configurable by security teams.


Log data and other events are produced in enormous quantities. Security teams need to recognize specific indicators, identify patterns and spot events happening in their cloud environments quickly to defend against them. The cloud provides massive event data processing capabilities to build more intelligent detection and alerting tactics. Microsoft's Azure Sentinel, for example, is a cloud-oriented, AI-powered SIEM service.

3. Endpoint and network behavior modeling

Most endpoints are not in the cloud currently, so cloud-specific endpoint behavior modeling is likely to become popular down the road. Network flow modeling, however, is a security analytics use case worth considering for in-cloud AI processing. There are massive quantities of traffic between systems and the cloud provider control plane that should be developed into "normal" baselines for monitoring. Some endpoint security technology providers also use the cloud for detection and response capabilities.

4. Fraud detection

For financial services firms and insurers, fraud detection requires an enormous number of inputs and data types and many intensive types of processing. Text mining, database searches, social network analysis and anomaly detection are coupled with predictive models at scale. Cloud security analytics engines can help with this enormously. They could be extended to fraudulent use of cloud services -- for example, a Microsoft 365-based phishing attack from a hijacked account.

5. Malware detection

Cloud-native event processing of data and file attributes can help detect ransomware and other malware variants today -- particularly those without known signatures. For organizations interested in deploying this security analytics use case, leading endpoint detection and response vendors use cloud data processing in their services, including Carbon Black and CrowdStrike. However, there is a case to be made for in-house sandbox processing engines using data analytics in the cloud as well.

6. Data classification and monitoring

Cloud analysis engines can process all data uploaded and created in cloud environments to classify and tag based on predefined policies and then monitor for access. The analysis is based on known content types and patterns. There is a long way to go to make this type of service more flexible and widespread, but Amazon Macie is one example of a data analysis and monitoring vendor option.

Choose your cloud security analytics use cases carefully.

To be sure, there are potential pitfalls of cloud security analytics. First, tools and services will need to be available in the cloud natively or compatible with cloud service environments. Second, some degree of cloud platform knowledge is useful or even required to best implement these capabilities. This is difficult because many security operations teams may not have the experience or skills necessary to implement these use cases.

Regardless of these possible drawbacks, cloud technology is rapidly helping address some of the most pressing requirements in security operations, and these trends will definitely accelerate in the coming months and years.
