The three types of cloud security data

Omer Singer
3 min read · Apr 29, 2019


As a cloud-native SaaS company, Snowflake has always had a need for cloud security. It’s a brave new world, with its own risks and opportunities. One of these opportunities is the amount of data that can be leveraged to spot threats before they make themselves comfortable in your cloud.

Infrastructure provided by AWS, Azure, and GCP is heavily instrumented. The virtual nature of resources such as EC2 instances and S3 buckets, coupled with the “API First” culture at the major cloud providers, means that security teams can get super granular data on what’s happening in their environment.

The availability of everything over API at AWS is not a coincidence: Jeff Bezos famously issued his internal API Mandate ending with “Anyone who doesn’t do this will be fired. Thank you; have a nice day!”

Security teams should take advantage of this data-driven opportunity, and not limit themselves to traditional security analytics with its focus on event logs. In the cloud, three types of data are essential for effective security analytics: activity, inventory, and configuration.

Activity Data

Event logs describing actions performed by users and systems are the classic raw material for threat detection. These records focus on what was done, with some reference to who and where.

CloudTrail Activity in Snowflake

Inventory Data

In the old days of server racks and ESX, it was no small task to get data on what you’re supposed to protect. Network discovery scans and Excel spreadsheets were the unfortunate standard for inventory data. With API-enabled cloud infrastructure, inventory data can take its rightful place in your security analytics program.

Inventory data can be defined as records describing resources belonging to the organization. These records should contain not just a unique ID but also resource properties such as the server name, its MAC address, and the environment in which it runs.

Typical inventory data includes records of cloud accounts, cloud servers, and cloud users. Advanced teams may also collect inventory records of software packages and even the laptops used by cloud admins.

This data can power detections of unprotected servers, unmonitored accounts, and compromised user accounts being used from unauthorized endpoints. Inventory data can also be correlated with activities to make event-based detections more accurate, by increasing severity when sensitive resources are involved or suppressing alerts when some action is expected based on where it happened.

EC2 Inventory Data in Snowflake

Configuration Data

To get a firm grasp on your cloud environment, you need to collect a comprehensive set of configuration data. For each resource listed in your inventory, record how it was configured at a point in time. Storing a daily record of each server’s associated security groups, privileges, and other configuration data is critical for identifying risky settings and investigating incidents. Same goes for users, permission policies, and any other resource that is configured within your environment.

Configuration is an area that has actually seen a visibility regression in some cases with the move to the cloud, especially for organizations that used to manage servers in Active Directory. Infrastructure as Code frameworks such as Terraform can help centralize control of cloud configurations, but collecting data on what is actually deployed is essential.

IAM User Config Data in Snowflake

Collecting activity, inventory, and configuration data is the foundation of a high fidelity security analytics program. With cloud storage requiring little investment in terms of budget or management, make a plan to aggregate all three types of data from your cloud environments.
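To make the correlation described in the Inventory and Configuration sections concrete, here is an added example (not code from the post or from Snowflake) that joins a CloudTrail-style activity record to an inventory table and a daily configuration snapshot, raising severity when a production resource with a risky setting is involved and suppressing the alert when the action is expected in a dev environment. The tables, column names and the three records are constructed for illustration; the query runs the same way in any SQL engine, here SQLite so it runs offline.

```python
import sqlite3

# Constructed sample records (not real CloudTrail/EC2 data), one table per data type.
ACTIVITY = [  # activity: who did what, on which resource, from where
    ("evt-1", "2019-04-29T10:00:00Z", "alice", "StopInstances", "i-prod-01", "203.0.113.7"),
    ("evt-2", "2019-04-29T10:05:00Z", "bob",   "StopInstances", "i-dev-07",  "198.51.100.4"),
    ("evt-3", "2019-04-29T10:07:00Z", "alice", "StopInstances", "i-unknown", "203.0.113.7"),
]
INVENTORY = [  # inventory: resources the organization owns plus their properties
    ("i-prod-01", "web-prod-1",  "prod", "vpc-1"),
    ("i-dev-07",  "ci-runner-7", "dev",  "vpc-2"),
]
CONFIG = [  # configuration: daily snapshot of each resource's settings
    ("2019-04-29", "i-prod-01", "sg-ssh-open", 1),  # public_ssh = 1 is the risky setting
    ("2019-04-29", "i-dev-07",  "sg-internal", 0),
]

def score_events(activity=ACTIVITY, inventory=INVENTORY, config=CONFIG):
    """Return {event_id: severity} after correlating activity with inventory and config."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE activity(event_id, ts, user, action, resource_id, src_ip);
        CREATE TABLE inventory(resource_id, name, env, vpc);
        CREATE TABLE config(snapshot_date, resource_id, security_group, public_ssh);
    """)
    db.executemany("INSERT INTO activity VALUES (?,?,?,?,?,?)", activity)
    db.executemany("INSERT INTO inventory VALUES (?,?,?,?)", inventory)
    db.executemany("INSERT INTO config VALUES (?,?,?,?)", config)
    rows = db.execute("""
        SELECT a.event_id,
               CASE
                 WHEN i.resource_id IS NULL THEN 'high'                    -- resource not in inventory
                 WHEN i.env = 'prod' AND c.public_ssh = 1 THEN 'critical'  -- sensitive resource, risky config
                 WHEN i.env = 'prod' THEN 'high'
                 WHEN i.env = 'dev' THEN 'suppressed'                      -- expected here, do not alert
                 ELSE 'medium'
               END AS severity
        FROM activity a
        LEFT JOIN inventory i ON i.resource_id = a.resource_id
        LEFT JOIN config c ON c.resource_id = a.resource_id
                           AND c.snapshot_date = substr(a.ts, 1, 10)  -- config as of the event's day
        WHERE a.action = 'StopInstances'
    """).fetchall()
    return dict(rows)

if __name__ == "__main__":
    for event_id, severity in score_events().items():
        print(event_id, severity)
```

The event against a resource missing from inventory is scored high on its own, which is the "unprotected server" detection the post mentions.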

Written by Omer Singer

I believe that better data is the key to better security. These are personal posts that don’t represent Snowflake.
