Tap Into Your Inner Logs for Better Anomaly Detection and Incident Response

Tenable Cloud Security enriches cloud activity log data to give you the context you need to quickly respond to and remediate cloud risks.

In 2023, it took organizations an average of 204 days to identify a breach, according to the IBM Cost of a Data Breach Report 2023. Perhaps of equal concern: 82% of breaches involved data stored in the cloud. The average total cost of a data breach increased 2.8% in 2023 to $4.45 million.

With so many tools at their disposal, you might wonder why security teams continue to struggle with detection and response times.

Let’s take a real-life cloud scenario. An organization found that its cloud costs had gone up quickly, without any discernible reason why. As a result, the company started to wonder if it had been breached. A security investigation revealed that the DevOps team had accidentally created an over-privileged Amazon Machine Image (AMI) on a public IP. The privileges were included as part of the DevOps team’s template, so that every time a new AMI was spun up, it was creating an over-privileged and vulnerable instance.

By gaining access to the server, attackers could leverage excessive privileges to run a cryptominer, benefiting from the free compute services, while the attacked entity was charged for the expensive compute utilization.

Why wasn’t this breach identified sooner? Traditional security methods failed because the machine logs gave no indication of this misconfiguration on their own. Only a more in-depth investigation could identify and contain the issue in a reactive manner. Several challenges contributed to the delayed detection. Due to costs, detailed data collection that includes management logs, relational database service (RDS) logs and data events are not always collected. Furthermore, even when the data is collected, it can be challenging for incident response teams that lack deep cloud expertise to decipher what it means and where the potential risks are.

Four cloud incident response challenges

Let’s explore why cloud incident detection and response can be so challenging.

1. Gaps in log data

In traditional on-prem infrastructure directly owned and controlled by an organization, robust log data is pretty much at your fingertips. In the cloud, the infrastructure is owned by the Cloud Service Provider (CSP). An incident response team’s ability to investigate attacks is therefore dependent on what data is being collected by the CSP. This is made more challenging by the fact that each CSP has its own defaults and nuances for data collection, which not only can impact what data is collected, but also the cost to access that data and the length of time that data is retained. Without expertise in the details of each CSP’s default settings and an understanding of their unique differences in data capture and retention policies, incident response teams can be left with serious gaps in data, hampering investigation and remediation efforts.

2. Dynamic cloud architectures

Cloud native architectures with microservices, containers and Kubernetes are increasingly the norm. More importantly, they have many more moving parts than traditional virtual machines, making them highly complex. They are also highly distributed and ephemeral in nature, dynamically scaled as resources are needed. The volume of parts and the fact that they are ever-changing, makes it difficult for incident response teams to assess how an attacker may have gained initial access, and what changes they may have made over time — especially if data is only retained for a specific, and limited period of time. Therefore, if an incident is not detected early, accessing the data needed to investigate incidents may be difficult or impossible.

3. Limited asset context

Security teams often have zero or near-zero visibility into the configurations and relationships of cloud assets. This lack of contextual visibility makes it challenging to identify the potential steps that may have been taken by a bad actor to execute a successful attack path. Imagine the police investigating a home burglary without visibility into the layout of internal rooms or the location of the windows and doors of the house. That’s the reality facing security teams in the cloud when analyzing cloud logs.

4. Insufficient insight into privileges

In the cloud, identities and privileges are the new perimeter. And identities are not just limited to people. Machine identities in the cloud can greatly outnumber the volume of human identities. For an attacker, human or machine identity makes little difference. With thousands of digital identities and credentials in cloud environments, it is easy to overlook a weakness an attacker can exploit to access or modify infrastructure. Without an understanding of identities and privileges, the task of understanding the domino chain of events leading to a successful breach can seem impossible.

5. Alert fatigue

Alert fatigue is both a challenge and an outcome of the issues discussed above. The function of logs is to collect data and maintain a record. But data alone is of little value if it is overwhelming. Not all data or activity is relevant. Nor is it malicious. And this is perhaps the biggest challenge for security teams. Many tools have static policies to identify categories of suspicious activity which can result in false alarms when there’s no established baseline for normal vs. abnormal activity to weed out alert noise. But baselines alone are not enough to eliminate noise if we do not understand the relationships between upstream and downstream assets and identities and the privileges that facilitate lateral movement.

What’s needed for better incident response?

Security teams seeking to improve their anomaly detection and incident response need an integrated approach that can address gaps in their incident response data and processes. This starts with centralized visibility across multi-cloud environments. A detailed inventory of assets and identities — including modern cloud architectures such as containers and Kubernetes as well as people and machine identities — lays the foundation for identifying all possible targets and entry points in the attack surface. Mapping of assets and identity relationships, including privileges, provides a contextual understanding of feasible attack paths that may be taken. With this deeper context, it is possible to establish better baselines into normal and abnormal behavior, enrich log data, and significantly reduce alert noise by aggregating and contextualizing related alerts.

Cloud Native Application Protection Platforms (CNAPP) like Tenable Cloud Security enrich cloud activity logs with resource-specific identity threat data. Tenable Cloud Security provides continuous risk analysis that checks for anomalies against behavioral baselines. To accelerate anomaly detection and incident response Tenable Cloud Security taps into a cloud's inner logs to analyze all activity in the environment. By providing insights into escalated privileges, changes to network configuration and unauthorized use or theft of access keys, Tenable Cloud Security speeds anomaly detection and response by giving users contextualized and actionable information.

For more information on how Tenable can enrich CSP data with relevant information, check out our open source tool, AWS Access Undenied or Tenable Cloud Security.

Learn more

• Read the blogs: Beyond the Horizon: Top 5 Cloud Security Trends to Watch in 2024 and Learning to Love Audit and Compliance: It’s Possible
• Visit the Tenable Cloud Security product page to learn more or request a demo: https://www.tenable.com/products/tenable-cloud-security