With many enterprises now a few weeks into fully remote operations, security leaders are shifting their focus to different areas of the business that now require more visibility to protect against evolving threats – including cloud and SaaS applications.
How can you gain visibility into cloud and SaaS applications? In the third webinar in our series on securing your remote workforce, Brian Philip Murphy, Chief Architect at ReliaQuest, moderated a lively discussion with Greg Foss, Senior Threat Researcher at VMware Carbon Black, and James Berthoty, Cloud Security Engineer at ReliaQuest. The panel provided the following best practices to increase visibility:
1. Explore new solutions to gather data, including cloud proxy, data loss prevention, and open API integrations.
Traditional methods security leaders relied on for gathering information, such as firewalls, are no longer effective in a remote work model. It’s important to look at different solutions that will provide adequate visibility into your cloud and SaaS applications. However, you must be strategic when choosing solutions, as you can easily end up with too many products and spend too much time trying to gather the data across them. To determine what new security controls will help you get the visibility you need, start by assessing where your critical data resides and working backwards from there.
A few options to consider are cloud-based proxies, which are essentially firewalls in the cloud; Cloud Access Security Brokers (CASBs), for data loss prevention; and products that have open API access, so you can get granular with the data you see. Additionally, user awareness training is a critical part of your security strategy to protect your remote workforce. Educate your team on the risks and best practices when using cloud and SaaS applications – and focus on the user benefits of SaaS platforms like SharePoint and Office 365.
2. Focus your security monitoring efforts on alerts that provide insight into user activity.
Cloud activity logs from providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) are essential since they generate actionable alerts that allow you to see user logins and activity in the cloud environment. One benefit of using cloud providers is the granularity of their access logs. For example, AWS CloudTrail surfaces not only user access, but user commands after authentication. One drawback of using these built-in logs is the substantial lift of building custom content around them due to their granularity and complexity; however, if your content team is up to the task, cloud provider log sources provide unparalleled granularity from a single source.
To give an example, AWS CloudTrail logs can offer the username, what role was assumed, what exact commands were attempted from what IP address, and against which specific resources. They even provide granularity down to whether or not the user used multi-factor authentication when running the command. In this way, not only do cloud activity events provide insights to keep your organization secure, they also increase visibility between departments, therefore aiding in business continuity.
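As an added illustration of the fields described above (not code from the webinar or from ReliaQuest), the following Python pulls the user, assumed role, action, source IP, target resources and MFA state out of CloudTrail records and flags sensitive actions that were not performed under an MFA-authenticated session. The field names (`userIdentity.type`, `sessionContext.attributes.mfaAuthenticated`, `additionalEventData.MFAUsed`, `eventSource`, `eventName`, `sourceIPAddress`, `requestParameters`, `resources[].ARN`) are the documented CloudTrail schema; the sample records, account id, names and IP addresses are constructed placeholders, and the list of "sensitive" actions is an assumption you would tune to your own environment.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed CloudTrail records for illustration only; account id, user and
# role names, bucket name and IP addresses are placeholders, not real data.
SAMPLE_TRAIL: List[Dict[str, Any]] = json.loads(r'''
{"Records": [
  {"eventTime": "2020-04-10T14:02:11Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "userName": "alice",
                    "arn": "arn:aws:iam::111111111111:user/alice"},
   "additionalEventData": {"MFAUsed": "Yes"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2020-04-10T14:09:40Z", "eventSource": "iam.amazonaws.com",
   "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111111111111:assumed-role/AdminRole/bob",
                    "sessionContext": {
                      "attributes": {"mfaAuthenticated": "false"},
                      "sessionIssuer": {"type": "Role", "userName": "AdminRole",
                                        "arn": "arn:aws:iam::111111111111:role/AdminRole"}}},
   "requestParameters": {"userName": "svc-deploy"}},
  {"eventTime": "2020-04-10T14:15:02Z", "eventSource": "s3.amazonaws.com",
   "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111111111111:assumed-role/AdminRole/carol",
                    "sessionContext": {
                      "attributes": {"mfaAuthenticated": "true"},
                      "sessionIssuer": {"type": "Role", "userName": "AdminRole",
                                        "arn": "arn:aws:iam::111111111111:role/AdminRole"}}},
   "requestParameters": {"bucketName": "example-logs-bucket"},
   "resources": [{"ARN": "arn:aws:s3:::example-logs-bucket", "type": "AWS::S3::Bucket"}]},
  {"eventTime": "2020-04-10T14:20:30Z", "eventSource": "iam.amazonaws.com",
   "eventName": "PutUserPolicy", "sourceIPAddress": "192.0.2.44",
   "userIdentity": {"type": "IAMUser", "userName": "dave",
                    "arn": "arn:aws:iam::111111111111:user/dave"},
   "requestParameters": {"userName": "dave", "policyName": "inline-admin"}}
]}
''')["Records"]

# Assumed watch-list of actions worth an alert when run without MFA; tune per environment.
SENSITIVE_ACTIONS = {
    "signin:ConsoleLogin", "iam:CreateAccessKey", "iam:PutUserPolicy",
    "iam:AttachUserPolicy", "s3:DeleteBucket", "ec2:AuthorizeSecurityGroupIngress",
}


def mfa_used(record: Dict[str, Any]) -> Optional[bool]:
    """True/False when CloudTrail states the MFA outcome; None when it cannot.

    Console logins carry additionalEventData.MFAUsed. API calls made with
    temporary (session) credentials carry sessionContext.attributes.mfaAuthenticated.
    A call made directly with a long-term access key has no session context, so the
    MFA state is unknown rather than 'false'.
    """
    extra = record.get("additionalEventData") or {}
    if "MFAUsed" in extra:
        return extra["MFAUsed"] == "Yes"
    attrs = ((record.get("userIdentity") or {}).get("sessionContext") or {}).get("attributes") or {}
    if "mfaAuthenticated" in attrs:
        return str(attrs["mfaAuthenticated"]).lower() == "true"
    return None


def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one CloudTrail record to the who / as-what / did-what / from-where / to-what fields."""
    ident = record.get("userIdentity") or {}
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        role = issuer.get("userName") or arn.split("/")[1]
        user = arn.rsplit("/", 1)[-1]          # session name, usually the caller's identity
    else:
        role = None
        user = ident.get("userName") or ident.get("type", "unknown")
    service = record.get("eventSource", "").split(".")[0]
    return {
        "time": record.get("eventTime"),
        "user": user,
        "role": role,
        "action": f"{service}:{record.get('eventName')}",
        "source_ip": record.get("sourceIPAddress"),
        "params": record.get("requestParameters") or {},
        "resources": [r["ARN"] for r in record.get("resources", []) if r.get("ARN")],
        "mfa": mfa_used(record),
    }


def flag_non_mfa_sensitive(records: List[Dict[str, Any]], sensitive=SENSITIVE_ACTIONS) -> List[Dict[str, Any]]:
    """Return summaries of sensitive actions where MFA was not positively confirmed.

    'mfa is not True' deliberately catches both an explicit 'false' and the
    unknown case (long-term key, no session), so a missing field never hides an event.
    """
    return [s for s in map(summarize, records) if s["action"] in sensitive and s["mfa"] is not True]


if __name__ == "__main__":
    for hit in flag_non_mfa_sensitive(SAMPLE_TRAIL):
        print(f"{hit['time']} {hit['user']} (role={hit['role']}) {hit['action']} "
              f"from {hit['source_ip']} mfa={hit['mfa']} params={hit['params']}")
```

In the constructed sample, the console login and the MFA-backed `DeleteBucket` pass, while `CreateAccessKey` from a non-MFA role session and `PutUserPolicy` made with a long-term key are both surfaced; the second case is the one that is easy to miss if a rule only tests for `mfaAuthenticated == "false"`.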
3. Prioritize ways to integrate your technologies – including SIEM, EDR, Cloud, and SaaS applications.
As more businesses shift to cloud and SaaS applications, it’s essential that these integrate into your SIEM and EDR to provide a centralized view of your entire environment – it only takes one unintegrated tool to create major inefficiencies in your business. For example, if a health monitoring tool cannot ingest one of your log sources, then visibility and alerting must live in separate places, decreasing the likelihood of proper configuration and maintenance. Similarly, log sources that are not optimized through a SIEM will decrease security posture.
When looking at new tool purchases, prioritize integrations to reduce the amount of technology pivots needed to complete investigations, thereby accelerating threat detection and response and improving threat hunts.
ReliaQuest’s customers are increasing visibility through GreyMatter, ReliaQuest’s platform that unifies and integrates existing SIEM, EDR, multi-cloud, and third-party apps to deliver a centralized, transparent view across your environment.
ReliaQuest believes security is a team sport, so we are sharing use cases, automation plays, and threat intel research powering our GreyMatter platform to help protect your organization. Sign up for our Rapid Response Resources Series to receive specific use case queries to optimize in your SIEM, attack overviews, and recommended automation plays.