4 Strategies for Improving Visibility into Your Cloud Data

These techniques can help security teams gain visibility of data across multi-cloud environments and generate new business opportunities.


“You can’t protect what you can’t see,” goes the saying about security. The reverse is also true: When you can see data, you can protect it. The challenge is seeing data that’s in the cloud, an increasingly popular place for enterprises to store critical information. Cloud adoption continues to accelerate in the enterprise, as does the complexity of cloud infrastructure. Ninety-three percent of enterprises now have a multi-cloud strategy, while 87% have a hybrid cloud strategy, according to the Flexera 2020 State of the Cloud Report.

To protect data in the cloud, security teams need to see and analyze threats to these complex storehouses of data, as well as understand what’s normal baseline behavior – and what is potentially malicious and dangerous. The four strategies here can help increase visibility into your cloud data to reduce risk, respond to threats faster, and continually mature security programs.

Strategy #1: Establish baselines

Baselines help create consistency. Teams need consistent tools and processes for establishing what normal activity in the cloud looks like in order to identify potentially malicious activity. For example, they may receive alerts for anomalous activity, raised when AWS CloudTrail logs show a user performing actions they have not performed before: unusual user access, access denials, API calls, or commands issued after authentication.
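As an added example (not code from the article or from ReliaQuest), the block below learns a per-identity baseline from a window of CloudTrail events and then flags the deviations the paragraph lists: an API call the identity has never made, a source IP it has never used, an access-denied error, and an identity with no baseline at all. The events are constructed, trimmed-down CloudTrail records; the field names used (eventTime, userIdentity.arn, eventSource, eventName, sourceIPAddress, errorCode) are the real CloudTrail ones, while the learning window and the deviation rules are assumptions.

```python
"""Per-identity activity baseline from AWS CloudTrail events, with first-seen detection.

Added example, not code from the article or from ReliaQuest. The events below are
constructed, trimmed-down CloudTrail records; the field names (eventTime,
userIdentity.arn, eventSource, eventName, sourceIPAddress, errorCode) are the
real CloudTrail ones. The learning window and the deviation rules are assumptions.
"""
import json
from collections import defaultdict

# Error codes CloudTrail records when a call is refused by IAM or by the service.
ACCESS_DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def _event(time, arn, source, name, ip, error=None):
    """Build a constructed CloudTrail-style record (helper for the sample data only)."""
    ev = {"eventTime": time, "userIdentity": {"arn": arn}, "eventSource": source,
          "eventName": name, "sourceIPAddress": ip}
    if error:
        ev["errorCode"] = error
    return ev


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"

# Constructed learning window: what each identity normally does, and from where.
BASELINE_WINDOW = [
    _event("2021-03-01T09:02:11Z", ALICE, "s3.amazonaws.com", "ListBuckets", "198.51.100.10"),
    _event("2021-03-01T09:03:40Z", ALICE, "s3.amazonaws.com", "GetObject", "198.51.100.10"),
    _event("2021-03-02T10:15:02Z", ALICE, "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.10"),
    _event("2021-03-01T14:20:55Z", BOB, "ec2.amazonaws.com", "DescribeInstances", "198.51.100.20"),
    _event("2021-03-03T08:01:13Z", BOB, "ec2.amazonaws.com", "StartInstances", "198.51.100.20"),
]

# Constructed events from a later period, to be judged against the baseline.
NEW_EVENTS = [
    _event("2021-03-10T09:00:00Z", ALICE, "s3.amazonaws.com", "GetObject", "198.51.100.10"),
    _event("2021-03-10T09:05:31Z", ALICE, "iam.amazonaws.com", "CreateAccessKey", "198.51.100.10"),
    _event("2021-03-10T23:41:07Z", ALICE, "s3.amazonaws.com", "ListBuckets", "203.0.113.77"),
    _event("2021-03-11T07:12:44Z", BOB, "ec2.amazonaws.com", "DescribeInstances", "198.51.100.20",
           error="Client.UnauthorizedOperation"),
    _event("2021-03-11T07:30:00Z", CAROL, "s3.amazonaws.com", "ListBuckets", "198.51.100.30"),
]


def _identity(ev):
    return ev.get("userIdentity", {}).get("arn", "<unknown>")


def _action(ev):
    return f"{ev['eventSource']}:{ev['eventName']}"


def build_baseline(events):
    """Learn, per identity, the set of API actions and source IPs seen in the window.

    Failed calls are excluded: a denied request does not define normal behaviour.
    """
    baseline = defaultdict(lambda: {"actions": set(), "ips": set()})
    for ev in events:
        if ev.get("errorCode"):
            continue
        entry = baseline[_identity(ev)]
        entry["actions"].add(_action(ev))
        entry["ips"].add(ev["sourceIPAddress"])
    return dict(baseline)


def evaluate(events, baseline):
    """Return one finding per deviation from the learned baseline."""
    findings = []
    for ev in events:
        who, action, ip = _identity(ev), _action(ev), ev["sourceIPAddress"]
        reasons = []
        if ev.get("errorCode") in ACCESS_DENIED_CODES:
            reasons.append("access denied")
        known = baseline.get(who)
        if known is None:
            reasons.append("identity not in baseline")
        else:
            if action not in known["actions"]:
                reasons.append("first-seen API call")
            if ip not in known["ips"]:
                reasons.append("first-seen source IP")
        for reason in reasons:
            findings.append({"time": ev["eventTime"], "identity": who, "action": action,
                             "sourceIP": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in evaluate(NEW_EVENTS, build_baseline(BASELINE_WINDOW)):
        print(json.dumps(finding))
```

Run against the constructed data, the baseline window itself produces no findings, and the later events produce exactly four: Alice's first IAM call, Alice's first activity from an unknown address, Bob's denied request, and Carol, who has no baseline. In practice the window would be built from a CloudTrail export or a SIEM query over several weeks, and the learned sets would be refreshed so that legitimately new behaviour stops alerting.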

Learn how to recognize insider threat activity in the cloud in the blog: Top 3 Indicators of Data Exfiltration from Your Organization’s Cloud Applications.

Strategy #2: Normalize data into a single standard

A sort of “Tower of Babel” situation can interfere with visibility into cloud data: analysts must be familiar with the differing syntax of cloud platforms such as AWS, Google Cloud Platform, and Microsoft Azure. While it would be nice to assume that every member of a security team has deep knowledge of syntax, query languages, and alert logic across best-of-breed security tools, this consistent level of expertise is unlikely.

The easier approach is to train analysts on a single standard and enable access to many different data sources in a single view, normalizing tool-specific fields across integrated technologies so that analysts can correlate and query across them. This approach can include a translation engine to map and normalize fields, giving analysts not only a unified view across technologies but also a mechanism to query across tools in their preferred syntax, or in a language such as JSON. With this unified view of data, security teams can perform analysis and threat hunts faster without extensive knowledge of each technology’s field names or search language.
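As an added example (not the article's or any vendor's translation engine), the block below implements the field-mapping step described above: a small translation table maps AWS CloudTrail, Azure Activity Log and GCP Cloud Audit Log records onto one common schema, after which a single query runs across all three clouds without the analyst knowing any provider's field names. The raw records are constructed, trimmed versions of each provider's real log format; the common schema (time, cloud, actor, service, action, resource, source_ip, success) is an assumption chosen for this illustration, and the Azure subscription id is a placeholder.

```python
"""Translate AWS CloudTrail, Azure Activity Log and GCP Cloud Audit Log records
into one common schema, then query across them with a single set of field names.

Added example, not the article's or any vendor's translation engine. The raw
records are constructed, trimmed versions of each provider's real log format;
the common schema is an assumption chosen for this illustration.
"""


def _get(obj, path, default=None):
    """Walk a dotted path such as 'userIdentity.arn' through nested dicts."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# Translation table: common field -> dotted path in the raw record, or a callable
# for fields that need more than a straight lookup.
FIELD_MAPS = {
    "aws": {
        "time": "eventTime",
        "actor": "userIdentity.arn",
        "service": "eventSource",
        "action": "eventName",
        "resource": lambda r: (r.get("resources") or [{}])[0].get("ARN"),
        "source_ip": "sourceIPAddress",
        "success": lambda r: "errorCode" not in r,
    },
    "azure": {
        "time": "time",
        "actor": "caller",
        "service": lambda r: r["operationName"].split("/")[0],
        "action": "operationName",
        "resource": "resourceId",
        "source_ip": "callerIpAddress",
        "success": lambda r: r.get("resultType") == "Success",
    },
    "gcp": {
        "time": "timestamp",
        "actor": "protoPayload.authenticationInfo.principalEmail",
        "service": "protoPayload.serviceName",
        "action": "protoPayload.methodName",
        "resource": "protoPayload.resourceName",
        "source_ip": "protoPayload.requestMetadata.callerIp",
        "success": lambda r: _get(r, "protoPayload.status.code", 0) == 0,
    },
}

# Constructed raw records (trimmed shapes of the real formats), one or two per cloud.
RAW_EVENTS = [
    ("aws", {"eventTime": "2021-03-10T09:05:31Z",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
             "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
             "sourceIPAddress": "198.51.100.10",
             "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]}),
    ("aws", {"eventTime": "2021-03-10T09:07:02Z",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
             "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
             "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
             "resources": [{"ARN": "arn:aws:s3:::example-bucket"}]}),
    ("azure", {"time": "2021-03-10T09:10:15Z", "caller": "alice@example.com",
               "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
               "resultType": "Failure", "callerIpAddress": "203.0.113.77",
               "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/"
                             "Microsoft.Storage/storageAccounts/examplesa"}),
    ("gcp", {"timestamp": "2021-03-10T09:12:48Z",
             "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                              "serviceName": "storage.googleapis.com",
                              "methodName": "storage.buckets.list",
                              "resourceName": "projects/_/buckets",
                              "requestMetadata": {"callerIp": "198.51.100.10"},
                              "status": {}}}),
]


def normalize(cloud, raw):
    """Map one raw record onto the common schema using the cloud's translation entry."""
    out = {"cloud": cloud}
    for field, spec in FIELD_MAPS[cloud].items():
        out[field] = spec(raw) if callable(spec) else _get(raw, spec)
    return out


def load_sample():
    """Normalize all constructed records into one list."""
    return [normalize(cloud, raw) for cloud, raw in RAW_EVENTS]


def query(records, **criteria):
    """Keep records whose common fields equal every given criterion, whatever the cloud."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    unified = load_sample()
    for rec in query(unified, success=False):
        print(rec["cloud"], rec["actor"], rec["action"], rec["source_ip"])
```

The query `query(unified, success=False)` returns the denied S3 policy change and the failed Azure storage write in one result set, and `query(unified, source_ip="203.0.113.77")` pivots on an address across both clouds. Adding a new source is a matter of adding one entry to `FIELD_MAPS`; the analysts' queries do not change.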

Strategy #3: Adopt automation

No one wants security teams spending hours every day on “low brain, high repetition” tasks, which take time away from the strategic work of assessing threats. Automation allows teams to skip the data-gathering phase and go straight to investigations. With more time to analyze data, experts can train their colleagues on the differences between normal and abnormal user behavior. In addition, teams can re-classify severity and dynamic scores based on additional context learned over time.

On a high level, automation can also be applied to enrichment, triage, and remediation actions. Enrichment plays can save time as well as apply consistent intelligence to activities like threat hunting. Instead of relying on team members’ varying skill and experience levels, security analysts can use automation to minimize errors and missteps.
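As an added example (not a playbook from the article or from any product), the block below is an enrichment-and-triage play of the kind described above: every finding is enriched with the same context, given a dynamic score, and assigned a severity, so the result does not depend on which analyst picks it up. The finding format, the corporate address range, the sensitive-action list, the owner lookup and the scoring weights are all assumptions chosen for illustration.

```python
"""Enrichment and triage play for detection findings, with a dynamic score.

Added example, not a playbook from the article or from any product. The finding
format, the corporate address ranges, the sensitive-action list, the owner lookup
and the scoring weights are all assumptions chosen for illustration.
"""
import ipaddress

# Constructed context an enrichment play would pull from inventory and policy.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
SENSITIVE_ACTIONS = {
    "iam.amazonaws.com:CreateAccessKey",
    "iam.amazonaws.com:AttachUserPolicy",
    "s3.amazonaws.com:PutBucketPolicy",
}
ASSET_OWNERS = {"arn:aws:iam::123456789012:user/alice": "data-platform"}  # hypothetical CMDB lookup

# Base score per detection reason; enrichment context adds to it below.
BASE_SCORES = {
    "identity not in baseline": 40,
    "first-seen API call": 30,
    "first-seen source IP": 30,
    "access denied": 20,
}

# Constructed findings, in the shape a baseline detector might emit.
FINDINGS = [
    {"identity": "arn:aws:iam::123456789012:user/alice", "action": "iam.amazonaws.com:CreateAccessKey",
     "sourceIP": "198.51.100.10", "reason": "first-seen API call"},
    {"identity": "arn:aws:iam::123456789012:user/alice", "action": "s3.amazonaws.com:ListBuckets",
     "sourceIP": "203.0.113.77", "reason": "first-seen source IP"},
    {"identity": "arn:aws:iam::123456789012:user/carol", "action": "s3.amazonaws.com:PutBucketPolicy",
     "sourceIP": "203.0.113.5", "reason": "identity not in baseline"},
    {"identity": "arn:aws:iam::123456789012:user/bob", "action": "ec2.amazonaws.com:DescribeInstances",
     "sourceIP": "198.51.100.20", "reason": "access denied"},
]


def enrich(finding):
    """Attach the same context to every finding, regardless of who is on shift."""
    ip = ipaddress.ip_address(finding["sourceIP"])
    enriched = dict(finding)
    enriched["corporate_ip"] = any(ip in net for net in CORPORATE_RANGES)
    enriched["sensitive_action"] = finding["action"] in SENSITIVE_ACTIONS
    enriched["owner"] = ASSET_OWNERS.get(finding["identity"], "unassigned")
    return enriched


def score(enriched):
    """Dynamic score: base by detection reason, raised by the enrichment context."""
    total = BASE_SCORES.get(enriched["reason"], 10)
    if not enriched["corporate_ip"]:
        total += 30      # activity from outside known egress ranges
    if enriched["sensitive_action"]:
        total += 30      # credential or policy changes
    if enriched["owner"] == "unassigned":
        total += 10      # nobody to confirm the activity quickly
    return min(total, 100)


def severity(total):
    return "high" if total >= 70 else "medium" if total >= 40 else "low"


def triage(findings):
    """Enrich, score and order findings so analysts start with the highest risk."""
    out = []
    for f in findings:
        e = enrich(f)
        e["score"] = score(e)
        e["severity"] = severity(e["score"])
        out.append(e)
    return sorted(out, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in triage(FINDINGS):
        print(f'{e["severity"]:6} {e["score"]:3} {e["identity"]} {e["action"]} {e["reason"]}')
```

On the constructed findings, the unknown identity changing a bucket policy from outside the corporate range scores 100 and is queued first; Bob's single denied read-only call, from a corporate address, scores 30 and waits. The weights are the part a team would re-tune as it learns, which is the "re-classify severity over time" point made above.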

Strategy #4: Track and measure visibility changes

Visibility can and should be measured. These security metrics are valuable in several ways: They can help security leaders benchmark strengths, demonstrate ROI, identify gaps, and make the case for additional budget. By continually tracking your visibility levels in the cloud, you can prioritize integrations to close these gaps over time.

The four strategies listed here can help security teams baseline, tune, and continuously monitor systems, ensuring that teams are applying the controls needed to gain visibility across cloud environments and generate new business opportunities.

For more information, get the white paper: How to Increase Cloud Visibility to Power New Business Opportunities.

Joe Partlow, ReliaQuest CTO, currently oversees all new research and development efforts and new product initiatives. He has been involved with Infosec in some capacity or role for over 20 years, mostly on the defensive side but always impressed by offensive tactics. Current projects and interests include data analytics at scale, forensics, threat, security metrics and automation, red/purple teaming, and artificial intelligence. Outside of Information Security, he has been involved in many other areas of the business including Web Development, Business Intelligence, Database Administration, Project Management, IT, and Operations. He has experience in many different business verticals including retail, healthcare, financial, state/local government, and the Department of Defense. He is also a regular speaker and contributor at security conferences, groups, and associations.

Copyright © 2021 IDG Communications, Inc.