Organizations that migrate their IT infrastructure to the cloud often find that their existing threat protection solutions are inadequate. This is largely because security information and event management (SIEM) systems use a rule-based approach that requires significant human input to evolve. Even a practical, well-tuned approach to on-site security, however, runs into limitations when it is applied to the cloud.
The adoption of cloud services also introduces new cloud security threats driven by changes in user behavior. This transition can prevent system administrators from using their existing threat protection solutions to their fullest potential on the cloud. The following best practices are a few of the most important must-haves for implementing cloud security in your business.
Generate White Lists
Migrating to the cloud greatly increases the number of threat events in most cases. One way to address this problem is to create white lists for events generated by trusted sources, since those events have a low risk of being actual security threats. The general rule of thumb in network and cloud security is to lower the threshold for event generation, but only to the point where it generates as many threat events as you can reasonably investigate. Combined with white lists, this strategy can greatly reduce the number of false-positive events while still keeping the event threshold low.
Look at the Big Picture
Security for an on-site infrastructure often focuses on individual occurrences or anomalies, but cloud security needs to consider threats with multiple dimensions. Consider a user who logs in from a new IP address, changes a security setting within an application, and downloads a greater amount of data than usual. Considered in isolation, none of these anomalies is necessarily indicative of a security incident. Taken together, however, the combination of these indicators provides strong evidence that a security incident is in progress.
Monitor Application Activity
Onsite systems typically have fewer continually running IT services than cloud platforms do. Cloud security therefore requires closer monitoring of applications to ensure that administrators have authorized them, because multiple unauthorized applications across services often signal a threat. Monitoring applications lets you identify threats more effectively by correlating these activities, which is why high visibility into the services running on the cloud is so important.
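The three practices above (white-listing trusted event sources, correlating several weak indicators per user, and checking installed applications against an authorized list) fit naturally into one small correlation routine. The following is an added example written for this article, not code from any product; every event, IP address, application name and baseline in it is constructed sample data, and the window size and the "three distinct indicators" threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed reference data (assumptions for this example, not real environment data).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}          # IPs each user normally logs in from
AUTHORIZED_APPS = {"crm": {"reporting-plugin"}, "storage": {"sync-client"}}  # per-service approved apps
TRUSTED_SOURCES = {"backup-agent"}                                  # white-listed event generators
DOWNLOAD_BASELINE = {"alice": 50_000_000, "bob": 20_000_000}        # typical bytes per session
WINDOW = timedelta(hours=1)                                         # correlation window

# Constructed sample events, as a cloud platform might emit them.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "type": "login", "src_ip": "203.0.113.7", "source": "idp"},
    {"ts": "2024-03-01T09:05:00", "user": "alice", "type": "setting_change", "setting": "mfa", "source": "crm"},
    {"ts": "2024-03-01T09:20:00", "user": "alice", "type": "download", "bytes": 400_000_000, "source": "storage"},
    {"ts": "2024-03-01T09:30:00", "user": "alice", "type": "app_install", "service": "crm", "app": "export-tool", "source": "crm"},
    {"ts": "2024-03-01T10:00:00", "user": "bob", "type": "download", "bytes": 300_000_000, "source": "backup-agent"},
    {"ts": "2024-03-01T11:00:00", "user": "bob", "type": "login", "src_ip": "10.0.0.9", "source": "idp"},
]


def indicator(ev):
    """Map one raw event to a weak indicator name, or None if it looks benign."""
    t = ev["type"]
    if t == "login" and ev["src_ip"] not in KNOWN_IPS.get(ev["user"], set()):
        return "new_ip"
    if t == "setting_change":
        return "security_setting_change"
    if t == "download" and ev["bytes"] > 3 * DOWNLOAD_BASELINE.get(ev["user"], 0):
        return "large_download"
    if t == "app_install" and ev["app"] not in AUTHORIZED_APPS.get(ev["service"], set()):
        return "unauthorized_app"
    return None


def correlate(events, min_indicators=3):
    """Return {user: set_of_indicators} for users who accumulate at least
    min_indicators *distinct* indicators inside a sliding WINDOW.
    Events from white-listed sources are dropped before scoring, so a
    legitimate bulk transfer by the backup agent never contributes."""
    recent = {}   # user -> list of (timestamp, indicator) still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] in TRUSTED_SOURCES:
            continue
        name = indicator(ev)
        if name is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        hits = recent.get(ev["user"], []) + [(ts, name)]
        hits = [(t, n) for t, n in hits if ts - t <= WINDOW]   # slide the window forward
        recent[ev["user"]] = hits
        names = {n for _, n in hits}
        if len(names) >= min_indicators:
            alerts[ev["user"]] = alerts.get(ev["user"], set()) | names
    return alerts


if __name__ == "__main__":
    for user, names in correlate(EVENTS).items():
        print(f"ALERT {user}: {sorted(names)}")
```

Run stand-alone, the script raises one alert for alice, whose four indicators all fall within an hour of each other. Bob's 300 MB download would trip the `large_download` indicator on its own, but it is discarded because the event came from a white-listed source, and his login from a known address produces no indicator at all, so no single weak signal reaches the alert threshold.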
Use Machine-Defined Models at First
It’s difficult to implement threat protection on the cloud by configuring threshold rules for which there is no context. Start instead with machine-defined models, which you can refine later. Software can create these models by analyzing user behavior and detecting threats as deviations from that behavior. Then fine-tune this detection capability manually to reduce the number of false positives it generates.
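To make the contrast between a context-free threshold rule and a machine-defined behavioral model concrete, here is an added example (not code from the article or any vendor). It learns a per-user baseline from constructed download history, scores new observations as standard deviations from that baseline, and exposes the sensitivity as the single knob an analyst tunes by hand afterwards; the history values and the 100 MB fixed limit are assumptions made up for the illustration.

```python
import statistics

# Constructed per-user history of daily download volume in MB (assumed sample data).
HISTORY = {
    "alice": [40, 45, 50, 55, 48, 52, 47, 51, 49, 53],      # steady, low-volume user
    "bob":   [5, 300, 8, 250, 6, 280, 7, 310, 9, 270],       # bursty, but normal for bob
}


def build_model(history):
    """Machine-defined baseline: (mean, population stddev) of each user's past activity."""
    return {user: (statistics.mean(v), statistics.pstdev(v)) for user, v in history.items()}


def score(model, user, value):
    """Z-score of an observation against the user's own baseline."""
    mean, sd = model[user]
    if sd == 0:                       # degenerate history: any change is maximally unusual
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def detect(model, observations, threshold=3.0):
    """Flag users whose observation exceeds `threshold` standard deviations.
    `threshold` is the manual fine-tuning knob: raise it to trade recall for fewer false positives."""
    return {u: v for u, v in observations.items() if score(model, u, v) > threshold}


def detect_fixed(observations, limit_mb=100):
    """The context-free alternative: one static threshold for everybody."""
    return {u: v for u, v in observations.items() if v > limit_mb}


if __name__ == "__main__":
    model = build_model(HISTORY)
    today = {"alice": 80, "bob": 400}
    print("behavioral model flags:", detect(model, today))
    print("fixed 100 MB rule flags:", detect_fixed(today))
```

With these inputs the fixed rule misses alice's 80 MB day, which is roughly seven standard deviations above her baseline, and fires on bob's 400 MB day, which is within two of his. Lowering `threshold` from 3.0 to 2.5 starts flagging alice at 60 MB, which is the kind of manual refinement the paragraph above describes.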
Leverage the Existing Workflow
Businesses that migrate to the cloud often already have well-developed SIEM solutions (security information and event management solutions) running in a security operations center built for their onsite infrastructure. Use a standard feed to deliver the events generated by a cloud security and protection solution into that existing SIEM. This practice allows administrators to correlate cloud anomalies with on-premises anomalies. For more information, and to see how we can help you, visit our website.
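A "standard feed" in practice usually means syslog carrying a line-oriented event format that every mainstream SIEM already parses, such as ArcSight's Common Event Format (CEF). The following is an added example, not the article's or any vendor's code: it serializes a correlated cloud alert as a CEF line with the header and extension escaping CEF requires, wraps it in a syslog frame, and shows where a UDP send would go. The vendor and product strings, the signature ID and the host name are placeholders chosen for the example.

```python
import socket

def _esc_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: backslash, equals sign and newlines must be escaped."""
    return (str(value).replace("\\", "\\\\")
                      .replace("=", "\\=")
                      .replace("\r", "\\r")
                      .replace("\n", "\\n"))


def to_cef(alert, vendor="ExampleCloudSec", product="CloudThreatMonitor", version="1.0"):
    """Render one alert dict as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    `alert["fields"]` holds extension key/value pairs; standard CEF keys such as
    suser (source user), src (source address) and msg work unchanged in most SIEMs."""
    header = "|".join(_esc_header(x) for x in (
        vendor, product, version, alert["id"], alert["name"], alert["severity"]))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in alert["fields"].items())
    return f"CEF:0|{header}|{extension}"


def syslog_frame(cef_line, host, timestamp, facility=20, severity=4):
    """Wrap the CEF line in a BSD-style syslog message.
    PRI = facility * 8 + severity; facility 20 is local4, severity 4 is Warning."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {cef_line}"


def send_udp(frame, siem_host, port=514):
    """Deliver one frame to the SIEM collector over UDP syslog (not called by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (siem_host, port))


# Constructed alert, e.g. the output of a correlation step upstream.
SAMPLE_ALERT = {
    "id": "1001",
    "name": "Multi-indicator cloud anomaly",
    "severity": 8,
    "fields": {"suser": "alice", "src": "203.0.113.7",
               "msg": "new_ip security_setting_change large_download"},
}

if __name__ == "__main__":
    line = to_cef(SAMPLE_ALERT)
    print(syslog_frame(line, "cloudsec-01", "Mar  1 09:30:00"))
    # send_udp(frame, "siem.example.internal")   # placeholder collector address
```

Escaping matters more than it looks: an alert name containing `|` or a message containing `=` would otherwise shift every following field in the SIEM's parser, which is exactly the kind of malformed feed that makes cloud events silently fail to correlate with on-premises ones.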