Hybrid Cloud Security, Part III: A New Approach to Threat Detection in the Cloud

March 21, 2017  |  Danielle Russell

I started rock climbing about five years ago with top ropes. I learned how to belay, how to tie knots, and how to trust my harness, rope, and belay partner to keep me from falling whenever I missed a hold. So, last year, when a new bouldering gym opened in my neighborhood, I was stoked—except for one small problem: no ropes.

In bouldering, you don’t use ropes or a harness, and without them everything changes. You don’t have the luxury of leaning back in the harness halfway up a wall to rest your arms, chalk up, and analyze the problem. Your moves have to be quicker and more calculated, because if you do misstep, you have a 15-foot fall to deal with. In short, you have to take a new approach to a familiar challenge.

In that sense, it’s a lot like hybrid cloud security monitoring:

Regardless of the environment, cloud or on-premises, the goal of threat detection is the same: to prevent data loss, financial loss, and business disruption. Yet as the environment and the infrastructure change, you need a new approach, and perhaps new tools, to tackle this familiar challenge.

In this blog, we’ll examine how and why you should approach hybrid cloud security with different methods, tools, and best practices from those in the data center.

This is Part Three of a three-part series on the security challenges of cloud and hybrid cloud environments. The series covers the following:

  • Part One: How security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments
  • Part Two: New security challenges that are introduced by cloud environments
  • Part Three: Best practices for securing your hybrid cloud environment

Develop good identity and access management practices

In Part Two of this series, we looked at how mismanaging your cloud credentials can be an expensive mistake. It’s also a common pitfall in cloud security. According to Gartner analysts Neil MacDonald and Greg Young, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” They recommend building your cloud security on a solid foundation of identity and access management (IAM) practices, and I agree.

Cloud identity and access management best practice combines the cloud provider’s IAM services with organizational policies that govern how those services are used. For example, in AWS you can use IAM groups to manage users who need the same permissions to do their jobs, and those groups should be defined according to the principle of least privilege: grant only the actions, and only on the resources, that the job actually requires.

Whether you’re just starting out with public cloud or already have production systems running, make the effort now to establish your IAM guidelines and policies, and set up a routine that verifies your IAM configuration still matches them. Groups and policies drift as people change roles and projects end, so that routine should look for permissions that are broader than the job requires, not only for permissions that are missing.
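Putting least privilege into practice means being able to tell an over-broad group policy from a scoped one before it ships, and again on a schedule afterwards. The following is an added example, not AWS tooling and not code from the original post: a small audit of IAM policy documents that flags wildcard actions, write-capable actions allowed on Resource "*", and NotAction/NotResource statements. The two policies, the account ID, and the list of read-only action prefixes are constructed for illustration; the check only treats an exact "*" as a wildcard resource, so a resource ARN ending in "instance/*" passes.

```python
"""Least-privilege audit of IAM policy documents (added example, not AWS tooling)."""
from __future__ import annotations

# Action-name prefixes treated as read-only. Many of these (e.g. ec2:Describe*)
# only work with Resource "*", so they are exempt from the wildcard-resource
# finding. Assumed list for this example; extend it for the services you use.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per way an Allow statement is broader than least privilege."""
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # "*" or "service:*" grants every current and future action of that service.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")

        # Write-capable actions on every resource in the account.
        writes = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and writes:
            findings.append(f"statement {i}: write actions {writes} allowed on Resource '*'")

        # NotAction/NotResource allow everything except the listed items, which is
        # almost never what a least-privilege group wants.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource inverts the allow list")
    return findings


# Constructed policies for the example. The first is what a "developers" group often
# ends up with; the second grants the same day-to-day work on specific resources.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Describe calls cannot be resource-scoped, so Resource "*" is expected here.
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/team": "dev"}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::dev-artifacts/*"},
    ],
}

if __name__ == "__main__":
    for label, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, audit_policy(policy) or "no findings")
```

Run against a real account by feeding it the policy documents you retrieve for each group; the point of the scoped policy is that it still lets the team do its work, just not on every instance and bucket in the account.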

You can find more in-depth best practices on AWS and Azure identity and access management below, respectively.

Furthermore, for a hybrid cloud environment you can streamline identity and access management with cloud provider services that synchronize, consolidate, or federate your cloud identity with your on-premises directory. These include Azure AD Connect, Active Directory Federation Services (AD FS), AWS Directory Service, and AWS AD Connector. As one Microsoft Azure article points out, integrating on-premises and cloud identity not only reduces administrative overhead but also decreases the likelihood of mistakes and security breaches. One caveat: once identity is federated, your on-premises directory and federation servers sit inside the cloud’s trust boundary, so a compromise of either hands an attacker cloud access as well, and they need the same monitoring rigor as the cloud accounts themselves.

IAM is not a “set it and forget it” configuration. It’s important to continuously monitor your hybrid cloud environment for root account logins, changes to security policies and privileges, newly created access keys, and other anomalous account activity. By enabling a cloud-native SIEM to collect and analyze your cloud access logs and API calls, you can identify compromised credentials sooner and prevent or limit the damage of a cloud breach.

Know what security data to look for in the cloud and where to find it

In Part One of this series, we looked at common threats, like DDoS and brute force attacks, and how they persist across on-premises and public cloud environments. In fact, many of the threats facing the cloud today are not unique to public cloud environments. Rather, attackers use many of the same attack methods and infrastructure in cloud-based attacks as they do in on-premises attacks. You just need a new approach to recognize threat indicators in the cloud and to know where to look for them.

Log Collection in the Cloud

To detect threats in your public cloud environments, first you need to know what log data sources are available to you and may be “interesting” or useful from a security standpoint. Then, you must be able to collect and send the log data to your SIEM for correlation and security analysis.

As with on-premises infrastructure, cloud log data sources include system logs and the log files of the assets and applications you launch in the cloud. As an additional layer, you can collect access and API logs from your cloud infrastructure (e.g., AWS EC2, ELB, S3) to answer questions such as:

  • What users are accessing my cloud resources and workloads?
  • Where and when are they signing in?
  • What resources or instances are being spun up or down?
  • Has anyone altered my security groups or IAM roles?

These logs can be collected through cloud services like AWS CloudWatch and CloudTrail, and in Azure, Diagnostics and Azure Monitor (including the Activity Log, which records management-plane operations). AlienVault USM Anywhere, a cloud-native security monitoring solution, hooks directly into these services to collect log data from your AWS and Azure environments, giving you a comprehensive data set for security analysis while significantly reducing the complexity of cloud log collection.

Intrusion Detection in the Cloud

Once you’ve established centralized cloud log management, your cloud is secure, right? Not quite. Log management is only a prerequisite for hybrid cloud security. After you’ve gathered the log data, you still need to perform cloud intrusion detection: correlating and analyzing the logs in the context of current threat intelligence to identify intrusions in your cloud environment. This requires a SIEM built to perform cloud intrusion detection natively.

AlienVault USM Anywhere is continuously updated with cloud-specific correlation rules based on the latest threat intelligence, so even without having to write your own correlation rules, you have the assurance of up-to-date cloud security analytics and alarms that give you actionable insight about threats and intrusions in your cloud infrastructure.

For example, the creation of an AWS EBS snapshot could mean that someone in your organization is taking an incremental backup. However, an attacker with the right permissions can use the same mechanism to reach production data: snapshot a volume, share the snapshot with an account they control, and restore it there, all without touching the running instance. In another example, if your cloud access credentials are used from an IP address outside your cloud environment, it may indicate that the credentials have been compromised and are being used by a malicious actor. In both cases USM Anywhere would generate alarms to alert you to the activity. Rules like these are only useful if you baseline the normal case first, for instance your scheduled backup roles and your corporate egress addresses, so that the alarms point at the unusual snapshot or the unusual source rather than at every backup job.
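To make the monitoring described in the IAM section and the two alarms above concrete, here is an added example (not USM Anywhere’s correlation rules and not code from the original post) of that detection logic run over a handful of constructed, simplified CloudTrail-style records: a root console login, an EBS snapshot being created and then shared with another account via ModifySnapshotAttribute, a security group change, and API calls from outside a set of trusted address ranges. The account ID, the trusted CIDRs, the list of policy-changing API calls, and the sample events are all assumptions for the example.

```python
"""Detection logic over CloudTrail-style records (added example, not USM code)."""
from __future__ import annotations
import ipaddress

# Assumed values for this example: the account that owns the environment, and the
# address ranges (corporate egress, VPC NAT) from which API activity is expected.
OWN_ACCOUNT = "123456789012"
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8")]

# API calls that change the security posture (security groups, IAM) and should
# always be surfaced for review, whoever makes them. Assumed, non-exhaustive list.
POLICY_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "PutRolePolicy", "AttachRolePolicy",
    "PutUserPolicy", "AttachUserPolicy", "UpdateAssumeRolePolicy", "CreateAccessKey",
}


def is_trusted_source(src: str) -> bool:
    """True for known-good addresses. CloudTrail puts service principals such as
    'ec2.amazonaws.com' in sourceIPAddress; those are not IPs and pass through."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return any(ip in net for net in TRUSTED_CIDRS)


def analyze(event: dict) -> list[str]:
    """Return the alarms raised by a single CloudTrail record (empty if none)."""
    alarms: list[str] = []
    name = event.get("eventName", "")
    identity = event.get("userIdentity", {})
    src = event.get("sourceIPAddress", "")
    who = identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")

    # Root should never be used interactively in a well-run account.
    if identity.get("type") == "Root" and name == "ConsoleLogin":
        alarms.append(f"root console login from {src}")

    if name in POLICY_CHANGE_EVENTS:
        alarms.append(f"security policy change: {name} by {who}")

    # Snapshot creation is ambiguous (backup job or exfiltration staging), so it is
    # reported for review rather than treated as malicious on its own.
    if name == "CreateSnapshot":
        alarms.append(f"EBS snapshot created by {who}; confirm it is a known backup job")

    # Sharing a snapshot with another account (or making it public) lets that
    # account restore the volume and read the production data on it.
    if name == "ModifySnapshotAttribute":
        params = event.get("requestParameters", {})
        items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        foreign = [p["userId"] for p in items if p.get("userId") not in (None, OWN_ACCOUNT)]
        public = any(p.get("group") == "all" for p in items)
        if foreign or public:
            target = "public" if public else ",".join(foreign)
            alarms.append(f"snapshot {params.get('snapshotId')} shared outside the account: {target}")

    if not is_trusted_source(src):
        alarms.append(f"{name} by {who} from untrusted address {src}")
    return alarms


def run(events: list[dict]) -> dict[str, list[str]]:
    """Map eventID -> alarms for every record that raised at least one."""
    result: dict[str, list[str]] = {}
    for event in events:
        alarms = analyze(event)
        if alarms:
            result[event["eventID"]] = alarms
    return result


# Constructed, simplified CloudTrail-style records for the example.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{OWN_ACCOUNT}:root"}},
    {"eventID": "ev-2", "eventName": "CreateSnapshot", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "backup-bot"},
     "requestParameters": {"volumeId": "vol-0abc1234"}},
    {"eventID": "ev-3", "eventName": "ModifySnapshotAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ops"},
     "requestParameters": {"snapshotId": "snap-0def5678", "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventID": "ev-4", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{OWN_ACCOUNT}:assumed-role/ops/alice"}},
    {"eventID": "ev-5", "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ops"}},
]

if __name__ == "__main__":
    for event_id, alarms in run(SAMPLE_EVENTS).items():
        for alarm in alarms:
            print(f"{event_id}: {alarm}")
```

Note that the CreateSnapshot record fires even for the backup job; that is deliberate, since the snapshot itself is ambiguous, and it is the subsequent ModifySnapshotAttribute to a foreign account (or a creation by an unexpected principal or address) that turns a review item into an incident.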

Dismantle silos between your cloud and on-premises security monitoring

For today’s resource-constrained IT teams, the explosion of public cloud services has only increased the complexity of securing critical infrastructure. IT professionals tasked with deploying and managing security monitoring and threat detection across dynamic cloud and on-premises environments may take one of several approaches. You might try to extend your legacy on-premises security tools to monitor your public cloud environments. However, as discussed in Part Two of this series, many legacy security tools are not readily adaptable or optimized for cloud environments. Another approach, maintaining separate, siloed security monitoring for public cloud and on-premises environments, brings extra cost, complexity, and potential security blind spots.

A better approach is to centralize your public cloud, private cloud, virtual and physical on-premises security monitoring on a single cloud-based, SaaS-delivered security solution. Cloud-native security monitoring tools like AlienVault USM Anywhere take full advantage of cloud architectures, services, and APIs in ways that legacy solutions were not built for, while also providing complete threat detection for on-premises physical and virtual infrastructure.

By centralizing your security monitoring, you can effectively reduce the cost, time, effort, and complexity of managing your security posture across your multiple IT environments. In addition, this can help you to eliminate your security blind spots and ensure continuous monitoring as you migrate services from the data center to the cloud.

Take a unified approach to hybrid cloud security

Finally, consider a unified approach to your hybrid cloud security. Security operations centers traditionally worked to weave together multiple point security solutions for asset management, vulnerability scanning, intrusion detection, SIEM and event correlation, behavioral monitoring, and log management in their on-premises networks. This typically required an extensive amount of integration, fine-tuning, and management to create a single source of threat detection and incident response. Recreating this process in hybrid cloud environments is often too cumbersome and error-prone for most IT teams.

AlienVault disrupted this piecemeal approach with the introduction of Unified Security Management (USM), first for on-premises networks via USM Appliance, and today for hybrid cloud and on-premises environments via USM Anywhere. USM brings together multiple essential security capabilities onto a unified platform, so it can be launched quickly, cost effectively, and without complex integration requirements. With a built-in library of correlation rules that are continuously updated by the AlienVault Labs Security Research Team, USM starts detecting threats within minutes of installation and continues to detect emerging threats as they appear “in the wild.”

In short, a unified approach to hybrid cloud security can significantly reduce the amount of resources needed (time, budget, staffing) to monitor your security posture across your cloud and on-premises critical infrastructure.

Check out USM Anywhere in an online demo or use it for free for 14 days.


*Gartner, Best Practices for Securing Workloads in Amazon Web Services, Neil MacDonald and Greg Young, 15 April 2015, Foundational
