Many organizations have limited resources (time, personnel, and money) for IT, and oftentimes only a small portion of that is devoted to security. Given the limited resources available to create and execute a best practice security plan, you will need to face up to these constraints and prioritize security tasks.
But how, exactly, should you go about strategically prioritizing your security needs? How can you determine which aspects need to be addressed first and which can be dealt with later? After all, aren’t they all important?
To work through this, we recommend adopting a cloud security maturity model. Simply put, this means taking an objective look at where your organization stands today and tackling the best practices that go along with your stage of security maturity.
In this post, we will discuss a framework for assessing where you are on your cloud security journey today and which aspects of your security posture you should prioritize now.
Step One: Know Where You Stand
A recent study completed by Threat Stack shows that 73% of companies have critical AWS misconfigurations, so we believe the first and most important step you can take is to audit your current cloud environment against a baseline of accepted third-party standards. If you don’t have visibility into what is happening in your environment, it will be extremely difficult to prioritize next steps for establishing an effective cloud security program.
Using a tool like Threat Stack’s Configuration Auditing, you can take stock of your environment. Configuration Auditing is specifically designed for AWS users and will compare your configuration settings to AWS Security Best Practices and CIS Foundations Benchmark. It will show you, service by service, (from CloudTrail to EC2 to S3), where your systems are meeting standards and where they are falling short. The result will be a set of values that will let you know what to take action on so you can make specific security improvements.
Regardless of the tool you choose, the goal is to determine where your environment is falling short and to produce a prioritized list of action items to make sure you can resolve and optimize your configuration settings.
In addition to showing how securely your environment is configured, an audit should also let you define a baseline of “normal” activity for your environment. This is invaluable when it comes to security, because each organization is different, and no two companies have precisely the same security policies. What’s perfectly normal and safe for your company might be a red-alert indicator of compromise for another. While Threat Stack comes with a set of default Configuration Auditing rules that cover the CIS Benchmark and other security best practices for AWS, it also allows you — via the Guided Rules Editor — to tailor these and to add new rules to match the exact security policies of your organization. Creating your own custom baseline allows you to set alerts that aren’t just a generic, out-of-the-box rule (that create false alarms) but are, rather, tailored notifications that will alert you only when necessary.
The combination of auditing your settings against a defined baseline and then customizing the baseline itself, to match your organization’s situation, is a great place to start on any cloud security journey.
Step Two: Ensure Complete Visibility
Got best practices locked down? All set with a clear baseline for your organization? Awesome. Now it’s time to ensure that you have complete visibility throughout your workloads and environment. When folks first started moving from private servers to the public cloud, there was some concern that this shift would inherently reduce visibility. But that’s simply not true; in fact, it’s quite the opposite.
Continuous monitoring that focuses on the workload (not logs) is the key to gaining complete visibility in the cloud — and it is 100% possible even with complex hybrid cloud and on-premise environments. With host-based intrusion detection providing continuous monitoring in place, you will know in real time what is happening across your entire infrastructure. You’ll have real-time actionable information providing the who, what, when, where, and why at your fingertips. In an effort to ensure that critical communications are received by your DevOps and security teams, alerts can be sent through the communication tools you already have in place, such as Slack, email, PagerDuty, and other integrations.
This initiative is key on two fronts: security and compliance. Just like security, compliance is dependent on visibility. That’s because your ability to know about what is happening in your environment is directly tied to your ability to provide controls for compliance requirements such as PCI DSS, HIPAA, and SOC 2. All of these compliance frameworks demand complete visibility.
On the security front, visibility means that when it comes time to investigate a security incident, you can get all the information you need in order to understand what really happened. No more guessing or flying blind. And if you do it right, you also won’t need to do it all manually (more on that in a moment.)
Bottom line, visibility should be your immediate goal after auditing and baselining have taken place. It’s really the heart of any good security strategy.
Step Three: Automate Analysis
About those security incidents… Statistically, it’s only a matter of time before an incident happens, and when it does, you’ll want to deal with it as swiftly and accurately as possible in a clear and highly targeted manner. The best way to make sure you can respond to an incident before it spirals into a major problem is to rely on automation to minimize Mean Time to Resolution (MTTR).
Ideally, you should be able to analyze security events — whether it be user privilege escalation or a phishing attempt — and be able to determine the root cause without having to dig through logs.
Logs take too long to comb through, the process doesn’t scale, and it doesn’t provide enough of the right kind of information to be effective. There is no context. In the cloud, it’s all about host-based continuous monitoring (you’re sensing a trend, right?)
When you get to this stage of security maturity, it’s all about streamlining your workflows to ensure efficiency and minimize MTTR. Automated and continuous monitoring at the host level will make it simple for your security team to investigate an incident, analyze root causes, and get systems back to normal in the shortest possible time.
No Excuses: Security Matters
Most organizations have limited dollars or bodies to throw at security. But even with limited resources, you don’t have a legitimate reason for not taking security seriously.
If you adopt a security maturity model, you will be able to see cloud security as less of a destination and more of a journey, and this will enable you to define and prioritize next steps based on your current maturity level and your organization’s unique needs and goals. Remember that perfect security should not be the enemy of effective security, and continuous improvement is the name of the game.
Want more tips on getting started with your cloud security journey, no matter the size of your team or budget? Download your free copy of the Jump Starting Cloud Security Playbook.