Module 3: Cloud Service Customer Controls

Monitoring and Logging

Overview

Monitoring and logging provide visibility into cloud security posture, enable threat detection, and support compliance.

Learning Objectives

  • Implement cloud monitoring strategies
  • Configure comprehensive logging
  • Detect security anomalies
  • Integrate with SIEM systems
  • Apply ISO 27017 monitoring controls

ISO 27017 Monitoring Controls

CLD.12.4.5 - Monitoring of Cloud Services

Customer Monitoring Requirements:

  • Monitor cloud service usage
  • Track security events
  • Detect anomalies
  • Alert on suspicious activity
  • Regular review of logs

CLD.9.5.1 - Cloud Service Customer Monitoring

Monitoring Scope:

  • Resource usage and costs
  • Security configuration changes
  • Access patterns
  • Data access and transfers
  • Compliance violations

Logging Architecture

Multi-Layer Logging

┌───────────────────────────────────────┐
│  Application Logs                     │
│  - Application errors                 │
│  - User actions                       │
│  - Business events                    │
├───────────────────────────────────────┤
│  Platform Logs (PaaS/SaaS)            │
│  - Service access                     │
│  - Configuration changes              │
│  - API calls                          │
├───────────────────────────────────────┤
│  Infrastructure Logs (IaaS)           │
│  - OS events                          │
│  - Network traffic                    │
│  - System logs                        │
├───────────────────────────────────────┤
│  Cloud Control Plane Logs             │
│  - IAM events                         │
│  - Resource creation/deletion         │
│  - Policy changes                     │
└───────────────────────────────────────┘

Critical Log Sources

Log Type         Content                              Retention   Priority
---------------  -----------------------------------  ----------  --------
Authentication   Login attempts, MFA events           365 days    Critical
Authorization    Permission changes, access denials   365 days    Critical
Data Access      Read/write operations                90 days     High
Configuration    Security setting changes             365 days    Critical
Network          Firewall logs, flow logs             90 days     Medium
API              API calls, parameters                90 days     High

AWS CloudTrail Example

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/alice",
    "accountId": "123456789012",
    "userName": "alice"
  },
  "eventTime": "2024-01-15T12:34:56Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.12",
  "userAgent": "aws-cli/2.0",
  "requestParameters": {
    "bucketName": "sensitive-data-bucket",
    "key": "customers/data.csv"
  },
  "responseElements": null,
  "resources": [{
    "type": "AWS::S3::Object",
    "ARN": "arn:aws:s3:::sensitive-data-bucket/customers/data.csv"
  }]
}

Security Monitoring

Security Events to Monitor

Critical Security Events:

├─ Authentication Anomalies
│  ├─ Failed login attempts (> 5 in 5 min)
│  ├─ Login from unusual location
│  ├─ Login at unusual time
│  └─ MFA disable attempts
│
├─ Privilege Escalation
│  ├─ IAM policy modifications
│  ├─ Role assumption
│  ├─ Permission boundary changes
│  └─ Privilege elevation
│
├─ Data Exfiltration Indicators
│  ├─ Large data downloads
│  ├─ Unusual data access patterns
│  ├─ External data transfers
│  └─ After-hours data access
│
├─ Configuration Changes
│  ├─ Security group modifications
│  ├─ Encryption disable attempts
│  ├─ Logging disable attempts
│  └─ Public access enablement
│
└─ Resource Abuse
   ├─ Cryptocurrency mining
   ├─ Unexpected resource creation
   ├─ High network traffic
   └─ Unusual API calls

Automated Alerting

Alert Configuration:

# Example: CloudWatch Alarm for Failed Logins
MetricName: FailedLoginAttempts
Namespace: Security
Statistic: Sum
Period: 300  # 5 minutes
EvaluationPeriods: 1
Threshold: 5
ComparisonOperator: GreaterThanThreshold
AlarmActions:
  - arn:aws:sns:us-east-1:123456789012:security-alerts
AlarmDescription: "Alert on multiple failed login attempts"
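The CloudWatch alarm above fires on a metric; the detection logic behind such a metric can also run directly over CloudTrail records. The following is an added example, not part of the original lesson: it reads constructed CloudTrail-style events (same field layout as the sample event above), raises an alert when a user exceeds 5 failed console logins in 5 minutes, and flags single events from the "Critical Security Events" tree such as StopLogging (the mapping of event names to categories is this example's assumption).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records using the field layout of the sample event above:
# six console-login failures in one minute, then a StopLogging call and a normal GetObject.
SAMPLE_EVENTS = [
    {"eventTime": f"2024-01-15T12:00:{s:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}}
    for s in range(0, 60, 10)
] + [
    {"eventTime": "2024-01-15T12:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"userName": "alice"}, "responseElements": None},
    {"eventTime": "2024-01-15T12:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"userName": "alice"}, "responseElements": None},
]

# Single-event rules, keyed by CloudTrail eventName, for the categories in the tree above
# (this mapping is an assumption of the example, not a vendor rule set).
CRITICAL_ACTIONS = {
    "StopLogging": "Logging disable attempt",
    "DeleteTrail": "Logging disable attempt",
    "DeactivateMFADevice": "MFA disable attempt",
    "AttachUserPolicy": "IAM policy modification",
    "PutUserPolicy": "IAM policy modification",
    "AuthorizeSecurityGroupIngress": "Security group modification",
    "PutBucketAcl": "Public access change (review the ACL)",
}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings: failed-login bursts (> threshold per window, per user)
    and any single event listed in CRITICAL_ACTIONS."""
    alerts = []
    failures = defaultdict(list)  # userName -> failure timestamps inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user = ev["userIdentity"].get("userName", "unknown")
        now = parse_time(ev["eventTime"])
        resp = ev.get("responseElements") or {}  # responseElements may be null
        if ev["eventName"] == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure":
            recent = [t for t in failures[user] if now - t <= window] + [now]
            failures[user] = recent
            if len(recent) == threshold + 1:  # fire once, when the threshold is crossed
                alerts.append(f"{user}: {len(recent)} failed logins within "
                              f"{window} from {ev['sourceIPAddress']}")
        elif ev["eventName"] in CRITICAL_ACTIONS:
            alerts.append(f"{user}: {CRITICAL_ACTIONS[ev['eventName']]} ({ev['eventName']})")
    return alerts
```

Feeding the sample gives two alerts: the burst alert on the sixth failure and the StopLogging alert; the routine GetObject produces nothing.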

SIEM Integration

Security Information and Event Management

┌──────────────────────────────────────┐
│  Cloud Logs                          │
│  ├─ AWS CloudTrail                   │
│  ├─ Azure Activity Log               │
│  ├─ GCP Cloud Audit Logs             │
│  └─ Application logs                 │
└──────────┬───────────────────────────┘
           │
           ▼
┌──────────────────────────────────────┐
│  Log Aggregation                     │
│  ├─ Normalization                    │
│  ├─ Enrichment                       │
│  └─ Correlation                      │
└──────────┬───────────────────────────┘
           │
           ▼
┌──────────────────────────────────────┐
│  SIEM Platform                       │
│  ├─ Splunk                           │
│  ├─ Elastic Security                 │
│  ├─ Microsoft Sentinel               │
│  └─ Custom solution                  │
└──────────┬───────────────────────────┘
           │
           ▼
┌──────────────────────────────────────┐
│  Analysis & Response                 │
│  ├─ Threat detection                 │
│  ├─ Incident creation                │
│  ├─ Automated response               │
│  └─ Dashboards & reports             │
└──────────────────────────────────────┘

Cloud Security Posture Management (CSPM)

Continuous Compliance Monitoring

CSPM Capabilities:

Configuration Monitoring
├─ CIS Benchmarks compliance
├─ Best practice validation
├─ Misconfiguration detection
├─ Drift detection
└─ Automatic remediation

Security Findings
├─ Open security groups
├─ Unencrypted resources
├─ Public S3 buckets
├─ Overly permissive IAM
└─ Missing security controls

Compliance Reporting
├─ PCI DSS compliance
├─ HIPAA compliance
├─ GDPR compliance
├─ ISO 27001 mapping
└─ Custom frameworks

CSPM Alert Example

FINDING: Public S3 Bucket Detected
Severity: HIGH
Resource: s3://company-data-bucket
Region: us-east-1
Account: 123456789012

Description:
S3 bucket has public read access enabled, potentially
exposing sensitive data.

Compliance Impact:
├─ CIS AWS Benchmark 2.1.5: FAIL
├─ NIST CSF PR.DS-5: FAIL
└─ GDPR Article 32: AT RISK

Recommendation:
1. Remove public access:
   aws s3api put-public-access-block \
     --bucket company-data-bucket \
     --public-access-block-configuration \
     BlockPublicAcls=true,IgnorePublicAcls=true,\
     BlockPublicPolicy=true,RestrictPublicBuckets=true

2. Review bucket policy
3. Enable bucket encryption
4. Configure access logging

Automated Remediation: AVAILABLE
[ ] Apply automatic fix

User and Entity Behavior Analytics (UEBA)

Anomaly Detection

Behavioral Baselines

Normal Behavior Profile:
├─ User: [email protected]
├─ Typical login times: 8am-6pm EST
├─ Typical locations: New York, USA
├─ Average data access: 50 MB/day
├─ Common resources: app-prod, db-prod
└─ API call patterns: Consistent

Anomaly Detected:
├─ Event: Data download
├─ Time: 2:00 AM EST ⚠
├─ Location: Romania ⚠
├─ Volume: 5 GB ⚠
├─ Resource: s3://customer-pii ⚠
└─ Risk Score: 95/100 - CRITICAL

Actions Taken:
├─ Alert sent to SOC
├─ User account suspended
├─ Manager notified
└─ Incident created (INC-2024-045)
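How a baseline like the one above turns into a risk score, as an added example that is not part of the original lesson. The baseline, the weights, the 10x volume cut-off and the severity bands are this example's assumptions; the anomaly event reproduces the page's scenario (2:00 AM EST, Romania, 5 GB, s3://customer-pii) and scores 95/100.

```python
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")  # fixed offset, as in the profile above

# Constructed baseline for a hypothetical user, mirroring the profile fields above.
BASELINE = {
    "work_hours": (8, 18),                 # 8am-6pm local time
    "tz": EST,
    "countries": {"US"},                   # New York, USA
    "avg_bytes_per_day": 50 * 1024 ** 2,   # 50 MB/day
    "common_resources": {"app-prod", "db-prod"},
}

# Weights and the 10x volume cut-off are assumptions of this example, not a UEBA product's.
WEIGHTS = {"off_hours": 20, "new_location": 30, "volume": 30, "new_resource": 15}
VOLUME_RATIO = 10

def score_event(baseline, event):
    """Compare one data-access event with the baseline and return (risk_score, reasons)."""
    reasons = []
    local = datetime.fromisoformat(event["time_utc"]).astimezone(baseline["tz"])
    start, end = baseline["work_hours"]
    if not start <= local.hour < end:
        reasons.append(f"off_hours: {local.strftime('%I:%M %p %Z')}")
    if event["country"] not in baseline["countries"]:
        reasons.append(f"new_location: {event['country']}")
    ratio = event["bytes"] / baseline["avg_bytes_per_day"]
    if ratio >= VOLUME_RATIO:
        reasons.append(f"volume: {ratio:.0f}x the daily average")
    if event["resource"] not in baseline["common_resources"]:
        reasons.append(f"new_resource: {event['resource']}")
    # Each reason string starts with its weight key; cap the total at 100.
    score = min(100, sum(WEIGHTS[r.split(":")[0]] for r in reasons))
    return score, reasons

def severity(score):
    return "CRITICAL" if score >= 90 else "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"

# Constructed events: the anomaly from the page (07:00 UTC = 2:00 AM EST) and a routine access.
ANOMALY = {"time_utc": "2024-01-15T07:00:00+00:00", "country": "RO",
           "bytes": 5 * 1024 ** 3, "resource": "s3://customer-pii"}
ROUTINE = {"time_utc": "2024-01-15T15:00:00+00:00", "country": "US",
           "bytes": 40 * 1024 ** 2, "resource": "db-prod"}
```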

Cost Monitoring

Financial Anomaly Detection

Unexpected Cost Alerts:

Cost Anomaly Detected

Service: Amazon EC2
Account: 123456789012
Region: us-east-1
Time Period: Last 24 hours

Anomaly:
├─ Expected: $500/day
├─ Actual: $5,000/day
└─ Variance: +900% ⚠

Root Cause Investigation:
├─ 50 new c5.24xlarge instances launched
├─ Launched by user: admin-john
├─ Time: 2024-01-15 03:00 UTC
└─ Purpose: UNKNOWN

Potential Issues:
├─ Unauthorized resource creation
├─ Cryptocurrency mining
├─ Account compromise
└─ Configuration error

Recommended Actions:
1. Verify legitimacy with user
2. Review instance activity
3. Terminate if unauthorized
4. Review IAM permissions

Dashboards and Reporting

Security Dashboard

┌────────────────────────────────────────────┐
│  Cloud Security Dashboard                  │
├────────────────────────────────────────────┤
│  Security Score: 85/100                    │
│                                            │
│  ┌──────────────┐  ┌───────────────────┐   │
│  │ Critical: 2  │  │ Active Incidents  │   │
│  │ High: 15     │  │ P1: 0   P2: 1     │   │
│  │ Medium: 47   │  │ P3: 3   P4: 12    │   │
│  └──────────────┘  └───────────────────┘   │
│                                            │
│  ┌──────────────────────────────────────┐  │
│  │ Recent Security Events (24h)         │  │
│  │ ├─ Failed logins: 145                │  │
│  │ ├─ IAM changes: 12                   │  │
│  │ ├─ Config changes: 34                │  │
│  │ └─ Data access violations: 3         │  │
│  └──────────────────────────────────────┘  │
│                                            │
│  ┌──────────────────────────────────────┐  │
│  │ Compliance Status                    │  │
│  │ ├─ PCI DSS: 98% ✓                    │  │
│  │ ├─ HIPAA: 95% ✓                      │  │
│  │ ├─ ISO 27001: 92% ⚠                  │  │
│  │ └─ CIS Benchmark: 88% ⚠              │  │
│  └──────────────────────────────────────┘  │
└────────────────────────────────────────────┘

Log Retention and Protection

A.12.4.2 - Protection of Log Information

Log Protection Requirements:

Log Security Controls

├─ Write-Once Storage
│  ├─ Immutable log storage
│  ├─ Object lock (WORM)
│  └─ Prevents tampering
│
├─ Encryption
│  ├─ Encrypt logs at rest
│  ├─ Encrypt in transit
│  └─ Customer-managed keys
│
├─ Access Control
│  ├─ Separate from application access
│  ├─ Audit all log access
│  └─ Least privilege
│
├─ Integrity Verification
│  ├─ Log signing
│  ├─ Hash verification
│  └─ Tamper detection
│
└─ Retention
   ├─ Regulatory requirements
   ├─ Automated lifecycle
   └─ Secure deletion
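One concrete form of the "Log signing / Hash verification / Tamper detection" controls above is a keyed hash chain, where each entry's tag covers the record and the previous tag. The following is an added example, not part of the original lesson; the key, the record layout and the chain format are this example's assumptions (a real deployment would keep the key in a KMS/HSM that log readers cannot use).

```python
import hashlib
import hmac
import json

# Hypothetical signing key: in practice held in a KMS/HSM so that the log writer can sign
# but log readers, and anyone who later compromises the application, cannot re-sign.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" of the very first entry

# Constructed CloudTrail-style records, in the order they were written.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T12:34:56Z", "eventName": "GetObject", "userName": "alice"},
    {"eventTime": "2024-01-15T12:35:10Z", "eventName": "PutBucketAcl", "userName": "alice"},
    {"eventTime": "2024-01-15T12:36:00Z", "eventName": "StopLogging", "userName": "alice"},
]

def canonical(record):
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_record(chain, record):
    """Append a record whose HMAC covers both the record and the previous entry's tag,
    so each tag commits to the whole history before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(SIGNING_KEY, prev.encode() + canonical(record), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "record": dict(record), "tag": tag})  # store a copy
    return tag

def verify_chain(chain):
    """Return (True, -1) if intact, else (False, index of the first entry that fails).
    Catches edited records, deleted or inserted entries, and reordering."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(SIGNING_KEY, prev.encode() + canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return False, i
        prev = entry["tag"]
    return True, -1

def build_chain(records=SAMPLE_RECORDS):
    chain = []
    for rec in records:
        append_record(chain, rec)
    return chain
```

Editing, deleting or reordering any entry makes verification fail at that entry, which is the tamper-detection property the control asks for; write-once storage then keeps the chain itself from being replaced wholesale.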

Key Takeaways

  1. Comprehensive logging enables security visibility
  2. Automated monitoring detects threats early
  3. SIEM integration centralizes analysis
  4. CSPM ensures continuous compliance
  5. UEBA identifies anomalous behavior
  6. Log protection prevents tampering
  7. Retention policies balance cost and compliance

Self-Assessment

  1. What are critical log types to collect?
  2. What is SIEM and why is it important?
  3. What is CSPM?
  4. How does UEBA detect threats?
  5. How should logs be protected?
