NSA urges cloud service providers to prioritize security through effective logging practices

The U.S. National Security Agency (NSA) issued a document urging cloud service providers (CSPs) to prioritize security for maintaining robust business models and safeguarding cloud infrastructure. Organizations must understand the importance of logging, effective management, storage, and analysis of logs. Security logs play a vital role in threat hunting, security incident investigations, and compliance adherence.

“Defense of a cloud tenant hinges on maintaining logs that record the right level of detail on security-relevant events,” the NSA said in the document. “It also depends on logs that cannot be modified by actors to cover their tracks, even when they can act as administrators. Cloud access policies, system logs, and administrative audits must be controlled and monitored by security engineers and system administrators to prevent access abuse.”

Effective cloud logging offers numerous advantages for organizations, such as enhancing threat hunting operations, facilitating security incident investigations, and meeting compliance and audit requirements.

The document identified that cloud security logs provide a detailed record of activity, which can be used to detect security threats early on. “Under MITRE’s D3FEND matrix, the use of logs is broadly applicable under the Detect category. By monitoring security logs, organizations can identify suspicious activity, such as command and control activity, lateral movement, or other techniques as described in MITRE’s ATT&CK matrix. Detection would then allow network defenders to take appropriate mitigation actions against the threat,” it added.

It also detailed that cloud security logs can provide context about a potential security incident and the root cause. Logs can be used to reconstruct the sequence of events leading up to the incident, identify sources, and determine the extent of the exposure. 

Lastly, it covered that regulatory and compliance requirements are prevalent, and cloud security logs can help organizations comply with regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), PCI Data Security Standard (PCI-DSS), and European Union’s General Data Protection Regulation (GDPR). 

During the SolarWinds incidents, Russian hackers were able to use cloud APIs to exfiltrate data from their targets’ cloud environments. They were also able to add credentials, authenticate to cloud services, add permissions to applications, and move laterally throughout the cloud using specific cloud APIs, which prevented their activity from being logged in conventional web console logs. The SolarWinds incident served as a wake-up call to the industry on how malicious agents might exploit cloud operations in ways that are difficult to detect.

The document detailed that, to help detect similar breaches in cloud networks, organizations need to enable or add logging capabilities for business-critical applications, hosts, networks, and cloud API calls. Cloud logs relevant to infrastructure security include authentication and authorization, network and security, system and application, audit and compliance, application programming interface (API), and short-term cloud resource logs.

Analyzing these logs helps to identify security risks, detect incidents and anomalies, and respond to events quickly. However, many applications and data sources that handle critical information produce logs with few details and little security context. Organizations must prioritize logs based on their value and completeness.

Cloud event types typically depend on the services and actions being performed, including user and resource actions; security, error, and performance events; and compliance and billing events. Logging of these event types is critical for understanding actions within a cloud environment and for detecting and responding to threats, performance issues, compliance violations, and other important events. 

Due to the potential for an immense amount of data to come in from logs, a robust log management strategy is vital. The use of Security Information and Event Management (SIEM) and/or Security Orchestration, Automation, and Response (SOAR) tools to manage and process the data into actionable alerts will likely prove to be imperative.

The NSA document detailed that logs stored in a centralized location make log monitoring and analysis easier. “Retention guidelines vary among organizations based on what is logged and the regulations that the data is subject to. Limits may be placed on a CSP’s log retention based on policy or pricing,” it added.

Managing cloud logs correctly can prevent inundation through strategies such as log filtering, log sampling, log aggregation, log compression, log streaming, and log retention, which reduce the amount of log data stored over time. These strategies should be applied differently to different log sources and event types as appropriate.

Preventing inundation requires strategies that balance the need for capturing important events while reducing the log volume. The location and storage method of security logs can vary depending on the cloud platform and the logging service being used, but some common storage options include cloud-based storage service, cloud-native logging services, and third-party log management.
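As an added example (not code from the NSA document or this article), the following Python applies the per-event-type filtering, sampling, and aggregation strategies described above to a constructed batch of cloud API audit events, while keeping credential and permission changes in full so that the API-only activity described in the SolarWinds paragraph stays detectable. The event schema, field names, and action names are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample of cloud API audit events (not real CSP output); the
# field names and action names are assumptions made for this illustration.
SAMPLE_EVENTS = [
    {"ts": "2023-03-10T08:00:01Z", "principal": "svc-backup", "action": "DescribeHealth", "ok": True},
    {"ts": "2023-03-10T08:00:02Z", "principal": "svc-backup", "action": "GetObject", "ok": True},
    {"ts": "2023-03-10T08:00:03Z", "principal": "svc-backup", "action": "GetObject", "ok": True},
    {"ts": "2023-03-10T08:00:04Z", "principal": "svc-backup", "action": "GetObject", "ok": True},
    {"ts": "2023-03-10T08:00:05Z", "principal": "svc-backup", "action": "GetObject", "ok": True},
    {"ts": "2023-03-10T08:01:10Z", "principal": "alice", "action": "ConsoleLogin", "ok": False},
    {"ts": "2023-03-10T08:02:00Z", "principal": "alice", "action": "AddAppCredential", "ok": True},
    {"ts": "2023-03-10T08:02:05Z", "principal": "alice", "action": "GrantAppPermission", "ok": True},
    {"ts": "2023-03-10T08:02:30Z", "principal": "alice", "action": "GetObject", "ok": True},
]

# Policy per event type: credential/permission changes and failed logins are kept in
# full, noisy read actions are sampled, and pure health chatter is filtered out.
ALWAYS_KEEP = {"AddAppCredential", "GrantAppPermission", "ConsoleLogin"}
SAMPLED = {"GetObject", "ListBuckets"}
FILTERED = {"DescribeHealth"}

def manage_logs(events, sample_rate=3):
    """Filter, sample and aggregate; returns (retained events, counts per (principal, action))."""
    retained, seen, totals = [], Counter(), Counter()
    for ev in events:
        key = (ev["principal"], ev["action"])
        totals[key] += 1                      # aggregation covers every event, even dropped ones
        if ev["action"] in ALWAYS_KEEP or not ev["ok"]:
            retained.append(ev)               # never filter or sample these
        elif ev["action"] in FILTERED:
            continue                          # dropped; only the aggregate count survives
        elif ev["action"] in SAMPLED:
            seen[key] += 1
            if (seen[key] - 1) % sample_rate == 0:   # keep 1st, 4th, 7th ... occurrence
                retained.append(ev)
        else:
            retained.append(ev)               # unknown event types default to keep
    return retained, totals

def credential_then_permission(retained):
    """Principals that added an app credential and later granted an app permission."""
    added, flagged = set(), set()
    for ev in retained:                       # events are assumed to be in time order
        if ev["action"] == "AddAppCredential" and ev["ok"]:
            added.add(ev["principal"])
        elif ev["action"] == "GrantAppPermission" and ev["principal"] in added:
            flagged.add(ev["principal"])
    return flagged
```

The aggregate counts let an analyst still see the full volume of filtered and sampled actions per principal even though only a fraction of those events is stored.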

Cloud logs play a crucial role in network protection by offering insight into network activities and by identifying and alerting on potential security threats. Cloud administrators should prioritize logging as much security-relevant data as feasible, establish a log management strategy, utilize SIEM and/or SOAR tools to analyze logs, enhance hunting and forensic operations, and protect the logs.

In conclusion, the NSA document said that cloud logs are an essential tool for defending networks by providing visibility into network activity, identifying security threats, and supporting swift incident response. By using cloud logs effectively, organizations can develop their security posture and defend their networks from cyber threats.

Earlier this month, the NSA published a cybersecurity information sheet (CSI) that details curtailing adversarial lateral movement within an organization’s network to access sensitive data and critical systems. The zero trust network and environment pillar curtails adversarial lateral movement by employing controls and capabilities to logically and physically segment, isolate, and control access (on-premises and off-premises) through granular policy restrictions. It also strengthens internal network control and contains network intrusions to a segmented portion of the network using zero trust principles.
