Six basic policies that need to be understood before building a cloud security system

Source: Internet
Author: User

Cloud adoption is unstoppable, but a steady stream of security incidents puts an important question in front of every CIO and security department: in a more open cloud environment, where threat events grow exponentially, how do you build the most effective risk detection capability?

Introduction

The answer from security vendors is cloud security solutions: a new generation of data-driven security technologies such as machine learning, threat intelligence and situation analysis, whose core aim is to help enterprises raise the precision of threat detection (that is, to bring the false positive rate down in a concentrated way) and so raise the overall security level. Whether an enterprise buys from a third-party service provider or upgrades its own capabilities, it must have a basic understanding of the basic cloud security policies.

Before starting on a dizzyingly complex cloud security system, first determine which data needs to be monitored. Remember that in the cloud the threat boundary is dynamic, so every source of activity needs to be monitored, including configuration, APIs, end users, administrator/privileged users, federated users, service accounts, and transaction types.

Secondly, understand the importance of situation (context), because it is the only way to judge the severity of a threat and to decide whether a specific activity or user behavior is abnormal. A business user running a large-scale object deletion command after hours, a part-time contractor performing administrator operations across different cloud applications, an engineer copying source code from an unknown address: these are simple examples of situation information.

Comprehensive monitoring and user behavior analysis, combined with situation analysis, help an enterprise determine the security status of its cloud services. The following six basic policies should be considered before building a cloud security system.

1. Threat analysis and detection architecture

The starting point of a cloud security system is threat detection and analysis. This layer collects all the source data mentioned above and processes early clues; the analysis part should use machine learning to output identified anomalous events. Both supervised and unsupervised learning techniques should be used.

2. Security configuration

The security status of a service depends on its security configuration. A weak security configuration opens the door to malicious users; the risks include weak user passwords, loose restrictions on server connections, and allowing anonymous users to access sensitive content. A strict security configuration and continuous monitoring of changes to it are both important.
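The following is an added example, not code from the article, of what "strict configuration plus continuous monitoring of changes" looks like in practice. It audits a constructed configuration for the three weaknesses this section names (weak password policy, management ports open to the whole internet, anonymous access to non-public data) and then diffs two audits so that a change between them surfaces as a new finding. The configuration layout, the check names and the 12-character password floor are assumptions for the example, not any provider's real schema.

```python
import copy
import ipaddress

# Constructed sample configuration; the keys are illustrative, not a real provider's schema.
SAMPLE_CONFIG = {
    "password_policy": {"min_length": 6, "require_mfa": False},
    "ingress_rules": [
        {"port": 22, "cidr": "0.0.0.0/0"},      # SSH reachable from anywhere
        {"port": 443, "cidr": "0.0.0.0/0"},     # public HTTPS, expected for a web tier
        {"port": 3306, "cidr": "10.0.0.0/8"},   # database limited to the private range
    ],
    "storage_buckets": [
        {"name": "public-assets", "anonymous_read": True, "sensitivity": "public"},
        {"name": "customer-exports", "anonymous_read": True, "sensitivity": "confidential"},
    ],
}

# Management and database ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}
MIN_PASSWORD_LENGTH = 12  # assumed policy floor for this example


def is_world_open(cidr):
    """True when the CIDR matches every address of its family (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_config(config):
    """Return one (check, detail) finding per weak setting: weak passwords,
    loose connection restrictions and anonymous access to sensitive content."""
    findings = []
    pw = config.get("password_policy", {})
    if pw.get("min_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(("weak_password_policy", f"min_length={pw.get('min_length')}"))
    if not pw.get("require_mfa", False):
        findings.append(("mfa_not_required", "require_mfa=False"))
    for rule in config.get("ingress_rules", []):
        if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
            findings.append(("admin_port_world_open", f"port {rule['port']} from {rule['cidr']}"))
    for bucket in config.get("storage_buckets", []):
        if bucket.get("anonymous_read") and bucket.get("sensitivity") != "public":
            findings.append(("anonymous_access_to_sensitive_data", bucket["name"]))
    return findings


def new_findings(before, after):
    """Continuous monitoring: findings present in the new audit but not in the previous one."""
    return [f for f in after if f not in before]


def simulate_change(config):
    """Constructed change for the example: a rule opening RDP to the world is added.
    Returns a drifted copy; the original configuration is left untouched."""
    drifted = copy.deepcopy(config)
    drifted["ingress_rules"].append({"port": 3389, "cidr": "0.0.0.0/0"})
    return drifted


if __name__ == "__main__":
    baseline = audit_config(SAMPLE_CONFIG)
    for check, detail in baseline:
        print(f"[{check}] {detail}")
    drifted = audit_config(simulate_change(SAMPLE_CONFIG))
    print("new since last audit:", new_findings(baseline, drifted))
```

Running the audit on the sample configuration yields four findings; after the simulated change, the diff against the earlier audit reports exactly the new world-open RDP rule, which is the event a change monitor should alert on rather than re-reporting the whole baseline.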

3. Situation data source

A specific risk event should be analyzed in its current situation. Without situation information the false positive rate will be high. For example, to analyze abnormal user behavior it is not enough to look only at the data in the active user logon directory. To improve accuracy, the logon behavior must be associated with other attributes of the logon session: transaction type, transaction sensitivity, user role, and so on. Situation data helps threat detection to be more accurate.
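The following added example (not code from the article) puts the three scenarios from the introduction and the point of this section side by side. A constructed activity log is scored twice: once by a context-free rule that flags anything outside office hours, and once by a rule that combines the action with its situation attributes (transaction sensitivity, user role, volume, whether the session came from a known address, and whether the same user performs admin actions across several cloud applications). The event fields, the office-hours window, the score weights and the alert threshold are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    role: str           # "employee", "contractor", "admin" or "engineer"
    service: str        # cloud application the action ran in
    action: str         # transaction type
    sensitivity: str    # "low", "medium" or "high"
    object_count: int   # objects touched by the transaction
    hour: int           # local hour of day, 0-23
    source_known: bool  # session came from a known corporate address


# Constructed sample log: eight events, three of which mirror the article's examples.
EVENTS = [
    Event("alice", "employee", "docs", "read", "low", 3, 9, True),
    Event("alice", "employee", "docs", "read", "low", 2, 21, True),         # after hours, harmless
    Event("bob", "employee", "storage", "delete", "high", 4000, 22, True),  # bulk delete after hours
    Event("carol", "contractor", "iam", "grant_role", "high", 1, 11, True), # contractor doing admin work
    Event("carol", "contractor", "crm", "grant_role", "high", 1, 11, True), # ...on a second application
    Event("dave", "engineer", "repo", "clone", "high", 1, 15, False),       # source copied from an unknown address
    Event("erin", "admin", "iam", "grant_role", "high", 1, 10, True),       # admin doing admin work
    Event("frank", "employee", "docs", "read", "low", 1, 23, True),         # after hours, harmless
]

OFFICE_HOURS = range(8, 19)                                # assumed 08:00-18:59
ADMIN_ACTIONS = {"grant_role", "create_user", "rotate_key"}  # assumed admin transaction types


def context_free_alerts(events):
    """Flag anything outside office hours: easy to write, high false-positive rate."""
    return [e for e in events if e.hour not in OFFICE_HOURS]


def context_score(e, events):
    """Combine the activity with session and role context. Higher means more suspicious."""
    score = 0
    if e.sensitivity == "high":
        score += 1
    if e.action == "delete" and e.object_count >= 1000:
        score += 2                                    # large-scale deletion
        if e.hour not in OFFICE_HOURS:
            score += 1                                # ...when nobody is watching
    if e.action in ADMIN_ACTIONS and e.role != "admin":
        score += 2                                    # admin operation by a non-admin role
        apps = {x.service for x in events
                if x.user == e.user and x.action in ADMIN_ACTIONS}
        if len(apps) > 1:
            score += 1                                # ...repeated across several cloud applications
    if not e.source_known and e.sensitivity == "high":
        score += 2                                    # sensitive data pulled from an unknown address
    return score


def context_aware_alerts(events, threshold=3):
    return [e for e in events if context_score(e, events) >= threshold]


if __name__ == "__main__":
    print("context-free:", [e.user for e in context_free_alerts(EVENTS)])
    print("context-aware:", [(e.user, context_score(e, EVENTS)) for e in context_aware_alerts(EVENTS)])
```

On this log the time-only rule raises three alerts, two of them on harmless after-hours reads, and misses the contractor and the engineer entirely; the context-aware rule raises alerts on exactly the bulk deletion, the contractor's cross-application admin actions and the clone from an unknown address, and leaves the administrator's routine role grant alone.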

4. User behavior analysis

A user-centered behavior analysis system should cover both privileged users and end users. High-privilege users and end users connected to multiple cloud services are high-risk; they must be added to a watch list so that their behavior is continuously monitored, including password strength, authentication policies, and sensitive permissions.

5. Supervised and unsupervised machine learning

Machine learning is used to define baselines and detect anomalies. The method should combine supervised and unsupervised models to improve accuracy and reduce the false positive rate. Many implementations use only one of the two, which results in a high false positive rate and poor scalability.

To improve the accuracy and scalability of threat detection, unsupervised learning can be used to model normal user behavior. Statistical and probabilistic hybrid models can be used to verify what normal user behavior looks like and to screen out the abnormal behavior of high-risk users. Supervised models need hints from security experts; they are built on those hints and then trained, validated and tested to establish the model's maturity.
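The following added example, written for this article rather than taken from it, shows the two-stage combination the section describes in the simplest form that still works. Stage one is unsupervised: a per-user baseline of daily download volume built from a robust statistic (median and scaled median absolute deviation), which scores how far a new day deviates from that user's own normal. Stage two is supervised: a set of analyst-labelled past days is used to choose the alert threshold, so the final alert rate is driven by expert feedback rather than a textbook "3 sigma" cut-off. The history, the labelled examples and the choice of download counts as the feature are constructed for the example.

```python
from statistics import median

# Constructed history: fourteen days of download counts per user.
HISTORY = {
    "alice": [20, 22, 19, 25, 21, 18, 23, 20, 24, 22, 19, 21, 20, 23],
    "bob":   [300, 310, 295, 320, 305, 290, 315, 300, 310, 298, 305, 312, 301, 299],
    "carol": [5, 4, 6, 5, 7, 4, 5, 6, 5, 4, 6, 5, 5, 6],
}

# Constructed analyst feedback on past candidate days: (user, daily count, confirmed incident?)
LABELLED = [
    ("alice", 35, False), ("alice", 90, True), ("alice", 28, False),
    ("bob", 340, False), ("bob", 900, True), ("bob", 360, False),
    ("carol", 9, False), ("carol", 60, True), ("carol", 11, False),
]


def robust_baseline(values):
    """Unsupervised stage: median and MAD (scaled by 1.4826 to estimate sigma for
    normal data). A few bad days in the history barely move these, unlike mean/stddev."""
    m = median(values)
    mad = median(abs(v - m) for v in values) * 1.4826
    return m, max(mad, 1.0)   # floor the spread so a constant history cannot divide by zero


def anomaly_score(user, today):
    """Deviation of today's count from the user's own baseline, in estimated sigmas."""
    m, s = robust_baseline(HISTORY[user])
    return (today - m) / s


def precision_at(threshold, labelled):
    """Share of alerts at this threshold that analysts confirmed as incidents."""
    flagged = [inc for u, c, inc in labelled if anomaly_score(u, c) >= threshold]
    return sum(flagged) / len(flagged) if flagged else 0.0


def choose_threshold(labelled):
    """Supervised stage: the lowest threshold that still catches every confirmed
    incident in the labelled set, together with the precision it achieves."""
    incident_scores = [anomaly_score(u, c) for u, c, inc in labelled if inc]
    threshold = min(incident_scores)
    return threshold, precision_at(threshold, labelled)


def detect(user, today, threshold):
    return anomaly_score(user, today) >= threshold


if __name__ == "__main__":
    print("precision with a fixed 3-sigma cut-off:", precision_at(3.0, LABELLED))
    t, p = choose_threshold(LABELLED)
    print(f"analyst-tuned threshold {t:.1f} sigma, precision {p:.2f}")
    print("bob downloading 900 today ->", detect("bob", 900, t))
    print("alice downloading 22 today ->", detect("alice", 22, t))
```

With the constructed labels, a fixed 3-sigma cut-off confirms only three of the eight days it would alert on (precision 0.375), which is the "unsupervised only" failure mode the section warns about; the threshold chosen from analyst labels still catches all three confirmed incidents while raising no false alerts on the labelled set. In a real deployment the labelled set would be much larger and the threshold re-chosen as new analyst verdicts arrive.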

6. Threat intelligence sources

Real-time cooperation with security communities and commercial threat intelligence sources raises the chance of discovering an attack in the early stages of an incident. For example, if an external intelligence source provides the enterprise with a blacklist of network information, then when attackers use a blacklisted IP address to pick infected users and intrude into the application, they are quickly detected and located.
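As an added example (not the article's own code) of the blacklist scenario just described, the block below loads a constructed threat intelligence feed containing both single addresses and CIDR ranges, matches it against constructed authentication log lines, and reports which accounts logged in from a listed address. Matching is done with the standard `ipaddress` module so that a range indicator covers every address inside it and IPv4 and IPv6 indicators are handled alike. The feed format, the log line layout and the sample values (all from documentation address ranges) are assumptions for the example.

```python
import ipaddress
import re

# Constructed blocklist feed: one indicator per line with the source that reported it.
FEED = """
# indicator,source
203.0.113.7,community-list
198.51.100.0/24,commercial-vendor
2001:db8:bad::/48,community-list
"""

# Constructed authentication log lines in a key=value layout.
LOG_LINES = [
    "2024-03-01T08:02:11Z app=crm user=alice src=192.0.2.10 result=success",
    "2024-03-01T08:05:40Z app=crm user=bob src=203.0.113.7 result=success",
    "2024-03-01T08:06:02Z app=storage user=bob src=198.51.100.77 result=failure",
    "2024-03-01T08:07:13Z app=iam user=carol src=2001:db8:bad::1 result=success",
    "2024-03-01T08:09:55Z app=docs user=dave src=198.51.101.5 result=success",
]

LINE_RE = re.compile(r"app=(?P<app>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def load_feed(text):
    """Parse the feed into (network, source) pairs. A bare address becomes a
    single-host network (/32 or /128), so every indicator is matched the same way."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, source = line.split(",", 1)
        indicators.append((ipaddress.ip_network(indicator.strip(), strict=False), source.strip()))
    return indicators


def match_events(lines, indicators):
    """Enrich each parsed log line whose source address falls inside a listed network."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not an authentication line in the expected layout
        addr = ipaddress.ip_address(m["src"])
        for net, source in indicators:
            if addr.version == net.version and addr in net:
                hits.append({"user": m["user"], "app": m["app"], "src": m["src"],
                             "result": m["result"], "indicator": str(net), "source": source})
                break                     # one indicator per event is enough for triage
    return hits


def accounts_to_review(hits):
    """Accounts that successfully authenticated from a listed address: these are the
    'infected users' the article mentions and the first thing to investigate."""
    return {h["user"] for h in hits if h["result"] == "success"}


if __name__ == "__main__":
    hits = match_events(LOG_LINES, load_feed(FEED))
    for h in hits:
        print(f"{h['user']}@{h['app']} from {h['src']} matched {h['indicator']} ({h['source']}, {h['result']})")
    print("accounts to review:", sorted(accounts_to_review(hits)))
```

Three of the five lines match: bob's successful login from the listed single address, bob's failed login from inside the vendor-supplied /24, and carol's IPv6 login from the listed /48; dave's address sits just outside the /24 and is correctly ignored. Because bob and carol authenticated successfully from listed addresses, they are the accounts a responder would look at first, which is the early-detection benefit the section attributes to external intelligence.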

As enterprise cloud migration accelerates, the latest security technologies, including machine learning, threat intelligence, predictive analysis and situational awareness, can be widely applied to lift threat detection and response to a new level.
