SecOps for Cloud

Cloud telemetry

Cloud telemetry is a cornerstone of achieving comprehensive security visibility in modern cloud environments. It provides crucial data for detecting and mitigating security threats across various cloud services. Effective logging and telemetry are essential for maintaining a robust security posture, as they offer real-time insights into system behaviors, user activities, and potential security incidents. 

Securing the cloud control plane 

The control plane is the brain of cloud operations, managing and orchestrating resources across the environment. It's a critical component that requires robust security measures. 

Common control plane threats include: 

  • Unauthorized access attempts to modify cloud infrastructure 

  • Privilege escalation exploits to gain higher-level permissions 

  • Malicious API calls to manipulate cloud resources 

Best practices for logging and securing control plane activities: 

  • Enable comprehensive logging of all API calls and management actions 

  • Implement least privilege access principles for all users and roles 

  • Use role-based access control (RBAC) to limit who can perform sensitive operations 

  • Set up real-time alerting for suspicious control plane activities 
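As an added illustration (not part of the original text) of the last two practices, the Python below classifies constructed CloudTrail-style API records and raises alerts for privilege grants and for calls that switch off audit logging. The record field names follow the CloudTrail format; the account number, user names, IP addresses and the set of "high-risk" calls are assumptions made for this example.

```python
from datetime import datetime

# Constructed CloudTrail-style records (invented account, users and IPs); the field
# names follow the CloudTrail record format, the values come from no real account.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": {"name": "org-trail"}},
]

# Management calls that warrant an immediate alert: privilege grants and anything that
# weakens the audit trail. Keyed by eventSource so a same-named call elsewhere does not match.
HIGH_RISK_CALLS = {
    "iam.amazonaws.com": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                          "CreateAccessKey", "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def classify(event):
    """Return (severity, reason) for one record, or None when it is routine."""
    source, name = event["eventSource"], event["eventName"]
    if name not in HIGH_RISK_CALLS.get(source, set()):
        return None
    params = event.get("requestParameters") or {}
    if params.get("policyArn") == ADMIN_POLICY:
        target = params.get("userName") or params.get("roleName")
        return ("critical", f"{name} granted AdministratorAccess to {target}")
    if source == "cloudtrail.amazonaws.com":
        return ("critical", f"{name} on trail {params.get('name')} weakens audit logging")
    return ("high", f"sensitive management call {name}")

def alerts_for(events):
    """Time-ordered alert records suitable for forwarding to a SIEM or pager."""
    alerts = []
    for e in sorted(events, key=lambda r: datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))):
        hit = classify(e)
        if hit:
            alerts.append({"time": e["eventTime"], "severity": hit[0], "reason": hit[1],
                           "actor": e["userIdentity"]["arn"], "source_ip": e["sourceIPAddress"]})
    return alerts
```

The same actor granting itself administrator rights and then stopping the trail within a minute is the kind of sequence the correlation rule in a SIEM should escalate further.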

Data access telemetry 

Logging data access events is crucial for maintaining data integrity and detecting potential breaches or insider threats.   

Common data access threats include: 

  • Unauthorized access to sensitive data stores 

  • Data exfiltration attempts 

  • Unusual data access patterns indicating potential compromise 

Best practices for data access telemetry: 

  • Enable fine-grained logging for all data access events 

  • Implement data classification to prioritize monitoring of sensitive information 

  • Set up alerts for abnormal access patterns or volumes 

  • Regularly audit data access logs to ensure compliance and detect potential issues 

Network telemetry 

Network telemetry plays a vital role in identifying malicious activity and protecting cloud networks from various threats. 

Common network-based threats include: 

  • Distributed Denial of Service (DDoS) attacks 

  • Unauthorized attempts to access restricted network segments 

  • Lateral movement within the cloud environment 

Best practices for network logging and monitoring: 

  • Implement Cloud-Native Network Security tools for comprehensive visibility 

  • Enable traffic flow logs to monitor network traffic patterns 

  • Implement a solution for cloud detection and response, covering both runtime and cloud activity logs 

  • Leverage cloud provider-native services like AWS GuardDuty or Azure Security Center for network threat detection 

Secrets management telemetry 

Proper logging of access to sensitive information like API keys and credentials is crucial for maintaining a secure cloud environment.   

Common threats related to secrets include: 

  • Exposed API keys or credentials in public repositories 

  • Hardcoded secrets in application code or configuration files 

  • Unauthorized access to secret management systems 

Best practices for secrets management telemetry: 

  • Use centralized secrets management tools like AWS Secrets Manager or HashiCorp Vault 

  • Enable comprehensive auditing of all access to secrets 

  • Implement automatic rotation of secrets and credentials 

  • Monitor for exposed secrets in code repositories and logs 
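An added example, not from the original text, of the last practice: a small scanner that looks for exposed credentials in log or configuration lines, applies an entropy filter to cut false positives, and reports a fingerprint and a redacted line rather than the secret itself. The sample lines are constructed for this example; the AWS key ID shape is a real convention, the other patterns and the entropy threshold are assumptions.

```python
import hashlib
import math
import re

# Constructed log and config lines (invented values, none are live credentials);
# the AKIA... value follows the well-known AWS access key ID shape.
SAMPLE_LINES = [
    'INFO  starting worker pool size=8',
    'DEBUG aws config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=us-east-1',
    'export DB_PASSWORD="correct-horse-battery-staple-2024"',
    'password = "passwordpassword"',
    'WARN  retrying request id=7f3a9c',
]

PATTERNS = {
    # fixed-shape token: prefix plus 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # generic "name = value" assignments for secret-looking names
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{12,})"),
}

def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, plain words low."""
    counts = [s.count(ch) for ch in set(s)]
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts)

def fingerprint(secret):
    """Stable reference for the alert that does not reproduce the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan(lines, min_entropy=3.0):
    """Return findings per line; the raw value is replaced before it leaves here."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # fixed-shape key IDs are reported as-is; generic matches must look random
                if kind != "aws_access_key_id" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"line": n, "kind": kind, "fingerprint": fingerprint(value),
                                 "redacted": line.replace(value, value[:4] + "****")})
    return findings
```

The fingerprint lets the same leaked value be matched across repositories and log sources without the alert pipeline becoming another place the secret is stored.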

Compute telemetry 

Compute telemetry is essential for detecting vulnerabilities and monitoring cloud workloads. Modern cloud security solutions can provide this telemetry without the need for agents, offering a non-intrusive way to gather critical security data.   

Common compute-related threats include: 

  • Privilege escalation attempts on virtual machines 

  • Misconfigured container settings leading to vulnerabilities 

  • Unauthorized changes to compute resources 

Best practices for compute logging and monitoring: 

  • Implement agentless monitoring solutions for comprehensive visibility without operational overhead 

  • Enable instance-level monitoring for detailed insights into compute resource behavior 

  • Log all system activities and changes to compute resources 

  • Regularly perform vulnerability scanning on all compute instances 

Runtime telemetry 

Runtime telemetry provides critical insights into the behavior of live applications and systems. A hybrid approach combining agentless monitoring with selective use of sensors can offer the most comprehensive coverage. 

Common runtime threats include: 

  • Application hijacking attempts 

  • Runtime attacks exploiting vulnerabilities in running applications 

  • Abnormal application behavior indicating potential compromise 

Best practices for runtime telemetry: 

  • Implement real-time monitoring of application behavior 

  • Collect and analyze application logs for security insights 

  • Use a combination of agentless monitoring and strategic sensor deployment for comprehensive coverage 

  • Perform continuous runtime vulnerability scanning   

Identity Provider (IdP) telemetry 

Monitoring activities related to identity and access management systems is crucial for detecting and preventing unauthorized access.   

Common IdP threats include: 

  • Credential theft and account takeover attempts 

  • Brute force attacks on user accounts 

  • Suspicious changes to user privileges or roles 

Best practices for IdP telemetry: 

  • Enable comprehensive auditing of all login attempts and authentication events 

  • Monitor and log all changes to user privileges and roles 

  • Enforce and monitor Multi-Factor Authentication (MFA) usage 

  • Set up alerts for suspicious activity patterns, such as multiple failed login attempts   
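The alert in the last practice, worked through as an added example (not code from the original text): sign-in events are streamed in time order, a burst of failures for one user from one address inside a five-minute window raises a brute-force alert, and a success that follows such a burst raises a possible account-takeover alert. The event tuples, threshold and window are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IdP sign-in events: (timestamp, user, source IP, outcome); all invented.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00Z", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:00:20Z", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:00:40Z", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:01:00Z", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:01:20Z", "alice", "198.51.100.7", "failure"),
    ("2024-05-01T09:02:00Z", "alice", "198.51.100.7", "success"),
    ("2024-05-01T09:30:00Z", "carol", "203.0.113.5", "failure"),
    ("2024-05-01T09:45:00Z", "carol", "203.0.113.5", "success"),
]

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Stream events in time order and emit alerts for two patterns:
    brute_force: at least `threshold` failures for one (user, ip) inside `window`;
    possible_takeover: a success for that user within `window` of the brute_force alert."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps of failures still in the window
    flagged = {}                  # user -> time the brute-force alert fired
    alerts = []
    for ts, user, ip, outcome in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if outcome == "failure":
            q = recent[(user, ip)]
            q.append(t)
            while t - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold and user not in flagged:
                flagged[user] = t
                alerts.append({"rule": "brute_force", "user": user, "ip": ip,
                               "failures": len(q), "time": ts})
        elif outcome == "success" and user in flagged and t - flagged[user] <= window:
            alerts.append({"rule": "possible_takeover", "user": user, "ip": ip, "time": ts})
            del flagged[user]                 # one takeover alert per brute-force burst
    return alerts
```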

Infrastructure-as-a-Service (IaaS) telemetry 

Telemetry for IaaS resources provides visibility into the foundational components of cloud environments. This includes not only the infrastructure itself but also the Version Control Systems (VCS) and CI/CD pipelines that manage and deploy these resources. 

Common IaaS threats include: 

  • Unauthorized access to virtual machines or storage resources 

  • Misconfigurations leading to exposed services or data 

  • Resource abuse or unexpected usage patterns  

Best practices for IaaS telemetry: 

  • Implement comprehensive instance-level monitoring for all IaaS resources 

  • Log and analyze all API calls related to IaaS resource management 

  • Monitor resource usage patterns to detect anomalies 

  • Regularly audit IaaS configurations for security best practices 

  • Implement VCS telemetry: 

      ◦ Monitor repository access and changes 

      ◦ Track branch creation, merges, and deletions 

      ◦ Log pull request activities and approvals 

  • Implement CI/CD pipeline telemetry: 

      ◦ Monitor build and deployment processes 

      ◦ Track changes to pipeline configurations 

      ◦ Log all artifact generations and deployments 

  • Correlate telemetry data from IaaS, VCS, and CI/CD pipelines to detect potential security issues across the entire infrastructure lifecycle 

  • Additional considerations: 

      ◦ Implement robust access controls and monitoring for infrastructure-as-code repositories 

      ◦ Use signed commits and verified builds to ensure code integrity 

      ◦ Regularly scan infrastructure-as-code for security misconfigurations before deployment 

      ◦ Implement automated policy checks within CI/CD pipelines to prevent insecure configurations from being deployed 
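An added example (not from the original text) of the pre-deployment scan and automated policy check above: a CI step that reads a fragment shaped like `terraform show -json` plan output and fails on two common misconfigurations, an admin port open to the world and an S3 bucket without a complete public access block. The plan fragment, resource addresses and port list are constructed for this example; the Terraform plan layout and AWS provider attribute names are real.

```python
# Constructed fragment in the shape of `terraform show -json` plan output
# (planned_values.root_module.resources); addresses and values are invented.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.db", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "example-logs"}},
    {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "example-logs", "block_public_acls": True, "block_public_policy": False}},
]}}}

ADMIN_PORTS = {22, 3389, 3306, 5432}   # management and database ports (assumed list)
WORLD = {"0.0.0.0/0", "::/0"}

def resources(plan):
    return plan["planned_values"]["root_module"].get("resources", [])

def check_security_groups(plan):
    """Flag ingress rules that expose admin ports (or all traffic) to any address."""
    out = []
    for r in resources(plan):
        if r["type"] != "aws_security_group":
            continue
        for rule in r["values"].get("ingress", []):
            if not WORLD & set(rule.get("cidr_blocks", [])):
                continue
            ports = set(range(rule["from_port"], rule["to_port"] + 1))
            if rule.get("protocol") == "-1" or ADMIN_PORTS & ports:   # "-1" means all traffic
                out.append(f"{r['address']}: port {rule['from_port']}-{rule['to_port']} open to the world")
    return out

def check_buckets(plan):
    """Every bucket needs a public access block that blocks both ACLs and policies."""
    out = []
    blocks = {r["values"]["bucket"]: r["values"] for r in resources(plan)
              if r["type"] == "aws_s3_bucket_public_access_block"}
    for r in resources(plan):
        if r["type"] != "aws_s3_bucket":
            continue
        b = blocks.get(r["values"]["bucket"])
        if b is None:
            out.append(f"{r['address']}: no public access block defined")
        elif not (b.get("block_public_acls") and b.get("block_public_policy")):
            out.append(f"{r['address']}: public access block leaves ACLs or policies open")
    return out

def evaluate(plan):
    """All violations; the CI step fails the pipeline when this list is non-empty."""
    return check_security_groups(plan) + check_buckets(plan)
```

Wired into the pipeline after `terraform plan`, a non-empty result from evaluate() blocks the apply step, so the misconfiguration is caught before it becomes an IaaS telemetry finding.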

By implementing these telemetry practices across the various layers of a cloud environment, including VCS and CI/CD pipelines, organizations can significantly improve their ability to detect, respond to, and mitigate security threats in real time throughout the entire infrastructure lifecycle.