Cloud Log Capture and Analysis
- many cloud services provide log creation, monitoring, and analysis tools
- but may want to use your own services
- Cloud native tools:
  - Amazon: CloudWatch
    - provides monitoring for Elastic Compute Cloud (EC2) instances and other services
  - Azure: Azure Monitor
    - provides analysis, monitoring, alerting, visualization
  - Google: GCP operations suite
Event Sources and Attributes
- understanding where log entries come from and what the information in the logs means is critical
- Basic elements of logs for CCSP:
  - Identity
    - system, user, or service identity
  - IP address
    - source and destination
  - Geolocation of events and IP
  - Time stamps
- Events contain information about what occurred
  - service log entry, event ID, or simply the query or request processed
- security analysts should know which events are malicious
- cloud storage events have their own specific log entries, event IDs, and related details
- when designing cloud data security models, need to identify:
  - what to log
  - what events are important
  - what should be alerted on
  - where logs are stored and analyzed
  - how long to retain logs
  - how to secure logs
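As an added example (not part of the original notes), the following Python reduces raw cloud log lines to the basic elements listed above (identity, source IP, geolocation, time stamp, and what occurred) and applies two "what should be alerted on" rules. The log lines, the CloudTrail-like field names, and the IP-to-country table are all constructed for the example.

```python
import json
from collections import Counter

# Constructed sample records in a CloudTrail-like JSON shape (assumed field
# names, not real log data). Each line is one event as a log shipper delivers it.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}}',
    '{"eventTime": "2024-05-01T10:01:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventTime": "2024-05-01T10:01:30Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventTime": "2024-05-01T10:02:00Z", "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventTime": "2024-05-01T10:05:00Z", "eventName": "GetObject", "userIdentity": {"userName": "svc-backup"}, "sourceIPAddress": "192.0.2.44"}',
]

# Constructed IP-to-country table standing in for a real geolocation lookup.
GEO_TABLE = {"203.0.113.10": "US", "198.51.100.7": "XX", "192.0.2.44": "US"}
ALLOWED_COUNTRIES = {"US"}
FAILED_LOGIN_THRESHOLD = 2  # alert once a single source IP reaches this many failures

def normalize(line):
    """Reduce one raw event to the basic log elements from the notes:
    identity, source IP, geolocation, time stamp, plus the event and its outcome."""
    raw = json.loads(line)
    ip = raw.get("sourceIPAddress", "")
    return {
        "identity": raw.get("userIdentity", {}).get("userName", "unknown"),
        "source_ip": ip,
        "country": GEO_TABLE.get(ip, "unknown"),
        "timestamp": raw.get("eventTime", ""),
        "event": raw.get("eventName", ""),
        "outcome": raw.get("responseElements", {}).get("ConsoleLogin", "n/a"),
    }

def analyze(lines):
    """Return (normalized events, alerts) for two simple alerting rules:
    activity from a country outside the allow list, and repeated failed logins."""
    events = [normalize(line) for line in lines]
    alerts, seen_geo, failures = [], set(), Counter()
    for e in events:
        key = (e["identity"], e["source_ip"])
        if e["country"] not in ALLOWED_COUNTRIES and key not in seen_geo:
            seen_geo.add(key)  # one geolocation alert per identity/IP pair
            alerts.append(("unexpected_geolocation", e["identity"], e["source_ip"]))
        if e["event"] == "ConsoleLogin" and e["outcome"] == "Failure":
            failures[e["source_ip"]] += 1
            if failures[e["source_ip"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_logins", e["source_ip"], FAILED_LOGIN_THRESHOLD))
    return events, alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG_LINES)[1]:
        print(alert)
```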
Best Practices for Cloud Logging and Analysis
Log Management
- Logging generates massive volumes of log data
  - takes up a large amount of storage space, increasing costs
  - need to sort and filter out the important logs
- SIEMs help with log management
  - collect, manage, analyze, and display log data