
Once more unto the breach…

By Craig Tunstall

Another day, another data breach. On 21 September 2020, gaming behemoth Activision was reportedly compromised, and sources suggest that over half a million account records have been leaked. The ITRC (https://notified.idtheftcenter.org/s), which monitors such data breaches annually, had until that point registered relatively low data-breach incident levels for 2020 compared to previous years (the ITRC estimate for 2019 was circa 164 million records); however, recent headlines suggest that the year-end total might keep pace with past years.

It’s Not You, It’s Me

It is a stark but unavoidable fact that the majority of security breaches that have taken place, and will take place over the next couple of years, in the Public Cloud will not be due to failings of the Cloud Service Provider (CSP); the fault lies with the organisation. As more and more organisations consider migrating to the public cloud, executives tasked with ensuring the on-going security and compliance posture of cloud-hosted systems face significant challenges translating on-premise security into actionable mitigation controls that can be realised in the Cloud. Attracted by the promise of the Cloud's economies of scale and dynamic scalability, many organisations are simultaneously drawn towards cloud adoption whilst also being fearful of falling victim to cyber-crime in what some consider to be a wild new frontier.

The security of the Cloud is the responsibility of the CSP, whereas security in the Cloud is the organisation's responsibility. Despite offloading a large proportion of the responsibility to the CSP, roughly 30% of all organisations have said they will refrain from public cloud adoption because of a primal fear of data loss and overall security. The most commonly cited challenges in cyber security include:

  • There is a significant skills gap in cyber security (54% of UK businesses sampled in 2019 acknowledge this; UK HM Government, May 2019, National Cyber Security Skills Strategy, https://www.gov.uk/government/publications/cyber-security-skills-strategy).
  • There has been a significant increase in malicious activity globally; from data breaches to ransomware, organised criminal gangs are making large sums of money from these activities, which means they are unlikely to end soon.
  • The volume of data organisations hold is increasing exponentially; there is more to track and manage.
  • The pace of innovation in CSPs like AWS means organisations' workloads are constantly evolving.

For many organisations, the key challenge is closing the skills gap and acquiring the necessary skills to ensure that their cloud hosted systems are secure and remain compliant. 

The consequence of such inaction is that many organisations are losing out on the significant increases in productivity afforded by the Cloud as well as its inherent cost savings and the benefits of automation. 

Detection 

HeleCloud shares the view of the SANS Institute (https://www.sans.org/) that 'prevention is ideal, but detection is a must'. Perimeter-based security is no longer considered a cogent approach to protecting computer systems; it has been replaced by the belief that organisations must operate on the assumption that they will be breached at some point and proactively take steps to detect compromise.

The ability to detect activity that might compromise an organisation’s compliance or security posture relies heavily upon its ability to:

  • Gather the right type of behavioural data; 
  • Baseline normal behaviour so it is possible to detect abnormal patterns of behaviour;
  • Monitor and alert in response to anomalous behaviour and where possible automate remediation. 

A badly configured Security Information and Event Monitoring system (SIEM) is nearly as bad as no SIEM at all. It is always worth remembering that 'the absence of evidence is not evidence of absence' (the pitfall of inductive reasoning). If your SIEM draws a conclusion from data that is non-representative or incomplete, it can create a false sense of assurance that your systems are secure and compliant when they are not, or it can raise so many false positives that your security system becomes the 'boy who cried wolf' (which didn't end well for the sheep). Determining which information is required takes expertise and a detailed knowledge of the system under scrutiny. Getting it wrong undermines confidence in the system and lowers productivity. Inductive reasoning is expedient in scientific activities because the problem domain is often infinite and indefinite; in AWS Public Cloud environments this is not the case, and it is possible to capture and automate a comprehensive detection and remediation capability that provides assurance that your system is secure and compliant.
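As an added illustration of the three steps above (gather, baseline, alert) and of the 'absence of evidence' point, the following example is not HeleCloud code: it learns a per-principal baseline from CloudTrail-shaped records, flags activity outside it, and reports an account whose trail delivered no events as a coverage gap rather than as 'clean'. All ARNs, account IDs and events are constructed sample data.

```python
"""Baseline-then-alert detection over CloudTrail-style events (added example).

Record shape mimics CloudTrail fields (userIdentity.arn, awsRegion, eventName,
recipientAccountId); every value below is constructed, not real log data.
"""
from collections import defaultdict


def ev(arn, region, name, acct):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"userIdentity": {"arn": arn}, "awsRegion": region,
            "eventName": name, "recipientAccountId": acct}


DEPLOY = "arn:aws:iam::111111111111:user/deploy"   # constructed principal
AUDIT = "arn:aws:iam::222222222222:role/audit"     # constructed principal

# Known-good window: what each principal normally does, and from where.
BASELINE = [ev(DEPLOY, "eu-west-2", "PutObject", "111111111111"),
            ev(DEPLOY, "eu-west-2", "GetObject", "111111111111"),
            ev(AUDIT, "eu-west-2", "DescribeInstances", "222222222222")]

# Live window: one normal call, one IAM call from a never-seen region, and
# nothing at all from account 222222222222 (its trail is silent).
LIVE = [ev(DEPLOY, "eu-west-2", "PutObject", "111111111111"),
        ev(DEPLOY, "us-east-1", "CreateUser", "111111111111")]


def build_baseline(events):
    """Map each principal ARN to the (region, API call) pairs seen in the good window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["userIdentity"]["arn"]].add((e["awsRegion"], e["eventName"]))
    return dict(seen)


def detect(events, baseline, expected_accounts):
    """Return alerts for deviations from the baseline plus log-coverage gaps.

    An expected account that produced no events is reported as a gap; a SIEM
    that concluded 'secure' from missing logs would be reasoning from absence.
    """
    alerts, accounts_seen = [], set()
    for e in events:
        arn, key = e["userIdentity"]["arn"], (e["awsRegion"], e["eventName"])
        accounts_seen.add(e["recipientAccountId"])
        if arn not in baseline:
            alerts.append(("unknown-principal", arn, key))
        elif key not in baseline[arn]:
            alerts.append(("outside-baseline", arn, key))
    for acct in sorted(expected_accounts - accounts_seen):
        alerts.append(("coverage-gap", acct, None))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE, build_baseline(BASELINE), {"111111111111", "222222222222"}):
        print(alert)
```

In a real deployment the baseline window would be learned from the account's own CloudTrail history and the expected-account set taken from the organisation's account inventory.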

The Four Key Areas of AWS Cloud Security 

Four main areas should be addressed when securing an AWS workload. 

  • Identity and Access Management: controlling who has access to your infrastructure should be the cornerstone of your security. 
  • Network Security Management: monitoring and controlling the flow of traffic in and out of your AWS VPCs, subnets and EC2 instances should be an integral part of securing your system.
  • Compliance Management: organisational governance and regulatory compliance require constant vigilance. It is important to monitor the current activity but also to be able to audit historical activity and follow the paper trail to determine the root cause of non-compliance.  
  • Vulnerability Management: this is of particular concern for those components of your system that are not delivered as an AWS managed service (unlike, for example, RDS). EC2 instances in your workload, for instance, are the organisation's responsibility to manage: to ensure they are patched and have anti-malware and monitoring agents installed.

Introducing the HeleCloud Security and Compliance Managed Service

HeleCloud Professional Services teams have been working with customers and partners for the last three years to help them design and implement security solutions. Our solutions ensure comprehensive coverage of the four areas described above and make extensive use of automation to remediate or alert in response to findings. We have pooled all of our real-world experience to develop the Managed Security and Compliance service.

The Whole is Greater than the Sum of its Parts 

The HeleCloud Managed Security and Compliance service combines technology, network engineering and consultancy to provide cyber security solutions that can give your business assurance it is operating securely.  

  • Automation: we use custom built technology to remove the risk of human error in response to security threats. 
  • Monitoring tools: we install and configure Security Information and Event Monitoring (SIEM) tooling to monitor, report and alert on activity within your workload. 
  • Third Party Security tools: we can also install and configure 3rd party firewall technology, IPS monitoring or IDS control systems into your environment and integrate them with the SIEM. 
  • AWS Security Tuning: we configure CloudWatch, AWS Config, Security Hub and enable automated Inspector scanning of EC2 instances. 
  • Expertise: staffed by our AWS-certified engineers 24×7/365, we learn about your system and then tune the monitoring and alerting tools. Our engineers are also on hand to remediate immediately against threats where automation is not possible.

Engagement Process 

Figure 1. The HeleCloud Landing Zone (HLZ). SIEM typically deployed into Shared Services Account.

We work with what you already have deployed in AWS and augment it to support a fully configured Security Information and Event Monitoring system based on ElasticSearch and Kibana. ElasticSearch provides the search capability over your log and metric data, and Kibana provides a powerful single-pane-of-glass dashboard. We configure the monitoring and alerting capabilities to align with your organisational governance and regulatory compliance requirements. For example, if your AWS workload must be PCI compliant, our security and compliance service will ensure that action is taken in response to any activity that fails PCI criteria.

We also ensure adequate log coverage. HeleCloud's SIEM solution has general log streams for every AWS account that are ingested by default. Every additional log producer (e.g. third-party applications, custom firewalls, etc.) can be ingested and visualised in the SIEM.

For HeleCloud customers who are already using the HeleCloud Landing Zone (HLZ) (see Figure 1.), the environment is preconfigured to support integration with the SIEM module. For new customers, we will enable all the required AWS Services and deploy some additional custom HeleCloud integrations including:

  • Security Hub
  • GuardDuty
  • IAM Access Analyzer 
  • Amazon Inspector
  • AWS Config
  • AWS CloudTrail
  • Web Application Firewall logs
  • Custom Integration between ECR and Security Hub
  • Custom Integration between Config and Security Hub
  • CloudWatch logs export function to centralized S3 bucket

We keep you informed through regular automated reporting, and since we build and run the service you get 24 x 7 x 365 coverage without employing any extra staff. This removes the hard work from security, freeing you up to concentrate on your core business. Any potential issues with data residency can be forgotten, as all data stays within your AWS account and region. The service can be up and running in a matter of weeks, so you get fast adoption. Because the service is cloud-native, we have been able to create automation for incident response and keep the service at the cutting edge to address evolving threats.

We at HeleCloud specialise in helping organisations transform their businesses in the Cloud. Do get in touch and we’d be happy to help improve your security and compliance and ensure your business continuity.