Cloud logging is a critical part of any cybersecurity strategy but can also be challenging. In our recent State of AWS Log Management report, 250 cybersecurity professionals shared their biggest AWS logging challenges. Here are the top issues they identified and tips to solve them.

AWS offers hundreds of different services that can produce a tsunami of log data. This data can be valuable for security professionals as it can help them to identify and track potential security threats. However, managing this flood of data can be a challenge. Our survey respondents identified copying, correlating, alerts, and segmentation as pain points. Let’s look at the numbers for each.

Copying AWS Logs

Nearly half of our respondents indicated that redirecting or copying logs was a top challenge. Of the 74% who tried copying records, 80% succeeded. That can add up to a lot of log data. There is nothing inherently wrong with consuming large amounts of log data as long as the volume does not slow your ability to respond.

Tip 1: Begin with the basics. Ingesting logs quickly and efficiently is essential in any logging system, but processing those logs and generating alerts from them effectively matters just as much. Consuming a large volume of records without processing them effectively leads to missed alerts and delayed mitigation. Conversely, if you ingest fewer logs but process them quickly and efficiently, you are ahead of the game. It is more about priorities and efficiency than the total volume of records your team analyzes.

Log Correlation

Log correlation is the process of analyzing logs from different sources to identify a pattern of events. The information gathered is invaluable for gaining better visibility into the network’s activity and securing the network against vulnerabilities and threats. 40% of respondents said correlating related incident information from different log sources was a top challenge.

Tip 2: A SIEM is not magic. A SIEM can be a security team’s best friend, providing a centralized place to collect and analyze data from multiple sources. However, a SIEM is not a silver bullet; it takes continuous work to keep it up to date and correctly configured. Because your threats and environment are constantly changing, you need to keep tuning your SIEM so that it provides the most accurate and actionable data possible. The effort is well worth it, as a properly maintained SIEM can provide invaluable insights into your organization’s security posture.
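A minimal illustration of the cross-source correlation described above, added here as an example and not part of the original article: it joins constructed sign-in and IAM records (simplified CloudTrail-style fields with invented sample values) and flags a burst of failed console logins that is followed by a success and then an IAM write from the same user and source IP.

```python
from datetime import datetime, timedelta

# Constructed, simplified CloudTrail-style records from two event sources
# (console sign-in and IAM). Sample values are invented, not real log data.
EVENTS = [
    {"time": "2024-01-10T08:00:05Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "alice", "ip": "203.0.113.7", "outcome": "Failure"},
    {"time": "2024-01-10T08:00:40Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "alice", "ip": "203.0.113.7", "outcome": "Failure"},
    {"time": "2024-01-10T08:01:10Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "alice", "ip": "203.0.113.7", "outcome": "Failure"},
    {"time": "2024-01-10T08:03:00Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "alice", "ip": "203.0.113.7", "outcome": "Success"},
    {"time": "2024-01-10T08:09:30Z", "source": "iam.amazonaws.com", "name": "AttachUserPolicy", "user": "alice", "ip": "203.0.113.7", "outcome": "Success"},
    {"time": "2024-01-10T09:00:00Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "bob", "ip": "198.51.100.2", "outcome": "Failure"},
    {"time": "2024-01-10T09:00:30Z", "source": "signin.amazonaws.com", "name": "ConsoleLogin", "user": "bob", "ip": "198.51.100.2", "outcome": "Success"},
    {"time": "2024-01-10T09:05:00Z", "source": "iam.amazonaws.com", "name": "ListUsers", "user": "bob", "ip": "198.51.100.2", "outcome": "Success"},
]

# IAM call-name prefixes treated as privilege-changing writes (assumption for this example).
IAM_WRITES = ("Attach", "Put", "Create", "Update", "Delete")

def ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, min_failures=3, window_minutes=10):
    """Return one finding per (user, ip) where at least `min_failures` failed
    console logins are followed by a success and then an IAM write call by the
    same user from the same IP, all within `window_minutes` of the first failure."""
    events = sorted(events, key=ts)
    window = timedelta(minutes=window_minutes)
    findings, done = [], set()
    for i, first in enumerate(events):
        key = (first["user"], first["ip"])
        if first["name"] != "ConsoleLogin" or first["outcome"] != "Failure" or key in done:
            continue
        deadline = ts(first) + window
        fails, logged_in = 0, False
        for rec in events[i:]:
            if ts(rec) > deadline:
                break  # events are sorted, so nothing later can match this window
            if (rec["user"], rec["ip"]) != key:
                continue
            if rec["name"] == "ConsoleLogin":
                if rec["outcome"] == "Failure":
                    fails += 1
                elif fails >= min_failures:
                    logged_in = True
            elif logged_in and rec["source"] == "iam.amazonaws.com" and rec["name"].startswith(IAM_WRITES):
                findings.append({"user": key[0], "ip": key[1], "failures": fails, "iam_call": rec["name"], "at": rec["time"]})
                done.add(key)  # report each burst once, not once per failed attempt
                break
    return findings
```

In a SIEM the same pattern would be expressed as a correlation rule; the thresholds and the list of write prefixes are exactly the kind of setting that needs ongoing tuning.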

Too Many Alerts

46% of respondents identified operationalizing log data to find security risks or threats as a top challenge. Another 46% said that filtering log data or alerts to reduce false positives and benign incidents was difficult for them.

Alert fatigue is a common problem among security analysts. Analysts who are overwhelmed by alerts become less effective at their jobs, and the risk of a serious security breach increases.

Tip 3: De-noise your security alerts. When analysts are inundated with alerts, they may only have time to investigate the most urgent ones, leading to less critical issues being ignored. By focusing more time, attention, and resources on de-noising your alerts, you can reduce alert fatigue and go a long way toward solving this pernicious problem.

First, understand the various types of data you collect and make value judgments about your logs. Be liberal in deploying filters against your log data: if certain records return little for the effort needed to analyze them because they contain too much useless information, do without them.
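One way to turn those value judgments into code, added here as an example and not part of the original article: an ordered list of suppression rules is applied to constructed CloudTrail-style records (invented sample values, simplified fields), a short must-keep check runs before any suppression so that high-value records can never be filtered out, and a per-rule counter shows what each filter actually buys you.

```python
# Constructed, simplified CloudTrail-style records; sample values are invented.
RECORDS = [
    {"name": "DescribeInstances", "user": "role/ci-deploy", "readOnly": True, "error": None},
    {"name": "ListBuckets", "user": "role/backup-job", "readOnly": True, "error": None},
    {"name": "GetObject", "user": "role/ci-deploy", "readOnly": True, "error": "AccessDenied"},
    {"name": "PutBucketPolicy", "user": "user/alice", "readOnly": False, "error": None},
    {"name": "DescribeInstances", "user": "user/alice", "readOnly": True, "error": None},
    {"name": "ConsoleLogin", "user": "root", "readOnly": False, "error": None},
    {"name": "AssumeRole", "user": "role/ci-deploy", "readOnly": False, "error": None},
]

# Principals known to be automation (assumption for this example).
AUTOMATION = {"role/ci-deploy", "role/backup-job"}

# Ordered suppression rules as (label, predicate); the first match drops the record.
SUPPRESS = [
    ("successful read-only call", lambda r: r["readOnly"] and r["error"] is None),
    ("automation AssumeRole", lambda r: r["name"] == "AssumeRole" and r["user"] in AUTOMATION),
]

def must_keep(r):
    """Records that are never filtered, whatever the suppression rules say:
    root activity and access-denied errors are worth an analyst's time."""
    return r["user"] == "root" or r["error"] == "AccessDenied"

def denoise(records, rules=SUPPRESS):
    """Return (kept records, count dropped per rule label)."""
    kept, dropped = [], {label: 0 for label, _ in rules}
    for r in records:
        if must_keep(r):
            kept.append(r)
            continue
        for label, pred in rules:
            if pred(r):
                dropped[label] += 1
                break
        else:  # no rule matched
            kept.append(r)
    return kept, dropped

def reduction(records, rules=SUPPRESS):
    """Fraction of the input volume removed by the rules (0.0 to 1.0)."""
    kept, _ = denoise(records, rules)
    return 1 - len(kept) / len(records) if records else 0.0
```

A rule whose counter stays near zero is costing analyst attention for nothing and is a candidate for removal; a rule that drops most of the volume deserves a second look at what it is hiding.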

Missing Segmentation

The most fundamental tool for organizing and protecting cloud resources is account segmentation. Digging a little deeper into our survey results, 65% of respondents describe their organization as having only ever existed in the cloud, and 50% of the entire group say their environments are very complex. However, fewer than 20% collect log data from more than 40 accounts.

Tip 4: Segment More AWS Accounts. You can protect your resources from unauthorized access by creating a separate AWS account for each environment. Each environment, such as development, test, and production, is then better protected against unauthorized access, and the separation limits the scope of impact if something goes wrong.

Conclusion

Security practitioners responding to our State of AWS Log Management survey have identified the following top challenges with logging in AWS: redirecting AWS logs, log correlation, too many alerts, and missing segmentation. By addressing these challenges, you can improve your organization’s security posture and reduce the risk of a severe breach. To do this, it is crucial to begin with only the necessary logs, fine-tune your SIEM, de-noise your alerts, and segment your accounts. Doing so will help you better protect your resources and respond to incidents.


Source: CPO Magazine
