Source: The Red Canary Blog: Information Security Insights Author: Brian Davis URL: https://redcanary.com/blog/threat-detection/cloud-threat-detection/
ONE SENTENCE SUMMARY: Red Canary presents a detailed six-phase process for detecting cloud threats within the control plane using telemetry data.

MAIN POINTS:

- Threats to the cloud include unauthorized access, credential misuse, API abuse, and data exfiltration.
- The cloud control plane manages deployed resources and maintains a record of activities via telemetry.
- Red Canary processes billions of telemetry records daily to identify security threats.
- The six phases of detection are Ingest, Standardize, Combine, Detect, Suppress, and Respond.
- Ingestion focuses on moving relevant data to the processing system while filtering out unnecessary information.
- Standardization puts data into a common format so that multiple data sources can be integrated more easily.
- Combining data establishes a contextual overview for identifying behavioral trends indicative of threats.
- Detection applies predefined analytics to the combined data to identify malicious behavior.
- Effective telemetry monitoring helps identify high-noise data sources so that processing costs can be reduced.
- A standardized model simplifies downstream detection logic across the various telemetry sources.
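The six phases listed above, carried through end to end as an added Python example that is not code from the Red Canary post: the two vendor record shapes, the common schema, the "changes from several IPs in a short window" analytic, the allowlist and the sample records are all constructed for illustration.

```python
# Toy six-phase pipeline (ingest, standardize, combine, detect, suppress, respond);
# field names, the common schema and the analytic are constructed for illustration.
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time principal action source_ip provider")  # assumed common model

def is_noise(raw):
    """Ingest: drop high-volume read-only records before they are processed."""
    action = raw.get("eventName") or raw.get("operationName", "")
    return action.startswith("Describe") or action.endswith("/read")

def standardize(raw):
    """Standardize: map two constructed vendor shapes onto the common model."""
    if "eventName" in raw:  # CloudTrail-like shape
        return Event(raw["eventTime"], raw["userIdentity"]["arn"],
                     raw["eventName"], raw["sourceIPAddress"], "aws")
    return Event(raw["time"], raw["caller"], raw["operationName"],  # Azure-like shape
                 raw["callerIpAddress"], "azure")

def combine(events):  # Combine: group by principal so a trend across events becomes visible
    by_principal = defaultdict(list)
    for event in events:
        by_principal[event.principal].append(event)
    return by_principal

def detect(by_principal, window=600, min_ips=2):
    """Detect: one principal making changes from several IPs within a short window."""
    def suspicious(events):
        times = [e.time for e in events]
        return max(times) - min(times) <= window and len({e.source_ip for e in events}) >= min_ips
    return [p for p, events in by_principal.items() if suspicious(events)]
ALLOWLIST = {"arn:aws:iam::111122223333:role/backup-automation"}  # constructed suppression list

def run_pipeline(raw_records):
    """Suppress allowlisted automation, then respond with the sorted alert list."""
    events = [standardize(r) for r in raw_records if not is_noise(r)]
    return sorted(p for p in detect(combine(events)) if p not in ALLOWLIST)

def aws(t, name, ip, who):  # builder for constructed CloudTrail-like records
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:{who}"}}
SAMPLE_RECORDS = [  # constructed telemetry, not real logs
    aws(1000, "DescribeInstances", "203.0.113.5", "user/alice"),    # noise, dropped at ingest
    aws(1010, "CreateAccessKey", "203.0.113.5", "user/alice"),
    aws(1200, "AttachUserPolicy", "198.51.100.7", "user/alice"),    # second IP -> alert
    aws(1300, "PutObject", "192.0.2.10", "role/backup-automation"),
    aws(1310, "PutObject", "192.0.2.11", "role/backup-automation"),  # alerts, then suppressed
    {"time": 1400, "caller": "bob@example.com", "callerIpAddress": "192.0.2.20",
     "operationName": "Microsoft.Compute/virtualMachines/write"},     # single IP, no alert
]
```

Running `run_pipeline(SAMPLE_RECORDS)` yields only alice's ARN: the read-only record never reaches detection, the backup role trips the analytic but is suppressed, and bob's single-IP write is below the threshold.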
TAKEAWAYS:

- Understanding the cloud control plane is essential for securing cloud environments.
- Filtering telemetry data is crucial to manage costs and enhance detection efficiency.
- Standardizing data formats streamlines the integration of diverse data sources in security analysis.
- Creating a contextual overview helps detect trends that single events may not reveal.
- Employing a structured detection process improves threat identification and response capabilities.