Cloud Security Monitoring

Moving data and applications to the cloud poses a new challenge for corporate SOCs, which are not always ready to monitor someone else's infrastructure. According to Netskope, the average enterprise (apparently in the US) uses 1246 different cloud services, 22% more than a year earlier. 1246 cloud services! 175 of them are HR-related, 170 are marketing, 110 are collaboration and 76 are finance and CRM. Cisco uses "only" 700 external cloud services. So these numbers puzzle me a little. But whatever the case, the problem is not the numbers themselves but the fact that the cloud is being adopted quite actively by a growing number of companies that would like the same monitoring capabilities for their cloud infrastructure as they have for their own network. And the trend is growing - according to the US Government Accountability Office, by 2023 a further 1200 data centers will be closed in the United States (6250 have already been closed). But the move to the cloud is not just "let's move our servers to an external provider". A new IT architecture, new software, new processes, new restrictions... All of this brings serious changes to the work of not only IT but also information security. And while providers have more or less learned how to secure the cloud itself (fortunately there are plenty of recommendations), cloud security monitoring, especially on SaaS platforms, still has serious problems, which is what we will discuss.


Let's say your company has moved part of its infrastructure to the cloud... Stop. Not like that. If the infrastructure has already been moved and you are only now thinking about how to monitor it, you have already lost. Unless the provider is Amazon, Google or Microsoft (and even then with reservations), you will most likely have very little ability to monitor your data and applications. It is good if you are at least given the opportunity to work with logs. Sometimes security event data exists, but you cannot get at it. Take Office 365. With the cheapest E1 license, security events are not available to you at all. With an E3 license your data is kept for only 90 days, and only with an E5 license is log retention a year (and even that has its nuances, related to the need to separately request a number of log-related functions from Microsoft support). By the way, the E3 license is much weaker in terms of monitoring functions than on-premises Exchange. To reach the same level you need an E5 license or the additional Advanced Compliance license, which may require extra money that was not included in your financial model for the cloud migration. And this is just one example of underestimating the issues related to cloud security monitoring. In this article, without claiming to be exhaustive, I want to draw attention to some nuances that should be taken into account when choosing a cloud provider from a security point of view. And at the end of the article there will be a checklist to complete before you consider the question of cloud information security monitoring settled.

There are several typical problems that lead to cloud incidents that the information security service either has no time to respond to or does not see at all:

  • There are no security logs. This is a fairly common situation, especially among newcomers to the cloud solutions market. But you should not give up on them right away. Small players, especially domestic ones, are more sensitive to customer requirements and can quickly implement some required functions by adjusting the approved roadmap for their products. Yes, it will not be an analog of GuardDuty from Amazon or the "Proactive Protection" module from Bitrix, but at least it is something.
  • Information security does not know where the logs are stored or has no access to them. Here you need to negotiate with the cloud service provider - perhaps they will provide such information if they consider the client important enough. But in general it is not a good sign when access to logs is granted "by special decision".
  • It also happens that the cloud provider has logs but offers limited monitoring and event logging that is not sufficient to detect all incidents. For example, you may receive only logs of changes to a site or logs of user authentication attempts, but not other events such as network traffic, which hides from you a whole layer of events characterizing attempts to break into your cloud infrastructure.
  • There are logs, but access to them is hard to automate, which forces you to monitor them not continuously but on a schedule. And if the logs cannot be downloaded automatically, then downloading them, for example, in Excel format (as with a number of domestic cloud providers) may lead to the corporate information security service refusing to deal with them at all.
  • There is no log monitoring. This is perhaps the least obvious cause of information security incidents in the cloud. The logs seem to exist, access to them can be automated, but nobody does it. Why?

The shared responsibility model for cloud security

Moving to the cloud is always a search for balance between the desire to retain control over the infrastructure and handing it over to the more professional hands of a cloud provider who specializes in running it. The same balance has to be found in cloud security. Moreover, depending on the service model used (IaaS, PaaS, SaaS), this balance will always be different. In any case, we must remember that all cloud providers today follow the so-called shared responsibility model for information security. The cloud is responsible for some things, and the client is responsible for others, having placed its data, applications, virtual machines and other resources in the cloud. It would be reckless to expect that by moving to the cloud we shift all responsibility to the provider. But it is also unwise to build all the security yourself when moving to the cloud. A balance is needed, and it will depend on many factors: the risk management strategy, the threat model, the security mechanisms the cloud provider makes available, legislation, and so on.


For example, the classification of data hosted in the cloud is always the client's responsibility. The cloud provider or an external service provider can only help with tools that label data in the cloud, detect violations, delete data that violates the law, or mask it in one way or another. On the other hand, physical security is always the responsibility of the cloud provider, which it cannot share with clients. But everything between the data and the physical infrastructure is exactly what this article is about. For example, the availability of the cloud is the provider's responsibility, while configuring firewall rules or enabling encryption is the client's responsibility. In this article we will try to look at which information security monitoring mechanisms are offered today by various cloud providers popular in Russia, what the specifics of using them are, and when it is worth looking at external overlay solutions (for example, Cisco E-mail Security) that extend the cybersecurity capabilities of your cloud. In some cases, especially if you follow a multi-cloud strategy, you will have no choice but to use external security monitoring solutions across several cloud environments at once (for example, Cisco CloudLock or Cisco Stealthwatch Cloud). And in some cases you will realize that the cloud provider you have chosen (or that was imposed on you) offers no security monitoring capabilities at all. This is unpleasant, but it is not nothing either, since it lets you adequately assess the level of risk associated with working with that cloud.

Cloud Security Monitoring Lifecycle

To monitor the security of the clouds you use, you have only three options:

  • rely on the tools provided by your cloud provider,
  • use third-party solutions that can monitor the IaaS, PaaS or SaaS platforms you use,
  • build your own cloud monitoring infrastructure (only possible for IaaS/PaaS platforms).

Let's look at the specifics of each of these options. But first we need to understand the general framework that will be used when monitoring cloud platforms. I would single out 6 main components of the cloud security monitoring process:

  • Infrastructure preparation. Defining the tools and infrastructure needed to collect the events that matter for information security and store them.
  • Collection. At this stage, security events are gathered from various sources for subsequent transfer for processing, storage and analysis.
  • Processing. At this stage, the data is transformed and enriched to make subsequent analysis easier.
  • Storage. This component handles both short-term storage of collected and processed data and its long-term retention.
  • Analysis. At this stage you can detect incidents and respond to them automatically or manually.
  • Reporting. This stage helps produce key indicators for stakeholders (management, auditors, the cloud provider, customers, etc.) that help us make certain decisions, for example, changing the provider or strengthening information security.

Understanding these components will help you quickly decide later what you will take from your provider and what you will have to do yourself or with the help of external consultants.

Built-in cloud services

I already wrote above that many cloud services today do not provide any security monitoring capabilities. In general, they pay little attention to the topic of information security. For example, take one of the popular Russian services for submitting reports to government agencies via the Internet (I will deliberately not name it). The entire section about the security of this service revolves around the use of certified cryptographic information protection facilities (CIPF). The information security section of another domestic cloud service, for electronic document management, is no different. It talks about public key certificates, certified cryptography, elimination of web vulnerabilities, DDoS protection, the use of firewalls, backups and even regular information security audits. But there is not a word about monitoring, nor about the ability to access security events that might be of interest to this provider's clients.

In general, by how a cloud provider describes information security on its website and in its documentation, you can tell how seriously it takes the subject. For example, if you read the manuals for "My Office" products, there is not a word about security, but in the documentation for the separate product "My Office. KS3", designed to protect against unauthorized access, there is the usual list of items from FSTEC order No. 17 that "My Office.KS3" implements, without describing how it implements them and, most importantly, how to integrate these mechanisms with corporate information security. Perhaps such documentation exists, but I did not find it in the public part of the "My Office" website. Or maybe I just do not have clearance for this secret information?..


With Bitrix the situation is much better. The documentation describes the format of the event logs and, interestingly, the intrusion log, which contains events related to potential threats to the cloud platform. From it you can extract the IP, the user or guest name, the event source, the time, the User Agent, the event type, and so on. True, you can only work with these events either from the control panel of the cloud itself or by exporting the data in MS Excel format. Automating work with Bitrix logs is difficult for now, and part of the work has to be done by hand (export the report, then load it into your SIEM). But if we remember that until recently even this was not possible, it is real progress. At the same time, I want to note that many foreign cloud providers offer the same "beginner" functionality - either look at the logs with your own eyes through the control panel or export the data to yourself (though most export in .csv format rather than Excel).


Leaving aside the option with no logs at all, cloud providers usually offer you three ways of monitoring security events - dashboards, data export and API access. The first seems to solve many problems for you, but that is not entirely true - if you have several logs, you have to switch between the screens that display them and lose the overall picture. Moreover, the cloud provider is unlikely to give you the ability to correlate security events and analyze them from a security perspective in general (usually you are dealing with raw data that you have to make sense of yourself). There are exceptions, and we will talk about them further on. Finally, it is worth asking which events your cloud provider records, in what format, and how they fit your security monitoring process. Take identification and authentication of users and guests. The same Bitrix lets you record, from these events, the date and time of the event, the name of the user or guest (if you have the "Web Analytics" module), the object accessed and other items typical for a website. But a corporate information security service may also need to know whether the user accessed the cloud from a trusted device (in the corporate network this task is handled, for example, by Cisco ISE). What about such a simple thing as a geo-IP function, which helps determine whether a cloud user's account has been stolen? And even if the cloud provider gives you that, it is not enough. The same Cisco CloudLock does not merely analyze geolocation; it applies machine learning to it, analyzes the history of each user and detects various anomalies in identification and authentication attempts. Only MS Azure has comparable functionality (if you have the appropriate subscription).
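The geo-IP check mentioned above is simple enough to show in code. The following is an added example, not code from the article or from Bitrix, Cisco or Microsoft: it takes sign-in records (constructed here; in practice they come from your provider's sign-in log joined with a geo-IP database, which is assumed) and flags pairs of successful logins by one account whose implied travel speed no person could achieve. The speed threshold and the sample coordinates are assumptions.

```python
"""Impossible-travel check over sign-in events.

Added example, not from the original article or any vendor it names.  A real
deployment would fill SignIn records from the cloud provider's sign-in log
plus a geo-IP lookup (both assumed to be available); the records below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # roughly a commercial flight; faster than this is suspicious (assumption)


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    src_ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier, later, km, kmh) for consecutive successful sign-ins
    of one user that imply a speed above max_speed_kmh.

    Only successful logins count: a failed attempt from far away is noise for
    this check and belongs to brute-force detection instead.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        if e.success:
            by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, logins in by_user.items():
        for earlier, later in zip(logins, logins[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.when - earlier.when).total_seconds() / 3600.0
            if hours <= 0:
                # same timestamp (or clock skew): any real distance is impossible
                if km > 1.0:
                    findings.append((user, earlier, later, km, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_speed_kmh:
                findings.append((user, earlier, later, km, kmh))
    return findings


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sign-in records (not real data).  Coordinates are approximate
# city centres; IP addresses are from documentation ranges.
SAMPLE_SIGNINS = [
    SignIn("alice", _t("2019-05-10T08:00:00"), "198.51.100.10", 55.75, 37.62, True),    # Moscow
    SignIn("alice", _t("2019-05-10T08:45:00"), "203.0.113.7", 40.71, -74.01, True),     # New York, 45 min later
    SignIn("bob", _t("2019-05-10T09:00:00"), "198.51.100.22", 55.75, 37.62, True),      # Moscow
    SignIn("bob", _t("2019-05-10T21:00:00"), "198.51.100.23", 59.93, 30.32, True),      # St Petersburg, 12 h later
    SignIn("carol", _t("2019-05-10T10:00:00"), "198.51.100.30", 55.75, 37.62, True),    # Moscow
    SignIn("carol", _t("2019-05-10T10:05:00"), "203.0.113.99", 35.68, 139.69, False),   # Tokyo, failed: ignored
]

if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"{user}: {a.src_ip} -> {b.src_ip}, {km:.0f} km in "
              f"{(b.when - a.when).total_seconds() / 60:.0f} min ({kmh:.0f} km/h)")
```

Only alice is flagged: Moscow to New York in 45 minutes. Bob's 12-hour trip to St Petersburg is ordinary, and carol's far-away attempt failed, so it is left to a brute-force rule. A provider that does this with machine learning, as the text describes, is essentially learning a per-user baseline instead of a fixed speed threshold.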


There is another difficulty - since for many cloud providers information security monitoring is a new topic they are only starting to deal with, they are constantly changing something in their solutions. Today they have one version of the API, tomorrow another, the day after a third. You need to be prepared for this too. The same goes for functionality, which may change and must be accounted for in your security monitoring system. For example, Amazon initially had separate cloud event monitoring services - AWS CloudTrail and Amazon CloudWatch. Then a dedicated service for monitoring information security events appeared - Amazon GuardDuty. After a while, Amazon launched a new management layer, AWS Security Hub, which includes analysis of data received from GuardDuty, Amazon Inspector, Amazon Macie and several others. Another example is the tool for integrating Azure logs with a SIEM - AzLog. It was actively used by many SIEM vendors until in 2018 Microsoft announced the end of its development and support, which left many customers who relied on this tool with a problem (we will discuss how it was solved later).

So keep a close eye on all the monitoring functions your cloud provider offers you. Or rely on external solution providers who will act as intermediaries between your SOC and the cloud you want to monitor. Yes, it will be more expensive (though not always), but you will shift all the responsibility onto someone else's shoulders. Or not all of it?.. Let's recall the shared responsibility concept and accept that we cannot shift everything - we will have to work out for ourselves how different cloud providers support information security monitoring of our data, applications, virtual machines and other resources hosted in the cloud. And we will start with what Amazon offers in this area.

Example: information security monitoring of IaaS on AWS

Yes, yes, I understand that Amazon is not the best example, since it is an American service that may be blocked as part of the fight against extremism and the dissemination of information prohibited in Russia. But in this publication I want to show how different cloud platforms differ in their information security monitoring capabilities and what you should pay attention to, from a security standpoint, when moving your key processes to the cloud. And if some Russian cloud solution developers pick up something useful for themselves along the way, all the better.


The first thing to say is that Amazon is not an impregnable fortress. Various incidents regularly happen to its customers. For example, the names, addresses, dates of birth and phone numbers of 198 million voters were exposed from Deep Root Analytics. The Israeli company Nice Systems leaked 14 million Verizon subscriber records. Nevertheless, the built-in capabilities of AWS allow you to detect a wide range of incidents. For example:

  • impact on the infrastructure (DDoS)
  • node compromise (command injection)
  • account compromise and unauthorized access
  • misconfigurations and vulnerabilities
  • insecure interfaces and APIs.

This discrepancy comes from the fact that, as we established above, the customer is responsible for the security of its own data. And if it did not bother to enable the protective mechanisms and did not turn on the monitoring tools, it will learn about the incident only from the press or from its own customers.

To detect incidents, you can use the wide range of monitoring services developed by Amazon (often supplemented by external tools such as osquery). In AWS, all user actions are recorded, regardless of how they are performed - through the management console, the command line, an SDK or other AWS services. The records of the activity of every AWS account (including the identity, the action, the service, the request parameters and the result) and of API usage are available through AWS CloudTrail. You can view these events (for example, AWS IAM console logins) in the CloudTrail console, analyze them with Amazon Athena, or export them to external solutions such as Splunk, AlienVault and others. The AWS CloudTrail log files themselves are delivered to an S3 bucket in your account.
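What looking for indicators in those CloudTrail records means in practice is shown below. This is an added example, not code from the article or from AWS: it reads the gzipped `{"Records": [...]}` objects CloudTrail writes to the S3 bucket and applies four rules a SOC would typically start with (root usage, console login without MFA, tampering with the trail itself, and a burst of AccessDenied errors from one principal). The records are constructed to follow the CloudTrail record schema; the thresholds are assumptions.

```python
"""Detection rules over AWS CloudTrail records.

Added example, not from the article or from AWS.  SAMPLE_RECORDS are
constructed to follow the CloudTrail record schema (userIdentity, eventName,
eventSource, responseElements, additionalEventData, errorCode); they are not
real log data.  In production, every object CloudTrail delivers to the S3
bucket is parsed with records_from_s3_object and fed through analyse.
"""
import gzip
import io
import json
from collections import Counter

# API calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}
DENIED_THRESHOLD = 5  # denied calls by one principal before we alert (assumption)


def principal(record):
    """A stable name for who made the call: IAM user name, else ARN, else principal id."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("principalId", "unknown")


def analyse(records):
    """Return a list of (rule, principal, eventName, sourceIPAddress) findings."""
    findings = []
    denied = Counter()
    for r in records:
        who = principal(r)
        name = r.get("eventName", "")
        ip = r.get("sourceIPAddress", "")
        ident = r.get("userIdentity", {})

        # 1. Any use of the root identity, interactive or via API.
        if ident.get("type") == "Root":
            findings.append(("root-activity", who, name, ip))

        # 2. Console login that succeeded without MFA.
        if name == "ConsoleLogin":
            ok = r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if ok and not mfa:
                findings.append(("console-login-no-mfa", who, name, ip))

        # 3. Somebody touching the trail configuration.
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", who, name, ip))

        # 4. Repeated AccessDenied: typical of a stolen key being used to enumerate permissions.
        if r.get("errorCode") in ACCESS_DENIED_CODES:
            denied[who] += 1
            if denied[who] == DENIED_THRESHOLD:
                findings.append(("access-denied-burst", who, name, ip))
    return findings


def records_from_s3_object(blob):
    """Parse one CloudTrail log object (gzipped JSON document) into its record list."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def pack_records(records):
    """Inverse of records_from_s3_object; handy for building test fixtures."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def _rec(**fields):
    base = {"eventVersion": "1.05", "awsRegion": "eu-west-1", "eventTime": "2019-05-10T08:00:00Z"}
    base.update(fields)
    return base


# Constructed records (not real data); IP addresses are from documentation ranges.
SAMPLE_RECORDS = [
    _rec(eventSource="signin.amazonaws.com", eventName="ConsoleLogin", sourceIPAddress="198.51.100.5",
         userIdentity={"type": "IAMUser", "userName": "alice"},
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec(eventSource="signin.amazonaws.com", eventName="ConsoleLogin", sourceIPAddress="203.0.113.9",
         userIdentity={"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec(eventSource="cloudtrail.amazonaws.com", eventName="StopLogging", sourceIPAddress="203.0.113.9",
         userIdentity={"type": "IAMUser", "userName": "bob"}, requestParameters={"name": "main-trail"}),
] + [
    _rec(eventSource="iam.amazonaws.com", eventName=n, sourceIPAddress="203.0.113.40",
         userIdentity={"type": "IAMUser", "userName": "svc-backup"}, errorCode="AccessDenied")
    for n in ("ListUsers", "ListRoles", "GetAccountSummary", "ListPolicies", "CreateUser", "AttachUserPolicy")
]

if __name__ == "__main__":
    for finding in analyse(records_from_s3_object(pack_records(SAMPLE_RECORDS))):
        print(finding)
```

The root login without MFA produces two findings on purpose (root use and missing MFA are separate policy violations); the six denied IAM calls by `svc-backup` produce one alert when the threshold is crossed rather than one per call.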


Two other AWS services provide further important monitoring capabilities. First, Amazon CloudWatch is a monitoring service for AWS resources and applications that, among other things, lets you detect various anomalies in your cloud. All the native AWS services, such as Amazon Elastic Compute Cloud (servers), Amazon Relational Database Service (databases), Amazon Elastic MapReduce (data analysis) and around 30 other Amazon services, use Amazon CloudWatch to store their logs. Developers can use the open Amazon CloudWatch API to add log monitoring to custom applications and services, which expands the range of events that can be analyzed in a security context.


Second, the VPC Flow Logs service lets you analyze the network traffic sent or received by your AWS servers (external or internal), as well as between microservices. Whenever any of your AWS VPC resources communicates over the network, VPC Flow Logs records details of the traffic, including the source and destination network interfaces, the IP addresses, ports, protocol, number of bytes and number of packets observed. Those with a background in on-premises network security will recognize this as the analog of NetFlow, which can be generated by switches, routers and enterprise firewalls. These logs matter for security monitoring because, unlike user and application activity events, they let you avoid missing network interactions inside the AWS virtual private cloud environment.
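To make the NetFlow analogy concrete, here is an added example (not code from the article or from AWS) that parses lines in the default VPC Flow Logs record format and runs three checks a network security team would recognize from NetFlow: a port scan (one source rejected on many distinct ports), an administrative port accepted from outside the VPC, and an unusually large outbound transfer. The lines are constructed; the thresholds and the "internal" address ranges are assumptions.

```python
"""Port-scan, exposure and exfiltration checks over VPC Flow Log lines.

Added example, not from the article or from AWS.  Lines follow the default
(version 2) VPC Flow Logs record format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
SAMPLE_LINES are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

SCAN_PORT_THRESHOLD = 10                   # distinct rejected ports from one source (assumption)
ADMIN_PORTS = {22, 3389}                   # accepted from outside, these deserve an alert
EXFIL_BYTES = 500 * 1024 * 1024            # outbound bytes per (src, dst) pair (assumption)
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # your VPC space


class Flow(NamedTuple):
    src: str
    dst: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    start: int
    end: int
    action: str


def parse_flow(line):
    """Parse one default-format record; None for the header and NODATA/SKIPDATA rows."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), int(f[8]), int(f[9]),
                int(f[10]), int(f[11]), f[12])


def is_external(ip):
    """True when the address is outside the ranges we consider our own."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def detect(lines):
    """Return (kind, src, dst, detail) findings over a batch of flow log lines."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    findings = []

    # 1. Port scan: one source is REJECTed on many distinct ports of one host.
    rejected = defaultdict(set)
    for f in flows:
        if f.action == "REJECT":
            rejected[(f.src, f.dst)].add(f.dstport)
    for (src, dst), ports in rejected.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port-scan", src, dst, len(ports)))

    # 2. SSH/RDP accepted from outside the VPC: the security group is too permissive.
    for f in flows:
        if f.action == "ACCEPT" and f.protocol == 6 and f.dstport in ADMIN_PORTS and is_external(f.src):
            findings.append(("admin-port-from-internet", f.src, f.dst, f.dstport))

    # 3. Outbound volume per destination; large transfers to external hosts hint at exfiltration.
    out_bytes = defaultdict(int)
    for f in flows:
        if f.action == "ACCEPT" and not is_external(f.src) and is_external(f.dst):
            out_bytes[(f.src, f.dst)] += f.byte_count
    for (src, dst), total in out_bytes.items():
        if total >= EXFIL_BYTES:
            findings.append(("large-outbound-transfer", src, dst, total))
    return findings


# Constructed flow log lines (not real traffic); external IPs are from documentation ranges.
SAMPLE_LINES = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
    # ordinary HTTPS request to the instance
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 172.31.16.21 51000 443 6 12 3400 1557475200 1557475260 ACCEPT OK",
    # SSH reachable from outside and actually used
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 172.31.16.21 40022 22 6 30 6100 1557475200 1557475260 ACCEPT OK",
    # an interval with no traffic on the interface
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1557475260 1557475320 - NODATA",
    # ~600 MB uploaded from the instance to an external host
    "2 123456789012 eni-0a1b2c3d 172.31.16.21 203.0.113.50 44000 443 6 400000 600000000 1557475200 1557475800 ACCEPT OK",
] + [
    # one external host probing twelve ports, all rejected by the security group
    f"2 123456789012 eni-0a1b2c3d 203.0.113.77 172.31.16.21 {50000 + p} {p} 6 1 44 1557475200 1557475260 REJECT OK"
    for p in (21, 23, 25, 80, 110, 135, 139, 445, 1433, 3306, 5900, 8080)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Rejected flows are the interesting ones for scan detection precisely because the security group blocked them: without flow logs those probes leave no trace in application or CloudTrail logs at all.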


In short, these three AWS services - AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs - together give fairly powerful visibility into the use of your account, user behavior, infrastructure management, application and service activity and network activity. For example, they can be used to detect the following anomalies:

  • Attempts to scan the site, look for backdoors or probe for vulnerabilities, via bursts of "404 errors".
  • Injection attacks (for example, SQL injection), via bursts of "500 errors".
  • Known attack tools such as sqlmap, nikto, w3af, nmap and so on, via analysis of the User Agent field.
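The three anomalies above, implemented as detection logic over web access log lines. This is an added example, not code from the article or from AWS. The lines are in the Apache/nginx combined log format and are constructed for the example; an ELB/ALB access log has a different field order, so the regular expression is the part you would adapt while the thresholds and logic stay the same. The thresholds and the list of scanner names are assumptions.

```python
"""404 bursts, 500 bursts and scanner User-Agents over web access log lines.

Added example, not from the article or from AWS.  SAMPLE_LINES are constructed
in the combined log format; adapt LOG_RE for ALB access logs, which put the
same information in a different field order.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto|w3af|nmap|masscan|dirbuster|gobuster|nessus", re.I)
NOT_FOUND_THRESHOLD = 20     # 404s from one IP before we call it a scan (assumption)
SERVER_ERROR_THRESHOLD = 5   # 5xx from one IP before we call it injection probing (assumption)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (kind, ip, detail) findings for the three anomalies."""
    findings = []
    not_found = Counter()
    errors = Counter()
    scanners = defaultdict(set)
    for e in filter(None, map(parse_line, lines)):
        ip, status = e["ip"], int(e["status"])
        if status == 404:
            not_found[ip] += 1
        elif 500 <= status < 600:
            errors[ip] += 1
        hit = SCANNER_UA.search(e["ua"])
        if hit:
            scanners[ip].add(hit.group(0).lower())
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings.append(("404-burst", ip, n))
    for ip, n in errors.items():
        if n >= SERVER_ERROR_THRESHOLD:
            findings.append(("500-burst", ip, n))
    for ip, tools in scanners.items():
        findings.append(("scanner-user-agent", ip, ",".join(sorted(tools))))
    return findings


def _line(ip, path, status, ua="Mozilla/5.0 (X11; Linux x86_64)", method="GET"):
    return (f'{ip} - - [10/May/2019:08:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 '
            f'"-" "{ua}"')


# Constructed access log lines (not real traffic); client IPs are from documentation ranges.
SAMPLE_LINES = (
    [_line("198.51.100.7", "/index.html", 200), _line("198.51.100.7", "/about", 200)]
    + [_line("203.0.113.20", f"/old/{n}.php", 404) for n in range(25)]      # hunting for backdoors
    + [_line("203.0.113.33", "/item?id=1'", 500,
             ua="sqlmap/1.3.5#stable (http://sqlmap.org)") for _ in range(6)]  # injection probing
    + [_line("203.0.113.44", "/", 200,
             ua="Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)")]
    + ["this line is not an access log record"]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

Note that the scanner rule fires on the first request, while the two burst rules need a window of lines; in a streaming SIEM the counters would be kept per IP over a sliding time window rather than over one batch.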

Amazon Web Services has also developed other cybersecurity services that solve many other problems. For example, AWS has a built-in service for auditing policies and configurations - AWS Config. This service continuously audits your AWS resources and their configurations. Take a simple example: suppose you want to make sure that password access is disabled on all your servers and that access is possible only with certificates. AWS Config makes it easy to check this across all your servers. Other policies can be applied to your cloud servers as well: "no server may use port 22", "only administrators may change firewall rules" or "only user Ivashko may create new accounts, and only on Tuesdays". In the summer of 2016 the AWS Config service was extended to automate the detection of violations of the policies you define. AWS Config Rules are, in effect, continuous queries against the Amazon services you use that generate events when the corresponding policies are violated. For example, instead of periodically running AWS Config queries to make sure all disks on a virtual server are encrypted, AWS Config Rules can be used to continuously check server disks for that condition. And, most importantly in the context of this article, every violation generates an event that your information security service can analyze.
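The encrypted-disk policy from the paragraph above, written as a custom AWS Config rule. This is an added example, not code from the article or from AWS: `evaluate_volume` is the pure decision over a configuration item, and `lambda_handler` is the entry point AWS Config would invoke for a change-triggered rule and reports the verdict with `PutEvaluations`. The two configuration items are constructed (one compliant, one not); only the pure function runs offline, and the key ARN and volume ids are placeholders.

```python
"""Custom AWS Config rule: every EBS volume must be encrypted.

Added example, not from the article or from AWS.  ENCRYPTED_VOLUME and
PLAINTEXT_VOLUME are constructed configuration items, not data from a real
account.  lambda_handler needs boto3 and AWS credentials and is only meant to
run inside Lambda; the decision logic runs anywhere.
"""
import json

RESOURCE_TYPE = "AWS::EC2::Volume"
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(item):
    """Return (complianceType, annotation) for one configuration item."""
    if item.get("resourceType") != RESOURCE_TYPE:
        return NOT_APPLICABLE, "rule only covers EBS volumes"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "volume no longer exists"
    cfg = item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        return COMPLIANT, f"encrypted with {cfg.get('kmsKeyId', 'the default key')}"
    return NON_COMPLIANT, "volume is not encrypted"


def build_evaluation(item, compliance, annotation):
    """Shape one entry of the Evaluations list for PutEvaluations."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # the API caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point for a change-triggered custom Config rule."""
    import boto3  # imported here so the decision logic above stays testable without the SDK
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_volume(item)
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(item, compliance, annotation)],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed configuration items (placeholder ids, not from a real account).
ENCRYPTED_VOLUME = {
    "resourceType": RESOURCE_TYPE, "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2019-05-10T08:00:00.000Z",
    "configuration": {"encrypted": True, "kmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/example"},
}
PLAINTEXT_VOLUME = {
    "resourceType": RESOURCE_TYPE, "resourceId": "vol-0fedcba9876543210",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2019-05-10T08:00:00.000Z",
    "configuration": {"encrypted": False},
}

if __name__ == "__main__":
    for item in (ENCRYPTED_VOLUME, PLAINTEXT_VOLUME):
        print(item["resourceId"], *evaluate_volume(item))
```

The NON_COMPLIANT evaluation is what surfaces as the event the text talks about: Config records the compliance change, and an EventBridge rule on "Config Rules Compliance Change" can forward it to your SIEM or to SNS.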


AWS also has analogs of the traditional corporate information security solutions, and they too generate security events that you can and should analyze:

  • Intrusion detection - Amazon GuardDuty
  • Data leak control - Amazon Macie
  • EDR (though talking about endpoints in the cloud is a bit odd) - Amazon CloudWatch plus the open-source osquery or GRR
  • NetFlow analysis - Amazon CloudWatch + VPC Flow Logs
  • DNS analysis - Amazon CloudWatch + Amazon Route 53
  • AD - AWS Directory Service
  • Account management - AWS IAM
  • SSO - AWS SSO
  • Vulnerability assessment - Amazon Inspector
  • Configuration management - AWS Config
  • WAF - AWS WAF.

I will not describe in detail all the Amazon services that can be useful for information security. The main thing is to understand that all of them can generate events that we can and should analyze in a security context, using both Amazon's own built-in capabilities and external solutions, for example a SIEM, which can bring the security events into your monitoring center and analyze them there together with events from other cloud services, from the internal infrastructure, from the perimeter or from mobile devices.


In any case, everything starts with the data sources that supply you with information security events. These sources include, but are not limited to:

  • CloudTrail - API usage and user actions
  • Trusted Advisor - security checks against best practices
  • Config - inventory and configuration of the account and service settings
  • VPC Flow Logs - connections to and between network interfaces
  • IAM - identification and authentication service
  • ELB Access Logs - load balancer
  • Inspector - application vulnerabilities
  • S3 - object storage
  • CloudWatch - application activity
  • SNS - notification service.

Amazon, while offering such a range of event sources and tools for generating them, is quite limited in its ability to analyze the collected data in a security context. You have to study the available logs yourself, looking for the relevant indicators of compromise in them. AWS Security Hub, which Amazon launched recently, aims to solve this by becoming a cloud SIEM for AWS. But so far it is at the beginning of its journey and is limited both in the number of sources it works with and by other restrictions imposed by Amazon's own architecture and subscriptions.

Example: information security monitoring of IaaS on Azure

I do not want to get into a long argument about which of the three cloud providers (Amazon, Microsoft or Google) is better (especially since each of them still has its own specifics and is suited to its own tasks); let's focus on the security monitoring capabilities these players provide. It must be admitted that Amazon AWS was one of the first in this segment and has therefore advanced furthest in its information security functions (although many concede they are hard to use). But this does not mean we will ignore the opportunities that Microsoft and Google offer us.

Microsoft products have always been distinguished by their "openness", and in Azure the situation is similar. For example, where AWS and GCP always start from the principle of "what is not explicitly allowed is forbidden", Azure takes the opposite approach. When you create a virtual network in the cloud and a virtual machine in it, all ports and protocols are reachable unless a network security group is attached to restrict them. So you will have to spend a little more effort on the initial configuration of access control in the Microsoft cloud. And this also places stricter demands on you when it comes to monitoring activity in the Azure cloud.


AWS has a peculiarity: when you monitor your resources and they are located in different regions, it is hard to bring all the events together for unified analysis, and to get around this you have to resort to various tricks, such as writing your own AWS Lambda code to move events between regions. Azure does not have this problem - its Activity Log mechanism tracks all activity across the whole subscription, with no regional split. The same applies to AWS Security Hub, which Amazon recently introduced to consolidate many security functions in a single security center, but only within its own region, which, admittedly, is not relevant for Russia. Azure has its own Security Center, which is not bound by regional restrictions and gives access to all the security capabilities of the cloud platform. Moreover, it can give different local teams their own set of protective capabilities, including the security events they manage. AWS Security Hub is still on its way to becoming something like Azure Security Center. But a fly in the ointment must be added - you can get out of Azure much of what was described above for AWS, but this is convenient only for Azure AD, Azure Monitor and Azure Security Center. All the other Azure security mechanisms, including the analysis of security events, are not yet managed in the most convenient way. The problem is partly solved by the API that runs through all Microsoft Azure services, but this requires extra effort on your part to integrate your cloud with your SOC, as well as qualified specialists (in fact, the same is true of any SIEM working with cloud APIs). Some SIEMs, which we will discuss later, already support Azure and can automate the task of monitoring it, but this too has its difficulties - not all of them can collect all the logs Azure has.


Collecting and monitoring events in Azure is done with the Azure Monitor service, the main tool for collecting, storing and analyzing data from the Microsoft cloud and its resources - Git repositories, containers, virtual machines, applications and so on. All the data Azure Monitor collects falls into two categories - metrics, collected in near real time and describing the key indicators of the Azure cloud, and logs, which contain data organized into records describing certain aspects of the activity of Azure resources and services. In addition, through the Data Collector API, Azure Monitor can ingest data from any REST source to build your own monitoring scenarios.


Here are some of the security sources Azure offers you and that you can reach through the Azure Portal, CLI, PowerShell or REST API (and some only through the Azure Monitor/Insights API):

  • Activity Log - this log answers the classic questions "who", "what" and "when" about any write operation (PUT, POST, DELETE) on cloud resources. Events related to read access (GET) are not included in this log, nor are a number of others.
  • Diagnostic Logs - contain data on operations with a specific resource included in your subscription.
  • Azure AD Reporting - contains both user activity and system activity related to group and user management.
  • Windows Event Log and Linux Syslog - contain events from the virtual machines hosted in the cloud.
  • Metrics - contain telemetry on the performance and health of your cloud services and resources. Measured every minute and retained for 30 days.
  • Network Security Group Flow Logs - contain network security event data collected by the Network Watcher service and by resource monitoring at the network level.
  • Storage Logs - contain events related to access to storage accounts.
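Answering "who, what, when" from the Activity Log is only useful if something decides which answers matter. The following is an added example, not code from the article or from Microsoft: it triages Activity Log events for sensitive write operations made by someone outside an approved administrator list or from outside the corporate address range, and for a principal whose operations keep failing. The event dictionaries use field names from the Activity Log REST schema (`operationName.value`, `caller`, `status.value`, `eventTimestamp`, `resourceId`, `httpRequest.clientIpAddress`) but are constructed; the operation list, administrators and address ranges are assumptions you would replace with your own.

```python
"""Triage of Azure Activity Log events: who changed what, from where, and was it expected.

Added example, not from the article or from Microsoft.  SAMPLE_EVENTS are
constructed with Activity Log REST schema field names.  SENSITIVE_OPERATIONS,
APPROVED_ADMINS and CORPORATE_RANGES are assumptions for the example.
"""
import ipaddress
from collections import Counter

SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role-assignment",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "nsg-rule-change",
    "Microsoft.Network/networkSecurityGroups/write": "nsg-change",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "keyvault-policy-change",
    "Microsoft.Compute/virtualMachines/extensions/write": "vm-extension-install",
}
APPROVED_ADMINS = {"admin@contoso.example"}                    # assumption
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # assumption
FAILURE_THRESHOLD = 3                                          # failed operations by one caller (assumption)


def from_corporate_network(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_RANGES)


def triage(events):
    """Return (kind, caller, detail, eventTimestamp) findings."""
    findings = []
    failures = Counter()
    for e in events:
        op = e.get("operationName", {}).get("value", "")
        caller = e.get("caller", "unknown")
        status = e.get("status", {}).get("value", "")
        ip = e.get("httpRequest", {}).get("clientIpAddress", "")
        when = e.get("eventTimestamp", "")
        resource = e.get("resourceId", "")

        # Repeated failures by one principal: a leaked credential probing what it may do.
        if status == "Failed":
            failures[caller] += 1
            if failures[caller] == FAILURE_THRESHOLD:
                findings.append(("repeated-failures", caller, op, when))

        # Sensitive writes that succeeded: who did it, and from where?
        label = SENSITIVE_OPERATIONS.get(op)
        if label and status == "Succeeded":
            reasons = []
            if caller not in APPROVED_ADMINS:
                reasons.append("caller is not an approved administrator")
            if ip and not from_corporate_network(ip):
                reasons.append(f"request from outside the corporate range ({ip})")
            if reasons:
                findings.append((label, caller, f"{resource}: " + "; ".join(reasons), when))
    return findings


def _event(op, caller, status, ip, when,
           resource="/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/web-nsg"):
    return {
        "operationName": {"value": op},
        "caller": caller,
        "status": {"value": status},
        "eventTimestamp": when,
        "resourceId": resource,
        "httpRequest": {"clientIpAddress": ip},
    }


# Constructed events (not real data); IP addresses are from documentation ranges.
SAMPLE_EVENTS = [
    # routine NSG change by an approved admin from the office: no finding
    _event("Microsoft.Network/networkSecurityGroups/securityRules/write", "admin@contoso.example",
           "Succeeded", "198.51.100.10", "2019-05-10T09:00:00Z"),
    # a developer granting a role late at night from an outside address
    _event("Microsoft.Authorization/roleAssignments/write", "dev@contoso.example",
           "Succeeded", "203.0.113.8", "2019-05-10T23:10:00Z",
           resource="/subscriptions/0000/providers/Microsoft.Authorization/roleAssignments/abcd"),
] + [
    # a service principal failing four times in a row
    _event("Microsoft.Compute/virtualMachines/write", "sp-ci-pipeline", "Failed", "203.0.113.40",
           f"2019-05-10T23:2{i}:00Z") for i in range(4)
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Because the Activity Log omits reads, a rule like this cannot tell you who listed your secrets; for that you need the resource's Diagnostic Logs, as the list above notes.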


For monitoring you can use external SIEMs or the built-in Azure Monitor with its extensions. We will talk about security event management systems later; for now let's see what Azure itself offers for analyzing data in a security context. The main screen for everything security-related in Azure Monitor is the Log Analytics Security and Audit dashboard (the free tier keeps events for only one week). This dashboard is divided into 5 main areas that visualize summary statistics of what is happening in the cloud environment you use:

  • Security Domains - the key quantitative security indicators - number of incidents, number of compromised nodes, unpatched nodes, network security events, and so on.
  • Notable Issues - shows the number and severity of active information security issues.
  • Detections - shows the attack patterns used against you.
  • Threat Intelligence - shows geographic information about the external nodes attacking you.
  • Common Security Queries - typical queries that help you monitor your security more effectively.

Azure Monitor extensions include Azure Key Vault (protection of cryptographic keys in the cloud), Malware Assessment (analysis of protection against malicious code on virtual machines), Azure Application Gateway Analytics (analysis of, among other things, firewall logs), and others. These tools, enriched with event-processing rules, let you visualize various aspects of cloud service activity, including security, and identify deviations from normal operation. But, as is often the case, any additional functionality requires a corresponding paid subscription, which means a corresponding financial outlay that you need to plan for in advance.

Azure has several built-in threat monitoring capabilities integrated into Azure AD, Azure Monitor, and Azure Security Center. Among them are, for example, detection of virtual machines communicating with known malicious IPs (thanks to integration with Microsoft's Threat Intelligence services), detection of malicious code in the cloud infrastructure based on alarms received from virtual machines hosted in the cloud, password-guessing attacks against virtual machines, weaknesses in the configuration of the user identity system, logins from anonymizers or infected nodes, leaked accounts, logins from unusual locations, and so on. Azure today is one of the few cloud providers that gives you built-in Threat Intelligence capabilities for enriching the collected security events.

As mentioned above, the security functions and, consequently, the security events they generate are not available to all users equally; they require a specific subscription that includes the functionality you need, and it is that functionality that produces the corresponding events for security monitoring. For example, some of the account anomaly detection functions described in the previous paragraph are available only with the Azure AD Premium P2 license. Without it you will, as with AWS, have to analyze the collected security events "by hand". And, again depending on the type of Azure AD license, not all events will be available for analysis.

In the Azure portal, you can manage the search queries over whatever logs interest you and set up dashboards to visualize key security indicators. In addition, you can select Azure Monitor extensions that extend the functionality of Azure Monitor logs and provide deeper analysis of events from a security perspective.

If what you need is not just the ability to work with logs but a comprehensive security center for your Azure cloud platform, including information security policy management, then you should consider Azure Security Center, most of whose useful functions are available for an additional fee, for example threat detection, monitoring outside Azure, compliance assessment, and so on (in the free tier you only get a security assessment and recommendations for fixing the problems identified). It consolidates all security issues in one place. In fact, we can talk about a higher level of information security than Azure Monitor provides, because here the data collected across your cloud estate is enriched from many sources, such as Azure, Office 365, Microsoft CRM Online, Microsoft Dynamics AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU) and the Microsoft Security Response Center (MSRC), on top of which various sophisticated machine learning and analytics algorithms are layered, all of which should ultimately improve the ability to detect and respond to threats.

Azure also has its own SIEM, which appeared at the beginning of 2019. This is Azure Sentinel, which relies on data from Azure Monitor and can also integrate with external security solutions (for example, NGFW or WAF), the list of which is growing all the time. In addition, through integration with the Microsoft Graph Security API, you can connect your own Threat Intelligence feeds to Sentinel, which enriches the ability to analyze incidents in your Azure cloud. It can be argued that Azure Sentinel is the first "native" SIEM to come from a cloud provider (Splunk or ELK can be hosted in a cloud such as AWS, but they are still not developed by the cloud providers themselves). Azure Sentinel together with Security Center could be called a SOC for the Azure cloud, and one could limit oneself to them (with certain reservations) if you no longer have any on-premises infrastructure, have moved all of your computing resources to the cloud, and that cloud is Microsoft Azure.

But since the built-in capabilities of Azure (even with a Sentinel subscription) are often not enough for security monitoring purposes and for integrating this process with other security event sources (both cloud and on-premises), there is a need to export the collected data to external systems, which may include a SIEM. This is done both through the API and with special extensions, which are currently available only for the following SIEMs: Splunk (Azure Monitor Add-On for Splunk), IBM QRadar (Microsoft Azure DSM), SumoLogic, ArcSight and ELK. Until recently there were more of them, but since June 1, 2019, Microsoft has stopped supporting the Azure Log Integration tool (AzLog), which in the early days of Azure, before working with logs had been standardized (Azure Monitor did not exist yet), made it easy to integrate an external SIEM with the Microsoft cloud. Now the situation has changed and Microsoft recommends the Azure Event Hub platform as the main integration tool for other SIEMs. Many have already implemented such an integration, but be careful: they may not capture all Azure logs, only some of them (check the documentation of your SIEM).

To conclude this brief tour of Azure, I would like to give one general recommendation regarding this cloud service: before saying anything about the security monitoring functions in Azure, configure them very carefully and test that they work as described in the documentation and as the Microsoft consultants told you (they may have differing views on Azure functionality). If you have the budget, you can squeeze a lot of useful security monitoring information out of Azure. If your resources are limited, then, as with AWS, you will have to rely only on your own efforts and the raw data that Azure Monitor gives you. And remember that many monitoring functions cost money, so it is better to study the pricing policy in advance. For example, for free you can store 31 days of data up to 5 GB per customer; exceeding these limits requires additional payment (roughly $2+ for ingesting each additional GB per customer and $0.1 for storing each 1 GB for each additional month). Working with application telemetry and metrics may also require extra funds, as may working with alerts and notifications (a certain quota is available for free, which may not be enough for your needs).

Example: Security monitoring in IaaS using Google Cloud Platform

Google Cloud Platform looks young compared to AWS and Azure, but that is partly a good thing. Unlike AWS, which built up its capabilities, including security, gradually and ran into problems with centralization, GCP, like Azure, is managed centrally much better, which reduces errors and the time to deploy across the whole enterprise. From a security point of view, GCP is, oddly enough, somewhere between AWS and Azure. It also has a single event log for the entire organization, but it is incomplete. Some functions are still in beta, but this lag should gradually be eliminated and GCP should become a more mature platform in terms of security monitoring.

The main logging tool in GCP is Stackdriver Logging (the analogue of Azure Monitor), which lets you collect events across your entire cloud infrastructure (and from AWS as well). From a security point of view, in GCP every organization, project or folder has four logs:

  • Admin Activity - contains all events related to administrative access, for example creating a virtual machine, changing access rights, and so on. This log is always written, regardless of your wishes, and its data is retained for 400 days.
  • Data Access - contains all events related to cloud users working with data (creating, modifying, reading, and so on). By default this log is not written, because its volume grows very quickly. For the same reason its retention period is only 30 days. Also, not everything is recorded in this log. For example, events related to resources that are publicly accessible to everyone or that can be accessed without logging in to GCP are not written to it.
  • System Event - contains system events that are not tied to users, or the actions of an administrator who changes the configuration of cloud resources. It is always written and retained for 400 days.
  • Access Transparency is a unique example of a log that records all actions of Google employees (though not yet for all GCP services) who access your infrastructure as part of their job duties. This log is retained for 400 days and is not available to every GCP customer, only when a number of conditions are met (either Gold or Platinum level support, or the presence of 4 roles of a certain type as part of enterprise support). A similar function is also available, for example, in Office 365 as Lockbox.

Log example: Access Transparency

{
  "insertId": "abcdefg12345",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {
      "principalOfficeCountry": "US",
      "principalEmployingEntity": "Google LLC",
      "principalPhysicalLocationCountry": "CA"
    },
    "product": [
      "Cloud Storage"
    ],
    "reason": [
      {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      }
    ],
    "accesses": [
      {
        "methodName": "GoogleInternal.Read",
        "resourceName": "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"
      }
    ]
  },
  "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "operation": {
    "id": "12345xyz"
  },
  "receiveTimestamp": "2017-12-18T16:06:37.400577736Z",
  "resource": {
    "labels": {
      "project_id": "1234567890"
    },
    "type": "project"
  },
  "severity": "NOTICE",
  "timestamp": "2017-12-18T16:06:24.660001Z"
}

These logs can be accessed in several ways (similar to what was discussed earlier for Azure and AWS): through the Log Viewer interface, through the API, through the Google Cloud SDK, or through the Activity page of the project whose events you are interested in. Likewise, they can be exported to external solutions for further analysis. The latter is done by exporting the logs to BigQuery or to Cloud Pub/Sub.

In addition to Stackdriver Logging, the GCP platform also offers Stackdriver Monitoring, which lets you track key metrics (performance, MTBF, overall health, and so on) of cloud services and applications. Processed and visualized data can make it easier to find problems in your cloud infrastructure, including in the security context. But bear in mind that this functionality is not very rich from an information security standpoint, since today GCP has no analogue of AWS GuardDuty and cannot single out the bad events among everything it records (Google has developed Event Threat Detection, but it is still in beta and it is too early to talk about its usefulness). Stackdriver Monitoring could be used as an anomaly detection system, with the anomalies then investigated to find their root causes. But given the shortage on the market of staff qualified in GCP information security, this task currently looks difficult.
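Once Access Transparency entries are exported (to BigQuery, Pub/Sub or a SIEM), the practical question is which of them an analyst actually needs to look at. The following added example (not code from the article or from Google) extracts the "who, what, why" fields from entries shaped like the sample above and keeps for review any access that is not justified by a support case you opened yourself. The first sample entry mirrors the article's log example; the second and third are constructed, and the `GOOGLE_INITIATED_REVIEW` reason value in the second is chosen for illustration only.

```python
"""Triage of GCP Access Transparency entries.

Added example; the sample entries are constructed (the first mirrors the article's
sample, the others are invented) and the second entry's reason type is illustrative.
"""
import re

ACCESS_TRANSPARENCY_SUFFIX = "/logs/cloudaudit.googleapis.com%2Faccess_transparency"
CASE_RE = re.compile(r"Case number:\s*(\S+)")

SAMPLE_ENTRIES = [
    {"insertId": "abcdefg12345",
     "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency",
     "timestamp": "2017-12-18T16:06:24.660001Z",
     "jsonPayload": {
         "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
         "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC",
                      "principalPhysicalLocationCountry": "CA"},
         "product": ["Cloud Storage"],
         "reason": [{"detail": "Case number: bar123", "type": "CUSTOMER_INITIATED_SUPPORT"}],
         "accesses": [{"methodName": "GoogleInternal.Read",
                       "resourceName": "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"}]}},
    {"insertId": "constructed-0002",  # constructed: access not tied to any case of ours
     "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency",
     "timestamp": "2017-12-19T08:00:00.000000Z",
     "jsonPayload": {
         "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
         "location": {"principalOfficeCountry": "IE", "principalEmployingEntity": "Google Ireland Ltd",
                      "principalPhysicalLocationCountry": "IE"},
         "product": ["Cloud SQL"],
         "reason": [{"detail": "", "type": "GOOGLE_INITIATED_REVIEW"}],  # illustrative reason type
         "accesses": [{"methodName": "GoogleInternal.Read",
                       "resourceName": "//googleapis.com/sql/instances/[INSTANCE_NAME]"}]}},
    {"insertId": "constructed-0003",  # constructed: an Admin Activity entry, not Access Transparency
     "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2017-12-19T08:05:00.000000Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert"}},
]


def is_access_transparency(entry: dict) -> bool:
    """Access Transparency entries are identified by their logName, not by severity."""
    return entry.get("logName", "").endswith(ACCESS_TRANSPARENCY_SUFFIX)


def summarise(entry: dict) -> dict:
    """Pull out who accessed what, from where, and the stated justification."""
    payload = entry["jsonPayload"]
    loc = payload.get("location", {})
    reasons = payload.get("reason", [])
    cases = [m.group(1) for r in reasons for m in CASE_RE.finditer(r.get("detail", ""))]
    return {
        "id": entry.get("insertId"),
        "when": entry.get("timestamp"),
        "who": (f'{loc.get("principalEmployingEntity")} (office {loc.get("principalOfficeCountry")}, '
                f'located in {loc.get("principalPhysicalLocationCountry")})'),
        "products": payload.get("product", []),
        "what": [(a.get("methodName"), a.get("resourceName")) for a in payload.get("accesses", [])],
        "reason_types": {r.get("type") for r in reasons},
        "case_numbers": cases,
    }


def needs_review(summary: dict, open_cases: set) -> bool:
    """Access justified solely by a support case we opened is expected; anything else is reviewed."""
    if summary["reason_types"] == {"CUSTOMER_INITIATED_SUPPORT"} and summary["case_numbers"]:
        return not all(case in open_cases for case in summary["case_numbers"])
    return True


def triage(entries: list, open_cases: set) -> list:
    """Return the summaries an analyst should look at, in log order."""
    summaries = (summarise(e) for e in entries if is_access_transparency(e))
    return [s for s in summaries if needs_review(s, open_cases)]


if __name__ == "__main__":
    for s in triage(SAMPLE_ENTRIES, open_cases={"bar123"}):
        print(s["when"], s["id"], s["who"], s["reason_types"], s["what"])
```

The set of open case numbers would normally come from your ticketing system; feeding it in means a Google-side access that cites a case you never opened is surfaced just as a Google-initiated one is.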

It is also worth listing the information security modules that can be used within your GCP cloud, which are similar to what AWS offers:

  • Cloud Security Command Center - the analogue of AWS Security Hub and Azure Security Center.
  • Cloud DLP - automatic discovery and editing (for example, masking) of data stored in the cloud, based on more than 90 predefined classification policies.
  • Cloud Scanner - a scanner for known vulnerabilities (XSS, Flash injection, unpatched libraries, and so on) in App Engine, Compute Engine and Google Kubernetes Engine.
  • Cloud IAM - management of access to all GCP resources.
  • Cloud Identity - management of GCP user, device and application accounts from a single console.
  • Cloud HSM - protection of cryptographic keys.
  • Cloud Key Management Service - management of cryptographic keys in GCP.
  • VPC Service Control - creation of a secure perimeter around your GCP resources to protect against leaks.
  • Titan Security Key - protection against phishing.

Many of these modules generate security events that can be sent to BigQuery storage for analysis or exported to other systems, including a SIEM. As mentioned above, GCP is a rapidly developing platform and Google is now building a number of new security modules for it. Among them are Event Threat Detection (now available in beta), which scans the Stackdriver logs for traces of unauthorized activity (analogous to GuardDuty in AWS), and Policy Intelligence (available in alpha), which will let you build intelligent policies for access to GCP resources.

That was a brief overview of the built-in monitoring capabilities of the popular cloud platforms. But do you have specialists who can work with the "raw" logs of an IaaS provider (not everyone is ready to buy the advanced capabilities of AWS, Azure or Google)? Moreover, many know the proverb "trust, but verify", which is truer than ever when it comes to security. How much do you trust the built-in capabilities of the cloud provider that sends you security events? How much do they focus on information security at all?

Sometimes it is worth looking at overlay cloud monitoring solutions that can complement the built-in cloud security, and sometimes such solutions are the only way to gain visibility into the security of your data and applications hosted in the cloud. Besides, they are simply more convenient, because they take on the whole job of analyzing the necessary logs generated by the various cloud services of the various cloud providers. An example of such an overlay solution is Cisco Stealthwatch Cloud, which is focused on a single task: monitoring security anomalies in cloud environments, including Amazon AWS, Microsoft Azure and Google Cloud Platform, as well as private clouds.

Example: Information security monitoring with Stealthwatch Cloud

AWS offers a flexible computing platform, but that flexibility makes it easier for companies to make mistakes that lead to security problems. And the shared responsibility model for information security only contributes to this. Running software with unknown vulnerabilities in the cloud (known ones can be dealt with, for example, by AWS Inspector or GCP Cloud Scanner), weak passwords, misconfigurations, insiders, and so on. All of this is reflected in the behavior of cloud resources, which can be monitored by Cisco Stealthwatch Cloud, a security monitoring and anomaly detection solution for public and private clouds.

One of the key features of Cisco Stealthwatch Cloud is entity modeling. With it, you can build a software model (that is, a near-real-time simulation) of each of your cloud resources (it does not matter whether it is AWS, Azure, GCP or something else). These can be servers and users, as well as resource types specific to your cloud environment, such as security groups and auto-scaling groups. The models use the structured data streams provided by the cloud services as input. For AWS, for example, these would be VPC Flow Logs, AWS CloudTrail, AWS CloudWatch, AWS Config, AWS Inspector, AWS Lambda and AWS IAM. Entity modeling automatically discovers the role and behavior of each of your resources (you could call it profiling of all cloud activity). These roles include Android or Apple mobile device, Citrix PVS server, RDP server, mail gateway, VoIP client, terminal server, domain controller, and many others. It then continuously monitors their behavior to determine when risky or security-threatening activity occurs. You can identify password guessing, DDoS attacks, data leaks, unauthorized remote access, malicious code, vulnerability scanning and other threats. For example, this is what the detection of a remote access attempt over SSH to a Kubernetes cluster from a country atypical for your organization (South Korea) looks like:

And this is what a suspected exfiltration of data from a Postgres database to a country we have never communicated with before looks like:

Finally, this is what a large number of failed SSH logins from China and Indonesia, originating from an external remote device, looks like:

Or suppose that a server in the VPC should, as a matter of policy, never be the target of remote logins. Suppose further that this machine experienced a remote logon because of an erroneous change to the firewall rules. The entity modeling feature will detect and report this activity ("Unusual Remote Access") in near real time and point to the specific AWS CloudTrail, Azure Monitor or GCP Stackdriver Logging API call (including the user name, date and time, among other details) that caused the firewall rule change. This information can then be sent to the SIEM for analysis.
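To make the mechanism behind that scenario concrete, here is an added toy illustration (my own code, not Stealthwatch Cloud's implementation) of the three steps: learn from a baseline window of VPC Flow Logs which inbound ports each host normally accepts, raise "Unusual Remote Access" when a host starts accepting SSH or RDP for the first time, and walk back through CloudTrail for the `AuthorizeSecurityGroupIngress` call that opened that port on the host's security group shortly before. All flow lines, the interface-to-host mapping and the CloudTrail events are constructed; the flow line layout follows the default VPC Flow Log field order, and the CloudTrail record shape is reduced to the fields the correlation needs.

```python
"""Toy entity modelling: baseline accepted inbound ports per host, alert on a new
remote-access port, correlate with the security group change that allowed it.
Added illustration; every record below is constructed."""
from datetime import datetime, timedelta, timezone

REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}
# Default VPC Flow Log field order.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed inventory: interface -> (host name, security group), as an
# inventory source such as AWS Config would provide it.
INTERFACES = {"eni-web01": ("web01", "sg-web"), "eni-bastion": ("bastion", "sg-bastion")}

# Constructed baseline window: web01 only ever accepts 443, the bastion accepts 22.
BASELINE_FLOWS = """\
2 123456789012 eni-web01 203.0.113.5 10.0.1.10 51000 443 6 20 4000 1559300000 1559300060 ACCEPT OK
2 123456789012 eni-web01 203.0.113.9 10.0.1.10 51001 443 6 10 2000 1559300100 1559300160 ACCEPT OK
2 123456789012 eni-bastion 198.51.100.23 10.0.0.5 52000 22 6 30 6000 1559300200 1559300260 ACCEPT OK
2 123456789012 eni-web01 198.51.100.99 10.0.1.10 52500 22 6 1 60 1559300300 1559300360 REJECT OK
"""

# Constructed later window: SSH to the bastion is normal, SSH to web01 is not.
NEW_FLOWS = """\
2 123456789012 eni-bastion 198.51.100.23 10.0.0.5 53100 22 6 25 5000 1559389900 1559389960 ACCEPT OK
2 123456789012 eni-web01 198.51.100.23 10.0.1.10 53000 22 6 40 8000 1559390000 1559390060 ACCEPT OK
"""

# Constructed CloudTrail records, reduced to the fields the correlation needs.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2019-06-01T09:30:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.50",
     "requestParameters": {"groupId": "sg-web", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-06-01T09:45:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.51",
     "requestParameters": {"groupId": "sg-bastion", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "198.51.100.0/24"}]}}]}}},
]


def parse_flows(text: str) -> list:
    """Parse default-format flow log lines; ports become ints, start becomes a UTC datetime."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FLOW_FIELDS, line.split()))
        rec["dstport"] = int(rec["dstport"])
        rec["start"] = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
        flows.append(rec)
    return flows


def learn_baseline(flows: list) -> dict:
    """Model each host as the set of inbound ports on which it accepted traffic."""
    baseline = {}
    for f in flows:
        if f["action"] != "ACCEPT":
            continue
        host, _ = INTERFACES[f["interface_id"]]
        baseline.setdefault(host, set()).add(f["dstport"])
    return baseline


def detect_unusual_remote_access(flows: list, baseline: dict) -> list:
    """Alert when a host accepts a remote-access port it never accepted during the baseline."""
    alerts = []
    for f in flows:
        if f["action"] != "ACCEPT" or f["dstport"] not in REMOTE_ACCESS_PORTS:
            continue
        host, sg = INTERFACES[f["interface_id"]]
        if f["dstport"] in baseline.get(host, set()):
            continue
        alerts.append({"alert": "Unusual Remote Access", "entity": host, "security_group": sg,
                       "service": REMOTE_ACCESS_PORTS[f["dstport"]], "port": f["dstport"],
                       "source": f["srcaddr"], "time": f["start"]})
    return alerts


def correlate_rule_change(alert: dict, events: list, window: timedelta = timedelta(hours=24)):
    """Find the ingress rule change on the alert's security group that opened that port beforehand."""
    for ev in events:
        if ev["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = ev["requestParameters"]
        if params["groupId"] != alert["security_group"]:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (alert["time"] - window <= when <= alert["time"]):
            continue
        for perm in params["ipPermissions"]["items"]:
            if perm["fromPort"] <= alert["port"] <= perm["toPort"]:
                return {"who": ev["userIdentity"]["userName"], "from_ip": ev["sourceIPAddress"],
                        "when": ev["eventTime"], "rule": perm}
    return None


if __name__ == "__main__":
    model = learn_baseline(parse_flows(BASELINE_FLOWS))
    for alert in detect_unusual_remote_access(parse_flows(NEW_FLOWS), model):
        print(alert["alert"], alert["entity"], alert["service"], "from", alert["source"])
        print("  caused by:", correlate_rule_change(alert, CLOUDTRAIL_EVENTS))
```

The real product learns roles and baselines statistically over far more signals than one port set, but the shape of the result is the same: an alert that names the entity, the anomaly, and the control-plane change (and the identity behind it) that an analyst or a SIEM correlation rule can act on.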

The same capabilities are implemented for every cloud supported by Cisco Stealthwatch Cloud:

Entity modeling is a unique form of security automation that can uncover a previously unknown problem with your people, processes or technology. For example, it lets you detect, among other things, security problems such as:

  • Has someone discovered a backdoor in the software we use?
  • Is there any third-party software or device in our cloud?
  • Is an authorized user abusing their privileges?
  • Was there a configuration error that allowed someone to gain remote access or to use resources in an unintended way?
  • Is there a data leak from our servers?
  • Is someone trying to connect to us from an unusual geographic region?
  • Is there malicious code in our cloud?

A detected information security event can be sent as a ticket to Slack, Cisco Spark or the PagerDuty incident management system, and also forwarded to various SIEMs, including Splunk or ELK. To sum up: if your company follows a multi-cloud strategy and is not tied to a single cloud provider, then Cisco Stealthwatch Cloud, with the information security monitoring capabilities described above, is a good way to obtain a unified set of monitoring capabilities across the leading cloud players: Amazon, Microsoft and Google. Most interestingly, if you compare the price of Stealthwatch Cloud with the advanced information security monitoring licenses in AWS, Azure or GCP, the Cisco solution may even turn out to be cheaper than the built-in capabilities of the Amazon, Microsoft and Google offerings. It is paradoxical, but true. And the more clouds and the more of their capabilities you use, the more obvious the advantage of a consolidated solution becomes.

In addition, Stealthwatch Cloud can monitor private clouds deployed in your organization, for example those based on Kubernetes containers, or by monitoring NetFlow flows or network traffic received via mirroring on network equipment (even domestically produced equipment), data from AD or DNS servers, and so on. All of this data is enriched with Threat Intelligence collected by Cisco Talos, the world's largest non-governmental group of cybersecurity threat researchers.

This lets you implement a unified monitoring system for the public and hybrid clouds your company may use. The collected information can be analyzed with the built-in capabilities of Stealthwatch Cloud or sent to your SIEM (Splunk, ELK, SumoLogic and several others are supported out of the box).

With this we conclude the first part of the article, in which I looked at the built-in and external tools for monitoring the information security of IaaS/PaaS platforms, which allow us to quickly detect and respond to incidents occurring in the cloud environments our company has chosen. In the second part we will continue the topic and look at options for monitoring SaaS platforms using the example of Salesforce and Dropbox, and we will also try to summarize and put everything together by building a unified information security monitoring system for different cloud providers.

Source: www.habr.com
