This post is the fourth in a series of eight on five pillars to actionable cloud security. For the rest of the series, visit the Five Pillars blog page here.
This next step, or pillar, relies on first being able to determine who is allowed access and to what – and then detecting anomalies. Typically, Detection Controls focus on intrusion, more commonly known as Intrusion Detection Systems (IDS). These are automated systems designed to monitor and analyze network traffic and to generate an alert in response to activity that either matches known malicious patterns or is anomalous. Some IDS controls go further: they trigger automated processes that can include recording the suspicious activity or scanning the computers involved to try to find signs of compromise.
An IDS differs from a firewall in that a firewall looks outwardly for intrusions to stop them from happening in the first place. An IDS looks both for intrusions that have already occurred (or are actively occurring) and for attacks that originate from within the network.
Because an IDS watches the actual network traffic flow, it not only permits a more timely response to an active compromise but can also identify devices that are in imminent danger of compromise. In layman’s terms, this means identifying devices – or resources – whose access profiles are similar to those of the resource where the intrusion took place. IDS controls therefore require a feedback loop with a security provider, so that the latest malicious activities are learned and recognized when they appear.
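The two detection modes described above (matching known malicious patterns and flagging anomalous behaviour), followed by the "similar access profile" triage step, as an added example that is not part of the original post. The flow records, access profiles and signature table are all constructed for illustration; a real IDS matches on packet payloads and far richer rules.

```python
"""Minimal signature + anomaly IDS over constructed flow records."""
from collections import defaultdict

# Constructed sample flow log (not real traffic): (source host, destination host, dst port).
FLOWS = [
    ("web-1", "db-1", 5432), ("web-1", "db-1", 5432), ("web-2", "db-1", 5432),
    ("web-2", "db-1", 5432), ("web-2", "db-1", 5432), ("admin-1", "db-1", 22),
    ("web-1", "db-1", 23),                                        # telnet: known-bad pattern
    ("app-3", "db-1", 21), ("app-3", "db-1", 22), ("app-3", "db-1", 25),
    ("app-3", "db-1", 80), ("app-3", "db-1", 443), ("app-3", "db-1", 3306),  # port sweep
]

# Constructed access profiles: the network roles (e.g. security groups) each host holds.
ACCESS_PROFILES = {
    "web-1": {"sg-web", "sg-db-client"}, "web-2": {"sg-web", "sg-db-client"},
    "app-3": {"sg-app", "sg-db-client"}, "admin-1": {"sg-admin"}, "db-1": {"sg-db"},
}

# Signature rules (constructed): destination ports that should never appear here.
SIGNATURES = {23: "telnet", 21: "cleartext-ftp"}

# Anomaly baseline: one source touching more distinct ports on a host than this is suspicious.
MAX_DISTINCT_PORTS = 4


def detect(flows):
    """Return (alerts, suspects): alert tuples and the set of source hosts implicated."""
    alerts, ports_seen = [], defaultdict(set)
    for src, dst, port in flows:
        if port in SIGNATURES:                      # signature match: known malicious pattern
            alerts.append(("signature", src, dst, SIGNATURES[port]))
        ports_seen[(src, dst)].add(port)
    for (src, dst), ports in ports_seen.items():    # anomaly: deviation from the baseline
        if len(ports) > MAX_DISTINCT_PORTS:
            alerts.append(("anomaly", src, dst, f"{len(ports)} distinct ports"))
    return alerts, {a[1] for a in alerts}


def peers_at_risk(host, profiles=ACCESS_PROFILES):
    """Hosts sharing any access role with `host`: same exposure, so review them next."""
    roles = profiles.get(host, set())
    return sorted(h for h, r in profiles.items() if h != host and roles & r)


if __name__ == "__main__":
    alerts, suspects = detect(FLOWS)
    for a in alerts:
        print("ALERT", *a)
    for s in sorted(suspects):
        print(f"{s}: peers with a similar access profile -> {peers_at_risk(s)}")
```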
The Intrusion Detection System is explained in more detail here.
To develop an actionable Detection Controls pillar, customers must:
- Deploy detective controls at Layer 4 to Layer 7 and protect applications
- Understand how IDS differs from Firewall protections
- Have a thorough understanding of all monitoring and logging activities that are performed as part of in-place detection systems
In the next post we will discuss the third pillar, Network Security.
Rich is Director of Marketing for public cloud products at Barracuda. He joined the team as part of the acquisition of C2C Systems in 2014. Rich is one of Barracuda's public cloud experts. He works directly on cloud ecosystems and is quoted in Microsoft ebooks on securing the public cloud. He is also a regular contributor to Barracuda's cloud-themed blogs. As part of our cloud work, he helps develop strategies and execute them with our partners and sales teams.
If you would like to get in touch with Rich, you can connect with him on LinkedIn and follow him on Twitter.
You can contact Rich by e-mail at rturner@barracuda.com.