Cloud Anomaly Detection and Vulnerability Assessment Needs to Yield Actionable Alerts
August 13, 2019
Continuous, real-time anomaly detection and behavioral analysis must be capable of monitoring all event activity in your cloud environment, correlating activity among containers, applications, and users, and logging that activity for analysis after containers and other ephemeral workloads have been recycled. This monitoring and analysis must be able to trigger automatic alerts. Behavioral analytics make it possible to perform non-rules-based event detection and analysis in an environment that is continuously adapting to changing operational demands.
Traditionally, monitoring tools – whether for security, applications, or infrastructure – require considerable time to configure the product and to write rules specific to your environment, so that your team receives the right alerts about conditions that run counter to your requirements and setup. With advances in machine learning and AI, we now have the ability to apply solutions built to learn behaviors, detect anomalies in those behaviors, and report on actual activity that might pose a threat.
In the area of security, this is a huge benefit as it can be difficult to predict the behaviors of bad actors and write the appropriate rules. Using anomaly detection delivers a more accurate assessment of the vulnerabilities in a cloud environment, and ultimately gives security teams fewer and more actionable alerts.
Actionable alerts have four important characteristics:
- Prioritizes the level of urgency.
- Notifies the correct people.
- Provides recommended steps for remediation.
- Enables deliberate tasks to be performed through automation.
Prioritization is the first line of defense. Knowing when to escalate and when to suppress an alert helps you and your team direct energy and resources to where they will be most effective at combating true threats to security.
Making sure that the appropriate person receives the alert as quickly as possible is critical. This requires a schedule specifying who is on call and when, rules for escalation, and a definition of who to reach if the on-call person is unavailable or does not know what to do.
Once the right person is engaged, they need all available contextual information about the alert, including details such as the service and region affected, paired with recommended steps for remediation: essentially, instructions that explain what to do next.
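As an added example (not code from the original post or from any product it describes), the following Python sketch shows a behavioral detector that learns a per-service baseline from earlier events, so the baseline outlives any single container, and turns an outlier into an alert carrying the properties listed above: an urgency level, the reachable on-call recipient after escalation, the affected service and region, and remediation steps. The event stream, thresholds, on-call schedule and playbook are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed event stream (not real telemetry): one record per minute of
# outbound connection counts, tagged with container, service and region.
EVENTS = [
    (0, "c-a1", "api", "us-east-1", 12), (1, "c-a1", "api", "us-east-1", 14),
    (2, "c-a1", "api", "us-east-1", 11), (3, "c-a1", "api", "us-east-1", 13),
    # c-a1 is recycled here; c-b7 replaces it, so history is keyed by service
    (4, "c-b7", "api", "us-east-1", 12), (5, "c-b7", "api", "us-east-1", 13),
    (6, "c-b7", "api", "us-east-1", 95),  # sudden burst of outbound connections
]
# Constructed on-call schedule (ordered escalation chain) and remediation playbook.
ON_CALL = {"api": ["alice@example.com", "bob@example.com"]}
UNAVAILABLE = {"alice@example.com"}          # e.g. did not acknowledge the page
FALLBACK = "security-oncall@example.com"
REMEDIATION = ["Review destinations of the new outbound connections",
               "Isolate the container with a deny-all egress network policy",
               "Rotate any credentials mounted into the workload"]

def route(service):
    """Notify the first reachable on-call engineer; escalate down the chain
    and finally to the fallback address."""
    for person in ON_CALL.get(service, []):
        if person not in UNAVAILABLE:
            return person
    return FALLBACK

def urgency(z):
    """Map the size of the deviation to a priority (thresholds are assumptions)."""
    return "P1" if z >= 6 else "P2"

def detect(events, z_threshold=3.0, min_points=4, sigma_floor=1.0):
    """Non-rules-based detection: each event is compared with the learned
    baseline of its service, built only from earlier events. Returns alerts."""
    history, alerts = defaultdict(list), []
    for minute, container, service, region, value in sorted(events):
        prior = history[service]
        if len(prior) >= min_points:
            sigma = max(pstdev(prior), sigma_floor)   # floor avoids divide-by-zero
            z = abs(value - mean(prior)) / sigma
            if z >= z_threshold:
                alerts.append({"minute": minute, "service": service,
                               "region": region, "container": container,
                               "z_score": round(z, 1), "urgency": urgency(z),
                               "notify": route(service), "remediation": REMEDIATION})
        history[service].append(value)   # retained even after the container is gone
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```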
Reducing the time to respond to and resolve an incident, before it compromises the system or lingers as an unaddressed vulnerability, is vital to avoiding further damage. By enabling automation in the security alert workflow, organizations can initiate their response as soon as the vulnerability is detected.