The ability to feed key security information
onto a big screen dashboard opens up many new opportunities for managing the day-to-day security and maintenance workload as well as providing a useful method of highlighting new incidents faster than “just another email alert.”
Most Security Operation Centres I’ve visited in recent years have embraced having a few dedicated big-screen displays, but most are restricted to monitoring the on-premise architecture such as local firewalls and servers rather than taking a more holistic approach and accounting for the increasing use of cloud hosted infrastructure and services.
Security no longer starts and ends at the “front door,” with cloud playing a bigger role in more and more organisations. Here’s four things I think every company that uses cloud infrastructure should consider surfacing on their security dashboards.
Inventory and Discovery
The traditional model of server provisioning started changing with the growth of virtualisation. No longer can you assume that new hardware would be purchased and entered into a CMDB
With the growth of cloud infrastructure, the provisioning of new virtual infrastructure became even easier, but with that comes new challenges for your security processes. For that reason, making sure that newly detected devices are highlighted front and center on a dashboard makes a lot of sense and can help to understand the changes going on during provisioning of a new or updated application during the DevOps cycle. Ensuring security coverage against these new devices is key to making sure that gaps don’t develop over time.
Vulnerabilities and Priorities
When vulnerabilities are detected, it’s important that they are presented in a practical fashion. Simply listing every missing patch or misconfiguration often isn’t a sensible approach to managing your workload. A good dashboard should help reveal the most common and highest risk vulnerabilities in an easy-to-read fashion
Tracking progress of investigations is important, too, in order to ensure you’re keeping on top of what’s been discovered as well as giving your security team a goal. Showing how old a vulnerability is, alongside its potential risk, can help provide a focus for teams as well as a sense of accomplishment when you clear down a challenging vulnerability from the dashboard.
If you’re carrying out regular scans of your cloud infrastructure via one or more scanning appliances and/or applications, it’s important to account not just for the health of the environment you're monitoring but also for the status of the tools you're using to provide the monitoring. Availability indicators for your monitoring architecture as well as alerting for whether or not scans are completing successfully ensures that you always have the full picture.
Alongside triaging vulnerabilities, ensuring compliance
to your internal security hardening requirements is key.
Making sure that you are proactively and consistently implementing security procedures helps to minimise your company's risk, and showing compliance levels (typically through a simple percentage score) can verify not just how secure your environment is today but also allow you to track your success over time, helping to demonstrate how everyday investment in your security configuration can help improve your security posture.
Getting the right information out and visible to your SOC team is key. Hopefully, these starting points will help you plan for your security dashboards to provide better overviews of your cloud security.
To learn more about how the Tripwire toolkit helps secure your cloud environments, click here