In our weekly Top 5 RSA Conference Resources blog series, we’ve asked speakers, “If you were to present your session today, instead of several weeks ago, what would you change/add/do differently (particularly in the apply slide)?”
Many have said they would make no changes, but they have made important comments about the universality of their topics. When I asked Jonathon Poling, Principal Security Transformation Consultant, Threat Detection/Incident Response, at Amazon Web Services (AWS), what he would have done differently in his session, Logging in the Cloud: From Zero to (Incident Response) Hero, he said that while he wouldn’t change anything, he did have a lot to say.
“The beautiful thing about my presentation was that I specifically built it to be evergreen and applicable no matter the circumstances, business or goals,” Poling said. He didn’t stop there, though. Recognizing that things are indeed very different now, Poling added, “People will likely want to ramp up their focus/pursuits in properly instrumenting logging across their entire enterprise amidst the substantial increase in remote operations—an adjustment of which likely requires both increased usage of existing services and establishment of new services in support of the operational shift.”
Given this ramping up, logging will now be more imperative than ever, both for security and operations. “The attack surface for your company traditionally increases with remote work (especially when allowing off-VPN or split traffic), and in turn requires further defense-in-depth, which (no surprise) relies on further/better instrumented logging and monitoring,” Poling added. Cloud security professionals can no longer rely on specific egress monitoring points in their on-premises network if all their employees are now working from home on a system that doesn't employ and enforce a VPN solution to force all traffic back through the on-premises network, according to Poling, who added, “You'll need to figure out how you're going to be monitoring that traffic now.”
The VPN example served as a good segue for Poling to discuss the new operational considerations of a largely remote workforce. He noted that even if you are technically able to force all traffic back through your on-premises network, important questions remain as to whether your network is even able to handle the increased traffic and whether you would know how well (or not) it is all working, thus reinforcing the criticality of logging (and preparation).
“As companies implement technical/architectural changes to their networks and begin employing new services,” Poling said, “operational logging is going to be critical in not only reactively identifying the root cause of an issue but more importantly proactively monitoring and identifying possible issues before they have a chance to propagate or even occur.” It’s also important to keep in mind that while employees may be forgiving if sites are taking longer to load and services are going down and coming back up, the public may not be.
Also worth mentioning, Poling said, is that attackers are taking no breaks in leveraging this pandemic as a massive opportunity to fly under the radar. “They are well aware that many companies are substantially consumed with technological changes and transitions and may not even bat an eye to a system going down or a bunch of errors/alerts starting to pop up across the network. Probably due to the ‘change/service’ we've just implemented, right? Maybe. Maybe not,” he added.
The truth is, it takes time to find the root cause of all of these things, and time is an asset that people often don't have these days as they are focusing on just keeping the business afloat. “Again, this is another argument for the importance of comprehensive logging across your infrastructure. The more targeted logging you have, the more accurate and useful information you'll have to search/reference, and the quicker you'll be able to determine the (possible) root cause(s) of an issue and get back to business,” Poling said. “A return to operations should be well-informed from your operational and security logging data—otherwise, it’s more of a return to repeating history.”