CCSK Domain 6 – Security Monitoring

1. Cloud Monitoring – Why It’s Hard

Monitoring is more complex in the cloud due to:

A. Management Plane

  • Most critical layer: the console, API, and CLI control everything.
  • Must monitor closely because management plane actions = highest risk.

B. High Velocity

  • Cloud changes rapidly → need automation & real-time detection.

C. Distribution & Segregation

  • Resources are spread everywhere.
  • Need centralization of logs for effective monitoring.

D. Cloud Sprawl

  • Multiple CSPs, multiple workloads → complexity increases.

E. Shared Responsibility Model

  • Some monitoring tasks = CSP
  • Some = CSC
  • Varies by service model (IaaS vs PaaS vs SaaS)

2. Logs vs Events

A. Logs

  • Full detailed records (CRUD operations)
  • Stored long-term
  • May have delivery delays

B. Events

  • Only key changes (CUD)
  • Short-lived
  • Faster (seconds) → ideal for rapid response

3. Security Posture Management

Goes beyond logs by analyzing the configuration state of cloud environments.

Includes:

A. Management Plane Logs

  • Console/API/CLI changes
  • Examples: AWS CloudTrail, Azure Audit Logs

B. Service Logs

  • Service-specific (e.g., Load Balancer logs, storage access logs)

C. Resource Logs

  • Show provisioning, config changes, system events
  • VM, DB, SDN logs

4. Cloud-Native Tools (CNAPP Components)

A. CSPM – Cloud Security Posture Management

  • Detects misconfigurations
  • Compliance monitoring
  • Continuous scanning

B. CWPP – Cloud Workload Protection Platform

  • Scans VMs, containers, Kubernetes, serverless for vulnerabilities

C. DSPM – Data Security Posture Management

  • Data discovery, classification
  • Encryption enforcement
  • Detects excessive permissions on data

D. ASPM – Application Security Posture Management

  • Integrates security across SDLC
  • Supports Dev/Sec/Ops collaboration

E. CIEM – Cloud Infrastructure Entitlement Management

  • Manages permissions & least privilege
  • Ideal for controlling identity sprawl

F. CDR – Cloud Detection & Response

  • Detects cloud-specific threats
  • Uses analytics, threat intel, ML

G. SSPM – SaaS Security Posture Management

  • Manages SaaS app configuration & access

5. Critical Events to Monitor

(From CIS AWS Benchmarks)

A. Access Management

  • Unauthorized API calls
  • Console login without MFA
  • IAM policy changes
  • Root account usage
  • Key deletion or scheduled key deletion

B. Resource Management

  • S3 bucket policy changes
  • Security group changes
  • NACL changes
  • VPC changes
  • Gateway changes

C. Logging & Monitoring

  • Logging configuration changes
  • Console authentication failures
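The following is an added worked example (not code from the page or from CSA/CIS) showing how the event categories above can be checked against CloudTrail records. The rule table is an assumed partial reconstruction of the CIS AWS metric-filter logic, not the benchmark's official filter patterns, and the log records are constructed for illustration; field names such as eventName, userIdentity.type, errorCode and additionalEventData.MFAUsed are real CloudTrail fields.

```python
"""Classify CloudTrail records against the CIS-style categories in section 5.
Added example: CHANGE_RULES is an assumed partial reconstruction of the CIS
AWS metric filters, and SAMPLE_RECORDS are constructed, not captured logs."""
import json
from typing import Dict, List

# Event names that indicate each change class (assumed subset of the CIS rules).
CHANGE_RULES = {
    "iam_policy_change": {
        "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
        "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
        "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
        "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
        "AttachRolePolicy", "DetachRolePolicy",
    },
    "s3_bucket_policy_change": {
        "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
        "PutBucketCors", "DeleteBucketCors", "PutBucketLifecycle",
        "PutBucketReplication", "DeleteBucketReplication",
    },
    "security_group_change": {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup",
    },
    "nacl_change": {
        "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
        "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
    },
    "vpc_change": {
        "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", "AcceptVpcPeeringConnection",
        "CreateVpcPeeringConnection", "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    },
    "gateway_change": {
        "CreateCustomerGateway", "DeleteCustomerGateway", "AttachInternetGateway",
        "CreateInternetGateway", "DeleteInternetGateway", "DetachInternetGateway",
    },
    "logging_config_change": {"CreateTrail", "UpdateTrail", "DeleteTrail",
                              "StartLogging", "StopLogging"},
    "key_deletion": {"DisableKey", "ScheduleKeyDeletion"},
}


def classify(record: dict) -> List[str]:
    """Return the list of section-5 categories a single CloudTrail record matches."""
    findings: List[str] = []
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    error_code = record.get("errorCode", "")
    extra = record.get("additionalEventData", {})

    # A. Access management: denied calls, console MFA, root usage.
    if error_code == "AccessDenied" or error_code.endswith("UnauthorizedOperation"):
        findings.append("unauthorized_api_call")
    if name == "ConsoleLogin":
        if record.get("errorMessage") == "Failed authentication":
            findings.append("console_auth_failure")          # C. logging & monitoring
        elif extra.get("MFAUsed") != "Yes":
            findings.append("console_login_without_mfa")
    # Root usage: direct root activity, excluding service-initiated events.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent"):
        findings.append("root_account_usage")

    # A/B/C change classes driven by the rule table above.
    for category, event_names in CHANGE_RULES.items():
        if name in event_names:
            findings.append(category)
    return findings


def scan(records_jsonl: str) -> Dict[str, List[str]]:
    """Map eventID -> findings for every record that matches at least one rule."""
    results: Dict[str, List[str]] = {}
    for line in records_jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hits = classify(record)
        if hits:
            results[record["eventID"]] = hits
    return results


# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_RECORDS = """\
{"eventID":"e1","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"No"}}
{"eventID":"e2","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventID":"e3","eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"Root"}}
{"eventID":"e4","eventName":"AuthorizeSecurityGroupIngress","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole"},"errorCode":"Client.UnauthorizedOperation"}
{"eventID":"e5","eventName":"StopLogging","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"carol"}}
{"eventID":"e6","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"dave"},"errorMessage":"Failed authentication"}
{"eventID":"e7","eventName":"ScheduleKeyDeletion","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"erin"}}
{"eventID":"e8","eventName":"GetObject","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"frank"}}
"""

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_RECORDS).items():
        print(event_id, ", ".join(hits))
```

Note that e4 is flagged twice: the denied security-group change is both an unauthorized API call and a security-group change attempt, which is how the CIS filters behave because the change-class patterns do not test errorCode. Whether a failed attempt should page an analyst is a tuning decision for the SIEM, not for the classifier.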

6. Cloud Telemetry Sources

Telemetry includes:

  • Management plane logs
  • Service logs
  • Resource logs
  • Network logs
  • Application telemetry
  • Performance metrics

Purpose: Visibility, detection, response, audit, compliance

7. Log Collection Architectures

A. Challenges

  • Storage cost
  • Export/egress cost
  • CSP retention limits
  • Need integration into SIEM

B. Solutions

  • Option 1: Keep logs in CSP
    • Cheaper
    • But limited analytics
    • Harder to correlate with on-prem logs
  • Option 2: Export logs
    • Enables better SIEM correlation
    • Expensive due to egress + storage

8. Cascading Log Architecture

A hierarchical log management model where:

  • Dev / Test / Prod send logs → Centralized Log System
  • Central system sends relevant logs → Security/Audit Account
  • Then forwarded into SIEM

Benefits:

  • Centralization
  • Segregation of environments
  • Better visibility and incident response

9. AI for Security Monitoring

AI/ML enhances:

A. Anomaly Detection

  • Behavioral analysis
  • Detects unusual patterns quickly

B. Threat Intelligence/Hunting

  • Correlates huge data volumes
  • Identifies emerging threats

C. Automated Response

  • Faster containment
  • Reduced human workload

D. Analyst Assistance

  • Enrich logs
  • Patch vulnerabilities
  • Simulate attacks
  • Reduce alert fatigue

Flashcards: https://quizlet.com/in/1108708280/ccsk-domain-6-security-monitoring-flash-cards/?i=4jehw4&x=1qqt
