With a growing number of companies adopting cloud-only technology rather than on-premises infrastructure, last year saw a rise in cloud security breaches, as well as in vulnerabilities exposed by simple user misconfiguration. Gaining insight from collected logs via machine learning and artificial intelligence is only the first step in detecting anomalies and potential cloud-based security threats.

Detecting insider threats via UEBA is one such strategy, as any user with access to cloud resources could quickly and easily exfiltrate data. This includes privileged users as well as regular users whose basic access lets them read and download sensitive documents, which is all that exfiltration requires. Once a baseline for the cloud provider has been established, monitor for any abnormal authentication activity: unusual logins, logins at irregular times of day, and logins from suspicious locations.

The level of activity recorded in the relevant logs depends on the cloud provider or service. At a minimum, detection tools should look for any abnormal use of elevated commands, including configuration changes that may have system-wide effects. DLP technology that specifically works with cloud services should also be adopted to protect sensitive data. Using a SIEM to aggregate the log files from all of these technologies increases visibility and speeds up detection. Establishing a baseline is key to reducing alarm fatigue, enabling your SOC analysts to concentrate on hunting for threats, rather than being the hunted!
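As an added illustration of the baseline-then-detect approach described above for both login anomalies and elevated commands (example code, not from the original article or any vendor's UEBA product): a per-user baseline of countries, login hours and previously used elevated actions is built from a training window of constructed audit-log events, and later events are flagged when they deviate from it. The event fields, the `ELEVATED_ACTIONS` set and the one-hour slack are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample cloud audit-log events (training window), not real data.
BASELINE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:12:00", "country": "GB", "action": "Login"},
    {"user": "alice", "ts": "2024-03-05T10:03:00", "country": "GB", "action": "Login"},
    {"user": "alice", "ts": "2024-03-06T08:47:00", "country": "GB", "action": "DownloadFile"},
    {"user": "bob", "ts": "2024-03-04T14:20:00", "country": "US", "action": "Login"},
    {"user": "bob", "ts": "2024-03-05T15:05:00", "country": "US", "action": "UpdateRolePolicy"},
]
# Constructed events from the detection window.
NEW_EVENTS = [
    {"user": "alice", "ts": "2024-03-11T09:30:00", "country": "GB", "action": "Login"},
    {"user": "alice", "ts": "2024-03-12T03:15:00", "country": "RU", "action": "Login"},
    {"user": "alice", "ts": "2024-03-12T03:20:00", "country": "RU", "action": "UpdateRolePolicy"},
    {"user": "bob", "ts": "2024-03-11T14:45:00", "country": "US", "action": "UpdateRolePolicy"},
]
# Assumed set of elevated actions: configuration changes with tenant-wide effect.
ELEVATED_ACTIONS = {"UpdateRolePolicy", "DeleteTrail", "ModifyFirewallRule"}

def build_baseline(events):
    """Per user: countries seen, hours of activity seen, elevated actions seen."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "elevated": set()})
    for e in events:
        profile = base[e["user"]]
        profile["countries"].add(e["country"])
        profile["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        if e["action"] in ELEVATED_ACTIONS:
            profile["elevated"].add(e["action"])
    return base

def score_events(baseline, events, hour_slack=1):
    """Return (event, reasons) for every event that deviates from the baseline."""
    findings = []
    for e in events:
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            hour = datetime.fromisoformat(e["ts"]).hour
            if e["country"] not in profile["countries"]:
                reasons.append(f"new location {e['country']}")
            # Circular distance so 23:00 and 00:00 count as adjacent hours.
            if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in profile["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00")
            if e["action"] in ELEVATED_ACTIONS and e["action"] not in profile["elevated"]:
                reasons.append(f"first use of elevated action {e['action']}")
        if reasons:
            findings.append((e, reasons))
    return findings
```

In a real deployment the baseline would be rebuilt over a rolling window and the reasons would feed a SIEM rule rather than a list, but the scoring logic is the same.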