Security monitoring and intelligence allows an organization to proactively monitor, track, and react to security violations. You need end-to-end visibility and integration of security processes and tooling throughout your organization. Security monitoring and intelligence creates a complete audit history for triage and compliance purposes, as well as providing reports and APIs for external consumption and integration.
Security measures vary depending on your cloud deployment model. In this document, we will explain how to implement security monitoring and intelligence in:
- Public cloud environment: A multi-tenant public cloud instance (IBM® SoftLayer® and IBM® Bluemix® Public)
- Dedicated cloud environment: A single-tenant cloud computing instance (Bluemix Dedicated)
- Local cloud environment: An on-premises private cloud deployment (Bluemix Local)
- Hybrid cloud environment: An environment where public and private clouds are used together
In addition, we will discuss security incident response management and how IBM responds to security incidents in its cloud offerings.
Security information and event management
To get visibility about the strength of your environment’s security, you must regularly collect logs and events. Depending on how your cloud environment is set up, you may need to obtain security information from different layers of the environment, including infrastructure, platform, and applications.
Security information and event management for your infrastructure and platform
When looking at your infrastructure and platform, you need to collect and monitor the following set of security logs:
- Firewall authentications and denials
- OS authentications
- OS administrator (admin) operations
- Platform authentication
- Key management operations
- Platform admin operations
- Platform database admin operations
- Admin console operations
- Operating system hardening health check deviations
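As an added example (not part of the original document and not IBM QRadar's own rule logic), the following Python script shows the kind of rules a SIEM applies to three of the log categories above: OS authentications, OS administrator operations and firewall denials. It runs over constructed sample lines written in common Linux sshd, sudo and iptables wording; the host names, addresses, the "FW-DROP:" log prefix, the list of account-changing commands and the alert thresholds are all assumptions made for the example.

```python
"""Added example: SIEM-style rules over infrastructure/platform security logs.

Not from the original document or from IBM QRadar. Input lines are
constructed in common Linux sshd / sudo / iptables wording; host names,
IP addresses, the "FW-DROP:" log prefix and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample logs (not real data).
SAMPLE_LOGS = """\
Mar 10 09:12:01 cfhost1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 09:12:03 cfhost1 sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:12:05 cfhost1 sshd[2201]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 09:12:07 cfhost1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51128 ssh2
Mar 10 09:12:09 cfhost1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 10 09:12:11 cfhost1 sshd[2201]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar 10 09:13:00 cfhost1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd backdoor
Mar 10 09:13:30 cfhost1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar 10 09:14:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22
Mar 10 09:14:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=3306
"""

# OS authentication: sshd password failures (optionally for an "invalid user").
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
# OS admin operations: sudo records who ran what, as which account.
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
# Firewall denials: iptables-style DROP log with source, destination and port.
FW_DROP = re.compile(r"FW-DROP: .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

# Admin commands that change who can log in or escalate (illustrative list, an assumption).
ACCOUNT_CMDS = {"useradd", "usermod", "userdel", "passwd", "chpasswd", "visudo"}


def analyze(log_text, fail_threshold=3, port_threshold=2):
    """Return a list of alert dicts produced by three rules plus one correlation."""
    ssh_fail_by_src = defaultdict(list)  # src IP -> user names tried
    fw_ports_by_src = defaultdict(set)   # src IP -> destination ports denied
    alerts = []

    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            user, src = m.groups()
            ssh_fail_by_src[src].append(user)
            continue
        m = SUDO_CMD.search(line)
        if m:
            user, target, cmd = m.groups()
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the program run
            if prog in ACCOUNT_CMDS:
                alerts.append({"rule": "sudo_account_change", "user": user,
                               "as": target, "command": cmd})
            continue
        m = FW_DROP.search(line)
        if m:
            src, _dst, dport = m.groups()
            fw_ports_by_src[src].add(int(dport))

    # Rule: repeated password failures from one address (brute force / spraying).
    for src, users in ssh_fail_by_src.items():
        if len(users) >= fail_threshold:
            alerts.append({"rule": "ssh_bruteforce", "src": src,
                           "count": len(users), "users": sorted(set(users))})
    # Rule: one address denied on several distinct ports (scanning behaviour).
    for src, ports in fw_ports_by_src.items():
        if len(ports) >= port_threshold:
            alerts.append({"rule": "fw_port_scan", "src": src, "ports": sorted(ports)})
    # Correlation across sources: the same address denied at the perimeter
    # and failing OS authentication is worth more than either alone.
    for src in sorted(set(ssh_fail_by_src) & set(fw_ports_by_src)):
        alerts.append({"rule": "correlated_hostile_src", "src": src})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The point of keeping the three sources in one pass is the last loop: a single firewall denial or a single failed login is noise, but the same source appearing in both streams is the kind of cross-log correlation a SIEM exists to provide, and it is only possible when the infrastructure and platform logs listed above all land in one place.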
IBM Bluemix Public
In IBM Bluemix Public, all security logs are sent automatically to an internal Security Operations Center powered by IBM Security QRadar®. Bluemix uses QRadar to consolidate Linux logs and monitor privileged access on the Linux hosts. Tenable Network Security's vulnerability scanner, Nessus, detects issues with network and host configurations so that they can be remediated.
Bluemix administrators ensure that fixes for operating systems are applied at appropriate frequencies. IBM Endpoint Manager enables automated fixes. Bluemix also uses IBM QRadar security information and event management (SIEM) to monitor successful and unsuccessful login attempts by application developers.
All Bluemix platforms come with built-in intrusion detection. Intrusion detection is enabled through a combination of SoftLayer-provided capabilities (for Bluemix Public and Bluemix Dedicated environments), capabilities at the perimeter level within the firewall or IBM Security Access Manager for DataPower®, and by monitoring Bluemix security logs that are consolidated within the QRadar SIEM tool.
IBM Bluemix Dedicated and IBM Bluemix Local
In Bluemix Dedicated and Bluemix Local, you can configure the following QRadar reports:
- Firewall authentication
- Firewall denials
- Administration events (OS)
- Administration events (DB)
- Administration events (Bluemix Platform)
- Authentication events (OS)
- Authentication events (Login Server)
- Bluemix Platform Ops Directory User List report
- Bluemix Platform IP Address Details report
- Bluemix Platform User List report
- Admin Console security reports management events
- Admin Console catalog management events
- Admin Console user management events
- Access reviews
- Change management
- Key management
- Patch management
- Security Incident management
Read the Bluemix security documentation for more information about these reports.
Security information and event management for applications and services
For applications and services, consider the following steps for implementing security information and event management:
- Drain logs over syslog, syslog-tls, or HTTPS
- Assess all events related to the app, including events in staging and deployment
- Distinguish the logs from different instances of the application
- Parse events
Loggregator, the Cloud Foundry component responsible for logging, provides a stream of log output from your application and from Cloud Foundry system components that interact with your app during updates and execution. By default, Loggregator streams logs to your terminal.
To persist more than the limited amount of logging information that Loggregator can buffer, you can drain logs to a third-party log management service. Cloud Foundry gathers and stores logs in a best-effort manner. If a client is unable to consume log lines quickly enough, the Loggregator buffer may need to overwrite some lines before the client has consumed them. A syslog drain can usually keep up with the flow of application logs. Get more information about monitoring and logging in the Bluemix
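To make the four steps above concrete, here is an added example (not from the original page and not Cloud Foundry's own code) in Python that parses RFC 5424 syslog lines as a syslog drain delivers them, distinguishes application instances by the instance index carried in the PROCID field, separates staging (STG) and router (RTR) events from application (APP) output, and counts what would otherwise be dropped because it failed to parse. The sample lines, the org.space.app host name, the application GUID and the message bodies are constructed; the PROCID layout `[APP/PROC/WEB/0]`, `[RTR/3]`, `[STG/0]` follows the Cloud Foundry convention.

```python
"""Added example: parse Cloud Foundry syslog-drain lines and separate instances.

Not from the original page or from Cloud Foundry. Sample lines are constructed;
the org.space.app host name, app GUID and message bodies are assumptions.
"""
import re
from collections import Counter

# Constructed sample drain output (RFC 5424 framing as a syslog drain delivers it).
SAMPLE_DRAIN = """\
<14>1 2016-03-10T09:12:01.000000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [STG/0] - - Staging complete
<14>1 2016-03-10T09:12:03.000000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [APP/PROC/WEB/0] - - listening on port 8080
<14>1 2016-03-10T09:12:04.000000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [APP/PROC/WEB/1] - - listening on port 8080
<14>1 2016-03-10T09:12:05.000000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [RTR/3] - - payments.example.com - [2016-03-10T09:12:05+0000] "POST /login HTTP/1.1" 401 0 21 "-" "curl/7.47.0" "203.0.113.7:51122"
<14>1 2016-03-10T09:12:06.000000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [RTR/3] - - payments.example.com - [2016-03-10T09:12:06+0000] "POST /login HTTP/1.1" 401 0 21 "-" "curl/7.47.0" "203.0.113.7:51124"
<11>1 2016-03-10T09:12:06.500000+00:00 myorg.dev.payments 2f8a6c2d-1111-2222-3333-444455556666 [APP/PROC/WEB/1] - - ERROR invalid token presented for user alice
this line is not syslog at all
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# Cloud Foundry carries the log source and instance index in PROCID: [APP/PROC/WEB/2], [RTR/3], [STG/0]
PROCID = re.compile(r"^\[(?P<source>[A-Z]+)(?:/[A-Z]+)*/(?P<index>\d+)\]$")
# Status code in a router (RTR) access-log line: ... "POST /login HTTP/1.1" 401 ...
HTTP_STATUS = re.compile(r'" (?P<status>\d{3}) ')


def parse_line(line):
    """Return a dict of parsed fields, or None if the line is not RFC 5424."""
    m = RFC5424.match(line)
    if not m:
        return None
    ev = m.groupdict()
    pri = int(ev["pri"])
    ev["facility"], ev["severity"] = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    p = PROCID.match(ev["procid"])
    ev["source"] = p["source"] if p else None
    ev["instance"] = int(p["index"]) if p else None
    s = HTTP_STATUS.search(ev["msg"])
    ev["status"] = int(s["status"]) if s else None
    return ev


def summarize(log_text):
    """Count events per (source, instance), auth denials per app, errors and unparsed lines."""
    per_instance = Counter()
    denied_per_app = Counter()
    errors = unparsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # never drop silently: a parse gap is itself a monitoring finding
            continue
        per_instance[(ev["source"], ev["instance"])] += 1
        if ev["status"] in (401, 403):
            denied_per_app[ev["host"]] += 1
        if ev["severity"] <= 3:  # syslog severity 0..3 = emergency .. error
            errors += 1
    return {"instances": dict(per_instance), "denied": dict(denied_per_app),
            "errors": errors, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DRAIN).items():
        print(key, value)
```

A drain is registered as a user-provided service and bound to the application, for example `cf cups my-drain -l syslog-tls://collector.example.com:6514` followed by `cf bind-service payments my-drain` and a restage (the collector host name is a placeholder). A plain `syslog://` URL sends application logs, including whatever secrets they contain, in cleartext across the network; prefer syslog-tls or https to a collector you control.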
User authentication and access logs
Bluemix uses Cloud Foundry mechanisms to ensure that each application developer has access only to the applications and service instances that they created. External users cannot access Bluemix Platform internal endpoints.
Audit logs are created for all successful and unsuccessful authentication attempts by application developers, and for privileged access to the Linux systems that host the containers in which Bluemix applications run. Bluemix uses the IBM QRadar SIEM to monitor both: privileged access on the Linux systems that run the Cloud Foundry and Bluemix Platform components, and successful and unsuccessful developer login attempts. These logs can also be consumed by any third-party SIEM product. Learn more about logging in the
Having a way to track and record API calls made by users and applications within your cloud environment is imperative for security monitoring and intelligence. A single place to filter, monitor, and archive API calls lets you analyze patterns and trends that may indicate a security risk.
IBM Bluemix Public
IBM Access Trail captures and records API call logs made by users and applications within the IBM Cloud. The Access Trail service is a foundational cloud security service provided by IBM Cloud that enables you to view, search, and export API access logs for IBM cloud runtimes and services.
In a single place, security administrators gain visibility into API call activity across the cloud platform runtimes and services. A single UI management console collects API call logs and stores them for filtering, monitoring, and archiving, so that administrators can detect abnormal activity. Prompt investigation of deviations from an established baseline of normal behavior helps detect intrusions or unauthorized access requests.
Maintaining an API call log data repository provides for on-demand access to support:
- Data security compliance audits
- Investigation of cybersecurity incidents
- Forensic analysis
- Establishing benchmarks for user behavior patterns
The API call log files can be exported to a third-party SIEM solution for extensive security analysis. Read the Bluemix documentation for more information about how to leverage Access Trail for enhanced visibility into your cloud services and runtimes.
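As an added example of building such a benchmark (this is not Access Trail's own log format or logic), the Python below learns a per-user profile from a window of API call records and then flags later calls that deviate from it: an unseen source address, an action the user has never performed, activity outside the user's usual hours, or more calls in one hour than the busiest baseline hour. The record tuples, user names, addresses and the `cf.*` action names are constructed for the example; an Access Trail export would have to be mapped onto these four fields first.

```python
"""Added example: a behavioural baseline over API call log records.

Not Access Trail's own format or logic. Records are constructed tuples of
(timestamp, user, source IP, action); user names, addresses and the
"cf.*" action names are assumptions made for the example.
"""
from collections import Counter, defaultdict

# Constructed training window, assumed to contain only legitimate activity.
BASELINE_RECORDS = [
    ("2016-03-07T09:05:00Z", "alice", "198.51.100.4", "cf.app.create"),
    ("2016-03-07T09:20:00Z", "alice", "198.51.100.4", "cf.app.update"),
    ("2016-03-07T10:01:00Z", "alice", "198.51.100.4", "cf.service.bind"),
    ("2016-03-08T09:15:00Z", "alice", "198.51.100.4", "cf.app.update"),
    ("2016-03-08T11:40:00Z", "alice", "198.51.100.4", "cf.app.update"),
    ("2016-03-07T14:00:00Z", "bob", "198.51.100.5", "cf.app.update"),
    ("2016-03-08T14:30:00Z", "bob", "198.51.100.5", "cf.app.update"),
]

# Constructed later records to score against the baseline.
NEW_RECORDS = [
    ("2016-03-10T09:10:00Z", "alice", "198.51.100.4", "cf.app.update"),         # normal
    ("2016-03-10T03:02:00Z", "alice", "203.0.113.9", "cf.service-key.create"),  # new IP, new action, 03:00
    ("2016-03-10T03:03:00Z", "alice", "203.0.113.9", "cf.service-key.create"),
    ("2016-03-10T03:03:10Z", "alice", "203.0.113.9", "cf.service-key.create"),
    ("2016-03-10T14:05:00Z", "bob", "198.51.100.5", "cf.app.update"),           # normal
    ("2016-03-10T14:06:00Z", "mallory", "203.0.113.9", "cf.user.create"),       # never seen before
]


def hour_bucket(ts):
    """'2016-03-10T03:02:00Z' -> '2016-03-10T03' (one bucket per calendar hour, UTC)."""
    return ts[:13]


def build_baseline(records):
    """Per-user profile: known source IPs, actions, active UTC hours, busiest single hour."""
    profiles = defaultdict(lambda: {"ips": set(), "actions": set(), "hours": set(), "max_hourly": 0})
    hourly = Counter()
    for ts, user, ip, action in records:
        profile = profiles[user]
        profile["ips"].add(ip)
        profile["actions"].add(action)
        profile["hours"].add(int(ts[11:13]))
        hourly[(user, hour_bucket(ts))] += 1
    for (user, _bucket), n in hourly.items():
        profiles[user]["max_hourly"] = max(profiles[user]["max_hourly"], n)
    return dict(profiles)


def detect_deviations(records, baseline):
    """Return per-record findings plus one rate-spike finding per (user, hour) over baseline."""
    findings = []
    hourly = Counter()
    for ts, user, ip, action in records:
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("unknown_user")  # no profile at all: always worth a look
        else:
            if ip not in profile["ips"]:
                reasons.append("new_source_ip")
            if action not in profile["actions"]:
                reasons.append("new_action")
            if int(ts[11:13]) not in profile["hours"]:
                reasons.append("off_hours")
        if reasons:
            findings.append({"ts": ts, "user": user, "ip": ip, "action": action, "reasons": reasons})
        hourly[(user, hour_bucket(ts))] += 1
    # Volume check: more calls in one hour than this user's busiest baseline hour.
    for (user, bucket), n in sorted(hourly.items()):
        profile = baseline.get(user)
        if profile and n > profile["max_hourly"]:
            findings.append({"user": user, "hour": bucket, "reasons": ["rate_spike"],
                             "count": n, "baseline_max": profile["max_hourly"]})
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(NEW_RECORDS, build_baseline(BASELINE_RECORDS)):
        print(finding)
```

The baseline window has to be one you trust: if the attacker's activity is already in it, their address and actions become "normal". In practice the profile is rebuilt on a rolling window and the thresholds are tuned per environment; the value of keeping the raw API call repository, as the list above says, is that you can rebuild the baseline from a clean window once an incident is known.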
Security Operations Center (SOC) analysts must inspect incoming events in real time. Analysts quickly evaluate and prioritize these events using information from other assets and not based solely on the vendor’s predetermined event severity. SOC analysts use various methods to thoroughly investigate anomalous or suspicious activity. You can use security information and event management (SIEM) tools to analyze security alerts in application logs. At IBM, we have numerous products and services that help you analyze security alerts in your cloud environment. These include:
- IBM Security QRadar SIEM provides security intelligence in cloud environments.
- IBM Security Intelligence on Cloud enables you to acquire flexible threat protection and compliance reporting capabilities quickly without large capital expenditures and offers a cost-efficient initial step toward IT security.
- IBM X-Force® Threat Analysis Service (XFTAS) proactively manages daily security threats, providing an evaluation of global online threat conditions and detailed, tailored analysis. This powerful combination of SIEM, security research, and data clarifies the nature and severity of Internet-based threats and provides intelligence to stay ahead of the threats.
Integrated view across hybrid deployments
The image below depicts the overall architecture view on how you can use IBM products and your own SOC or SIEM solutions to get better visibility into your cloud resources.
Architecture overview — Security information and event management
Figure 1 depicts a representative architecture in which a QRadar-based SIEM solution runs in the customer's SOC. The stars in the diagram mark the points where the chain of custody of security logs and access to these systems are governed: access requires approval, the business need is periodically revalidated, and rights are revoked when an employee leaves.
Security logs for all privileged access to these systems are sent to the SIEM for archiving, monitoring, reporting, and alerting. Which logs are available depends on the deployment model in use, whether Bluemix Public, Bluemix Dedicated, or Bluemix Local.
IBM Managed Security Services
IBM Managed Security Services (MSS) allow you to secure and monitor your resources on the cloud. The services perform policy configuration, management, and monitoring of security devices deployed in the IBM cloud, including public, private, and “bare metal” cloud services.
The security incident classification and escalation area of IBM MSS focuses on incident-related processes performed as part of network intrusion detection and prevention system (IDPS) event monitoring. IBM X-Force intelligence provides the basis for the initial triage of events. Using information about how the exploits work, SOC analysts correlate activity patterns with signature severity to associate the behavior with known attacks. This allows the SOC analyst to determine the potential risks associated with the events. X-Force delivers research information directly through the MSS Customer Portal to ensure that your security team is always connected to the most recent developments in security intelligence. To more fully engage in this process, IBM encourages customers to subscribe to the X-Force Threat Analysis Service (XFTAS) to get access to the latest security intelligence.
Security incident response management
When a security incident occurs, how you respond to it and how you communicate its severity and the possible next steps to your customers is important. Security incident response management is an integral part of security monitoring and intelligence.
IBM uses various methods to communicate security vulnerability information to customers. The company uses security bulletins to publicly disclose security vulnerabilities discovered in IBM offerings. Alternative tools and processes are used, where appropriate, for more targeted and discreet communications.
IBM maintains two related security incident response efforts: The Product Security Incident Response Team and the Computer Security Incident Response Team. The combined function of the PSIRT and CSIRT is to record and resolve the business impacts of incidents that have security implications, as well as any technical or process-related causes and underpinnings.
IBM Product Security Incident Response Team (PSIRT)
The PSIRT is a global team that manages the receipt, investigation, and internal coordination of security vulnerability information related to IBM offerings. Security researchers, industry groups, government organizations, and vendors should report potential IBM product security vulnerabilities to the IBM PSIRT.
The IBM PSIRT is focused on identifying, tracking, and resolving vulnerabilities in software and products. The PSIRT is a community of developers across IBM who use a collaborative software system to route vulnerability notices to the affected products and track the response to completion based on independently assigned severity as defined by the Common Vulnerability Scoring System (CVSS). For more information, see the IBM security vulnerability management information and the IBM Product Security Incident Response Team Blog.
Computer Security Incident Response Team (CSIRT)
The CSIRT is focused on identifying, tracking, and resolving security incidents that could impact the business. The CSIRT is a core team from the IBM CIO office that works with stakeholders and parties with a vested interest in a particular incident. Bluemix supports web services integrations for notifications. Read more about incident
Incident response and support
IBM Bluemix Public
For Bluemix Public, you can sign up for platform notifications, which are optional email alerts for incident and maintenance events. Learn more about how to set up these notifications.
IBM Bluemix Dedicated
Refer to the Bluemix documentation for more information about the process for customer-detected and IBM-detected issues and incidents for IBM Bluemix Dedicated.
IBM Bluemix Local
Refer to the Bluemix documentation for more information about the process for customer-detected and IBM-detected issues and incidents for IBM Bluemix Local environments.
Security intelligence and monitoring resources
- ISO/IEC DIS 19086-1 — Service level agreement (SLA) framework and technology
- Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- Reference architecture
- How do you scale a logging infrastructure to accept a billion messages a day?
- Access Trail
- Get started with Access Trail
- Monitoring and logging with Cloud Foundry