Co-authored by Colin Hay and Matt Rutkowski

A key feature of any cloud infrastructure is the ability to provide auditing capabilities for compliance with security, operational and business processes. Firms can verify this compliance by leveraging a solid auditing mechanism.

Enterprise customers today expect their computing environments to provide audit support, and their expectations for cloud environments are no different. Customers using data in a cloud environment rely on auditing support to build trust and ensure unauthorized access to their resources does not occur. Consistent and standard audit records enable the use of tools such as the IBM QRadar Security Intelligence Platform™ that can process these audit records and work at every layer of a cloud infrastructure.

Here’s a rundown of the enhancements made in a few recent OpenStack projects to support application programming interface (API) and security auditing through the Distributed Management Task Force’s Cloud Auditing Data Federation (CADF) standard. This new standard audit support works for public, private and hybrid clouds and prevents a reliance on auditing support from being used as an excuse for vendor lock-in. Take a look at how users can leverage the QRadar Security Intelligence Platform to process these standard audit records and perform threat and incident analysis on them.

CADF Overview

The CADF standard defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. The model answers the important questions about any activity or event that might happen in any OpenStack service.

The CADF standard provides guidance on how to answer these questions when filling out the event records and even provides the following consistent taxonomies used to name and classify events for better analysis:

  • Resource Taxonomy Used to classify the resources or services that initiated the event, were the target of the event or observed the event (e.g., admin, database, credential, etc.)
  • Action Taxonomy: Used to classify the event by the activity that caused the event’s creation (e.g., create, update, authorize, send, etc.)
  • Outcome Taxonomy Used to describe the outcome of the attempted action of the event (e.g., success, failure, pending, etc.)

Cloud customers can aggregate and analyze CADF event data from different OpenStack services using security intelligence tools such as QRadar to compile a complete and consistent picture of all employee and customer activities. They can also ensure their regional, industry and corporate policies are enforced by their OpenStack cloud provider. When anomalous activities are detected, the CADF event data contains all the necessary information to track down the offending sources and quickly take corrective action.

QRadar

QRadar is a security intelligence platform that combines traditional security information and event management (SIEM) and log management capabilities with network behavior anomaly detection (NBAD), vulnerability assessment and management, risk analysis and simulation and forensic data inspection. It consumes events, flows, asset and vulnerability information and network topology by integrating with other products/applications/services/assets/endpoints in a client’s environment (on-premises or in the cloud), enabling users to view, analyze, understand and report on everything going on in their environment from many different angles and perspectives. Security posture can be improved, compliance requisites met and maintained and operational issues addressed and optimized.

QRadar has its own Normalized Event model, which allows event data from any number of sources to be normalized into a set of properties commonly applicable with all event data such that they can be analyzed or evaluated in a uniform fashion. When did the event occur? Who is the user that initiated it? If there are two systems/endpoints involved, which was the source and which was the destination/target?

This is the kind of information contained in a normalized event representation of raw event data. Because this data is normalized, out-of-the-box searches, custom-defined searches, reports and rules can all be defined in an event source-agnostic way; users do not need to understand how individual products, services and applications structure their logging or what terminology their events/logs use. QRadar can automatically identify behavioral anomalies and rule violations and alert security analysts and administrators to items requiring their attention.

The CADF audit records generated by OpenStack Ceilometer are perfectly suited for consumption by QRadar, due to their well-structured and prenormalized nature, and the use of the Initiator > Action > Target model. QRadar uses the event type, action and outcome values of the CADF record to identify the nature of an event (what activity was attempted and what the result was) and categorize it appropriately — which is another means of normalization. The event time, initiator and target values of the CADF records all map to properties of the Normalized Event model, allowing for an easy and accurate transformation from CADF OpenStack audit record to QRadar Normalized Event record.

At this point, the event data is ready to be used for all the security intelligence use cases QRadar provides. The end result of this is the ability to leverage all the benefits QRadar and its dashboard provide for monitoring OpenStack-based environments.

Watch a demo of QRadar’s new audit and security incident event monitoring for OpenStack

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today