Co-authored by Colin Hay and Matt Rutkowski

A key feature of any cloud infrastructure is the ability to provide auditing capabilities for compliance with security, operational and business processes. Firms can verify this compliance by leveraging a solid auditing mechanism.

Enterprise customers today expect their computing environments to provide audit support, and their expectations for cloud environments are no different. Customers using data in a cloud environment rely on auditing support to build trust and ensure unauthorized access to their resources does not occur. Consistent and standard audit records enable the use of tools such as the IBM QRadar Security Intelligence Platform™ that can process these audit records and work at every layer of a cloud infrastructure.

Here’s a rundown of the enhancements made in a few recent OpenStack projects to support application programming interface (API) and security auditing through the Distributed Management Task Force’s Cloud Auditing Data Federation (CADF) standard. This new standard audit support works for public, private and hybrid clouds and prevents a reliance on auditing support from being used as an excuse for vendor lock-in. Take a look at how users can leverage the QRadar Security Intelligence Platform to process these standard audit records and perform threat and incident analysis on them.

CADF Overview

The CADF standard defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. The model answers the important questions about any activity or event that might happen in any OpenStack service.

The CADF standard provides guidance on how to answer these questions when filling out the event records and even provides the following consistent taxonomies used to name and classify events for better analysis:

  • Resource Taxonomy Used to classify the resources or services that initiated the event, were the target of the event or observed the event (e.g., admin, database, credential, etc.)
  • Action Taxonomy: Used to classify the event by the activity that caused the event’s creation (e.g., create, update, authorize, send, etc.)
  • Outcome Taxonomy Used to describe the outcome of the attempted action of the event (e.g., success, failure, pending, etc.)

Cloud customers can aggregate and analyze CADF event data from different OpenStack services using security intelligence tools such as QRadar to compile a complete and consistent picture of all employee and customer activities. They can also ensure their regional, industry and corporate policies are enforced by their OpenStack cloud provider. When anomalous activities are detected, the CADF event data contains all the necessary information to track down the offending sources and quickly take corrective action.


QRadar is a security intelligence platform that combines traditional security information and event management (SIEM) and log management capabilities with network behavior anomaly detection (NBAD), vulnerability assessment and management, risk analysis and simulation and forensic data inspection. It consumes events, flows, asset and vulnerability information and network topology by integrating with other products/applications/services/assets/endpoints in a client’s environment (on-premises or in the cloud), enabling users to view, analyze, understand and report on everything going on in their environment from many different angles and perspectives. Security posture can be improved, compliance requisites met and maintained and operational issues addressed and optimized.

QRadar has its own Normalized Event model, which allows event data from any number of sources to be normalized into a set of properties commonly applicable with all event data such that they can be analyzed or evaluated in a uniform fashion. When did the event occur? Who is the user that initiated it? If there are two systems/endpoints involved, which was the source and which was the destination/target?

This is the kind of information contained in a normalized event representation of raw event data. Because this data is normalized, out-of-the-box searches, custom-defined searches, reports and rules can all be defined in an event source-agnostic way; users do not need to understand how individual products, services and applications structure their logging or what terminology their events/logs use. QRadar can automatically identify behavioral anomalies and rule violations and alert security analysts and administrators to items requiring their attention.

The CADF audit records generated by OpenStack Ceilometer are perfectly suited for consumption by QRadar, due to their well-structured and prenormalized nature, and the use of the Initiator > Action > Target model. QRadar uses the event type, action and outcome values of the CADF record to identify the nature of an event (what activity was attempted and what the result was) and categorize it appropriately — which is another means of normalization. The event time, initiator and target values of the CADF records all map to properties of the Normalized Event model, allowing for an easy and accurate transformation from CADF OpenStack audit record to QRadar Normalized Event record.

At this point, the event data is ready to be used for all the security intelligence use cases QRadar provides. The end result of this is the ability to leverage all the benefits QRadar and its dashboard provide for monitoring OpenStack-based environments.

Watch a demo of QRadar’s new audit and security incident event monitoring for OpenStack

more from Cloud Security