Cloud security monitoring - Fighting a war or thwarting spies?



Our friends at Elastic, the company behind Elasticsearch, have published an eye-opening white paper with SANS on modern security monitoring. We encourage everyone in the security and cloud community to read it.



This blog post is our attempt to explain the white paper the way we would explain it to a 5th grader.


Key points:

  • Most organisations think of cyber and cloud security as preparing for war: big aircraft carriers, tanks and the like are brought in for offence and defence. In practice that means a dependency on point tools such as endpoint protection (anti-virus / anti-malware detection) as the centrepiece of their security strategy.

  • This leaves large parts of the attack surface unprotected, so bad actors can sneak in. And once they are past these point-defence tools, they have free rein within the network.

  • We at SquareShift believe that modern cyber security is more of a counter spy operation.

  • Listen in to all the signals being generated by your servers, networks and apps.

  • Let machine learning and anomaly detection surface unusual activity.

  • Conduct investigations and collect proof to locate the point of breach and the bad actors behind it.

  • Protect, defend and remedy with pinpoint accuracy and speed.

  • This strategy shifts the focus from point-defence and tools to one that is reliant on data and visibility across the landscape.

  • This is a subtle but profound shift in the way we think about cyber and cloud security.

With that layman’s explanation now out of the way, let us give you some insightful excerpts from the white paper.

Just as threat actors can switch tactics when needed, defenders also have a vast toolbox and access to data. The problem is that many seldom use what is available to them or know the multiple ways in which to use that data.

Translation: Bad actors are constantly probing. Why are your organisation’s cyber security defences static?


When multiple data sources come together, an organisation can write better-contextualized, less-brittle detections and detect, possibly even stop, threat actors earlier in a breach. Multisource detections also provide excellent audit trails for incident response, allowing you to conduct and conclude investigations faster.

Translation: Your infrastructure, network and apps are generating tons of log data and signals. If you string them together properly, you get a wealth of insights to defend & protect better.


Visibility, however, encompasses much more than simply “seeing” a particular asset or asset class. Visibility also facilitates identification of the data sources the security team can use to detect and respond to incidents within the environment—along with how easily an attacker can evade a particular source of telemetry. Security teams that base both their visibility and detections on a single source of telemetry risk creating an exponential single point of failure.

Translation: Identify the gaps, deploy data collection agents, bring the data to a central location, and look for anomalies across these data sets. Don't build your detections on a single source of telemetry: an attacker who evades that one source becomes invisible to you. Do this and you already have a powerful detection capability.
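To make the last two excerpts concrete, here is a small Python example of the difference between a single-source rule and a multi-source detection. It is an added illustration written for this post; it is not code from the white paper, from Elastic, or from SANS, and it does not use any specific SIEM product. The sshd log lines, the cloud-audit and netflow records, the IP addresses, user names, score weights, time window and alert threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (not real data). All timestamps are UTC.
AUTH_LOG = [
    "2024-03-01T08:15:40Z sshd Accepted publickey for alice from 192.0.2.55",
    "2024-03-01T09:00:12Z sshd Accepted publickey for deploy from 198.51.100.20",
    "2024-03-01T09:41:03Z sshd Accepted password for deploy from 203.0.113.7",
]
CLOUD_AUDIT = [  # (time, principal, API action, source IP), in the style of a cloud audit trail
    ("2024-03-01T09:05:00Z", "deploy", "DescribeInstances", "198.51.100.20"),
    ("2024-03-01T09:44:10Z", "deploy", "CreateAccessKey", "203.0.113.7"),
    ("2024-03-01T09:45:30Z", "deploy", "AuthorizeSecurityGroupIngress", "203.0.113.7"),
]
NETFLOW = [  # (time, internal host, destination IP, bytes sent)
    ("2024-03-01T09:06:00Z", "web-01", "198.51.100.20", 12_000),
    ("2024-03-01T09:52:45Z", "web-01", "203.0.113.7", 850_000_000),
]

KNOWN_ADMIN_IPS = {"198.51.100.20"}          # assumed allowlist of bastion/VPN egress IPs
SENSITIVE_ACTIONS = {"CreateAccessKey", "AuthorizeSecurityGroupIngress", "PutUserPolicy"}
EGRESS_BYTES = 100_000_000                   # assumed "large transfer" threshold
WINDOW = timedelta(minutes=30)               # evidence must cluster within this window
THRESHOLD = 4                                # assumed score at which an alert is raised

AUTH_RE = re.compile(r"^(\S+) sshd Accepted (\w+) for (\S+) from (\S+)$")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(lines):
    """Turn raw sshd lines into dicts; lines that do not match the pattern are ignored."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"time": ts(m[1]), "method": m[2], "user": m[3], "ip": m[4]})
    return events


def single_source_alerts(auth_events, known_ips=KNOWN_ADMIN_IPS):
    """The brittle rule: any SSH login from an IP not on the allowlist.
    It fires on every roaming user and goes completely blind if sshd logging is disabled."""
    return [(e["user"], e["ip"]) for e in auth_events if e["ip"] not in known_ips]


def correlate(auth_events, audit, flows, known_ips=KNOWN_ADMIN_IPS,
              window=WINDOW, threshold=THRESHOLD):
    """Multi-source rule: score independent evidence per source IP and alert when
    enough of it clusters inside `window`. Each source contributes on its own, so
    losing one source lowers the score but does not blind the detection."""
    evidence = defaultdict(list)  # ip -> [(time, weight, description)]
    for e in auth_events:
        if e["ip"] not in known_ips:
            weight = 2 if e["method"] == "password" else 1  # password logins are rarer here
            evidence[e["ip"]].append((e["time"], weight, f"ssh {e['method']} login as {e['user']}"))
    for t, principal, action, ip in audit:
        if action in SENSITIVE_ACTIONS and ip not in known_ips:
            evidence[ip].append((ts(t), 2, f"{principal} called {action}"))
    for t, host, dst, nbytes in flows:
        if nbytes >= EGRESS_BYTES and dst not in known_ips:
            evidence[dst].append((ts(t), 2, f"{host} sent {nbytes} bytes to {dst}"))

    alerts = []
    for ip, items in evidence.items():
        items.sort(key=lambda i: i[0])
        best_score, best_cluster = 0, []
        for k, (start, _, _) in enumerate(items):   # sliding window over sorted evidence
            cluster = [i for i in items[k:] if i[0] - start <= window]
            score = sum(w for _, w, _ in cluster)
            if score > best_score:
                best_score, best_cluster = score, cluster
        if best_score >= threshold:
            alerts.append({"ip": ip, "score": best_score,
                           "evidence": [d for _, _, d in best_cluster]})
    return alerts


if __name__ == "__main__":
    auth = parse_auth(AUTH_LOG)
    print("single-source (noisy):", single_source_alerts(auth))
    for a in correlate(auth, CLOUD_AUDIT, NETFLOW):
        print(f"multi-source alert for {a['ip']} (score {a['score']}):")
        for line in a["evidence"]:
            print("   ", line)
    # Attacker evades sshd logging: the auth source is gone, but the other two still carry the alert.
    print("with auth log evaded:",
          [(a["ip"], a["score"]) for a in correlate([], CLOUD_AUDIT, NETFLOW)])
```

Run as-is, the single-source rule flags both alice's ordinary roaming login and the real intrusion, with nothing to tell them apart. The correlated rule only raises an alert for the source IP where a password login, a credential creation, a firewall change and a large outbound transfer all land inside one window, and it hands the analyst that evidence list as the audit trail. The last line shows the "single point of failure" point from the excerpt: with the sshd source removed entirely, the cloud-audit and netflow evidence still clear the threshold on their own.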


There is so much more in this white paper above and beyond what we have captured here. Read it, enjoy it, and share your thoughts with us. If you need help with anything cyber security or cloud security, just call us. Nothing excites us like helping organisations strengthen their security posture and build better security practices.


Here is a quick list of some of the awesome security services SquareShift provides:

  • Security posture assessment for cloud workloads.

  • Security strategy to meet compliance and regulatory requirements and cyber security frameworks (MAS TRM, ISO 27001, SOC 2, PCI DSS, GDPR, NIST CSF and the like).

  • Security event monitoring (SIEM) and security operations centre (SOC) services.

  • DevSecOps to strengthen software supply chain security.

Talk to us at aananth@squareshift.co, Elango@squareshift.co (Asia & Singapore), venky@squareshift.co (North America). You can always visit our website - www.squareshift.co to know more about us.