Forensic analysis using CloudTrail logs

Protecting your cloud infrastructure against every attack is practically impossible. In the event of an attack on your cloud environment, you need to immediately swing into action to spot the clues left behind by the attacker. After that, you need to perform forensic analysis to string the clues together and find the cause of the attack.

In a cloud environment, logs will give you all the clues you need. For example, CloudTrail records every event occurring in your Amazon Web Services (AWS) platform. But when it comes to log analysis, you can't do it alone—to extract the maximum amount of information from CloudTrail logs, you need a cloud log management tool.

Cloud Security Plus for AWS log management

Our very own cloud management tool, Cloud Security Plus, helps you keep a tight leash on your entire cloud environment. After it retrieves your AWS CloudTrail logs and S3 server access logs, Cloud Security Plus analyzes them to give you critical insight into your AWS environment.

Cloud Security Plus also saves you from the cumbersome configuration process required for any log management tool to start retrieving CloudTrail logs. It has an auto-configuration feature that performs all the AWS configuration steps for you.

Cloud Security Plus' role in forensic analysis

Manually performing forensic analysis is back-breaking. However, with flexible log storage and an efficient search mechanism, Cloud Security Plus changes the game.

• Store collected logs for as long as you need. Archived logs are a great reference for identifying threats.
• Drill down through log data to retrieve the info you're looking for using Cloud Security Plus' lightning fast search. (Thanks Elasticsearch!)
• Identify who led the attack, and see all activities that user has performed in AWS.

To understand how important CloudTrail logs can be, let's look at an example: A multinational cloud computing company hosts its critical applications in AWS. The root user credentials, which they failed to delete after initial configurations, somehow fell into the hands of a rogue employee. This employee decided to wreak havoc by terminating all the servers the company's applications run on.

In this case, Cloud Security Plus' reports could help this company find the cause of the attack. The Recent EC2 Instance State Changes report in particular would provide all the necessary details regarding the termination of the EC2 instances. They could also retrieve the rogue employee's username from the log corresponding to the termination activity, and use Cloud Security Plus' search tab to get a detailed list of all the activities that user performed in AWS.