The second pillar to actionable cloud security - Detection Controls

This post is the fourth in a series of eight on five pillars to actionable cloud security.  For the rest of the series, visit the Five Pillars blog page here.

This next step or pillar relies on first being able to determine who is allowed access and to what – and then detecting anomalies.  Typically, Detection Controls focus on intrusion, more commonly known as Intrusion Detection Systems (IDS).  These are automated, and are designed to monitor and analyze network traffic, and to generate an alert in response to activity that either matches known malicious patterns or is anomalous.  Some IDS controls go further:  they will trigger automated processes that can include recording suspicious activity or scanning the computers involved to try to find signs of compromise. 

An IDS differs from a firewall in that a firewall looks outwardly for intrusions to stop them from happening in the first place.  IDS looks for both intrusions that have already occurred (or are actively occurring), and for attacks that originate from within the network.

Because an IDS is watching the actual network traffic flow, it not only permits a more timely response to an active compromise, it also offers the capability to identify devices that are in imminent danger of compromise.  In layman’s terms, this means identifying devices – or resources – with similar access profiles as those where the intrusion took place.   IDS controls obviously require some kind of feedback loop with a security provider, to learn the latest malicious activities and recognize them when detected. 

The Intrusion Detection System is explained in more detail here.

To develop an actionable Detection Controls pillar, customers must:

• Deploy detective controls at Layer 4 to Layer 7 and protect applications


• Understand how IDS differs from Firewall protections


• Have a thorough understanding of all monitoring and logging activities that are performed as part of in-place detection systems