CSF: Cloud Services

Today's organizations are increasingly making use of cloud-based services in their normal operations. There are cloud services for file storage and sharing, e-mail, webinars, customer relationship management (CRM), resource planning, human resources, and more. Using cloud services requires less infrastructure and maintenance and can result in cost savings to the organization. However, by using cloud services, the organization gives up visibility and control. What vulnerabilities do cloud-based applications have? How often are they patched? How are credentials managed? How is the organization's data encrypted and isolated from other users of the cloud service? What about availability and redundancy? 

The increased use of cloud services may lead to data security, availability, and access control issues. An organization should make an informed decision to move services to the cloud. An organization should also then be able to track and monitor the cloud services it is using. The organization should be able to discover if any unauthorized cloud service interactions are occurring and determine any potential vulnerabilities associated with the use of cloud services. This dashboard can help an organization understand and monitor its interactions with cloud services. 

This dashboard aligns with the NIST Cybersecurity Framework (CSF) subcategory ID.AM-4 that recommends cataloging external information systems, including those in the cloud. The CSF provides guidance based on existing standards, guidelines, and practices, which can be tailored to specific organizational needs.

This dashboard presents detections of network interactions with cloud services such as file storage and sharing services, customer relationship management (CRM) services, resource planning services, and more. These interactions are primarily detected through passive traffic analysis or via logged events; however, some cloud applications and vulnerabilities are also detected through active scans. Since some components in this dashboard are only event-based, while others include passive detections, and still others also include active detections, there may be some services that are only detected by certain components. Additional components on the dashboard present cloud service interactions by service type, track cloud service sessions, and display which subnets on the network interact most with cloud services.

This dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are: 

• Tenable.sc 5.2.0
• Nessus 8.5.0
• LCE 6.0.0
• NNM 5.9.0

Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with the Nessus Network Monitor (NNM), as well as log correlation with the Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network and the cloud services it is using.

This dashboard contains the following components: 

• Cloud Services - Services Detected: This table presents a list of passive detections of network interactions with cloud services. The list is sorted so that the cloud service most often detected is at the top. This information can be used to determine which cloud services are most used and if any unauthorized services are being used.
• Cloud Services - Service Types Detected: This matrix presents indicators that highlight the different types of cloud services detected. A service type field is included in many of the LCE plugins that detect network interactions with cloud services; a purple indicator means that services of that particular type were detected. Clicking on an indicator will bring up the analysis screen to display details on the detections. In the analysis screen, setting the tool to IP Summary will display the systems that interacted with the cloud services. Some of the cloud service types included within the component include File Sharing (such as Dropbox and iCloud), Note Sharing (such as Evernote and Todoist), Email (such as Gmail and Outlook.com), Infrastructure (such as Microsoft Azure), and many more.
• Cloud Services - Popular Services: This matrix presents indicators for 15 popular cloud services. A purple indicator means that the service was actively or passively detected; clicking on the indicator will bring up the analysis screen to display details on the detection and any associated vulnerabilities. In the analysis screen, setting the tool to IP Summary will display the systems that interacted with that cloud service. Indicators can be removed or new indicators added as desired.
• Cloud Services - SSL Sessions Over Last 7 Days: This chart presents a 7-day trend graph of SSL sessions initiated to various cloud storage services. Note that this component relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.
• Cloud Services - Subnets Interacting with Cloud Services: This chart presents the top Class C subnets that have passively detected interactions with cloud services. This information can be used to determine which subnets are interacting with cloud services the most and if any unauthorized interactions are occurring.