System activities refer to events and actions related to the underlying cloud infrastructure of CSPM tools and their components. This category captures system-level activities, including system startup and shutdown, data synchronization processes, data backups, and system health monitoring.
Note
As mentioned previously, most modern CSPM tools are offered as a SaaS version, and hence, as a customer, you are not responsible for the health of the underlying infrastructure of the CSPM tool. It is the CSPM vendor’s responsibility to maintain and secure that infrastructure, including its system activities. Based on mutual agreement or for transparency, vendors can and should share the high-level penetration testing report or System and Organization Controls 2 (SOC 2)-type report for their infrastructure. However, read on to understand the full context.
Let’s look at this in more detail:
- System startup and shutdown: Recording when cloud services, VMs, or containers start or stop running
- Resource allocation and deallocation: Logging events related to the allocation and deallocation of computing resources, such as VM instances, storage volumes, or network resources
- Network traffic and communication: Capturing network-related activities, including incoming and outgoing traffic, communication between different cloud resources, and network security events such as port scanning or suspicious network connections
- Performance monitoring: Tracking system performance metrics such as CPU utilization, memory usage, disk I/O, or network latency to identify potential bottlenecks, resource constraints, or anomalies
Security events
Security events represent activities or incidents that have potential security implications or indicate a breach or violation. The CSPM tool monitors and logs security-related events and incidents, such as policy violations, unauthorized access attempts, potential breaches, or changes to security configurations. Let’s look at some examples:
- Intrusion attempts: Logging activities such as failed login attempts, brute-force attacks, or unauthorized access attempts to systems or applications
- Malware or virus detection: Recording events related to the detection or quarantine of malware, viruses, or other malicious software within the cloud environment
- Security policy violations: Capturing events that indicate violations of security policies, such as attempts to bypass security controls, unauthorized changes to configurations, or non-compliance with regulatory requirements
- Anomalies and suspicious behavior: Logging activities that deviate from normal patterns or behavior, such as unusual login times, repeated failed authentication attempts, or abnormal resource usage
- Security IR: Documenting actions taken during IR, including alerts triggered, investigations conducted, containment measures implemented, and remediation steps performed
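One way to turn the security event categories above (intrusion attempts, policy violations such as unauthorized configuration changes, and anomalies such as off-hours logins or repeated failed authentication) into concrete detection logic is shown below. This is an added example, not code from the book or from any CSPM product; the log record format, field names, event names, thresholds and sample records are all assumptions constructed for illustration.

```python
"""Run simple detection rules over constructed CSPM-style security event records.

Added example: the record layout (timestamp, principal, event, outcome, source IP),
the event names, the thresholds and the sample data below are all constructed
assumptions, not the format of any real CSPM vendor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one whitespace-separated record per line.
SAMPLE_EVENTS = [
    "2024-03-01T02:10:05Z alice ConsoleLogin FAILURE 198.51.100.7",
    "2024-03-01T02:10:09Z alice ConsoleLogin FAILURE 198.51.100.7",
    "2024-03-01T02:10:14Z alice ConsoleLogin FAILURE 198.51.100.7",
    "2024-03-01T02:10:20Z alice ConsoleLogin FAILURE 198.51.100.7",
    "2024-03-01T02:10:26Z alice ConsoleLogin FAILURE 198.51.100.7",
    "2024-03-01T02:11:02Z alice ConsoleLogin SUCCESS 198.51.100.7",
    "2024-03-01T09:15:00Z bob ConsoleLogin SUCCESS 203.0.113.10",
    "2024-03-01T09:20:31Z bob PutBucketPolicy SUCCESS 203.0.113.10",
    "2024-03-01T14:05:00Z carol ConsoleLogin FAILURE 192.0.2.44",
]

FAILED_LOGIN_THRESHOLD = 5                 # failures per principal inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # sliding window for counting failures
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 UTC is treated as a normal login time
# Hypothetical names for events that change security-relevant configuration.
CONFIG_CHANGE_EVENTS = {"PutBucketPolicy", "UpdateSecurityGroup", "DisableLogging"}


def parse_event(line):
    """Split one record into a dict and parse its ISO-8601 UTC timestamp."""
    ts, principal, event, outcome, source_ip = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "event": event,
        "outcome": outcome,
        "source_ip": source_ip,
    }


def detect(lines):
    """Return findings as (rule, principal, detail) tuples, in time order."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    findings = []
    failures = defaultdict(list)  # principal -> timestamps of failed logins still inside the window
    flagged = set()               # principals already alerted on for the current failure streak

    for e in events:
        p = e["principal"]
        if e["event"] == "ConsoleLogin":
            if e["outcome"] == "FAILURE":
                window = failures[p]
                window.append(e["time"])
                # Drop failures that have aged out of the sliding window.
                while window and e["time"] - window[0] > FAILED_LOGIN_WINDOW:
                    window.pop(0)
                if len(window) >= FAILED_LOGIN_THRESHOLD and p not in flagged:
                    minutes = int(FAILED_LOGIN_WINDOW.total_seconds() // 60)
                    findings.append(("repeated_failed_auth", p,
                                     f"{len(window)} failed logins within {minutes} min from {e['source_ip']}"))
                    flagged.add(p)
            else:
                # A successful login outside business hours is an anomaly worth reviewing.
                if e["time"].hour not in BUSINESS_HOURS:
                    findings.append(("off_hours_login", p, e["time"].isoformat()))
                # A success that directly follows a failure streak is a stronger signal than either alone.
                if failures[p]:
                    findings.append(("success_after_failures", p,
                                     f"{len(failures[p])} failures preceded this login"))
                failures[p].clear()
                flagged.discard(p)
        elif e["event"] in CONFIG_CHANGE_EVENTS and e["outcome"] == "SUCCESS":
            # Security configuration changes are logged as policy-relevant events.
            findings.append(("security_config_change", p, e["event"]))
    return findings


if __name__ == "__main__":
    for rule, principal, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {principal:8} {detail}")
```

Each rule maps to one of the categories in the list above: the failed-login counter covers intrusion attempts and repeated failed authentication, the business-hours check covers unusual login times, and the configuration-change rule covers unauthorized changes to security configurations. In a real deployment the thresholds and the set of configuration-change events would come from the CSPM tool's policy, not from constants in the script.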