TLP:WHITE
Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA)
Page | 15 TLP:WHITE
In cloud business applications, logs should be collected from each of the key building blocks previously 453
identified: 454
• The SCA solution 455
• The endpoint solutions 456
• The SCuBA application platform (M365/GWS) 457
• The security services, such as the ICAM solution (whether on-premises or cloud-based) and the secure 458
DNS solution 459
As shown in Figure 6-6, the telemetry and logs can be aggregated via the Telemetry Hosting solution to facilitate 460
analysts’ needs and internal agency monitoring, auditing, alerting, and threat detection activities. An eVRF 461
visibility surface definition and OMB M-21-31 [4] logs should capture both key business events (e.g., 462
send/receive email, document sharing outside of tenant) as well as configuration changes (e.g., new user 463
creation, policy updates) as both can be indicative of cybersecurity events. Logs should be generated in an 464
automated fashion. They can be configured to capture numerous pieces of contextual information about cloud 465
activities, accesses, and resource states; this often includes fields or attributes such as associated user ID, 466
resource ID, Application Programming Interface (API) name, timestamp, IP addresses, etc. Specific metadata are 467
identified in more detail in the eVRF visibility surface definition. Agencies will need to manage issues associated 468
with scaling, retention, access, privacy, provenance, exportability, and timeliness—among other issues—of their 469
logs as well as ensure that the logs that must be shared with CISA in real time are properly delivered as per the 470
NCPS Cloud Interface Reference Architecture. [5], [6] 471
6.8.2 Monitoring 472
While some logs may be stored for record keeping and compliance purposes, others will be monitored, audited, 473
and analyzed as part of broader agency security posture management. Agencies should therefore incorporate 474
logs from their cloud business applications into their monitoring services to update tracking metrics, conduct 475
resource mapping, and generate security reports, which will in turn facilitate auditing, alerting, and threat 476
detection. The same applies for new security services deployed as part of SCuBA adoption. 477
6.8.3 Auditing 478
Agencies should conduct further analysis of their application logs and security reports through security auditing. 479
This can address various contextual questions for a potential event, such as which users, processes, services, or 480
applications were involved; what was done; where it took place; when it occurred and over what time period; 481
how it occurred; and the impacts. Auditing services allow agencies to better understand what is happening 482
within (and to) their cloud environments and ensure they are operating as desired. This is a more labor-intensive 483
process than automated monitoring and report generation, as it typically involves a human policy decision point 484
(as opposed to a technology policy decision point). Periodic audits can further seek to discern not only whether 485
given transactions can occur, but whether they should occur in normal operating conditions and states. The 486
additional review of organizational visibility (i.e., the awareness of business functions, priorities, risks, and 487
collaboration agreements) enhances auditor precision and can provide further insights to an agency. 488
6.8.4 Alerting 489
Agencies should create alerts for their business applications that automatically generate based on their 490
monitoring and auditing data. Alerts will enable agencies to quickly identify various issues with business 491
applications, such as misconfigurations, unauthorized access, and privilege changes, as well as other 492
anomalous activities for review and remediation. Such alerts will represent the result of defects or heuristically 493
derived detections and should be given preferential treatment in analysis tools and dashboards (with respect to 494
the raw data used to generate the alerts). Agencies should integrate these alerts into their existing Security 495
Operations Center (SOC) procedures and leverage their existing Security Information and Event Management 496
(SIEM) and Security Automation, Orchestration, and Response (SOAR) tooling to respond to security alerts. 497
6.8.5 Threat Detection 498
Agencies can leverage a variety of tools and services to detect and mitigate potentially malicious activity taking 499
place within or against their cloud environments through business applications. These can include threats such 500
as denial of service, data exfiltration, malware injection, unauthorized privilege escalation and account creation, 501
etc. Threats may be detected using automated means or manual discovery. Data visualization tools and 502