Observability and Incident Response in Managed Serverless Environments Using Ontology-Based Log Monitoring
Lavi Ben-Shimol, Edita Grolman, Aviad Elyashar, Inbar Maimon, Dudu Mimran, Oleg Brodt, Martin Strassmann, Heiko Lehmann, Yuval Elovici, Asaf Shabtai

TL;DR
This paper presents an ontology-based log monitoring framework for fully managed serverless environments, enhancing observability and incident response through a unified activity graph and specialized tools.
Contribution
It introduces a novel three-layer security scheme utilizing serverless logs and a knowledge graph to improve security monitoring and incident response in managed serverless platforms.
Findings
The incident response dashboard improved response accuracy and speed.
The risk assessment framework facilitated better prioritization of security assets.
A user study demonstrated the effectiveness of the proposed tools.
Abstract
In a fully managed serverless environment, the cloud service provider is responsible for securing the cloud infrastructure, thereby reducing the operational and maintenance efforts of application developers. However, this environment limits the use of existing cybersecurity frameworks and tools, which reduces observability and situational awareness capabilities (e.g., risk assessment, incident response). In addition, existing security frameworks for serverless applications do not generalize well to all application architectures and usually require adaptation, specialized expertise, etc. for use in fully managed serverless environments. In this paper, we introduce a three-layer security scheme for applications deployed in fully managed serverless environments. The first two layers involve a unique ontology based solely on serverless logs which is used to transform them into a unified…
Taxonomy
Topics: Software System Performance and Reliability · Service-Oriented Architecture and Web Services · Network Security and Intrusion Detection
