Security Consultant shares insight to respond to cloud incidents

A CISO’s guide: Is Your Team Log-Ready for Unforeseen Cloud Incidents?

The following article on recent cloud incidents was written by Kalles Group Security Consultant, Jayanth Kumar. This content appears in our monthly email Security Digest, which unpacks recent security incidents and details what you should know, and what you should do.

As a leader, are you confident that your teams have the necessary logs to dissect incidents in your cloud landscape?


What you should know about recent cloud incidents

In the aftermath of a breach disclosed by Microsoft in recent weeks, the cybersecurity industry has cast an uneasy spotlight on audit and event logging within Microsoft’s Azure and M365. The primary concern here is that the provision of cloud logs isn’t incorporated into standard security product pricing tiers – an outcome of several factors inflating the costs associated with delivering these logs.

Microsoft reported a hack of their cloud infrastructure that targeted government organizations like the State Department. The severity of the breach is analogous to threat actors gaining control over a passport printing machine, capable of issuing passports to a wide spectrum of users, from ordinary citizens to government officials.The threat actors named Storm-0558, known for their alignment with the interests of the Chinese state, reportedly used stolen signing keys for Microsoft’s cloud services. Microsoft identified 25 government organizations, including the State Department, as targets.

To Microsoft’s credit, they have rushed to remediate this hack by revoking signing keys and making their provisioning and use much more secure. They also have made audit logs available for free for 180 days (about 6 months). Customers were also notified that they can use Microsoft Purview Audit to access and visualize a range of logs in their environment.

It’s worth pondering Eric Goldstein’s, (CISA’s Executive Assistant Director for Cybersecurity), comment, “When organizations are asked to pay more for essential logging, it can result in inadequate visibility during cybersecurity investigations, potentially handing adversaries unsettling levels of success against American entities.”

Microsoft might have done a better job clarifying to clients the limitations of providing logs at no extra cost and being more forthright about potential blind spots if clients aren’t equipped with the necessary licenses. Currently, highlighting their Purview Audit product as an alternate solution is confusing messaging at best.

What you should consider

As leaders, understanding the detailed needs of security teams should be an ongoing process. It’s essential to move past a primary compliance-oriented approach to recognize emerging threats. In this specific example, without logs, security analysts were seriously hampered in their ability to investigate complex breaches.

Key takeaway

As CISOs and IT leaders, you should not only gauge whether your organization has the bandwidth and appetite to maintain logs for a given duration but also determine how these logs can be leveraged to bolster your security. For instance, are your network logs being employed to detect shadow IT and undesired software usage via Microsoft Defender for Cloud?


At Kalles Group, we adopt a security-centric approach mindful of business limitations when architecting our cloud hardening and security solutions for diverse businesses.

If you’re ready to enhance your cloud security, Let’s talk.