The growing importance of network data in effective cloud workload security
Article by ExtraHop regional sales manager for A/NZ Glen Maloney.
As organisations increasingly use cloud-based resources and services, the challenge of ensuring effective security becomes more complex by the day.
Cloud usage is also likely to be spread across multiple providers and supported by both Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) resources. These are being combined with localised infrastructures that are often regularly changing, adding another layer of complexity into the mix.
The workloads themselves can also be many and varied. They may range from legacy applications that have been migrated from traditional on-premises data centres, to applications that have been built specifically to run on cloud platforms, to entirely serverless applications. They may run unchanged for weeks or months, or only exist for a few minutes.
Ensuring effective cloud security
Several options can be considered when it comes to ensuring effective security for cloud-based workloads. These include agent-based third-party solutions, cloud provider monitoring and logging services, and cloud perimeter firewalls.
As is often the case, each of these technologies has its own strengths and blind spots, so organisations typically combine several of them, chosen according to their regulatory environment, desired security posture and risk appetite.
Agent-based solutions, such as cloud workload protection platforms (CWPP) and endpoint detection and response (EDR), excel at threat prevention on the hosts where they run. However, they can be problematic to deploy everywhere in a cloud environment.
Agents must be built into the DevOps workflow (or deployed ad hoc), must support every OS platform and version in use, and cannot be installed at all on managed PaaS services or serverless functions where the customer has no access to the underlying host. An agent can scan its own endpoint for malware, but it only sees that endpoint's ingress and egress traffic; it has no visibility into the activities of other workloads.
Determined attackers will often disable endpoint security agents, or simply stay dormant while one is present, to avoid discovery. The SUNBURST malware used in the SolarWinds supply-chain compromise did exactly this: it checked the host for known security tooling and, when it found any, held back from executing its payload.
Logging solutions are often available natively from cloud providers and can feed the provider's own or a third-party security information and event management (SIEM) tool. However, it takes time for a SIEM to ingest, store and process logs before it can generate an alert, and the limited context carried in many log records results in a high false-positive rate.
Experience shows that attackers frequently disable logging solutions or delete log files to thwart discovery and investigation and increase dwell time.
Cloud security posture management (CSPM) tools can discover workloads and assess their configuration for compliance purposes, but they do not observe runtime activity: they cannot detect threats or data breaches in real time, examine network traffic, or stop an attack in progress.
A shared responsibility
Organisations aware of the shared responsibility model of cloud security understand that they must fully own the security of their cloud workloads. This entails a careful evaluation of the visibility and security gaps left by their existing cloud security solutions, and ultimately deciding which other security technologies to deploy to fill those gaps.
During the past few years, network detection and response (NDR) has seen widespread deployment in traditional on-premises data centre environments, primarily to inspect east-west traffic flowing between workloads for threats and anomalies. Now the benefits of NDR are also increasingly understood by organisations running workloads in hybrid and cloud environments.
A significant benefit is that NDR requires no agents that can add friction to DevOps workflows, and it uses context-rich network data to produce real-time, actionable alerts. Because it works from the traffic itself, NDR sees every workload, device and service that communicates on a monitored network segment, including managed and serverless components that cannot host an agent. In the cloud that traffic typically reaches the sensor through the provider's traffic-mirroring feature, so coverage is only as complete as the mirroring configuration.
Since it operates out of band on a copy of the traffic, an NDR sensor cannot be seen or disabled by an attacker who has compromised a workload, in the way an agent on that workload can. This gives SecOps and SOC teams a vantage point from which to discover and respond to attacks and data breach attempts as they happen. Two practical caveats apply: the mirroring configuration itself lives in the cloud control plane and must be protected like any other security control, and encrypted traffic the sensor cannot decrypt yields flow metadata rather than payload content.
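To make the east-west inspection described above concrete, here is a small baseline-and-deviation detector over flow records. It is an added illustration written for this article, not ExtraHop code or a description of any product's detection logic; a production NDR sensor decodes full protocol payloads, whereas this example uses only flow metadata (source, destination, port, bytes), the kind of fields a VPC flow log or a sensor's flow export would carry. All flow records are constructed, the host names stand in for IP addresses, and the thresholds are arbitrary assumptions.

```python
"""Baseline-and-deviation detection over east-west flow records.

Added example, not ExtraHop code. Flow records below are constructed;
the field set resembles a VPC flow log or a sensor's flow export, and
the thresholds are assumptions chosen for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389, 445, 5985}  # SSH, RDP, SMB, WinRM


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str         # source workload (a name stands in for an IP)
    dst: str
    dport: int
    bytes_out: int   # bytes sent src -> dst


# Constructed "known-good" history: web tier -> app tier -> data tier,
# plus a bastion that administers hosts over SSH.
BASELINE = [
    Flow(1000, "web-1", "app-1", 8080, 20_000),
    Flow(1060, "web-1", "app-1", 8080, 22_000),
    Flow(1120, "web-2", "app-1", 8080, 19_000),
    Flow(1180, "app-1", "db-1", 5432, 50_000),
    Flow(1240, "app-1", "cache-1", 6379, 4_000),
    Flow(1300, "bastion", "web-1", 22, 3_000),
    Flow(1360, "bastion", "app-1", 22, 3_500),
]

# Constructed observation window: web-1 has been compromised and is
# probing the rest of the VPC; app-1 is pushing an unusual volume to db-1.
WINDOW = [
    Flow(2000, "web-1", "app-1", 8080, 21_000),     # normal
    Flow(2010, "web-1", "db-1", 5432, 800),         # new peer
    Flow(2020, "web-1", "cache-1", 6379, 600),      # new peer
    Flow(2030, "web-1", "app-2", 22, 1_200),        # new peer, admin port
    Flow(2040, "web-1", "db-1", 22, 1_100),         # new peer, admin port
    Flow(2050, "app-1", "db-1", 5432, 900_000),     # 18x the baseline max
    Flow(2060, "bastion", "web-1", 22, 2_900),      # normal
]


def build_baseline(flows):
    """Summarise history as the peers each source talks to and the largest
    single-flow byte count seen per (src, dst, dport)."""
    peers = defaultdict(set)
    max_bytes = defaultdict(int)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        key = (f.src, f.dst, f.dport)
        max_bytes[key] = max(max_bytes[key], f.bytes_out)
    return peers, max_bytes


def detect(flows, baseline, new_peer_threshold=3, volume_ratio=5.0):
    """Return a list of alert dicts for flows that deviate from baseline.

    Rules (thresholds are assumptions for the example):
      new_admin_access : a source reaches an admin port on a host it never
                         administered during the baseline period.
      lateral_movement : a source contacts >= new_peer_threshold previously
                         unseen (dst, dport) pairs within the window.
      volume_spike     : a single flow carries > volume_ratio x the largest
                         byte count seen for that (src, dst, dport) pair.
    """
    peers, max_bytes = baseline
    alerts = []
    new_peers = defaultdict(set)
    for f in flows:
        pair = (f.dst, f.dport)
        if pair not in peers[f.src]:
            new_peers[f.src].add(pair)
            if f.dport in ADMIN_PORTS:
                alerts.append({"rule": "new_admin_access", "src": f.src,
                               "dst": f.dst, "dport": f.dport, "ts": f.ts})
        else:
            seen = max_bytes[(f.src, f.dst, f.dport)]
            if f.bytes_out > volume_ratio * seen:
                alerts.append({"rule": "volume_spike", "src": f.src,
                               "dst": f.dst, "dport": f.dport,
                               "bytes": f.bytes_out, "baseline_max": seen})
    for src, pairs in new_peers.items():
        if len(pairs) >= new_peer_threshold:
            alerts.append({"rule": "lateral_movement", "src": src,
                           "new_peers": sorted(pairs)})
    return alerts


def run():
    """Evaluate the constructed window against the constructed baseline."""
    return detect(WINDOW, build_baseline(BASELINE))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run against the constructed window, the detector raises four alerts: two `new_admin_access` alerts for web-1 reaching SSH on hosts it never administered, one `lateral_movement` alert because web-1 contacted four previously unseen peers, and one `volume_spike` for app-1 sending eighteen times its largest observed transfer to db-1. Note that none of this requires anything on the workloads themselves, which is the point the article makes about agentless visibility; equally, a sensor fed only the first three tiers' subnets would never see app-2 at all, which is why the mirroring scope matters.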
As the usage of cloud-based resources continues to grow, it’s clear that NDR can fill gaps that other workload security technologies leave behind. CISOs should take the time to consider the value it could deliver to their organisation.