
The growing importance of network data in the effective security of cloud workloads

Article by Glen Maloney, Regional Sales Manager for A/NZ at ExtraHop.

As organizations increasingly use cloud-based resources and services, the challenge of ensuring effective security becomes more and more complex.

Cloud usage is also likely to be spread across multiple vendors and to combine Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) resources. These sit alongside on-premises infrastructure that often changes, adding another layer of complexity to the mix.

The workloads themselves can also be many and varied. They range from legacy applications migrated from traditional on-premises data centers, to applications designed specifically for cloud platforms, to fully serverless functions. They can run unchanged for weeks or months, or exist for only a few minutes.

Providing effective cloud security

Several options can be considered to ensure effective security of cloud-based workloads. These include third-party agent-based solutions, monitoring and logging services from cloud providers, and cloud perimeter firewalls.

As is often the case, each of these technologies has advantages and disadvantages, so companies often deploy a mix of cloud workload security solutions depending on their regulatory environment, their target security posture, and their risk appetite.

Agent-based solutions, such as Cloud Workload Protection Platforms (CWPP) and Endpoint Detection and Response (EDR), excel at threat prevention. However, deploying them everywhere in a cloud environment can be problematic.

This is because they must be integrated into the DevOps workflow (or deployed ad hoc) and must support multiple platforms and operating system versions. Agents can scan their host for malware, but they see only that host's own inbound and outbound network traffic; they have no visibility into the activity of other workloads, including any on which no agent could be installed.

Determined attackers will often disable endpoint security agents, or simply stay dormant when they detect one in order to avoid discovery, as the SUNBURST malware did in the global SolarWinds supply-chain attack.

Logging solutions are often available natively from cloud providers and can feed either the provider's own or third-party security information and event management (SIEM) tools. However, shipping, storing and processing logs in a SIEM can take valuable time before an alert is generated, and the lack of context in the logs can produce a high false-positive rate.

Experience shows that attackers frequently disable logging or delete log files to thwart discovery and investigation, and to lengthen the time before they are detected.

Cloud Security Posture Management (CSPM) tools can discover workloads and assess their security configuration for compliance, but they cannot detect threats or data breaches in real time, examine network traffic, or stop ongoing attacks.

A shared responsibility

Organizations that understand the shared responsibility model of cloud security know that they must take full ownership of the security of their cloud workloads. This involves carefully assessing the visibility and security gaps left by their existing cloud security tools, and then choosing which additional technologies to deploy to close those gaps.

Over the past few years, Network Detection and Response (NDR) has been widely deployed in traditional on-premises data center environments, primarily to inspect east-west traffic flowing between workloads in order to detect threats and anomalies. Now the benefits of NDR are increasingly understood by organizations running workloads in hybrid and cloud environments as well.

A significant advantage is that NDR requires no agents that could add friction to DevOps workflows, and it uses context-rich network data to produce actionable alerts in real time. NDR also provides visibility into all network traffic flowing between workloads, devices and services in the environment, at all times. In the cloud that coverage depends on the traffic actually being mirrored or exported to the sensor, so mirroring has to be configured for every VPC or network segment in scope.

Because it operates "out of band", NDR cannot be seen or disabled by an attacker from a compromised workload; doing so would require access to the cloud control plane where traffic mirroring is configured. It therefore provides an always-on vantage point from which SecOps and SOC teams can detect and respond to attacks and data breach attempts in real time.
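The following is an added example, not ExtraHop code and not a description of any product's detection logic. It illustrates the point made above and in the discussion of agents: a detection that runs on network-side data keeps working even when the agent on the compromised host has been disabled or was never installed. The input is constructed flow records in the AWS VPC flow log default format (assumption: the documented 14-field order version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). A real NDR sensor works from mirrored packets rather than flow summaries, but flow records are enough to show east-west lateral-movement fan-out: one internal host reaching many other internal hosts on administrative ports within a short window. The address ranges, ports, threshold and window are illustrative choices.

```python
"""Toy east-west lateral-movement detector over network flow records.

Added example, not ExtraHop code. Field order follows the AWS VPC flow log
default format (assumption). Sample records below are constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records (not real traffic). 10.0.1.10 sweeps SSH across
# seven hosts in 10.0.2.0/24 within two minutes; 10.0.0.5 is a jump host with
# two legitimate SSH sessions; 10.0.1.11 is ordinary web and file-share use.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.21 40001 22 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.22 40002 22 6 1 60 1700000040 1700000100 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.23 40003 22 6 1 60 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.24 40004 22 6 1 60 1700000080 1700000140 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.25 40005 22 6 1 60 1700000100 1700000160 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.26 40006 22 6 30 4400 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40007 443 6 12 3480 1700000130 1700000190 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.0.5 10.0.2.20 50100 22 6 80 9200 1700000000 1700000300 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.0.5 10.0.2.21 50101 22 6 75 8800 1700000050 1700000350 ACCEPT OK
2 123456789012 eni-0c5d4e3f 10.0.1.11 10.0.2.20 51344 443 6 12 3480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c5d4e3f 10.0.1.11 10.0.2.20 51345 443 6 14 3900 1700000070 1700000130 ACCEPT OK
2 123456789012 eni-0c5d4e3f 10.0.1.11 52.1.2.3 51346 443 6 20 6100 1700000090 1700000150 ACCEPT OK
2 123456789012 eni-0c5d4e3f 10.0.1.11 10.0.2.30 51347 445 6 9 1500 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0c5d4e3f - - - - - - - 1700000000 1700000060 - NODATA
"""

# Illustrative tuning; adjust to the environment.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}   # SSH, SMB, RDP, WinRM
FAN_OUT_THRESHOLD = 5                         # distinct internal targets
WINDOW_SECONDS = 300


def parse_flow(line):
    """Parse one default-format flow log line; None for malformed or NODATA records."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK" or f[12] not in ("ACCEPT", "REJECT"):
        return None
    try:
        return {"src": f[3], "dst": f[4], "dport": int(f[6]),
                "proto": int(f[7]), "start": int(f[10]), "action": f[12]}
    except ValueError:
        return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def detect_lateral_fanout(lines, threshold=FAN_OUT_THRESHOLD, window=WINDOW_SECONDS):
    """One alert per source that reaches >= threshold distinct internal hosts
    on admin ports within any window-second span (sliding window per source)."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        if not (is_internal(rec["src"]) and is_internal(rec["dst"])):
            continue   # north-south traffic; this detector is east-west only
        if rec["proto"] != 6 or rec["dport"] not in LATERAL_PORTS:
            continue
        per_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["start"])
        best, left, in_window = None, 0, defaultdict(int)
        for right, rec in enumerate(recs):
            in_window[rec["dst"]] += 1
            while rec["start"] - recs[left]["start"] > window:   # drop flows that fell out of the window
                old = recs[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if distinct >= threshold and (best is None or distinct > best["distinct_targets"]):
                span = recs[left:right + 1]
                best = {"src": src, "distinct_targets": distinct,
                        "rejected": sum(r["action"] == "REJECT" for r in span),
                        "accepted": sum(r["action"] == "ACCEPT" for r in span),
                        "first_seen": span[0]["start"], "last_seen": span[-1]["start"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_fanout(SAMPLE_FLOW_LOGS.splitlines()):
        print(f"lateral fan-out from {a['src']}: {a['distinct_targets']} hosts on admin ports, "
              f"{a['rejected']} rejected / {a['accepted']} accepted, "
              f"{a['last_seen'] - a['first_seen']}s span")
```

The REJECT-heavy span with a single late ACCEPT is the shape a credential spray or SSH sweep leaves in flow data, and nothing in this detection relies on the source host reporting anything about itself. The jump host making two sessions stays under the threshold, and the egress flow to a public address is ignored because the detector is scoped to east-west traffic.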

As the use of cloud resources continues to grow, it is clear that NDR can fill gaps that other workload security technologies leave behind. CISOs should take the time to consider the value it could bring to their organization.
