Adapting security response for cloud workloads

As originally posted on Security Boulevard on January 7, 2019

Not long ago, enterprise security could be organized neatly around the critical assets needing to be guarded. However, this “moat and fortress” model for cyberdefense is being demolished as the world turns to the cloud. This vanishing perimeter poses a profound problem for CISOs already grappling with other secular trends including mobile computing, shared security paradigms and fast-moving threat actors.

Take, for example, security information and event management (SIEM) system in the cloud. The underlying principle of a SIEM is that relevant data about an enterprise’s security is produced from multiple sources and must be correlated. By collecting and collating all data in a single location, it becomes easier to spot patterns, run searches and hunt for threats. This approach historically worked well in traditional fix-capacity environments. However, as threat actors evolve and IT environments continue to move to pure or hybrid cloud deployments, extracting meaningful and actionable information from SIEMs has proven difficult, requiring continuous creation of manual rules and policy updates to detect evasive threats. Securing and monitoring infrastructures have become more complicated and riskier as security architects struggle to map existing security solutions and techniques to the cloud. According to Verizon’s latest Data Breach Investigations Report, more than two-thirds of breaches worldwide went undetected for several months. Another study from NSS Labs shows SIEMs being deployed in more than 87 percent of enterprises.

Image courtesy of Verizon DBIR 2018

Correlating these two data points, traditional SIEMs are woefully behind the eight ball and seldom deliver on their promise. A new approach is needed so that detection and response can be delivered with agility and scale to tackle this problem head-on.

Getting Your Cloud Architecture ‘Monitoring-ready’

Watching and analyzing activity can be way more challenging in cloud native applications, since servers may be created and destroyed in days, hours or even minutes (in the case of containers). Time is at a premium for getting the activity trace off the “box” onto the aggregation platform. The best way to assure compliance, security and agile response is to co-locate the SIEM besides the rest of the infrastructure in the cloud so that logging can be centralized. Next, the security telemetry from underlying operating systems, network devices, users and applications need to be ingested at the aggregation layer. This sensor telemetry is augmented by external threat intelligence sources that provides a near-real time view of the existing threat climate and any emerging threats. The SIEM platform can then funnel this streaming dataset to a data lake where machine learning techniques are used to detect anomalies, corroborate potential threats and surfacing security incidents.

Delivering Security Response from the Cloud: 3 Essentials

Whether you are running a public, private or hybrid cloud, it is important to optimize the vast array of tools at your disposal so that your monitoring strategy can be effective, comprehensive and most importantly scale with your business. Here are three essentials that can help you be successful:

1. Eliminate blind spots: As traditional monolithic applications move to the cloud, they are often broken down into microservices that may exist in several containers that exchange information on the wire. This so called ‘east-west traffic’ flow exists within the data center and is invisible to any perimeter security infrastructure, such as a firewall or a web gateway, presenting a security blind spot. Public providers have tools and services designed to provide visibility into this traffic besides providing a mechanism to guard against service misconfiguration. For example, AWS offers Guard Duty, VPC Logs, Trusted Advisor, Inspector, etc., while Azure has Security Center, Monitor, App Insights, etc. These tools offer extensive logging and reporting that can be used to identify potential abuse, compliance fails, configuration weakness and threat activity, and must be leveraged by the security analyst.

1. Guarding against alert fatigue: A single pane of glass to view all security threats sounds like a no-brainer, but it can overwhelm the analyst making them numb to spurious alerts. Thus, it is important to prioritize and filter false positives so that appropriate high-fidelity incident tickets are created for further investigation.
   

1. Automation: Allowing technology to automatically respond to incidents is fraught with danger since no two incidents are alike. Software patches, application blacklists and configurations need to be extensively tested before being rolled out. There is always the lurking risk of impacting a production environment due to a false positive; this is especially true of critical workloads running in the cloud. A security orchestration and automation response (SOAR) solution can optimize the productivity of highly skilled analysts by correlating the output of disjointed processes and technologies, such as compliance assessments and configuration management, and then orchestrating them.

Traditional monitoring architectures are built around fix-capacity environments and ill-equipped to handle the dynamic and elastic nature of cloud workloads. A new adaptive security approach is needed to support the digital transformation while retaining the ability to detect and respond to a new generation of threat actors.