There are significant benefits to using a Host-Based Intrusion Detection System (HIDS) to monitor system activities in cloud environments. Traditionally, most organizations struggled to choose between deploying a Host Based Intrusion Detection System (HIDS) and a Network Based Intrusion Detection System (NIDS). Each of these intrusion detection systems provided strengths and weaknesses. However, today’s cloud-based services are now driving the adoption of Host-Based approaches to intrusion detection.
Three key drivers of HIDS technology include:
- The adoption of Enterprise Container Platforms has changed the way software applications talk to each other. Previously you may have had one EC-2 server running an application talk to a second EC-2 server hosting a different application. This communication would have been sent over Amazon’s network infrastructure which was monitored by a NIDS.
Container Technologies such as Elastic Container Service allow developers to host both applications one and two on a single EC-2 Server.
Since network traffic is contained within the Docker’s virtual container network, traditional network traffic won’t occur, and a NIDS is unable to see traffic. Additionally, if a container application process is run as root, then a container would have the ability to see application data from the host OS (to include mounted volumes from application two). Certainly, applications viewing external datasets activity is worth detecting.
- The use of public cloud has created new Privacy Concerns. Example: Organizations should protect sensitive data which was previously held within the organization from being seen by cloud hosting providers. This problem is easily solved with end to end encrypted communications solutions such as transport layer security (TLS). Unfortunately, web traffic which is encrypted past a Load Balancer limits the value of a network monitoring and protection tools such as a WAF or NIDS. Compare these technology failures to a HIDS solution which has the ability to inspect traffic after HTTPS has been terminated. This end to end encrypted traffic use case is also commonly found in today’s ransomware. Detecting ransomware and inspecting unencrypted traffic is something organizations will be responsible for detecting for quite some time.
- The cloud has also created an environment of Ephemeral Web Servers with constantly changing IP addresses. Thus, the value of monitoring microservices based off of IP addresses is quickly becoming an antipattern. The new practice is to monitor application service proxies which are available via the host device.
Now that we know we want a Host-Based IDS for today’s cloud architecture we should think about how best to configure and deploy it. We should follow the principles of least privilege, hardened configurations, and strong patch management.
First we should run our HIDS in user space and not kernel space. We can use tools such as Security-Enhanced Linux (SELinux) in Red Hat based Linux systems or AppArmor for Ubuntu to enforce least privilege and access control. We can also use new Linux kernel enhancements such as extended Berkley Packet Filters. Extended Berkley Packet Filters allow developers to run programs injected from user space with attachments to hooks in the kernel. Staying safe in user space has been a proven approach to minimize the damage our HIDS can perform if vulnerabilities are found in its software holdings at a later time. Example: In 2016, Google Project Zero found High-Severity bugs in 25 different Symantec/Norton products. These findings in a veteran software security company should send goosebumps to anyone who thinks they can build safe applications which live in kernel space.
We should also make sure our HIDS is kept up to date. Example: The OSSEC 3.1.0 HIDS agent hosted on Microsoft Windows device allowed local users to gain access to NT Authority\System via a directory traversal attack. Patching applications to the latest clean version continues to be a key requirement for all resilient software applications.
The rapid adoption of HIDS in cloud environments continues at a rapid pace, and the influence of honeypots known as active deception defenses will definitely change the future of how HIDS work and what they monitor.