Fighting known and unknown threats with CNAPP

Lacework EditorialApril 7, 20236 min read

Editor’s note: This is the second of a three-part blog series to provide a primer on CNAPP. The first blog focuses on how the CNAPP emerged on the scene and why they’re important to modern cloud security. For a full CNAPP rundown, get our eBook, CNAPP for Dummies.

For any company operating in the cloud, it’s critical to manage vulnerabilities and maintain an airtight cloud security posture. Achieving this holy grail of security has traditionally been anything but easy, and even the best security defense can’t guarantee 100% protection. But a CNAPP, or cloud-native application protection platform, can go beyond risk protection and drastically improve your ability to find and fix troublesome threats — both known and unknown.

In this second installment of our three-part series on CNAPPs, we’re sharing how new technologies like behavioral analytics and anomaly detection are changing the security landscape. And if you haven’t yet read part one, which sets the scene for everything you need to know about CNAPP, make sure to check that out.

Curious about how CNAPP can provide security for your entire cloud environment, from build time to beyond? Great — keep on reading.

Legacy protection models are passé

Legacy protection tools were not built to support applications running on complex and dynamic public cloud infrastructures. In the past, security management tools often relied on sets of rules to do their jobs. As with intrusion detection or intrusion prevention systems (IDS and IPS, respectively), incoming packets are subject to a series of rule checks to determine whether request or response traffic should be allowed access to networks and systems under their control. Configuring such platforms takes considerable time and effort — as does the need to write rules specific to an organization’s environment. 

Fortunately, a CNAPP enables organizations to easily collect, correlate, and analyze data. The best CNAPPs use this data to augment threat detection with anomaly detection capabilities. Historically, through rules-based threat detection alone, organizations relied on third-party intelligence feeds to ensure protection from bad actors. But the limitations were clear. This “protection” was limited to known-bad threats. Rules had to be fine-tuned and maintained in order to avoid alert fatigue and an onslaught of false positives.

Now, CNAPPs can feature rules-based security, augmented by anomaly detection capabilities. Not only are cloud environments benchmarked against third-party threat feeds — they’re benchmarked against themselves. The best CNAPPs constantly learn how you behave in the cloud and point out anything that looks out of place. This way, security staff can stop chasing pesky false positives and refocus their energy on responding to high-priority, high-risk events — even if the threats are unknown. Providing superior protection in a fraction of the time, a fully automated CNAPP can also help organizations save on operational costs. It’s a win-win.

Cloud security requires cloud scale

A key benefit of the cloud is the ability to scale up or scale down when needed. Cloud components are spun and spun down, sometimes within hours. And while it’s impossible for legacy tools to secure cloud workloads quickly and at scale, a proper protection platform can do just that. A CNAPP runs natively in the cloud which allows it the flexibility to scale up or down as needed, without interrupting continuous build to runtime threat detection, ongoing behavioral anomaly detection, and constant misconfiguration and compliance checks. 

It’s time to leave legacy security behind. To root out threats, organizations need a true protection platform that can continuously monitor and secure all cloud workloads — cloud hosts, containers, K8s, and PaaS environments — regardless of type, host platform, or location. It’s also imperative to be Linux-aware and support Linux-based physical and virtual servers, along with vendor-specific enterprise Linux platforms (like Red Hat or SuSE) and Windows. 

Full visibility requires context from a layered approach

Events and activities inside a cloud environment are difficult to see, and even harder to understand. In order to claim true visibility, admins and security teams must have transparent access to all logs, monitoring data, and security information, regardless of whether it comes from on-prem, a public cloud, or a private cloud platform. This context is critical for understanding how to protect your cloud from the inside out. 

So how can we gather this context? The answer is continuous cloud monitoring. In order to understand what’s going on across your environment, you need to collect data continually, not just take snapshots at various points along the way. 

The most effective monitoring uses a layered approach that consists of both an agentless and an agent-based method. With an agent-based approach, a local agent collects and sends monitoring data to a third party (typically a security management tool). Agentless offerings, meanwhile, require the application itself to do the collecting and reporting. 

A CNAPP provides full visibility by combining the two approaches together. Together, agentless and agent-based solutions provide the ability to inspect identity and access management systems and data, the usage of privilege and multi-factor authentication, and password requirements. They ensure log files are validated, encrypted, and monitored. Security staff can detect and respond to vulnerabilities and anomalies more quickly when they are able to track critical account activity, the use of management consoles, and privileges in order to monitor unauthorized API calls.

The best CNAPP solutions do all this and more. They also provide full visibility that allows for detailed data analysis of the applications, data, users, traffic, usage, and behavior involved in a complex multicloud system. Moreover, many CNAPPs employ artificial intelligence (AI) and machine learning (ML) to correlate these data points and elicit insights and observe patterns occurring from different areas of your cloud, whether benign or malignant.

Interested in hearing more about why the best CNAPPs employ a layered approach? Check out Chapter 2 of CNAPP for Dummies, which includes a handy analogy to help you explain this dynamic to your non-security friends.

Stronger protection with CNAPP

The benefits of a strong CNAPP are clear: it can help you speed up remediation, limit your organization’s risk exposure, and offload work from stressed security teams by equipping them with accurate and reliable information. In addition, by sharing information across teams within a single view, a CNAPP can reduce the mean time to respond and eliminate communication errors that often slow response.

It’s important to note that not all CNAPPs are created equally. AI and ML can vary from one vendor to another, making it essential to look for a solution that understands how to take your unique data, digest it, and provide the best risk guidance for your business. A CNAPP should be fully automated, with limited rules to write and maintain. It should use ML to learn what behaviors are normal and expected, and what kinds of behaviors could indicate potentially malicious activity. Such an approach takes the threat detection capabilities of a cloud workload protection platform (CWPP) to new heights. 

Looking for even more details on CNAPP? We’ve got just the thing for you: our new eBook, CNAPP for Dummies. With chapters on managing risks, pinpointing threats, and increasing visibility in the cloud, you’ll get all the information you need on the power of this comprehensive platform approach. 

If you missed the first blog in our three-part CNAPP series, you can find it here. And be on the lookout for our third and final blog coming soon! 

Suggested for you