Knowing your cloud is knowing what’s normal…and what’s not - Lacework

Knowing your cloud is knowing what’s normal…and what’s not

Jose Gonzalez, Competitive Intelligence (CI) Senior Analyst

August 12, 2022

More flexibility and visibility with agentless coverage for workloadsWhy is cloud security so hard?

The cloud is just as complex as it is amazing. With the constant release of new services and capabilities, the cloud is still an emerging technology. It allows builders near infinite scalability and flexibility, but is fundamentally different from the days of building your own datacenter and infrastructure. Securing the perimeter was efficient for on-premises datacenters, but in the cloud, the network perimeter is programmatically defined and much more dynamic. And that makes securing the cloud very challenging.

The major cloud providers (AWS, Microsoft Azure, Google Cloud) offer hundreds of services. But every single service has its own configuration parameters. Do you turn on encryption? For identity and access management, how will you enforce least privilege? Virtual firewalls need ingress and egress rules defined. How will you monitor the ongoing activity of all your cloud users and entities? And this doesn’t even take into account the software that is deployed and run in the cloud. How is the software composed? Are there vulnerabilities in dependencies or in the code? If you’re running containerized workloads, are your container images riddled with known CVEs?

Learning the ins and outs of a single cloud provider takes time, energy, and effort. Being able to translate that knowledge between cloud providers only further complicates things. Industry research tells us that the misconfiguration of cloud resources is the leading cause of breaches. Do you feel confident that you have visibility into every asset that has been deployed in your company’s cloud environment and exactly how they are configured and utilized on a regular basis? 

Does your cloud security solution adapt just as quickly as your cloud changes?

When thinking about cloud environments or cloud-native application workloads, every single one is unique. There is a high level of variability which only increases the levels of complexity in your cloud-native applications. You simply can’t apply a deterministic mindset or implement a rigid security solution for your cloud(s). You can’t blanket everything with a one-size-fits-all security solution that a rules-only approach offers. And you can’t solve the cloud security problem with point solutions and partial coverage.

As an example, let’s take a look at AWS. With over 200 individual services offered, the activity taking place in your cloud accounts will be infinitely different between customers or teams within an organization. All of these accounts and workloads will generate loads of data. How much data are customers actually generating in AWS? Listening to Steve Schmidt during the AWS re:Inforce conference keynote, he stated that “every single month, we track quadrillions of events. That’s a number that has 15 zeros.” Just to write that out, a quadrillion is 1,000,000,000,000,000. 

And what happens when a new AWS service or feature is released (which is quite often)? Your engineers might experiment with it without understanding the security implications, opening up entirely new attack vectors because cloud providers don’t mandate the secure use of their services. That responsibility falls on the customer.

Now imagine adding additional cloud providers, introducing new emerging technologies (IaC, Kubernetes, etc.), and you will quickly realize that security solutions need to adapt to environments where the only constant is change and the pace of change is accelerating. With this fluid nature of the cloud, human analysts could never determine every possible threat scenario that should be flagged for investigation. A different approach to cloud security is absolutely necessary. 

Your cloud security solution needs to answer the following question: “Is this normal?”

With the rise of cloud, many organizations have adopted DevOps to rapidly deploy new services and capabilities to their customers. As a result, everyone should be pretty familiar with Continuous Integration, Continuous Testing, Continuous Delivery/Deployment, and hopefully Continuous Security. But what about Continuous Context? Context is the only way to determine if what is happening should be happening.

Knowing that successful cyber attacks can take place almost immediately, an organization needs to be able to protect themselves by understanding exactly how their cloud environment is configured, what activity is taking place at the cloud control plane, and what is actually happening in their runtime environment. A daily snapshot scanning of your workloads is insufficient given the persistence and sophistication of cyber crime. Without continuous runtime monitoring of your applications and services, you can’t have the complete context necessary to contain threats when they occur. Because as we all know, it’s no longer a matter of if you will be compromised, but when you will be compromised, and how often.

If you know it’s not a matter of IF but WHEN, you really need to ask yourself, how does your cloud security vendor deliver continuous context? Leaving yourself vulnerable for even a few hours can be the difference between safety and having to deal with the growing costs of a breach, which reportedly averages $4.35 million in 2022.

And while providing fragmented security checks only focused on risk for organizations who are early in their cloud adoption journey (such as some of the Fortune 100) may be satisfactory, most innovative startups and industry disruptors were born in the cloud and can leverage DevOps principles and automation to deploy many times a day to production. In these organizations, every code push has the potential to deploy a configuration change that can be exploited or an application that contains vulnerabilities today — or in the future. Because of this speed of change, the adoption of multiple cloud providers, the usage of emerging technologies, and the amount of data that is being generated in the cloud control plane and the data plane, the only way to have true continuous context is to leverage a security platform that understands behaviors in your unique cloud environment. 

Will your security solution solve the cloud security challenge?

With the highly ephemeral nature of the cloud and the accelerating pace of innovation that the cloud enables, organizations need to ask tough questions of the security solutions they consider. 

Will the security solution require you to hire a team of analysts to write complex and rigid security rules? 

While rules are useful when looking to the past and protecting against a known threat reoccurring, there’s simply no way to write a rule to catch a novel or unknown attack. The overhead and maintenance of customizing rules makes this approach very difficult to scale and sustain.

Does your solution deliver security across the application development cycle from build time through runtime?

Security needs to be woven into every stage of the application development lifecycle to provide redundancy and a layered defense strategy. If possible, known vulnerabilities or misconfigurations should be detected in containers or IaC before they’re ever deployed into an environment. However, a securely running system today can become vulnerable overnight when a new CVE is discovered and published. So ensuring that your running workloads are actively monitored for threats is just as important as shifting security left. 

Does your security vendor help you identify and mitigate potential risks, while also monitoring for attacks/threats against risky assets?

Identifying and prioritizing risk is a big part of securing your cloud. But it is impossible to expect 100% prevention where new attack tactics are developed frequently and new vulnerabilities are regularly introduced. Attackers only need one mistake, one small misconfiguration, one new vulnerable application package deployed, or some other crack in your defenses to compromise your cloud account. This makes monitoring for active threats a critical component of your security solution if you want a comprehensive, contextualized view of your cloud.

Will your security vendor be able to understand what is normal…and what is not?

The cloud changes quickly. Context means understanding what is changing as well as how changes are related to your resources. This allows you to understand if behaviors are normal and innocuous or abnormal and potentially malicious. 

Leveraging solutions that are only focused on risk reduction or the likelihood of an attack will leave you exposed with no understanding of your runtime environment during an active breach. And without data correlation that spans across your entire security solution, investigation times will increase significantly as your teams sift through cloud-scale amounts of data. 

Ultimately, your security solution must take a data-driven approach, filtering millions or billions of security signals in order to understand what is normal for you and all your unique cloud environments and workloads, to deliver the right, fully contextualized alert, at the right time.