Visibility is Critical for Workload Threat Defense
May 8, 2019
The dynamic nature of public cloud and hybrid environments expose applications to new forms of threats and cyber-attacks. Unfortunately, legacy security solutions are unequipped to handle these new threat vectors.
Often, threats evade detection for extended periods of time. Longer threat detection cycles not only raises the organization’s risk profile, but it also impacts the bottom-line. Ponemon Institute’s 2018 “Cost of a Data Breach Study” found the total cost of a data breach exceeds $3.8 million (global average), a 6.4 percent increase from the previous year’s average.
Cloud security is about dynamic threat defense
Agile cloud environments require dynamic methods for timely threat detection.
Typically, security solutions rely on signatures and rules. While rules are readily understandable, they can detect only known attack profiles. To cater to newer attack profiles, the rules must be manually updated each time.
Moreover, as the rules are typically written for very well-defined threat scenarios, in production environments their performance is limited, and false-positive rates are high.
To secure agile runtime environments, threat detection must provide greater visibility and context, so users get fewer but more accurate alerts. Besides, malicious events are now increasingly tricky and sophisticated. Instead of relying on static rules and after-the-fact forensic data, security analysis needs to run continuously and focus on identifying behavioral abnormalities.
Malicious users often cover their tracks by impersonating as legitimate users. Irregular activity across cloud resources, such as any user extracting abnormal amounts of data or getting into the network from strange IP addresses or unusual changes in users, roles and privileges are all useful indicators to identify behavioral abnormalities.
Advanced techniques to secure the cloud
An end-to-end cloud security solution employs advanced techniques to identify vulnerabilities across the entire scope of both cloud and containerized environments. It encompasses cloud configurations, account activities, workload/runtime analysis, and automated anomaly and threat detection.
Visibility at runtime: Threats cannot be averted unless issues are identified before they spread. This calls for visibility and emphasis on events happening at runtime.
In a rapidly changing deployment environment, traditional security rules are stale as soon as they are deployed, and new attacks are missed because they require someone to write the appropriate rule. Expectations from a truly effective machine-learning-based runtime analysis are:
Eliminate missed events: Timely alerts for anomalous behaviors to identify potentially malicious events.
Minimize alert noise: False positives often lead to alert fatigue within organizations. Alerts should only flag what is new and anomalous.
Simplify security operations: Automated threat detection and visualization to simplify security analysis. Many cloud platforms have native applications to store event log data. When something goes awry forensic analysis references the stored data after-the-fact. But proactive threat defense techniques are able to apply visibility, insight, and analysis capabilities to this log data at runtime, so users get both a continuous and automated view into their environment. Runtime analysis coupled with a review of historical event data provides enterprises with intelligence about threats sourced from internal resources, or during interactions with third-party data and applications. Dead accounts, inappropriate data exfiltration, and other aspects of misuse within a cloud or container environment are some of the indicators of potentially malicious events.
Accuracy in anomaly detection: A major differentiator for security solutions is their level of accuracy in detecting anomalies. When events are analyzed against normalized behavior, only those issues that are truly problematic are surfaced. In this approach, instead of investigating every machine, user, and application individually, behavior baselining clusters these together based on historical behavior analysis, and alert when behavior is abnormal. The benefit of this approach is that instead of being alerted multiple times for activities on multiple machines that all operate according to the same behaviors, alerts are generated only for those few issues that deviate from the norm. Deep temporal baselines are useful in modern data centers where complexity and volume are high. Behavioral maps or “Polygraphs” provide a zero-touch approach that leaves no blank spaces for attackers to hide.
Power of automation: The cloud enables organizations to deploy, scale, and configure their IT infrastructure at great speed and efficiency. But runtime threat detection involves analysis of the massive volume of events at fast rates. That’s possible by automating threat detection.
Traditional security approaches are hard to automate. Runtime threat detection based on behavior baselining and machine techniques pave the way to automate the entire workflow and to provide security teams with investigative insights.
Awareness and the ability to effectively manage threats in cloud environments can seem like a massive undertaking. Careful attention to the capabilities outlined in this article coupled with right security tools to automate aspects of cloud security can empower your organization to effectively identify and address threats. Through continuous awareness, issues can be addressed upon discovery, with greater odds of thwarting attacks and strengthening the overall security of your cloud environment.