Lacework Threat Detection in Cloud Environments: A Quick Guide
August 5, 2019
There’s an enormous amount of event activity in the cloud. A busy cloud environment can generate eight to ten billion events per month, which makes threat detection a challenge. Moreover, in the cloud where ephemeral servers and containers come and go on-demand, malicious activity can escape detection unless the visibility into events and behaviors is deep and persistent enough.
That’s why a threat detection solution for your cloud environment must be equipped to:
- Establish a behavioral baseline for your cloud and data center environment
- Automatically identify deviations from the behavioral baseline and generate real-time alerts if the deviations indicate malicious activity
- Filter the chaos from millions of logged events and remove false positives
- Provide actionable threat insights and visualization.
Lacework is designed to give you all of the above. We combine unsupervised machine learning, threat intelligence, and compliance auditing to detect threats across all aspects of the run-time environment, including Linux workloads, servers, containers, account activity, and build-time workflows.
Let’s step through the various stages of threat detection with Lacework.
Establish Behavioral Baseline
A baseline of behaviors is the first step to detect behavioral abnormalities. On a regular basis, Lacework establishes a solid baseline of all activity across applications, assets, and users in the cloud environment. Baselining application activities in a large data center may take about a couple of weeks. User activity baselining takes a little longer as users are not always active.
As a host-IDS, Lacework runs in every instantiated server in the data center. The Lacework agent has a tiny local footprint and most data centers can simply add the agent to the default images of all new VMs and containers, and subsequently push it to the existing assets. Lacework deployment in large data centers is quick, scalable, and easy as no hardware or software console installation is necessary. Once connected to the service, Lacework ingests process metadata and employs advanced machine learning techniques to generate a logical baseline view of the interactions among users, workloads, and infrastructure assets across the cloud.
To send alerts, Lacework interfaces with a variety of enterprise productivity and SIEM tools such as Splunk, Slack, and ServiceNow, or simply uses e-mail.
Threat Detection: Deep run-time visibility
Lacework continuously monitors cloud traffic and events across containers and processes, file hashes, and cloud-native logs (for example, AWS CloudTrail logs). The Lacework agent runs on the endpoint and uses process-level visibility to stitch everything together. Whether the workload runs in a VM or a container, the agent can provide all the process-level information.
Behavior-based anomaly detection exposes threats through deviations from the normal behavior of various cloud entities.
New Network Connections
In a cryptojacking attack, for example, many new network connections to external servers are launched to download malicious scripts from Bitbucket, GitHub, ngrok.io, etc., or to perform coin mining, command-and-control communications, and so on. Connections and activity that fall outside normal context and existing relationships register as anomalies, and alerts are generated.
In the same cryptojacking example, when new applications are spawned that Lacework has no prior knowledge of (curl, wget, and malware binaries like kerberods), Lacework registers each one as a new anomaly.
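The baseline-and-deviation idea described above can be sketched as follows. This is an added example, not Lacework's code: the event schema, the `min_days` threshold (an edge joins the baseline only if seen on several distinct days), the host names, and the `example.net` destinations are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed schema for one process-level network event (an assumption).
Event = namedtuple("Event", "day host user process dest")

def build_baseline(events, min_days=2):
    """Learn applications and (process, destination) edges seen on >= min_days days."""
    app_days, edge_days = defaultdict(set), defaultdict(set)
    for e in events:
        app_days[e.process].add(e.day)
        edge_days[(e.process, e.dest)].add(e.day)
    apps = {a for a, days in app_days.items() if len(days) >= min_days}
    edges = {k for k, days in edge_days.items() if len(days) >= min_days}
    return apps, edges

def detect(events, baseline):
    """Return one anomaly per distinct deviation from the baseline."""
    apps, edges = baseline
    seen, anomalies = set(), []
    for e in events:
        if e.process not in apps:
            kind = "new_application"
        elif (e.process, e.dest) not in edges:
            kind = "new_connection"
        else:
            continue
        key = (kind, e.host, e.process, e.dest)
        if key not in seen:  # report each deviation once, not once per event
            seen.add(key)
            anomalies.append(dict(kind=kind, **e._asdict()))
    return anomalies

# Constructed sample data: a learning window, then live traffic.
LEARNING = [
    Event(1, "web-1", "www", "nginx", "db.internal:5432"),
    Event(2, "web-1", "www", "nginx", "db.internal:5432"),
    Event(1, "web-1", "root", "apt", "archive.ubuntu.com:443"),
    Event(3, "web-1", "root", "apt", "archive.ubuntu.com:443"),
    Event(2, "web-2", "root", "curl", "bitbucket.org:443"),  # one-off, not baselined
]
LIVE = [
    Event(15, "web-1", "www", "nginx", "db.internal:5432"),           # normal
    Event(15, "web-2", "www", "curl", "bitbucket.org:443"),           # unknown app
    Event(15, "web-2", "www", "kerberods", "pool.example.net:3333"),  # unknown app
    Event(15, "web-2", "www", "kerberods", "pool.example.net:3333"),  # duplicate
    Event(16, "web-1", "www", "nginx", "tunnel.example.net:443"),     # known app, new edge
]

if __name__ == "__main__":
    for anomaly in detect(LIVE, build_baseline(LEARNING)):
        print(anomaly)
```

Requiring several distinct days before an edge is baselined keeps a single event during the learning window from being treated as normal afterwards.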
File Integrity Monitoring (FIM)
The Lacework agent keeps track of new files and records file hashes for easy comparison as they change over time. The file hashes are regularly synced between Lacework’s agent and the cloud platform, and the checksum is compared against curated threat databases to ensure the file is not malicious. When a file is flagged as malicious, Lacework triggers a critical alert and provides you the information to trace all the assets infected by the file.
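A minimal sketch of that hash-tracking workflow, as an added example that is not Lacework's implementation: the inventory layout, host names, file paths, and the stand-in "flagged" content are constructed, and SHA-256 is an assumed choice of hash.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sync(inventory, host, files):
    """Record a host's current file hashes; return the paths that are new or changed."""
    changed = []
    for path, content in files.items():
        digest = sha256(content)
        history = inventory.setdefault((host, path), [])
        if not history or history[-1] != digest:
            history.append(digest)  # keep every version for comparison over time
            changed.append(path)
    return sorted(changed)

def infected_assets(inventory, bad_hashes):
    """Map each known-bad hash to the (host, path) pairs currently carrying it."""
    hits = {}
    for (host, path), history in inventory.items():
        if history[-1] in bad_hashes:
            hits.setdefault(history[-1], []).append((host, path))
    return {digest: sorted(locations) for digest, locations in hits.items()}

# Constructed data: FLAGGED stands in for a binary listed in a threat database.
FLAGGED = b"constructed stand-in for a flagged binary"
BAD_HASHES = {sha256(FLAGGED)}

def demo():
    inventory = {}
    sync(inventory, "web-1", {"/usr/bin/ls": b"ls v1"})
    sync(inventory, "web-2", {"/usr/bin/ls": b"ls v1"})
    # Second sync: a benign update on web-1, the flagged file on both hosts.
    changed_1 = sync(inventory, "web-1", {"/usr/bin/ls": b"ls v2", "/var/tmp/x": FLAGGED})
    changed_2 = sync(inventory, "web-2", {"/usr/bin/ls": b"ls v1", "/tmp/kd": FLAGGED})
    return changed_1, changed_2, infected_assets(inventory, BAD_HASHES)

if __name__ == "__main__":
    print(demo())
```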
Hi-fidelity Alerts Powered by Machine Learning
Lacework uses machine learning to automate the ingestion of billions of incoming events and to correlate those events with normalized behaviors, identifying suspicious events in real time. However, as shown in the figure below, the number of detected events is large and can lead to high volumes of alerts. That’s why Lacework uses a system of alert severity levels and sends notifications only for high- and critical-severity alerts.
Thus notifications are sent only for genuine threats, while details of other detected events are used for traceability and to expedite the triage process.
In addition to using anomaly detection and container-aware FIM to expose unknown threats, Lacework also uses threat intelligence and compliance auditing to prevent future attacks. Combining multiple techniques drastically improves the accuracy of Lacework’s threat detection.
And to expedite the manual component of threat investigation, Lacework generates a global view of processes and their connections, along with charts showing the 4W’s (Who, What, Where, When) to quickly trace back to the origin of the attack. Attackers usually delete their trail. But in this case, once the event is logged at the process level, it cannot be wiped out. This fine-grained, persistent visibility distinguishes Lacework’s threat detection.