These days, in both on-premises datacenters and cloud environments, Linux servers are at the core of enterprise computing. Most enterprises follow commonly accepted guidelines for securing virtualized Linux servers: least-privilege access control, file encryption, segmentation, process isolation, and other best practices. But in highly scaled and dynamic cloud environments, where containers and workloads are ephemeral, traditional Linux security must be reinforced with process-level visibility at runtime.
In a datacenter, even when due diligence is done to securely configure the servers and to deploy and orchestrate the virtual machines and containers, runtime is when you start to lose visibility into what is actually happening.
The Security Gap – Visibility and High-fidelity Alerts
The cloud service provider may enforce network intrusion detection at runtime. However, because the cloud environment is shared among many customers and users, the provider usually limits the depth of network traffic you are allowed to monitor. Some providers offer flow and event logs to help detect potentially malicious traffic and events, but these logs offer no packet-level visibility and no content inspection. As a result, they can also miss inter-process data transfers entirely.
Besides, reliably analyzing the sheer volume of logs from hundreds of servers across a datacenter is a formidable challenge. One study found that a mid-sized firm with 400 users logged seven billion events in a seven-hour window. Sifting through volumes like this with rules and signatures of known threats is not only overwhelming; it also produces a stream of false alerts that eventually undermines threat vigilance.
In such runtime environments, careful attackers can lurk inside clouds and datacenters for months or even years while evading detection.
Linux Security in a Containerized Environment
The cloud environment is increasingly containerized, which makes it fairly easy to deploy complex applications or microservices that are inherently secure. Orchestration platforms like Docker/Kubernetes schedule and execute containers on the servers assigned to them. Kubernetes, however, does not offer native controls to secure those servers, nor does it offer traffic visibility between container clusters.
A network intrusion detection system can monitor ingress and egress traffic to and from an EC2 instance, but activity between multiple containers exchanging data inside that one EC2 instance escapes such monitoring. Monitoring is further complicated in a virtualized environment with ephemeral processes: container and virtual machine instances are spun up on demand, and some microservices, data caches, or temporarily assigned IP addresses may be active for only a few minutes before being deleted. Any activity not logged during that brief service window is unavailable for analysis and forensics later.
These logging and visibility limitations expose servers to various kinds of attacks. For example, when a cron command (cron is a utility that runs jobs on a pre-established schedule) is configured to launch a job using an S3 bucket, it executes without any error as long as it finds an appropriately named S3 bucket, even if that bucket is controlled by a malicious user. Without adequate visibility into what is actually happening to that data, the problem cannot be detected.
Deep runtime visibility is fundamental to detecting surreptitious activity, e.g. whether an unauthorized user has obtained your credentials and launched a privilege escalation attack, or whether an exploit is underway against a process that was previously considered secure.
Defense-in-depth to Secure Linux in the Cloud
To address these gaps you need a solution that delivers in-depth defenses at every layer of the runtime environment, namely applications, containers, workloads, and the host. In a containerized environment, real-time visibility with process-level granularity gives security personnel continuous awareness, reducing the attack surface and detecting threats so that attackers have no space to hide.
Automated Host-based Intrusion Detection
An effective host-based IDS monitors and logs all inter-process activity, including activity within the same file and process hierarchy, communication between processes, machines, and clusters, changes in user privileges, internal and external data transfers, and so forth.
Machine learning-based behavioral baselining and automated threat defense scale to cloud and datacenter environments with thousands of Linux servers.
An effective solution analyzes activity at every layer and across clusters against a baseline of normalized behavior. This provides a continuous real-time view, even of short-lived services that exist for only a few minutes.
Low Noise Alerts
Hundreds of alerts and false positives cause alert fatigue and undermine threat vigilance within an organization. The ability to alert only on genuinely suspicious activity is a key security competence in cloud environments.
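To make the behavioral-baselining and low-noise-alerting ideas from the two preceding sections concrete, here is an added illustration (not code from the original article or from any product it describes) of how a host agent's process-start events can be baselined and then screened. The event format, field names and all log lines are constructed assumptions: the agent learns which parent->child process pairs and privilege transitions are normal per container image, then suppresses established behaviour and alerts only on unseen pairs, effective-uid changes, or rare behaviour, keeping even processes that lived for milliseconds.

```python
import json
from collections import Counter
# Constructed sample process events (JSON lines), not from any real system:
# one line per process start as a host agent might record it.
BASELINE_LOG = """
{"image":"web:1.4","parent":"nginx","comm":"php-fpm","uid":33,"euid":33,"lifetime_ms":900000}
{"image":"web:1.4","parent":"nginx","comm":"php-fpm","uid":33,"euid":33,"lifetime_ms":850000}
{"image":"web:1.4","parent":"cron","comm":"logrotate","uid":0,"euid":0,"lifetime_ms":120}
{"image":"web:1.4","parent":"cron","comm":"logrotate","uid":0,"euid":0,"lifetime_ms":140}
{"image":"cache:2","parent":"redis-server","comm":"redis-check","uid":999,"euid":999,"lifetime_ms":300}
{"image":"cache:2","parent":"redis-server","comm":"redis-check","uid":999,"euid":999,"lifetime_ms":310}
"""
RUNTIME_LOG = """
{"image":"web:1.4","parent":"nginx","comm":"php-fpm","uid":33,"euid":33,"lifetime_ms":910000}
{"image":"web:1.4","parent":"php-fpm","comm":"sh","uid":33,"euid":33,"lifetime_ms":80}
{"image":"web:1.4","parent":"cron","comm":"logrotate","uid":0,"euid":0,"lifetime_ms":130}
{"image":"web:1.4","parent":"sh","comm":"sudo","uid":33,"euid":0,"lifetime_ms":50}
{"image":"cache:2","parent":"redis-server","comm":"redis-check","uid":999,"euid":999,"lifetime_ms":305}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_key(ev):
    # One behaviour = which parent spawned which child in which image, and
    # whether the child ran with a different effective uid than it started with.
    return (ev["image"], ev["parent"], ev["comm"], ev["uid"] != ev["euid"])

def learn_baseline(events):
    # Count how often each behaviour was observed during the learning window.
    return Counter(event_key(ev) for ev in events)

def detect(events, baseline, min_seen=2):
    alerts = []
    for ev in events:
        image, parent, comm, priv_change = event_key(ev)
        if baseline[(image, parent, comm, priv_change)] >= min_seen:
            continue  # established behaviour: suppressed to keep alert volume low
        reasons = []
        if not any(k[:3] == (image, parent, comm) for k in baseline):
            reasons.append("parent->child pair never seen in baseline")
        if priv_change:
            reasons.append(f"effective uid changed {ev['uid']}->{ev['euid']}")
        if not reasons:
            reasons.append("behaviour seen fewer than %d times" % min_seen)
        # Short-lived processes are reported too: a flow log would never capture them.
        alerts.append({"image": image, "parent": parent, "comm": comm,
                       "lifetime_ms": ev["lifetime_ms"], "reasons": reasons})
    return alerts

def run_demo():
    return detect(parse_events(RUNTIME_LOG), learn_baseline(parse_events(BASELINE_LOG)))
```

On the constructed data only two of the five runtime events surface: the web container spawning a shell, and a shell running sudo with an effective-uid change, while the three routine events are suppressed.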