Hyperfocused Security for the Cloud

The cloud is the future and the future has arrived. Gartner predicts the worldwide public cloud service market will grow from $182.4 billion in 2018 to $331.2 billion in 2022, representing an annual growth rate of 12.6%. Gartner also expects that by the end of 2019, more than 30% of technology providers’ new software investments will shift from cloud-first to cloud-only.

Cloud environments significantly increase an organization’s security exposure footprint. An ideal system should ensure that applications work securely across multiple cloud service provider (CSP) environments as well as on-premises systems.

Cloud Native Now

However, CSPs such as Amazon Web Services (AWS) and Microsoft Azure have made it clear that their responsibility for security and compliance goes only so far. Their customers are left having to close the data security gap themselves.

Off the Cloud vs. In the Cloud

AWS and Microsoft Azure have articulated a shared responsibility model for security and compliance, which has been adopted by other cloud providers as well. In effect, the CSP is responsible for the security of the cloud, and the customer is responsible for security in the cloud.

Under this model,  the CSP operates, manages and controls the components from the host operating system, the virtualization layer and the physical security of its facilities in which the service operates. The customer assumes responsibility and management of the guest operating system, other associated application software and the configuration of the AWS security group firewall.

Proactive, Not Just Defensive

Under the shared responsibility model, organizations need to take a proactive approach to their security posture. No defense is 100% effective, and despite all manner of security safeguards provided by CSPs, workloads and other customer assets in the cloud can be compromised. A truly proactive organization already assumes that it has been hacked, that malware and advanced persistent threats (APTs) have breached its defenses, and that its systems cannot be trusted until proven otherwise.

As such, organizations need a security solution that not only hunts attackers that have breached their defenses but also enables users to respond to threats and certify that systems are completely “clean.”

Traditional Security Options

Organizations currently have several options for securing their on-premises and data center assets, but those tools are not optimal when it comes to securing their cloud infrastructure.

Traditional agent-based security tools and endpoint-focused protection platforms are not designed with the cloud in mind and are not suitable for cloud security. The ephemeral nature of cloud assets and the complexity of most cloud environments limit the effectiveness of traditional security platforms. Application whitelisting can be appropriate for single-function workloads, but it doesn’t prevent in-memory attacks and exploits. Another traditional option, log analytics, still provides value for addressing cloud security but relies on massive amounts of data.

This data requirement is useless for temporary cloud assets such as serverless functions and workloads. Ingesting and understanding the log analytics data from your cloud assets may also require additional resources—time, talent and tools. In response, AWS and Azure now offer log aggregation and analytics services. However, a comprehensive cloud security solution would integrate with and extend the AWS and Azure log aggregation and analytics services, not replace them.

The Need for Advanced Analysis

The most effective method for organizations adopting the shared responsibility model for cloud security is a hunting, detection and incident response (IR) solution with advanced analysis capabilities.

Security teams should assume the systems in their environment are already compromised and seek to validate that they are clean. An automated forensics-based approach is more efficient than any log-based approach because it enables scalable host inspection to find malware, backdoors, scripts, rogue accounts and other threats and vulnerabilities present within an organization’s systems. This type of analysis can focus search parameters within an organization’s store of logs and enable a much easier and more effective way to proactively detect threats.

A root cause analysis (RCA) tool can help IR teams trace the source of suspicious activity or identified threats across their environment. It can correlate and combine the historical activity of identified threats and malicious leads quickly in the form of an activity timeline.

Strengthening IR readiness is a proven way to reduce an organization’s cyber-risk. A hunting/detection platform needs to include IR capabilities, so the IR team can either investigate, contain and eliminate the threats and vulnerabilities it finds or be able to alert a support/security team to handle IR.

Compromise assessments (CAs) need to quickly verify whether a network has been breached and quickly identify the presence of known or zero-day malware and persistent threats that have evaded existing cybersecurity defenses.

Don’t Accept an Agent-Only Answer for Your Cloud

Traditional agent-based cybersecurity tools, which require permanent software on each endpoint, are not efficient in cloud environments where “endpoints” don’t exist. In the cloud, you have single-purpose workloads, serverless functions and temporary containers with short lifespans that sometimes are not present long enough for agents to even register and perform their function.

An agentless, API-driven detection and response tool can be integrated into multiple points of the DevSecOps life cycle.  An example is triggering scans via API based on the appearance of new containers and serverless functions to establish a baseline and verify no rogue malicious code made their way into production.

Proactive organizations can protect their cloud environments as quickly and effectively as they do their on-premises network, servers and workstations using real-time baselining and certification to help ensure that cloud environments are free from security breaches. It helps to have full visibility into the layout of the organization’s cloud environment, including instances, workloads and containers; and continuous cloud monitoring and trigger scans based on new or modified cloud workloads.

Today’s threat landscape includes a growing range of sophisticated bad actors, and many of them are specifically targeting cloud environments. Organizations need to be hyperfocused on their cloud security posture.

Chris Gerritz

Avatar photo

Chris Gerritz

Chris is a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice.

chris-gerritz has 12 posts and counting.See all posts by chris-gerritz