Lacework unmasks hidden attackers amid data center and cloud chaos

Managing even a local data center is a tough job. Keeping a cloud secure is even more difficult. Lacework helps to filter all the chaos, removing false positives, and generating actionable threat intelligence in real-time for IT teams tasked with keeping their clouds secure.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

Data centers are at the heart of most enterprise computing environments these days, whether deployed as a local computing center, or serving hundreds of thousands of users as part of a public or private cloud. They work well in that role, especially those configured into cloud architectures, because they are extremely elastic, expanding to offer more computing power, storage, containers and even bandwidth to hosted applications and their users as needed. Unfortunately, that same flexibility makes it fairly easy for skilled attackers armed with advanced persistent threats and tools to remain hidden once they breach the perimeter.

Examining the log files generated by even a medium-sized facility is a daunting task. One that we recently studied from a local data center with about 400 clients contained over seven billion events from a six-hour period. Asking cybersecurity staff to simply monitor that level of data on their own would prove woefully inadequate, even with a huge team employed to do it. There are many tools available that can be deployed to generate alerts, but even then, the sheer volume of false positives nestled within those billions of events every hour can overload humans trying to monitor their SIEM, quickly dropping things back to an almost unprotected state. As such, careful attackers can spend months or even years roaming within clouds and data centers before being detected, and some may never be caught.

What is needed is a platform dedicated to working within cloud and data center environments, and one with a good method of filtering all the chaos, removing false positives, and generating actionable threat intelligence in real-time for IT teams tasked with keeping their clouds secure. That is the ambitious goal of the Lacework Cloud Workload Protection Platform. We put Lacework to the test in a medium-sized, cloud-based test environment.

The Lacework platform has an extremely light local footprint. It’s configured for deployment as a service with no need for a hardware or software console installation. Most data centers can provide access to the platform by simply adding the tiny Lacework agent to the default image for all new virtual machines (VMs), and then pushing the same agent out to existing assets. That way, it’s installed throughout the cloud and will be part of every new virtual machine as it is generated. Once connected to the service, Lacework provides several ways to access its data, including a web-based Lacework console that we tested for this feature, feeding directly to any connected SIEM like Splunk or others, or by sending e-mail alerts if that is how security teams prefer to work.

It’s probably worth noting that Lacework has an interesting pricing model that is extremely fair for a cloud computing tool. Instead of charging based on bandwidth or number of events, which a data center would not completely control, pricing is instead based on the number of instances of the Lacework agent that are deployed per hour. That way, data centers can include the cost of the monitoring in their own pricing to clients, controlled by the number of VMs they spin up and use, while also being infinitely scalable if needed.

Once the agents are in place, Lacework gets to work. The platform is designed to create a baseline of all activity occurring within a data center from users, assets and applications. Because most data centers are so huge, it accelerates the creation of that baseline – at least for the application part. Applications generally work the same way in all instances, so if a hundred instances of a specific app are performing a certain way, it’s a safe bet that the others, which are currently dormant, will follow those same patterns. As such, it only takes about two hours for Lacework to learn valid application behaviors within the cloud. User behavior might take longer, because unlike applications, users aren’t generally active 24 hours a day. Our test environment had Lacework running for a while, so we skipped the two-hour waiting period before getting started.

To continue reading this article register now