Using the Cloud to Protect the Cloud

The public cloud continues to be a game changer for companies of all sizes by increasing flexibility and adaptability, changing the cost model and reinventing the way that businesses are run. According to a survey by 451 Research, the majority of enterprise workloads (60%) are expected to run in the Cloud by mid-2018. Unfortunately, security has too often been a hurdle for companies looking to move compute, network and storage infrastructure to the Cloud as their legacy products don’t easily adapt to cloud architectures.

Cloud visibility (i.e., visibility into threats in the Cloud) is the number one cloud security problem. Cloud security controls have failed to keep up with the rapid rate at which enterprises have been adopting the Cloud, largely relying on logs and not network traffic to detect threats. Some of the major technical challenges with securing the Cloud include:

• Inability to tap/span/mirror network traffic from cloud environments, which is a mechanism used by many security tools for collecting and analyzing network data.
• Costs associated with having to backhaul traffic through enterprise networks and security tools (many cloud environments charge for data leaving the Cloud).
• Dynamic nature of the Cloud requires security tools to be automatically deployed as environments get spun up and torn down.
• Existing security tools are largely appliance based and can’t be easily deployed on cloud instances.
• Enterprise detection technologies aren’t focused on cloud threats and attacks.
• Cloud tools don’t integrate with existing incident response workflows.

There are many unique challenges to monitoring the Cloud: instances are constantly in flux; new workloads are continually being spun up, moved, and torn down; workloads can easily expand as demand grows, which means a lot more network activity. Any solution attempting to fill the Cloud visibility gap must accommodate the dynamism of the Cloud, analyze massive data sets, deliver extremely reliable threat detection and full packet visibility, and integrate with an organization’s incident response workflows.

The Cloud visibility gap must be addressed for organizations to fully embrace the Cloud but visibility is a tough problem that has not even been solved for enterprise networks. Legacy products are primarily appliance-based and, as a result, have been deployed at the perimeter of the network only. Visibility about threats within the organization (e.g., such as lateral movement of an attack) requires installation of multiple appliances across the network. The extra hardware costs and associated deployment and ongoing management headaches are too much for organizations to swallow. Similar issues prevent organizations from getting visibility about threats at remote offices. Also with legacy hardware, it becomes too expensive to store and analyze the massive amounts of data we now have from our networks.

As the enterprise expands beyond its traditional boundaries, organizations need solutions that can be used across multiple environments. In addition to on-premises, the modern enterprise network now encompasses public and private (or hybrid) cloud environments and, in many industries, industrial environments. Suddenly, even the limited visibility that security teams have become accustomed to with legacy products has disappeared. After all, organizations aren’t going to be allowed to install their appliance-based security controls into an IaaS providers’ (e.g., AWS) infrastructure.

Businesses are realizing the massive benefits of the Cloud but security teams are hampered by the constraints of legacy on-premises technologies when trying to secure their organizations. A natural choice for filling this security visibility gap would be to leverage the massive benefits of the Cloud to help secure the Cloud. A cloud-based security solution that’s architected for the Cloud could easily accommodate the dynamism of the Cloud and provide the unconstrained compute for the advanced analysis techniques (e.g., machine learning, correlation of multiple indicators of compromise, continuous analysis of massive amounts of data) needed to reliably detect both known and unknown multi-stage attacks that occur over time. It can leverage the Cloud’s elasticity, economies of scale, and deployment models to better serve real-world cloud deployments without having to adopt inflexible architectures that require manual configuration. A security platform born in the Cloud and designed for the Cloud could erase many of the headaches associated with legacy products that struggle to scale, are difficult to manage, and can’t be deployed in the ways that are needed to support cloud use.

Such a solution would also enable organizations to benefit from the potentially unlimited storage that’s available with the Cloud. Network traffic (e.g., full-fidelity PCAP, metadata) could be stored for as long as needed and the advanced analysis techniques could be automatically applied to this historical data to mine for previously unknown threats. This historical data is also invaluable to security analysts who often need access to forensic evidence to provide assurance that the findings of a threat hunt or incident investigation are indeed real. Packet data allows an analyst to assess the actual impact of a security incident to the organization beyond logs, which only tell them something happened but not what happened (what came in to the organization) or the impact (what left the organization)

Such a solution doesn’t have to be restricted to monitoring only the Cloud. If it is done right, it has the potential for becoming THE investigative platform for the modern enterprise that lives in the Cloud, in the enterprise and even in process and industrial control environments. After all, cybercriminals target every part of the enterprise network and security teams need a complete picture, including unlimited forensics and advanced analytics into all areas of their organization. Adding more point products that only provide value for enterprise, cloud or industrial environments increases complexity, costs analysts valuable time and provides a myopic view of only part of the organization.

Overtaxed security teams that are used to pivoting between multiple interfaces in order to reassemble an attack will appreciate the ability to use the Cloud to protect the Cloud. First, the Cloud visibility gap will be history. Second, they will have one place from which to get a holistic view into threats everywhere. And, finally, unlimited forensics will enable them to take threat hunting and incident investigation to a level that wasn’t possible before and to confidently determine the impact of attacks that may have occurred in the past.