


Lacework unmasks hidden attackers amid data center and cloud chaos

Jul 18, 2017 | 8 mins
Cloud Security, Security

Managing even a local data center is a tough job. Keeping a cloud secure is even more difficult. Lacework helps to filter all the chaos, removing false positives, and generating actionable threat intelligence in real-time for IT teams tasked with keeping their clouds secure.


Data centers are at the heart of most enterprise computing environments these days, whether deployed as a local computing center or serving hundreds of thousands of users as part of a public or private cloud. They work well in that role, especially when configured as cloud architectures, because they are extremely elastic, expanding to offer more computing power, storage, containers and even bandwidth to hosted applications and their users as needed. Unfortunately, that same flexibility makes it fairly easy for skilled, persistent attackers with good tooling to remain hidden once they breach the perimeter: new instances come and go constantly, so one more process or account rarely stands out.

Examining the log files generated by even a medium-sized facility is a daunting task. One that we recently studied from a local data center with about 400 clients contained over seven billion events from a six-hour period. Asking cybersecurity staff to simply monitor that level of data on their own would prove woefully inadequate, even with a huge team employed to do it. There are many tools available that can be deployed to generate alerts, but even then, the sheer volume of false positives nestled within those billions of events every hour can overload humans trying to monitor their SIEM, quickly dropping things back to an almost unprotected state. As such, careful attackers can spend months or even years roaming within clouds and data centers before being detected, and some may never be caught.

What is needed is a platform dedicated to working within cloud and data center environments, and one with a good method of filtering all the chaos, removing false positives, and generating actionable threat intelligence in real-time for IT teams tasked with keeping their clouds secure. That is the ambitious goal of the Lacework Cloud Workload Protection Platform. We put Lacework to the test in a medium-sized, cloud-based test environment.

The Lacework platform has an extremely light local footprint. It is delivered as a service, with no hardware or software console to install. Most data centers can onboard by adding the small Lacework agent to the default image used for new virtual machines (VMs) and then pushing the same agent out to existing assets. That way it is installed throughout the cloud and is present in every new VM as it is generated. Once connected to the service, Lacework offers several ways to consume its findings: the web-based Lacework console we used for this review, a direct feed into a SIEM such as Splunk, or e-mail alerts if that is how a security team prefers to work.

It is worth noting that Lacework has a pricing model that suits a cloud computing tool well. Instead of charging by bandwidth or event count, neither of which a data center fully controls, pricing is based on the number of Lacework agent instances deployed per hour. Data centers can therefore fold the cost of monitoring into their own pricing to clients, driven by the number of VMs those clients spin up, and the cost scales in step with the environment.

Once the agents are in place, Lacework gets to work. The platform builds a baseline of all activity occurring within the data center from users, assets and applications. Because most data centers are so large, Lacework takes a shortcut for the application part of that baseline: applications generally behave the same way in every instance, so if a hundred instances of a specific app are behaving a certain way, it is a safe bet that the remaining, currently dormant instances will follow the same patterns. As a result it takes only about two hours for Lacework to learn valid application behaviors within the cloud. User behavior can take longer, because unlike applications, users are not active 24 hours a day. One caveat applies to any learned baseline, this one included: whatever is active during the learning window, including an attacker who is already inside, is folded into "normal", so the baseline is only as clean as the environment it was learned from. Our test environment had Lacework running for a while, so we skipped the two-hour waiting period before getting started.

Figure 1: Change over time (image: Lacework/John Breeden)

Because the Lacework Cloud Workload Protection Platform learns the baseline behavior of all applications, and monitors them, it can show how their interactions change over time, and point out which changes are suspicious.

Lacework first showed us a logical view of the test data center, including what type of apps and servers were interacting with others and the outside world. Looking at the map gave the data center form, which could be a big plus for organizations that have never tracked, or adequately tracked, their assets. This is a common problem in the cloud, where VMs are spun up to support temporary projects and then never get decommissioned. Lacework can show every asset, and how those assets interact, or don’t, with the rest of the cloud.

The other nice thing about the top-level interface is that it shows graphically how assets interact with one another, and when. Lacework allowed us to plot all changes over time, including setting up specific time differences for comparison. For example, we could easily compare asset usage patterns in the morning to those at noon, and then again at the end of the day, covering all normal working hours. This Lacework feature might not strictly be in the realm of cloud security, but could easily help to manage the data center.

Lacework provides the same visualization over time for individual assets. We could drill into specific servers and applications and see which users and processes interacted with them, and when. This is incredibly helpful if you want to reduce overhead by eliminating spare and abandoned VMs or physical servers, because Lacework lets you quickly determine whether anyone or any process is still using the asset. It is equally useful when an asset must be taken offline to patch or upgrade it: the outage can be scheduled to affect the fewest users, or nobody at all if the asset sits idle at night or at particular times during the day.

But this being a review in the cloud security category, we wanted to see how Lacework could help identify attackers hiding within the stream of normal activity. That came when a process created a new user. The process in question had never created users in the learned baseline, so the event was immediately flagged as well outside the accepted norms. The process may have been injected with attacker commands or driven to do so by a script; either way, the fact that it did something it had never done before is what got it flagged, and that is the point of a behavioral baseline.

Had this been just another event inside a massive data center, it might not have been caught at all, especially because the user, named Bill, was a low-level one with no real privileges. Most likely, an attacker would have created Bill and then left it alone for a while so as not to raise the alarm, though Lacework saw the possible deception. In our test, Bill did not sit still long. Instead, Bill’s privileges were immediately raised to root. He then went on to launch new processes and begin a data exfiltration scheme. Lacework helpfully linked those events together in a chronological chain, suitable for remediation or auditing.

Figure 2: Alert for user Bill (image: Lacework/John Breeden)

Lacework identified a behavior that was highly suspicious in our cloud. Here a new user named Bill was created, and immediately elevated to root-level permissions. Then Bill proceeded to perform a series of actions which further broke the baseline behavior model.

And because Lacework profiles users as well as applications, it also works well against insider threats. A valid user launching processes they have never run before, or logging into machines they have never previously touched, is quickly flagged, since either can signify a user who has turned insider threat or a set of compromised credentials.
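To make the kind of detection described above concrete, here is a small added example, written for this edit rather than taken from Lacework, that learns a behavioral baseline from a constructed set of host events and then flags the "Bill" sequence (an application creating a user, the new account elevating to root, then new tooling and an outbound connection) as well as a known user logging into a host they never used before. Everything in it is constructed for illustration: the event schema, the host and process names, the 203.0.113.9 destination (a documentation address) and the alert rules. The baseline is keyed by process name rather than by host, which is the shortcut the review describes for new instances of an already-profiled application.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One agent-reported host event (constructed schema, not Lacework's)."""
    ts: int        # seconds into the window
    host: str      # host the agent runs on
    user: str      # account the action ran as
    proc: str      # process that performed the action
    action: str    # "exec", "connect", "login", "useradd", "setuid"
    target: str    # child process, remote endpoint, new user name, or uid


# Constructed learning-window events: what "normal" looked like.
BASELINE_EVENTS = [
    Event(1, "web-01", "www", "nginx", "exec", "php-fpm"),
    Event(2, "web-02", "www", "nginx", "exec", "php-fpm"),
    Event(3, "web-01", "www", "php-fpm", "connect", "db-01:3306"),
    Event(4, "web-02", "www", "php-fpm", "connect", "db-01:3306"),
    Event(5, "db-01", "alice", "sshd", "login", "alice"),
    Event(6, "db-01", "alice", "bash", "exec", "mysql"),
    Event(7, "web-01", "root", "cron", "exec", "logrotate"),
]

# Constructed detection-window events, including the "Bill" chain from the review.
DETECTION_EVENTS = [
    Event(100, "web-03", "www", "nginx", "exec", "php-fpm"),            # new VM, known app behaviour
    Event(101, "web-02", "www", "php-fpm", "useradd", "bill"),           # php-fpm never adds users
    Event(102, "web-02", "bill", "sudo", "setuid", "0"),                 # bill becomes root
    Event(103, "web-02", "bill", "bash", "exec", "curl"),                # tooling never seen before
    Event(104, "web-02", "bill", "curl", "connect", "203.0.113.9:443"),  # exfil to a TEST-NET-3 address
    Event(105, "web-01", "alice", "sshd", "login", "alice"),             # alice never logged into web-01
]


class Baseline:
    """Per-application and per-user profile learned from the baseline window."""

    def __init__(self):
        self.app_actions = defaultdict(set)  # proc -> {(action, target)}
        self.user_hosts = defaultdict(set)   # user -> {hosts they logged into}
        self.known_users = set()

    def learn(self, events):
        for e in events:
            # Profile is keyed by process name, not host, so a fresh instance
            # of an already-profiled application is covered immediately.
            self.app_actions[e.proc].add((e.action, e.target))
            self.known_users.add(e.user)
            if e.action == "login":
                self.user_hosts[e.user].add(e.host)

    def detect(self, events):
        """Return [(event, [reasons])] for every event outside the baseline."""
        alerts = []
        for e in events:
            reasons = []
            if e.user not in self.known_users:
                reasons.append(f"account {e.user!r} did not exist in baseline")
            elif e.action == "login" and e.host not in self.user_hosts[e.user]:
                reasons.append(f"{e.user!r} never logged into {e.host!r} before")
            if e.proc not in self.app_actions:
                reasons.append(f"process {e.proc!r} never seen in baseline")
            elif (e.action, e.target) not in self.app_actions[e.proc]:
                reasons.append(f"{e.proc!r} never did {e.action} -> {e.target!r}")
            if e.action == "setuid" and e.target == "0":
                reasons.append("privilege elevation to root")
            if reasons:
                alerts.append((e, reasons))
        return alerts


def chain_alerts(alerts):
    """Link alerts into chronological chains per principal: the event that
    creates an account and every later alert acting as that account share
    one chain, the kind of linked timeline the review describes."""
    chains = defaultdict(list)
    for e, reasons in sorted(alerts, key=lambda a: a[0].ts):
        key = e.target if e.action == "useradd" else e.user
        chains[key].append((e.ts, e.host, e.proc, e.action, e.target, reasons))
    return dict(chains)


if __name__ == "__main__":
    b = Baseline()
    b.learn(BASELINE_EVENTS)
    for principal, steps in chain_alerts(b.detect(DETECTION_EVENTS)).items():
        print(f"== chain for {principal}")
        for ts, host, proc, action, target, reasons in steps:
            print(f"  t={ts} {host} {proc} {action} {target}: {'; '.join(reasons)}")
```

Note what the keying buys: the nginx exec on the never-before-seen host web-03 produces no alert, because nginx on every other host behaves that way, while the user-to-host check only applies to interactive logins, so service accounts that run everywhere do not generate noise. The chain for "bill" starts at the useradd event even though that event ran as the www account, which is how the creation of the account and its later misuse end up in one timeline.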

Finally, Lacework is also a good threat hunting tool, usable even when everything within the network appears to be working fine. For example, if administrators learn of a new attack tactic that abuses Python Marathon, they can drill into that process and see where and how Marathon is being used across the entire data center. We did that and could instantly locate every instance, along with facts such as how much bandwidth each instance is using and whether any of them are behaving differently from the rest.

Figure 3: Marathon instances across the cloud (image: Lacework/John Breeden)

Beyond alerts, the data provided by Lacework can be used for threat hunting. Here we easily found every instance of Python Marathon running across the entire datacenter over time, which could serve as the jumping-off point for an investigation.
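The hunt described above, as an added example that is not part of the review or of Lacework's product: given a per-host process inventory with an outbound-traffic counter, find every host running a named process and flag the instances whose traffic deviates from their peers. The inventory, host names, byte counts and the use of a modified z-score (median and median absolute deviation, which a single large outlier cannot distort the way a mean and standard deviation can) are all assumptions made for this illustration.

```python
from statistics import median

# Constructed per-host inventory: (host, process name, bytes sent in the last hour)
INVENTORY = [
    ("app-01", "marathon", 48_000_000),
    ("app-02", "marathon", 51_000_000),
    ("app-03", "marathon", 47_500_000),
    ("app-04", "marathon", 49_200_000),
    ("app-05", "marathon", 612_000_000),   # constructed outlier
    ("app-06", "nginx", 900_000_000),
    ("db-01", "mysqld", 120_000_000),
]


def find_process(inventory, name):
    """Every (host, bytes_out) pair where the named process is running."""
    return sorted((host, b) for host, proc, b in inventory if proc == name)


def robust_outliers(samples, threshold=3.5):
    """Hosts whose value is an outlier among their peers, using the modified
    z-score 0.6745 * (x - median) / MAD (Iglewicz and Hoaglin's cutoff of 3.5).
    Fewer than three samples gives no meaningful spread, so nothing is flagged."""
    if len(samples) < 3:
        return []
    values = [b for _, b in samples]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Peers are identical; anything that differs at all is the outlier.
        return [host for host, v in samples if v != med]
    return [host for host, v in samples
            if abs(0.6745 * (v - med) / mad) > threshold]


def hunt(inventory, name):
    """The three facts a hunter wants first: where it runs, how much it sends
    in total, and which instances do not look like the others."""
    instances = find_process(inventory, name)
    return {
        "hosts": [host for host, _ in instances],
        "total_bytes": sum(b for _, b in instances),
        "outliers": robust_outliers(instances),
    }


if __name__ == "__main__":
    result = hunt(INVENTORY, "marathon")
    print(f"{len(result['hosts'])} hosts run marathon, "
          f"{result['total_bytes'] / 1e6:.1f} MB sent in the window")
    print("investigate first:", result["outliers"])
```

On the constructed data, app-05 is the only instance flagged: four peers cluster around 49 MB while it sent over 600 MB, which is the kind of "acting differently from the others" that turns a process inventory into a starting point for an investigation.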

Managing even a local data center is a tough job. Keeping a cloud secure is even more difficult. When you get into datacenters and clouds with thousands of clients, it’s simply beyond the ability of humans to maintain without help. Lacework can cut through all the normal data and graphically identify outliers. It’s a perfect force multiplier for IT and cybersecurity teams, shifting their tasks back to manageable levels, and unmasking even the cleverest attackers whenever they step even a little bit out of line.