Why Continuous Context Is the Only Way to Secure Complex Cloud Environments


By Richard Davies, Director AN/Z at Lacework.

The cloud is just as complex as it is amazing. The major cloud providers (AWS, Microsoft Azure, Google Cloud) offer hundreds of services, and every one of them has its own configuration parameters. Learning the ins and outs of even a single cloud provider takes time, energy and effort.

According to Gartner, misconfiguration of cloud resources is behind roughly 80% of cloud data breaches, and through 2025 up to 99% of cloud security failures will be attributable to human error. Do you feel confident that you have visibility into every asset deployed in your company's cloud environment, exactly how each one is configured, and how it is being used day to day?

Every cloud environment and cloud-native application workload is unique. That variability only compounds the complexity of your cloud-native applications. Take AWS as an example: with over 200 individual services on offer, the activity taking place in one customer's accounts, or even one team's accounts within the same organisation, will look vastly different from the next. All of these accounts and workloads generate enormous volumes of data. According to AWS's Steve Schmidt, "every single month, we track quadrillions of events. That's a number that has 15 zeros."

Now add further cloud providers or emerging technologies, and it quickly becomes clear that security solutions need to adapt to environments where the only constant is change, and the pace of that change is accelerating.

Will your security solution solve the cloud security challenge?

Rules are useful for looking to the past and stopping a known threat from recurring, but a rule cannot be written in advance for an attack nobody has seen yet. The overhead of writing and maintaining custom rules also makes this approach hard to scale and sustain.

Security needs to be woven into every stage of the application development lifecycle to provide redundancy and a layered defence. Wherever possible, known vulnerabilities and misconfigurations should be caught in container images or infrastructure-as-code (IaC) before they are ever deployed into an environment. However, a system that runs securely today can become vulnerable overnight when a new CVE is published against a package it already runs: nothing in the environment changed, only what is known about it. So actively monitoring your running workloads for threats is just as important as shifting security left.
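The "catch it in IaC before it deploys" step above, as an added example that is not part of the original article or any Lacework product: a small policy check run over the JSON that `terraform show -json` emits for a plan. The plan excerpt, resource addresses and port choices are constructed for illustration; the `resource_changes` / `change.after` layout is Terraform's, but the two checks (admin ports open to the world, and an S3 public-access block with any setting switched off) are the author's own selection, not a complete policy set.

```python
"""Shift-left check over a Terraform plan (added example, constructed data)."""
import json

# CIDRs that mean "the whole internet" and the ports we never want exposed to it.
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH, RDP (assumption: the team's own list)

# Constructed plan excerpt in the shape of `terraform show -json plan.out`.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": None}]}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["update"], "after": {
             "block_public_acls": False, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


def rule_covers_ports(rule, ports):
    """True if an ingress rule's port range (or 'all traffic') includes any of `ports`."""
    if str(rule.get("protocol", "tcp")) == "-1":  # -1 means all protocols and ports
        return True
    lo = rule.get("from_port") or 0
    hi = rule.get("to_port") or 65535
    return any(lo <= p <= hi for p in ports)


def check_security_group(res):
    after = res["change"].get("after") or {}
    for rule in after.get("ingress") or []:
        cidrs = set((rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or []))
        if cidrs & WORLD and rule_covers_ports(rule, ADMIN_PORTS):
            yield (res["address"], "HIGH",
                   f"admin port range {rule.get('from_port')}-{rule.get('to_port')} open to the internet")


def check_public_access_block(res):
    after = res["change"].get("after") or {}
    keys = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")
    disabled = [k for k in keys if not after.get(k, False)]
    if disabled:
        yield (res["address"], "MEDIUM", "public access block disabled: " + ", ".join(disabled))


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket_public_access_block": check_public_access_block,
}


def scan_plan(plan_json):
    """Return (address, severity, message) findings for resources the plan will create or update."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resource_changes", []):
        if res.get("change", {}).get("actions") == ["delete"]:
            continue  # a resource being removed cannot introduce exposure
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    for address, severity, message in scan_plan(SAMPLE_PLAN):
        print(f"{severity:6} {address}: {message}")
```

Wired into CI as a required step on the plan artefact, a non-empty result fails the pipeline before `terraform apply` runs; the web security group is deliberately left alone because 443 from anywhere is the normal state of a public listener.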

Identifying and prioritising risk is a big part of securing your cloud, but 100% prevention is not a realistic expectation when new attack techniques appear frequently and new vulnerabilities are introduced all the time. An attacker needs only one mistake: one small misconfiguration, one newly deployed vulnerable package, or some other crack in your defences, to compromise your cloud account. That makes monitoring for active threats a critical component of any security solution that aims to give a comprehensive, contextualised view of your cloud.

Cloud migration has driven alert volumes up sharply, especially for organisations running legacy rules- and signature-based tools that were never built for the cloud, and alert quantity comes at the expense of alert quality. Per IDC, each alert takes 30 minutes on average to investigate, with false positives taking even longer. Behaviour-based threat detection built for the cloud lets organisations cut that volume and better prioritise, investigate and track the alerts that remain.

Why you should consider Continuous Context in your cloud environment

With the rise of cloud, many organisations have adopted DevOps to rapidly deploy new services and capabilities to their customers. As a result, everyone should be familiar with Continuous Integration, Continuous Testing, Continuous Delivery/Deployment, and hopefully Continuous Security. What about Continuous Context? Context is the only way to determine if what is happening should be happening.

The cloud changes quickly. Context means understanding what is changing and how each change relates to the rest of your resources. That is what lets you tell whether a behaviour is normal and innocuous or abnormal and potentially malicious.

Knowing that a successful attack can unfold almost immediately, an organisation needs to understand exactly how its cloud environment is configured, what activity is taking place at the cloud control plane, and what is happening in the runtime environment. A daily snapshot of your workloads is not enough given the persistence and sophistication of cyber-crime. Without continuous runtime monitoring of your applications and services, you cannot have the complete context needed to contain a threat when it occurs. As we all know, it is no longer a matter of if you will be compromised, but when, and how often.
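The rules-versus-behaviour argument and the alert-volume point above come down to one mechanism: learn what each identity normally does in the control plane, then alert only on activity that departs from it, and attach the baseline to the alert so the analyst has the context in hand. The example below is added here and is not code from the original article or from Lacework. The events are constructed CloudTrail-style records (principal, API name, region, source IP); the novelty weights, the threshold of 3 and the /24-per-network grouping are the author's assumptions, not a published scoring model.

```python
"""Behaviour baseline over control-plane events (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed "last 7 days" of activity. Field names mirror CloudTrail's
# userIdentity / eventName / awsRegion / sourceIPAddress; values are invented.
BASELINE_EVENTS = [
    {"principal": "role/ci-deploy", "event": "RunInstances",        "region": "ap-southeast-2", "ip": "203.0.113.10"},
    {"principal": "role/ci-deploy", "event": "CreateSecurityGroup", "region": "ap-southeast-2", "ip": "203.0.113.11"},
    {"principal": "role/ci-deploy", "event": "RunInstances",        "region": "ap-southeast-2", "ip": "203.0.113.10"},
    {"principal": "user/alice",     "event": "DescribeInstances",   "region": "ap-southeast-2", "ip": "198.51.100.7"},
    {"principal": "user/alice",     "event": "GetObject",           "region": "ap-southeast-2", "ip": "198.51.100.7"},
]

# Constructed events arriving today.
NEW_EVENTS = [
    {"principal": "role/ci-deploy", "event": "RunInstances",   "region": "ap-southeast-2", "ip": "203.0.113.12"},  # routine
    {"principal": "user/alice",     "event": "GetSecretValue", "region": "us-east-1",      "ip": "192.0.2.99"},    # new API, region, network
    {"principal": "user/alice",     "event": "ListBuckets",    "region": "ap-southeast-2", "ip": "198.51.100.8"},  # new API only
]

# Assumed weights: a never-seen principal or region is worth more than a new API call.
WEIGHTS = {"new_principal": 3, "new_region": 2, "new_api": 1, "new_network": 1}
ALERT_THRESHOLD = 3


def network_of(ip):
    """Group source addresses by /24 (IPv4) or /64 (IPv6) so a DHCP change is not 'new'."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_profiles(events):
    """Per-principal sets of APIs, regions and source networks seen in the baseline window."""
    profiles = defaultdict(lambda: {"events": set(), "regions": set(), "networks": set()})
    for e in events:
        p = profiles[e["principal"]]
        p["events"].add(e["event"])
        p["regions"].add(e["region"])
        p["networks"].add(network_of(e["ip"]))
    return profiles


def score_event(profiles, e):
    """Return (score, reasons): what about this event has never been seen for this principal."""
    reasons = []
    p = profiles.get(e["principal"])
    if p is None:
        reasons.append("new_principal")
    else:
        if e["event"] not in p["events"]:
            reasons.append("new_api")
        if e["region"] not in p["regions"]:
            reasons.append("new_region")
        if network_of(e["ip"]) not in p["networks"]:
            reasons.append("new_network")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline, new_events, threshold=ALERT_THRESHOLD):
    """Emit one contextualised alert per event whose novelty score reaches the threshold."""
    profiles = build_profiles(baseline)
    alerts = []
    for e in new_events:
        score, reasons = score_event(profiles, e)
        if score < threshold:
            continue
        p = profiles.get(e["principal"])
        context = {"known_regions": sorted(p["regions"]), "known_apis": sorted(p["events"])} if p else {}
        alerts.append({**e, "score": score, "reasons": reasons, "context": context})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{a['principal']} {a['event']} from {a['region']} ({a['ip']}): "
              f"score {a['score']} {a['reasons']} | usually in {a['context'].get('known_regions')}")
```

A signature-style rule "alert on every GetSecretValue" would fire on every legitimate secret read; the baseline fires once, on the read that came from a region and network this user has never used, and the alert already carries the regions she normally works from. In practice the profile is rebuilt on a rolling window and the weights tuned per environment, which is the "continuous" part of the argument.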

Relying on solutions focused only on risk reduction or the likelihood of an attack leaves you with no understanding of your runtime environment during an active breach. And without data correlation that spans your entire security solution, investigation times grow significantly as your teams sift through cloud-scale volumes of data.

Ultimately, your security solution must take a data-driven approach, filtering millions or billions of security signals in order to understand what is normal for you and all your unique cloud environments and workloads, to deliver the right, fully contextualised alert, at the right time.