Defensive strategies to overcome top cloud threats
With more applications and workloads moving to cloud platforms, security architects and administrators need to rethink their practices for protecting sensitive data and managing security risk. Unfortunately, cloud environments have many potential vulnerabilities that attackers can exploit.
For the past several years, the Cloud Security Alliance (CSA) has tracked the top cloud threats by surveying industry experts to gather their opinions. The graphic below displays what they call the “Treacherous 12: top cloud security threats.” (Eagle eyes will note that they added a 13th threat to represent hardware flaws like Spectre uncovered last year.)
It’s a pretty daunting list. And it underscores that security is not a simple check-off on a cloud deployment list. Security is an ongoing process that requires you to make strategic decisions, engage in constant monitoring, and make frequent adjustments to remain effective. One way to mitigate the risk is to look at what these threats have in common and address those things first.
1. Digital Footprints Are Hiding in Your Clouds
One thing that many of these threats have in common is the ability to take advantage of cloud architecture to “hide” evidence of wrongdoing from view of your security and network administrators. For instance, in many data breaches and advanced persistent threats, attackers leave digital footprints showing unexpected communications between an external end point and an internal resource. This is key evidence that could help you shut down an attack and strengthen a weakness in your security defenses. Unfortunately, these digital footprints lie outside the domains you traditionally monitor and protect.
In data centers or infrastructure on-premises, traffic from every segment can be tapped, filtered, and analyzed. This is true whether the infrastructure is physical hardware or software-defined. Packets traversing your networks can be submitted to security inspection and compared against white lists and black lists. Traffic that doesn’t fall within expected parameters can be immediately isolated and further analyzed.
However, in cloud computing, the traffic flowing between endpoints and cloud-based services is not directly observable because it is traveling on infrastructure that is not under the direct control of the enterprise. Digital footprints are still generated—by both legitimate and malicious traffic—but they are effectively invisible to your security and performance monitoring tools and staff.
The key to unlock this important information is to gain visibility to what is happening in your clouds.
DEFENSIVE STRATEGY: Establish automatic and fully-scalable cloud visibility
The best way to uncover anomalies and suspicious activity is to eliminate the “blind spots” where the evidence of attacks most often hides. Cloud visibility solutions that access packets moving between virtual resources (east-west traffic) are the place to start. It’s hard to imagine a successful security architecture that does not increasingly rely on cloud visibility. If your organization is one of those that are If you have not yet prepared executives and budget owners to invest in a visibility architecture, you should start now.
2. Full Packet Data is Needed for Security Inspection
It is possible to obtain information from your provider about the work your clouds are doing. This data includes things such as CPU utilization rate, completed disk reads, completed disk writes, and the number of packets sent out per each network interface. However, these metrics don’t help you see what’s inside the packet itself, and that is the key to effective cyber security.
Security monitoring systems, such as intrusion prevention and detection—are designed to analyze whole packets—header and payload—looking for specific events or characteristics. You must feed them whole packet data from every link in your virtual environment, as well as your physical environment. They need to see all the interactions that your cloud instances are involved in, to adequately protect applications, services, and sensitive data, including the personally identifiable information of your customers.
But what if the packet data is encrypted? Is it safe to just pass encrypted data into the network without security inspection since the packets are already secure? Hopefully, you already know the answer is “no.” Hackers have found encryption to be extremely helpful to their cause and frequently encrypt malicious code and malware, or insert their mischief into legitimate communications. They know there are organizations who don’t consistently inspect secure packets and the payoff can be substantial if they get lucky and avoid detection. Organizations who are not making the effort to decrypt and inspect secure packets could be in for a big surprise.
Luckily, decryption is now a feature of best-in-class network and cloud visibility platforms. With these solutions, encrypted packets from every network and cloud link are forwarded to a visibility engine or network packet broker, where they are decrypted, filtered, and delivered to the appropriate security monitoring systems.
DEFENSIVE STRATEGY: Provide packet-level data to all your security systems
Having access to cloud traffic is the first step, but an equally important step is being able to see inside the packets, right down to the payload in clear text. Some next generation firewalls and intrusion prevention and detection systems may offer on-board SSL/TLS decryption, but that can sap processing power. A more efficient approach is to deploy a visibility engine or network packet broker with decryption capability in front of your security tools, to offload your tools.
3. Even Basic Data Correlations Boost Security
Data analysis is a fast-growing discipline that can have a big impact on cyber security. While the cost of solutions using sophisticated intelligence algorithms may not be in your budget, even basic data correlations can boost your ability to identify suspicious activity and data leakage. Whether you invest in third-party solutions for event correlation (such as SIEM) or user behavior analytics (UBA), or develop your own algorithms, data correlations can help accelerate breach recovery and minimize damage. For example, event sequencing can be used to flag a sequence of events which on their own might not be enough to trigger an alert, but considered together are highly predictive of a serious attack.
Analytics solutions are not without their critics, however. Some users complain they are not contributing enough to detecting attacks and security the infrastructure. Part of the reason could be that not enough data is provided to these systems. One study found that only 22% of users passed 80% or more of their traffic through their SIEM.
Since you don’t really know where an attack will originate, it is important to achieve total network and cloud visibility. In addition to needing all the data, analytics tools also work better when they have contextual information about packets, such as application, user activities, end-point devices, and geolocation. “Knowing” more about the packets helps these solutions provide more granular results and reduce time it takes to resolve an alert.
DEFENSIVE STRATEGY: Get contextual data for better correlation
Once you’ve gathered traffic from every segment and cloud in your virtual environment, use a context-aware data processing engine (or network packet broker) to extract useful information and provide it at top-speed to your security monitoring tools for closer inspection and correlation analysis.
The bottom lineis that keeping your enterprise secure is a journey, not a destination, particularly with the increasing use of clouds. It makes sense to examine your security strategies and eliminate network blind spots, gather more information about data packets, and do more correlation analysis to better predict emerging security threats.
 451 Research: “Voice of the Enterprise: Information Security,” 2015, accessed online.