The threat landscape continues to expand as both the frequency and the financial impact of cyber security incidents increase. As a result, traditional host-based security evolves to counter new attack vectors and types of infections. On rare occasions, however, two separate, independently evolving technologies come together in a way that benefits both – and so it is with host-based intrusion detection systems (IDS) and the cloud.
In an earlier blog post, The History of Intrusion Detection Systems (IDS), we took a look at the history of IDS, and concluded that today’s cloud environment is ideal for IDS. In this second part, we’ll examine why host-based IDS thrives in AWS and other cloud environments.
1. The Cloud Difference: Auto-scaling
The cloud is fundamentally different from on-premises environments because of its ability to replicate servers – meaning, to auto-scale. Auto-scaling greatly enhances operational flexibility and agility, so a majority of workloads are now deployed and auto-provisioned in the cloud (rather than on premises, as they were just a few years ago), creating and accessing a broad set of data.
2. A New Class of IDS is Born
As threats to cloud data have become more advanced, a class of IDS products called Endpoint Threat Detection and Response (ETDR), which employs a variety of indicators to alert on possible intrusion or compromise, has come to life. Two key IDS features of this type of cloud security are Continuous Security Monitoring and Audit History.
3. Continuous Security Monitoring Closes the Window
Perhaps the most important functional principle of Endpoint Threat Detection and Response is continuous security monitoring. A cloud-native implementation of continuous security monitoring ensures your cloud assets are continuously being monitored and protected.
The need for this evolution of intrusion detection is seen in spear phishing, the most prevalent method of attack today. A spear phishing attack entices the victim to click a link in an email and, in so doing, allows an attacker to run a program to steal login credentials and other personal data. To combat spear phishing, a new way to detect, prevent and remediate these infections was required. This is the response aspect of endpoint detection and response.
4. Audit History Illuminates the Transient
Gathering and maintaining an activity history for later audit is arguably more important in a cloud environment where we have transient servers that come and go because of the auto-scaling nature of the cloud. We saw this recently with Shellshock, a vulnerability that affected a vast number of Linux workloads running in the cloud.
However, with the ability to rewind and play the tape – especially on transient servers – it is possible to go back and investigate what happened during that transient instance’s lifetime. Therefore, an essential requirement for a cloud security solution is to retain the audit history of transient servers, enabling important forensic and response capabilities.
5. A Cloud-Native IDS Meets the Performance Need
Security-conscious organizations need not only the ability to detect a breach, but also the ability to respond and research the extent of the breach – and quickly! Fast responses to cloud-based attacks demand a cloud-native IDS.
At the Intersection, the Future Looks Bright
Cloud application auto-scaling combines with a cloud-native IDS that has endpoint threat detection and response, continuous monitoring, and audit history capabilities. The integration of these features results in improved IDS reliability and accuracy, resulting in better, overall cloud security.
A host-based IDS seeks to detect anomalous system activity, which means that teams must first establish a baseline of normal behaviour from which deviations can be detected. The replication of identical servers through auto-scaling makes it possible to establish a more accurate baseline of normality for cloud-resident workloads – whether via automated learning or via policies created by DevOps and/or Security teams. That replication improves the overall accuracy and reliability of alerts by reducing the number of false positives.
Let’s use spear phishing once again as an example. When you auto-provision using elastic infrastructure, there should be no process running on one system that isn’t running on another. Likewise, a process should not start making outbound connections from one system if that same process makes no such connections from another. Because the elastic cloud infrastructure is so uniform, any such anomalous activity is indicative of a breach or compromise, and the IDS can detect an anomalous process, connection, user account, etc.
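The fleet-wide baseline described above can be made concrete with a small script. This is an added example, not code from the original post or from any vendor product: it assumes a constructed per-host inventory of running processes and outbound connections (in practice supplied by a host-based IDS agent), derives the baseline as whatever the majority of identical hosts share, and flags each host that runs something extra, is missing something the fleet has (for instance a stopped monitoring agent), or makes an outbound connection no sibling makes. The host names, process names and addresses are invented for the example.

```python
"""Fleet-baseline deviation check for auto-scaled, identical hosts (added example)."""
from collections import Counter

# Constructed sample inventory: three conforming web nodes and one that deviates.
# Each host lists its running process names and (process, destination) outbound pairs.
FLEET = {
    "web-1": {"processes": {"nginx", "php-fpm", "sshd", "ids-agent"},
              "outbound": {("php-fpm", "10.0.2.15:3306")}},
    "web-2": {"processes": {"nginx", "php-fpm", "sshd", "ids-agent"},
              "outbound": {("php-fpm", "10.0.2.15:3306")}},
    "web-3": {"processes": {"nginx", "php-fpm", "sshd", "ids-agent"},
              "outbound": {("php-fpm", "10.0.2.15:3306")}},
    # web-4 has lost its monitoring agent, gained an extra process, and that
    # process talks to an address no other node contacts (203.0.113.9 is a
    # documentation-range address, used here as a placeholder).
    "web-4": {"processes": {"nginx", "php-fpm", "sshd", "curl"},
              "outbound": {("php-fpm", "10.0.2.15:3306"),
                           ("curl", "203.0.113.9:443")}},
}


def build_baseline(fleet, min_fraction=0.5):
    """Derive the fleet baseline automatically.

    A process or outbound pair is part of the baseline when it is present on at
    least min_fraction of the hosts. With identical auto-scaled instances the
    majority view is a good approximation of 'normal'; a single compromised
    host cannot pull its own additions into the baseline.
    """
    host_count = len(fleet)
    threshold = min_fraction * host_count
    proc_counts = Counter(p for inv in fleet.values() for p in inv["processes"])
    conn_counts = Counter(c for inv in fleet.values() for c in inv["outbound"])
    return {
        "processes": {p for p, n in proc_counts.items() if n >= threshold},
        "outbound": {c for c, n in conn_counts.items() if n >= threshold},
    }


def find_deviations(fleet, baseline):
    """Return {host: [finding, ...]} for every host that differs from the baseline.

    Three kinds of deviation are reported, in this order per host:
      1. processes present on the host but not in the baseline,
      2. baseline processes missing from the host (e.g. a killed agent),
      3. outbound connections not made by the rest of the fleet.
    """
    findings = {}
    for host, inv in fleet.items():
        notes = []
        for proc in sorted(inv["processes"] - baseline["processes"]):
            notes.append(f"unexpected process: {proc}")
        for proc in sorted(baseline["processes"] - inv["processes"]):
            notes.append(f"missing baseline process: {proc}")
        for proc, dest in sorted(inv["outbound"] - baseline["outbound"]):
            notes.append(f"unexpected outbound connection: {proc} -> {dest}")
        if notes:
            findings[host] = notes
    return findings


if __name__ == "__main__":
    baseline = build_baseline(FLEET)
    for host, notes in find_deviations(FLEET, baseline).items():
        for note in notes:
            print(f"[{host}] {note}")
```

The `min_fraction` threshold is the knob that decides how many hosts must agree before something counts as normal; at 0.5 a single odd host can never define the baseline, but a rollout that changes half the fleet at once would briefly look anomalous, so in practice the baseline is recomputed per auto-scaling group and per image version.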
When it comes to delivering value to high-performance businesses, the IDS-cloud combination provides the level of assurance necessary that your business’s agile cloud-based operations remain secure, efficient, and compliant.
Stay tuned in the coming weeks as we explore the requirements for cloud-native security controls to effectively protect cloud resident workloads and the data they create and access.
If you’re ready to plan or revamp your cloud security strategy, be sure to download a copy of our free Cloud Security Use Cases Playbook.