How to Monitor Network Activity When Your Infrastructure Lacks an Edge

It won’t be long before network perimeters are a thing of the past. As companies continue to adopt the cloud, either going all-in or operating in hybrid mode, the familiar perimeter starts to disappear.

Laptops, smartphones, tablets, and, for many companies, IoT technologies, all have access to the network. So do on-site and remote employees, contractors, and business partners. All of these factors are stretching the network perimeter to the point where companies need to completely rethink whether their security strategy should focus on perimeters at all.

So how do you implement security controls in the cloud when you have replaced the network edge with a virtual perimeter? Consider the following four ways:

1. Redefine Your Network

Companies need to understand what all their assets and users are doing, when, and where across the network at all times. Given the dynamic nature of the cloud, a fundamentally different approach to security monitoring is required.

To begin, determine where your company falls on the perimeter/perimeter-less spectrum:

  • What company assets are running in the cloud? On premise?
  • How many BYOD devices are on the network belonging to employees, contractors, or business partners?
  • How many users work on-site? Remotely?  

Getting clear on these questions will help you get a handle on your assets and their locations, allowing you to see what, if any, perimeter you have left. This information should form the basis of your security monitoring strategy going forward.

2. Develop an “Inside-Out” Approach to Security

In a perimeter-less environment with no network edge from which to deploy security monitoring, traditional outside-in security won’t work. The cloud requires an inside-out approach instead.

With more endpoints connected to your network, attackers have more ways in than ever before. But that doesn’t necessarily mean they have a leg up. It means, as defenders, we need to think like our attackers by honing in on our most important assets (networks, passwords, code, IP).

To develop an inside-out approach to security, you first need to understand where your vulnerabilities lie — what your attackers are looking to exploit. Once you’ve taken inventory of your network (Step 1 above), you can begin to implement monitoring from within your infrastructure to protect these critical assets.

In the cloud, monitoring should be done at the host or workload layer (or the “source of truth,” as we like to call it) where real system activity occurs. This enables you to detect anomalous behavior the moment it begins. Security monitoring at the host level can tell you specific events, over time, on specific servers, so you have a complete picture of all activity 24/7/365.

This not only helps to accurately pinpoint attacks, but aids in mounting an effective and timely response. Host-level monitoring is like your mission control center for security.  

3. Integrate Security Into Your Continuous Deployment Process

If you’ve been following our blog for awhile, you’ve likely heard us talk about how to integrate security into DevOps. That’s because, with the speed that companies are building and deploying apps today, security needs to be baked into continuous integration (CI) and continuous deployment (CD) processes so that vulnerabilities are caught before they go into production. This practice supports the inside-out security strategy we advocate above by embedding security into development activities from day one.

In practice, this means leveraging configuration management tools like Chef, Puppet, Ansible, or SaltStack that automate software updates and patches for you, ensuring that nothing is pushed to production without a full security check-up.

As we explained in a recent post, integrating security operations into your existing DevOps workflows means both applying DevOps principles to security and incorporating security into the DevOps process. It has to go both ways in order to be truly effective. Embedding a DevSecOps mindset begins as a cultural shift, and is enabled by communication (people) and automation (machines) such as running vulnerability scans on every build.

4. Embrace Software-Defined Everything

In the cloud, traditional intrusion detection/prevention systems (IDS/IPS) and firewalls that require a physical point from which to be deployed simply won’t work. But software-defined solutions (ones that are built in and for the cloud) will. They are specifically designed to scale as you grow and spin up or down new servers, without requiring any additional hardware (e.g., Amazon Machine Images). Put simply, as threats evolve, your IDS/IPS needs to evolve, too.

Speaking of evolution, traditional security solutions (you know, the signature-based ones) can only detect what they know, and on top of that, are only effective if the solution is updated and current, which is hard to keep up with. In a perimeter-less world, security needs to move and adapt faster. Specifically, your security system should be able to do more than simply detect known threats; it needs to understand the signals of unknown threats, too.   

Perimeter-less Environments Offer a Security Opportunity

A lot of folks think the cloud introduces a new layer of vulnerability, but it is actually quite the opposite. The cloud is built for collaboration, meaning (when done right) that systems and applications can seamlessly hook into each other. From a security viewpoint, this makes monitoring a straight shot: The best cloud security solutions can be deployed across an entire cloud environment in one go and can quickly pinpoint where suspicious activity is occurring anywhere within your cloud. From there, they can detect what a threat is up to and effectively shut it down and mitigate damage as needed.

This is in direct opposition to the traditional method of jumping from system to system, trying to manually piece together the facts of a security incident. Tedious manual security processes like that can bring incident response to a screeching halt, giving attackers plenty of time to carry out their objectives. But a strong cloud-based security solution — such as Threat Stack’s cloud-based continuous security monitoring platform — can slash time-intensive processes, speed up responses, and keep you ahead of attacks.

Operating in a perimeter-less environment is often part of a company’s effort to be more competitive, so the good news is that doing so doesn’t mean you need to sacrifice security. In fact, security can now be embedded much faster across your environment, using the inside-out approach we’ve described.