Machine Learning, Signatures, Rules, & Behaviors — Tips on Navigating Modern Cloud Security Solutions

See Threat Stack in Action

Threat Stack secures your cloud infrastructure workloads. See how.

Book Your DemoDemo

Cloud security is one of the most rapidly changing technology landscapes out there. And naturally, the market for security tools is also constantly evolving as stakeholders continue to develop an understanding of how important a mature security posture is to the entire organization — from innovation to sales to ongoing brand and customer success.

Throughout the industry, different security solutions solve different problems for different types of businesses: There is no “one-size-fits-all-cloud-security-silver-bullet.” Being able to cut through the hype, promises, and buzz to figure out which solutions are actually suited to your specific use cases can be a challenge.

So in this post, we’re offering guidance on what some of the broader categories of cloud security solutions do and do not offer, and how they deliver security information and alerts to their end users. In turn, we’ll take a look at using Network IDS tools, using point solutions to build your own security stack, jumping into the emerging world of machine learning (ML), and deploying a comprehensive cloud security platform that not only provides a wide range of security functionality but also integrates security into your existing DevOps workflows and provides a foundation for constantly improving your security maturity.

1. Network IDS Tools

Network IDS (NIDS) tools are an old school type of infrastructure security and rely on known network-level signatures to keep users secure. Teams continue to use NIDS tools because they’re familiar, but in reality, they’re relying on tools that were originally built for on-prem infrastructure. Back when infrastructure was relatively static and the physical perimeter was all you needed to lock down, you could rely on signature-based NIDS to tell you when bad actors were trying to get into your systems.

NIDS is like your traditional home security system — it keeps an eye on doors and windows to make sure no one tries to break in. But what happens if a thief slips past that system through an open window? Wouldn’t you like to know they’re inside so you can call the cops?

Because they rely solely on signatures, network-based IDS can’t detect any unknown or new attacks in the way that a behavior-based tool can. Nor do they give visibility into what a bad actor is doing inside your infrastructure. The increasing prevalence of insider threats and other attacks that leverage stolen credentials make it necessary to have something in place that looks at host-level activity — and network-based tools can’t keep up.

Signature-based network IDS tools lack the needed accuracy and flexibility. As a result, they negatively affect your overall effectiveness as a security team. Their inability to detect the many points of entry in cloud infrastructure hinders your ability to effectively respond to and mitigate a threat in a timely manner. Additionally, signature-based tools don’t offer visibility into what attackers are doing once they’re inside the infrastructure, just as your ADT Home Security Alarm won’t tell you what a thief is stealing.

As with traditional home security systems, Network IDS is falling by the wayside. In its place, people are adopting tools that give them the type of visibility granted by a Host IDS, which provides full details on exactly who is doing what, where, and when in your infrastructure to make sure you’re alerted the moment something outside the norm occurs in your complex environments.

2. Building With Point Solutions

Leveraging a series of point solutions to handle functionality such as file integrity monitoring, user actions, and network behavior across hosts and containers respectively is a common way to build out a security suite. However, by using point solutions, teams are putting themselves in a position where they have to go through the painful process of aggregating all the data that these solutions generate in order to create actionable insights for incident response and analytics.

It’s always important to have as much information as possible to keep yourself safe and be aware of what might be out there. The tough thing, however, is that not all of these real-life data sources can communicate with each other directly. With a suite of point solutions, you have to take all the information provided by each tool and aggregate it, and then find a way to correlate it into something that you and your team can understand and act on. On top of that, integrating a new tool into your home-grown system usually requires a heavy lift by your Ops team to make sure that nothing else comes crashing down in the process.

When you look at critical security functionality including file integrity monitoring, user and file activity monitoring, and network access across both hosts and containers, leveraging multiple point solutions demands a considerable expenditure of human and tech resources to build correlation between all of those data sources to show the full scope of a security incident and enable you to effectively remediate as quickly as possible. (And even then, you’re not finished because you need to factor in the effort required to maintain and update all these individual tools.) With complex, evolving cloud environments, it’s much more efficient to use one comprehensive platform than it is to go through the pain of deploying a series of point solutions and finding a way to aggregate the data they produce.

3. Machine Learning for Intrusion Detection

As people continue to automate all things, machine learning tools are coming up more frequently in security. These tools baseline the infrastructure, and then without any rules, alert on behavior that doesn’t align with the norm. Vendors tell us that with minimal setup and tuning, you can “set it and forget it.”

This practice is risky, given the extent to which environments change day to day with elastic, devops-run infrastructure. If you introduce new tools and users on a continual basis, your “baseline” will constantly be shifting, and the accuracy of tools like these will deteriorate over time until you find yourself back at square one.

Being able to implement a security tool and get results within a couple of hours without tuning anything sounds like a dream. And it is a dream: Without any rules or customizability, people experience a great deal of noise and develop severe alert fatigue on activity that isn’t directly correlated with their use cases. Over time, the fatigue takes over, and people derive less and less value from the tool. In the event that something important does come through, there’s a ton of noise to cut through to get to the source of the issue.

Breaking rules can be fun, but when it comes to security, that’s the last thing you want anyone doing. Being able to customize rules to your unique use cases ensures that you and your team are laser focused on what’s most important from a security perspective. Whether it’s particular user behavior, ensuring compliance alignment, or understanding container behavior, it’s crucial to have eyes on what’s most important in your environment without having a ton of irrelevant data to bog you down.

While machine learning and AI are improving, they still has a long way to go. According to Gartner (“Top Security and Risk Management Trends,” April 2018) and others, machine learning cannot yet replace humans, and human input is still essential to parse data and take appropriate action.

4. Deploying a Comprehensive Cloud Security Platform

A comprehensive cloud security platform is one that combines the functionality of many tools into one. Unlike point solutions that have many tools and vendors, this is an integrated platform that combines multiple functionality all from one provider. With the added complexity of containerized infrastructures, the platform should be focused on the behavior of files, users, and systems across the infrastructure at both the host and container levels to provide the most in-depth context possible around a security alert. The platform should also allow for a high level of customization to make sure you’re being notified about what’s most relevant to your specific use cases and to ensure that it has the ability to evolve as your organization and those use cases change over time.

On top of providing a wide range of security functionality, a comprehensive platform must also have the ability to integrate directly with your existing DevOps workflows. Keep in mind that integration should go beyond just your tools to align security and operations from the start. This allows security to become an enabler across the entire organization — boosting everything from your security reputation, to your ability to innovate, to your ability to close sales.

Most organizations know security should be a top priority, but don’t have the resources to build out a full program because internal and external stakeholders are pressing them to deliver platform improvements ASAP or because they just don’t have the necessary knowledge and skills in house. To help with that, your Cloud Security Provider should partner with you to guide you through the process of building a program that integrates Security and Operations and gives you a roadmap that outlines how you can consistently improve your security maturity. 

See Threat Stack in Action

Threat Stack secures your cloud infrastructure workloads. See how.

Book Your DemoDemo