Cloud security is arguably the most rapidly changing technology landscape out there. Naturally, the market for security tools is also constantly evolving as organizations continue to develop an understanding of the importance of a mature security posture and the effect it has on the entire organization — from innovation to sales to ongoing customer success.
Across the industry, different security solutions solve different problems for different types of businesses: There is no single cloud security “silver bullet.” In this post, we’re offering guidance on what some of the broader categories do and don’t offer, and how they deliver security information and alerts to their end users.
Network IDS Tools
Network IDS (NIDS) tools are an old school form of infrastructure security and rely on known network-level signatures to keep users secure. Teams continue to use NIDS tools because they’re familiar, but in reality, they’re relying on tools that were originally built for on-prem infrastructure. Back when infrastructure was relatively static and the physical perimeter was all you needed to lock down, you could rely on signature-based NIDS to tell you when bad actors were trying to get into your systems.
NIDS is like your traditional home security system — it keeps an eye on doors and windows to make sure no one tries to break in. But what happens if a thief slips past that system through an open window? Wouldn’t you like to know they’re inside so you can call the cops?
Because they rely solely on signatures, network-based IDS tools can’t detect unknown or new attacks the way a behavior-based tool can. Nor do they give visibility into what a bad actor is doing inside your infrastructure. The increasing prevalence of insider threats and other attacks that leverage stolen credentials makes it necessary to have something in place that looks at host-level activity — and network-based tools can’t keep up.
Signature-based network IDS tools lack the necessary accuracy and flexibility. As a result, they negatively affect your overall effectiveness as a security team. Their inability to detect the many points of entry in cloud infrastructure hinders your ability to effectively respond to and mitigate a threat in a timely manner. Additionally, signature-based tools don’t offer visibility into what attackers are doing once they’re inside the infrastructure, just as your ADT Home Security Alarm won’t tell you what a thief is stealing.
As with traditional home security systems, Network IDS is falling by the wayside. In its place, people are adopting full home security systems such as smart doorbells and in-home cameras that connect to their mobile devices and alert them in real time if there’s an intruder. This is the type of visibility granted by a Host IDS, which gives you full knowledge of exactly who is doing what, where, and when in your infrastructure to make sure you’re alerted the moment something outside the norm occurs in your complex environments.
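To make the signature-versus-behavior distinction concrete, here is an added example (not code from the original post or from Threat Stack) contrasting a payload-signature matcher of the kind a NIDS runs with a host-level behavior rule. The signatures, host events and addresses are constructed sample data; the rule (an interactive login followed within ten minutes by a write to a sensitive path) is an assumption chosen for illustration, not a vendor ruleset.

```python
"""Added example (not from the post): a valid login with stolen credentials carries
no signature-matchable payload, so a NIDS stays silent; a host-level behavior rule
still sees what the user does after getting in. All data here is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# --- NIDS side: known-bad payload patterns (constructed, not a real ruleset) ---
NIDS_SIGNATURES = {
    "sql-injection-probe": re.compile(r"('|%27)\s*(or|union)\s", re.I),
    "shellshock-probe": re.compile(r"\(\)\s*\{\s*:;\s*\};"),
}

def nids_match(payload: str) -> list[str]:
    """Return the names of every signature that fires on one network payload."""
    return [name for name, rx in NIDS_SIGNATURES.items() if rx.search(payload)]

# --- HIDS side: host events and a behavior rule ---
@dataclass(frozen=True)
class HostEvent:
    ts: int        # seconds since epoch (constructed values)
    host: str
    user: str
    kind: str      # "login" | "process" | "file"
    detail: str    # source address, command line, or file path

def hids_findings(events, sensitive_prefixes=("/etc/", "/root/.ssh/"), window=600):
    """Behavior rule (hypothetical): flag a user who modifies a sensitive path within
    `window` seconds of logging in. Valid credentials are exactly what a signature
    NIDS waves through, so this is the kind of activity only host data reveals."""
    findings = []
    last_login = {}  # (host, user) -> timestamp of most recent login
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        if ev.kind == "login":
            last_login[key] = ev.ts
        elif ev.kind == "file" and key in last_login and ev.ts - last_login[key] <= window:
            if ev.detail.startswith(sensitive_prefixes):
                findings.append(f"{ev.host}: {ev.user} modified {ev.detail} "
                                f"{ev.ts - last_login[key]}s after login")
    return findings

# Constructed traffic: a classic web probe next to an ordinary-looking SSH session.
SAMPLE_PAYLOADS = [
    "GET /search?q=' OR 1=1 -- HTTP/1.1",       # matches a signature
    "SSH-2.0-OpenSSH_8.9 authenticated session",  # no signature to match
]
# Constructed host activity on web-01: login, then a write to /etc/sudoers 95 s later,
# followed much later by a routine content update that the rule should ignore.
SAMPLE_HOST_EVENTS = [
    HostEvent(1000, "web-01", "deploy", "login", "203.0.113.7"),
    HostEvent(1090, "web-01", "deploy", "process", "vim /etc/sudoers"),
    HostEvent(1095, "web-01", "deploy", "file", "/etc/sudoers"),
    HostEvent(5000, "web-01", "deploy", "file", "/var/www/app/index.html"),
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"NIDS {p[:40]!r}: {nids_match(p) or 'no signature fired'}")
    for f in hids_findings(SAMPLE_HOST_EVENTS):
        print("HIDS:", f)
```

Running the block shows the signature matcher firing on the web probe only, while the host rule reports the sudoers modification that followed the login; the later routine file write falls outside the window and produces nothing.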
Building With Point Solutions
Leveraging a series of point solutions to handle functionality such as file integrity monitoring, user actions, and network behavior across hosts and containers is a common way to build out a security suite. By using point solutions, teams voluntarily go through the painful process of aggregating all the data that these solutions generate in order to create actionable insights for incident response and analytics.
It’s always important to have as much information as possible to keep yourself safe and be aware of what might be out there. You read news coverage about local crime, keep your safe locked at home, and own a dog that barks whenever he senses something strange.
The tough thing, however, is that not all of these real-life data sources can communicate with each other directly. If someone does break into your home, you might tell your dog to stop barking a number of times before you realize he’s barking about someone cracking your safe. By the time you realize what’s going on, it’s too late and the thief speeds away with all your valuables because you had no way of correlating your dog’s warning to other activity going on in time to act on it.
With a suite of point solutions, you have to take all the information provided by each tool and aggregate it, and then find a way to correlate it into something that you and your team can understand and act on. On top of that, integrating a new tool into your home-grown system usually requires a heavy lift by your Ops team to make sure that nothing else comes crashing down in the process.
When you look at critical security functionality including File Integrity Monitoring, user and file activity monitoring, and network access across both hosts and containers, leveraging multiple point solutions demands a considerable expenditure of human and tech resources. You have to build correlation between all of those data sources before you can see the full scope of a security incident and remediate it as quickly as possible. With complex cloud environments, it’s much more efficient to use one comprehensive platform than it is to go through the pain of deploying a series of point solutions and finding a way to aggregate the data they produce.
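The aggregation-and-correlation work described above, as an added example that is not part of the original post: three constructed feeds in three different formats (a JSON-lines FIM log, syslog-style auth lines, and a CSV flow export) are normalized into one event shape and then clustered per host within a time window, so that an incident is reported with its full scope rather than as three unrelated alerts. The formats, field names, hosts and addresses are all assumptions made for illustration.

```python
"""Added example (not from the post): stitching the output of three point solutions
into one host-scoped incident timeline. Feed formats and lines are constructed."""
from __future__ import annotations
import csv, io, json, re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    source: str   # "fim" | "auth" | "flow"
    summary: str

# Constructed feed 1: file integrity monitor, JSON lines.
FIM_JSONL = """\
{"ts": 1700000120, "host": "db-02", "path": "/etc/passwd", "action": "modified"}
{"ts": 1700000500, "host": "web-01", "path": "/var/log/app.log", "action": "modified"}
"""
# Constructed feed 2: auth events, syslog-style key=value prefix.
AUTH_SYSLOG = """\
<86>1 ts=1700000060 host=db-02 sshd: Accepted publickey for svc-backup from 198.51.100.23
<86>1 ts=1700003600 host=web-01 sshd: Accepted password for alice from 192.0.2.10
"""
# Constructed feed 3: outbound flow summary, CSV.
FLOW_CSV = """\
ts,host,dst,dst_port,bytes_out
1700000180,db-02,198.51.100.23,443,48000000
1700001300,web-01,192.0.2.50,5432,2048
"""

def parse_fim(text: str) -> list[Event]:
    return [Event(int(r["ts"]), r["host"], "fim", f'{r["path"]} {r["action"]}')
            for r in (json.loads(l) for l in text.splitlines() if l.strip())]

AUTH_RX = re.compile(r"ts=(\d+) host=(\S+) (.*)$")

def parse_auth(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        m = AUTH_RX.search(line)
        if m:
            out.append(Event(int(m.group(1)), m.group(2), "auth", m.group(3)))
    return out

def parse_flow(text: str) -> list[Event]:
    return [Event(int(r["ts"]), r["host"], "flow",
                  f'{r["bytes_out"]} bytes to {r["dst"]}:{r["dst_port"]}')
            for r in csv.DictReader(io.StringIO(text))]

def correlate(events: list[Event], window: int = 600) -> list[dict]:
    """Group events by host and open an incident whenever events from at least two
    distinct sources land on the same host within `window` seconds of each other."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            cluster = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - cluster[0].ts <= window:
                cluster.append(evs[j])
                j += 1
            sources = sorted({e.source for e in cluster})
            if len(sources) >= 2:
                start = cluster[0].ts
                incidents.append({
                    "host": host, "start": start, "sources": sources,
                    "timeline": [f"+{e.ts - start}s [{e.source}] {e.summary}" for e in cluster],
                })
            i = j
    return incidents

def build_incidents() -> list[dict]:
    """Parse all three constructed feeds and correlate them."""
    return correlate(parse_fim(FIM_JSONL) + parse_auth(AUTH_SYSLOG) + parse_flow(FLOW_CSV))

if __name__ == "__main__":
    for inc in build_incidents():
        print(f"{inc['host']} incident at {inc['start']} across {inc['sources']}")
        for line in inc["timeline"]:
            print("  ", line)
```

On the constructed data the login, the /etc/passwd change and the large outbound transfer on db-02 fall within two minutes of each other and surface as one incident with a three-line timeline, while the unrelated events on web-01 are spread over an hour and stay separate. The window length and the "two or more sources" threshold are the knobs a team would tune for its own feeds.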
Machine Learning for Intrusion Detection
As people continue to automate all things, machine learning tools are coming up more frequently in security. These tools baseline the infrastructure, and then without any rules, alert on behavior that doesn’t align with the norm. We’re led to believe that with minimal setup and tuning, you can “set it and forget it.”
This practice is risky, especially given how much environments change day to day with elastic, devops-run infrastructure. If you introduce new tools and users on a consistent basis, your “baseline” will constantly be shifting, and the accuracy of tools like these will slowly deteriorate over time until you find yourself back at square one.
Being able to implement a security tool and get results within a couple of hours without tuning anything sounds like a dream. However, without any rules or customizability, people soon experience heavy alert fatigue on activity that isn’t directly correlated with their use cases. Over time, the fatigue takes over and people derive less and less value from the tool. In the event that something important does come through, there’s a ton of noise to cut through to get to the source of the issue.
Breaking the rules can be fun, but when it comes to security, that’s the last thing you want anyone doing. Being able to customize rules to your unique use cases ensures that you and your team are laser-focused on what’s most important from a security perspective. Whether it’s particular user behavior, ensuring compliance alignment, or understanding container behavior, it’s crucial to have eyes on what’s most important in your environment without having a ton of irrelevant data to bog you down.
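The two failure modes of a rule-free baseline described in this section (noise as the environment drifts, and the baseline absorbing bad behavior if it is simply re-learned) can be shown with a toy learned baseline; this is an added example, not code from the post or from any vendor's product, and the process names and weekly event lists are constructed. The allowlist and watchlist rules layered on top are the kind of customization the text argues for.

```python
"""Added example (not from the post): a toy 'learn the norm, alert on the rest'
baseline, the drift that elastic infrastructure causes, and how operator rules
keep the signal usable. All events are constructed (role, process) pairs."""
from __future__ import annotations

def build_baseline(training_events):
    """Baseline = every (host_role, process) pair observed during the learning window."""
    return {(role, proc) for role, proc in training_events}

def score_without_rules(events, baseline):
    """Pure anomaly mode: alert on every pair the baseline has not seen."""
    return [(role, proc) for role, proc in events if (role, proc) not in baseline]

def score_with_rules(events, baseline, allow, watch):
    """Operator rules on top of the baseline:
    - `watch`: (role, process) pairs that always alert, baseline or not;
    - `allow`: process names approved fleet-wide (new agents, config tooling)."""
    alerts = []
    for role, proc in events:
        if (role, proc) in watch:
            alerts.append(("watch", role, proc))
        elif proc in allow:
            continue
        elif (role, proc) not in baseline:
            alerts.append(("anomaly", role, proc))
    return alerts

def rebaseline_absorbs(old_events, new_events, pair):
    """True if naively re-learning on the new week quietly normalizes `pair`."""
    return pair in build_baseline(old_events + new_events)

# Week 0 (learning window): the steady state.
WEEK0 = [("web", "nginx"), ("web", "python3"), ("db", "postgres"), ("db", "pg_dump")]
# Week 1: DevOps rolled out a new monitoring agent and a config tool fleet-wide,
# and one event actually worth a look appeared: an interactive shell on a DB host.
WEEK1 = [("web", "nginx"), ("web", "new-agent"), ("web", "ansible"),
         ("db", "postgres"), ("db", "new-agent"), ("db", "ansible"), ("db", "bash")]
APPROVED_TOOLING = {"new-agent", "ansible"}
WATCHLIST = {("db", "bash")}

if __name__ == "__main__":
    base = build_baseline(WEEK0)
    print("baseline only :", score_without_rules(WEEK1, base))
    print("with rules    :", score_with_rules(WEEK1, base, APPROVED_TOOLING, WATCHLIST))
    print("re-learn hides bash on db?", rebaseline_absorbs(WEEK0, WEEK1, ("db", "bash")))
```

Against the week-0 baseline the rule-free scorer raises five alerts for week 1, four of which are the approved rollout; with the allowlist and watchlist in place only the shell on the database host remains. The last line shows the "square one" problem: re-learning the baseline from week 1 makes that same shell part of the norm.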
Deploying a Comprehensive Cloud Security Platform
A comprehensive cloud security platform should combine the functionality of many tools into one. With the added complexity of containerized infrastructures, the platform should be focused on the behavior of files, users, and systems across the infrastructure at both the host and container levels to provide the most in-depth context possible around a security alert. The platform should also allow for a high level of customization to make sure you’re being notified about what’s most relevant to your specific use cases and to ensure that it has the ability to evolve as your organization and those use cases change over time.
On top of providing a wide range of security functionality, a comprehensive platform must also have the ability to integrate directly with your existing DevOps workflows. Keep in mind that integration should go beyond just your tools to align security and operations from the start. This allows security to become an enabler across the entire organization — boosting everything from your security reputation, to your ability to innovate, to your ability to close sales.
Most organizations know security should be a top priority, but don’t have the resources to build out a full program because internal and external stakeholders are pressing them to deliver platform improvements ASAP. To help with that, your Cloud Security Provider should partner with you to guide you through the process of building a program that integrates Security and Operations and gives you a roadmap that outlines how you can consistently improve your security maturity.
Threat Stack’s Cloud Security Platform and Services
If you’re interested in learning how Threat Stack can help your organization, sign up for a demo of our Cloud Security Platform® and take a look at our Cloud SecOps Program℠. If you’d like to know where your organization stands in terms of security maturity so you can map your needs to available services and tools, be sure to complete our free Cloud SecOps Maturity Assessment.