Threat Stack

Strategies for Measuring and Monitoring the Cloud Like a Boss

As you’re probably well aware by now, security is different in the cloud. The good news, of course, is that running in the cloud offers more visibility than ever before. It’s now possible to gain a bird’s-eye view of your entire environment, something that was unimaginable with on-premise data centers.

In partnership with Dark Reading, Threat Stack’s VP of Product, Chris Ford, got together in a recent webinar to discuss measurement and monitoring in the realm of cloud security with Rich Mogull, CEO and Analyst at Securosis. You can read the recap below or view the entire webinar here.

How is Cloud Security Different From On-Premise?

From our perspective, there are four major differences between cloud and on-prem security. Here’s what you need to know:

1.  Monitoring the Management Plane

There’s no data center equivalent to the management plane in the cloud. There was never a single login that let administrators access everything in the data center, and there was no ability to create or destroy Class D networks on a whim or to easily see every user making API calls. In the cloud, the management plane is like a surveillance camera that can monitor your entire infrastructure, which is a tremendous advantage – if you know how to use it.

2.  Velocity

Velocity is both a blessing and a curse when you move to the cloud. At Threat Stack, we have seen a lot of companies that seem to be more than willing to sacrifice security for speed. So one of the key challenges going forward is balancing the need for speed with the vital role of security.

3.  Distribution and Segregation

A single cloud might contain hundreds or thousands of Class D networks. These might be completely segmented from one another, but they all need to be monitored for signs of intrusion. How do you pull data from dozens, hundreds, or thousands of separate networks into a centralized location so they can be analyzed? The key lies in implementing an integrated security platform.

4.  Visibility

More visibility is good, but it can also be overwhelming. One of the big issues you’ll need to address as you embark on this journey is figuring out how to find the signal in the noise. How can you turn visibility into insight, without adding undue burden to your security team? Generally speaking, context is key. The more you know about an incident, the better you will be able to determine whether it requires immediate action. Certainly this is more possible than ever in the cloud, but you need the right tools and the right strategy to do it well.

The Big Visibility Question: What Do You Care About, and Why?

As we mentioned above, more visibility can be a boon and a real challenge. The added visibility of the cloud can get overwhelming fast if you don’t have the right tools in place. One way to start gaining clarity is to ask your organization, “What do we care about, and why?”

Let’s take a closer look at this. Visibility into cloud infrastructure will yield events from a variety of sources. This panoramic view can be helpful. For example:

  • Network Flow: When looking at network flow, knowledge of user and application behavior can help you understand what’s a meaningful threat and what’s normal.
  • Configuration Monitoring: Monitoring configurations will give you visibility into privilege escalation through your account. Privilege escalation combined with unauthorized file modification is certainly a type of behavior to pay close attention to. In our view, this is a 1+1 = 3 situation, where combining visibility into your account and your host helps you achieve insight rather than mere data.

Some of the fundamental questions you should always be trying to answer include:

  • Who: Which user, process, or network connection triggered the alert?
  • When: What’s the timestamp on the alert? What’s the timeline of the processes that led up to the alert being triggered?
  • Where: What part of your environment (e.g., which server, EC2 tag, or AWS service) caused the alert to fire?

Being able to piece these clues together will offer far more insight than simply picking through separate alerts from disparate systems.
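The account-plus-host correlation described above (a privilege change in the cloud account followed by a sensitive file modification on a host), worked as a small added example; this is not Threat Stack's code, and the event field names, the 15-minute window, and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions, not a real schema):
# one IAM change from the account's API audit log, two file changes from hosts.
ACCOUNT_EVENTS = [
    {"time": "2023-05-01T10:00:05Z", "user": "deploy-svc", "source_ip": "203.0.113.9",
     "action": "AttachUserPolicy", "policy": "AdministratorAccess"},
]
HOST_EVENTS = [
    {"time": "2023-05-01T10:03:40Z", "host": "web-01", "ec2_tag": "prod-web",
     "user": "deploy-svc", "process": "/usr/bin/vi", "path": "/etc/sudoers"},
    {"time": "2023-05-01T13:00:00Z", "host": "web-02", "ec2_tag": "prod-web",
     "user": "deploy-svc", "process": "/usr/bin/vi", "path": "/etc/sudoers"},
]
PRIV_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
SENSITIVE_PATHS = {"/etc/sudoers", "/etc/passwd", "/etc/shadow"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(account_events, host_events, window=timedelta(minutes=15)):
    """One enriched alert per sensitive file change that follows a privilege
    change by the same principal within `window`; the lone 13:00 edit on
    web-02 is outside the window and stays a plain host event."""
    alerts = []
    for h in host_events:
        if h["path"] not in SENSITIVE_PATHS:
            continue
        for a in account_events:
            if a["action"] not in PRIV_ACTIONS or a["user"] != h["user"]:
                continue
            gap = _ts(h["time"]) - _ts(a["time"])
            if timedelta(0) <= gap <= window:   # host change after the IAM change
                alerts.append({
                    "who": {"user": h["user"], "process": h["process"],
                            "api_source_ip": a["source_ip"]},
                    "when": {"privilege_change": a["time"], "file_change": h["time"],
                             "gap_seconds": int(gap.total_seconds())},
                    "where": {"host": h["host"], "ec2_tag": h["ec2_tag"],
                              "path": h["path"], "policy": a["policy"]},
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCOUNT_EVENTS, HOST_EVENTS):
        print(alert)
```

The joined alert carries who, when and where from both sources, which is the context a responder needs to decide whether the event warrants immediate action.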

The bottom line is that, with the cloud, you can and should look across all sources of visibility to unearth the context that leads to insight.

Options for Sorting the Wheat From the Chaff

In the webinar, we discuss a few of the options out there when it comes to successfully monitoring and alerting in the cloud.

Built-In Tools

One option is to use the built-in log monitoring and analytics tools that come with the major cloud platforms (AWS, Azure, and Google Cloud Platform). These have limitations, of course, since many organizations run hybrid or multi-cloud environments, and these do not provide full context for all types of events.


You can also build your own security monitoring system, but at the end of the day you want to ask yourself: Do we want to be a secure company, or a security company? If your goal isn’t to be a security company, it may not make sense to build your own. It’s a huge investment of resources, and requires quite a bit of ongoing maintenance. Between tooling and human resources, it can be quite an undertaking, even for a large organization.

Open Source

We’ve written recently about the downsides of investing in open source cloud security tools. While they may look free or cheap at first glance, the reality is that the associated costs often spiral out of control. They can be really tricky to manage successfully in a way that is scalable, especially if your company is growing.

Security Platform

We’ll admit we are biased, but we believe that, for most organizations, investing in a comprehensive intrusion detection platform is the best path forward. Threat Stack takes a comprehensive approach to cloud security by combining continuous security monitoring and risk assessment — this can help protect from external attacks, insider threats, and data loss in real time.

Our cloud security platform goes beyond a single type of infrastructure, point of detection, or threat category — and casts a wide net of detection points across complex infrastructure including cloud, hybrid cloud, multi-cloud, and containerized environments. This approach gives you visibility into threats and the context to know what’s important, all without inhibiting the velocity of your operations team.

If you’re interested in learning more about how Threat Stack’s intrusion detection platform can address your security and compliance requirements, sign up for a demo today.