If Your Cloud Security Is Static, You May Miss Indicators Of Attack

By Sysdig

Over the past few years, hardly a week goes by without another major data breach. In 2020 alone, the top five cyberattacks targeted cloud services and exposed 25 billion-plus personal and privileged information records. Consider the 100 million+ consumer credit applications exposed because of an overly permissive web application firewall (WAF) server. Or when hundreds of millions of social media user records were publicly accessible on an Amazon Web Services (AWS) S3 storage server.

What's notable is that these attacks occurred because seemingly small configuration changes resulted in the potential for massive damage. Yet, cloud environments constantly change, so it's critical that cloud users operate with a security approach that identifies changes that can increase risk and flags unusual activity that could indicate an attack.

You need cloud security, but what does that look like?

Cloud security has typically lagged behind cloud adoption, leaving many organizations without a unified framework to protect data and assets. Many have pieced together point products that address various elements of the cloud stack, but are not integrated. The result: Security teams are blind to cloud threats. The good news is cloud security solutions are maturing, offering more advanced capabilities.

Over time, the idea of comprehensive cloud security evolved to encompass the following areas:

• Access security. These are typically cloud access security brokers (CASB) and secure access service edge (SASE) solutions that manage group or individual access based on generalized categories. Access is not usually defined at a granular level, which means these solutions don't necessarily adapt to changing levels of access needed in a cloud environment.

• Workload security. Cloud workload protection platforms (CWPP) are focused on, well, workloads. For organizations that adopt DevOps methodologies to develop and deploy applications rapidly, workload security is optimized to shift security left with code scanning, image scanning, Infrastructure-as-Code (IaC) scanning and pre-deployment vulnerability management. Additionally, with applications built as containerized microservices, CWPP also focuses on runtime threat detection, network segmentation, detailed user activity audit and incident response for container and cloud workloads.

• Cloud security posture management (CSPM). CSPM tools offer capabilities to handle security, visibility, compliance and risk management of cloud deployments. They integrate directly with cloud management console APIs to obtain configuration data. CSPM tools typically automate incident response, compliance assessment, operational monitoring, risk identification and risk visualization across cloud infrastructures.

• Data security. This is a nascent area. However, given that data is the holy grail for attackers, managing user access to data at a granular level, tracking and restricting data movement and data encryption will need to evolve to address data security in the cloud.

The definition of CSPM needs to change — static is not enough.

Most CSPM tools are adept at periodically scanning cloud resources, checking configurations against an ever-growing number of requirements to determine compliance against cloud best practices and regulations. While useful, it's inadequate. It captures only a snapshot at the moment it's analyzed. Because it's not continuous, it doesn't keep pace with the dynamic nature of the cloud, nor with the increasing aggressiveness of cyberattacks. Further, this approach of scanning periodically focuses on the compliance of each cloud resource, but doesn't correlate security events by looking at real-time cloud activity across an entire cloud account. 

Because the cloud constantly changes, DevOps and security teams need a way to identify risky changes as they occur. To do this, teams need to ensure some type of continuous threat detection so security risks are identified before exposing data or allowing unauthorized users. 

A 2020 Microsoft breach highlights the importance of this type of unified, continuous approach to threat detection. A Microsoft customer database which stored anonymized user analytics inadvertently exposed 250 million entries because an Azure server adopted a configuration change that made it public. A CSPM solution that scans continuously, and that is built for runtime threat detection by parsing cloud log data, could have identified this configuration change immediately and raised an alert.

In addition to continuous scanning, threat detection should be based on recognizing anomalous behavior that can indicate an attack. A CSPM must operationalize the following, at scale, continuously:

• Reduce the risk of attack and meet configuration compliance requirements. 

• Detect breaches, threats, malware and anomalous behaviors at runtime.

• Leverage deep visibility to rapidly investigate and remediate known issues.
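The combination described above, continuous checks on configuration changes plus recognition of anomalous behavior, as an added example that is not code from the article or from Sysdig's products: a Python detector that consumes CloudTrail-style events one at a time instead of scanning resources periodically. The event records, bucket and instance names, the IAM ARN, and the "first activity from a never-seen region" heuristic are all constructed assumptions for the example; real CloudTrail records carry many more fields and the exact `requestParameters` layout varies by service.

```python
"""Continuous detection over a stream of CloudTrail-style events (added example).

Two kinds of finding are produced as each event arrives:
  * risky-config: a change that exposes a resource to the internet
  * anomaly:      an identity acting from a region it has never used before
Event records below are constructed and simplified, not real CloudTrail output.
"""
from collections import defaultdict

PUBLIC_S3_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

ACTOR = {"arn": "arn:aws:iam::111122223333:user/analytics-admin"}  # constructed identity

# Constructed sample stream, in arrival order.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T10:00:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ACTOR, "requestParameters": {}},
    {"eventTime": "2021-03-01T10:05:00Z", "eventName": "PutBucketAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "analytics-export",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"}]}}}},
    {"eventTime": "2021-03-01T10:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": ACTOR,
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                                        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-03-01T10:09:00Z", "eventName": "ModifyDBInstance",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.77",
     "userIdentity": ACTOR,
     "requestParameters": {"dBInstanceIdentifier": "customer-analytics", "publiclyAccessible": True}},
]


def rule_public_bucket_acl(ev):
    """PutBucketAcl that grants access to everyone on the internet."""
    if ev["eventName"] != "PutBucketAcl":
        return None
    params = ev.get("requestParameters", {})
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_S3_GRANTEES:
            return f"bucket {params.get('bucketName', '?')} ACL grants {grant.get('Permission')} to {uri}"
    return None


def rule_world_open_ingress(ev):
    """Security group ingress rule opened to 0.0.0.0/0 or ::/0."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") in ("0.0.0.0/0", "::/0"):
                return (f"security group {params.get('groupId')} opens "
                        f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')} to the world")
    return None


def rule_db_made_public(ev):
    """RDS instance flipped to publicly accessible."""
    if ev["eventName"] != "ModifyDBInstance":
        return None
    params = ev.get("requestParameters", {})
    if params.get("publiclyAccessible") is True:
        return f"RDS instance {params.get('dBInstanceIdentifier')} set publiclyAccessible=true"
    return None


CONFIG_RULES = [rule_public_bucket_acl, rule_world_open_ingress, rule_db_made_public]


class ContinuousDetector:
    """Processes events one at a time; only the per-identity baseline is kept in memory."""

    def __init__(self):
        self.regions_seen = defaultdict(set)  # identity ARN -> regions it has acted from

    def process(self, ev):
        findings = []
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        for rule in CONFIG_RULES:
            msg = rule(ev)
            if msg:
                findings.append({"time": ev["eventTime"], "kind": "risky-config", "actor": actor, "detail": msg})
        # Behavioral check (constructed heuristic): an identity's first event sets its baseline;
        # later activity from a region outside that baseline is reported as anomalous.
        seen = self.regions_seen[actor]
        if seen and ev["awsRegion"] not in seen:
            findings.append({"time": ev["eventTime"], "kind": "anomaly", "actor": actor,
                             "detail": f"activity from new region {ev['awsRegion']} "
                                       f"(source {ev['sourceIPAddress']}); baseline {sorted(seen)}"})
        seen.add(ev["awsRegion"])
        return findings


def run(events=SAMPLE_EVENTS):
    """Feed the stream through one detector and collect every finding in order."""
    detector = ContinuousDetector()
    findings = []
    for ev in events:
        findings.extend(detector.process(ev))
    return findings


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} [{f['kind']}] {f['actor']}: {f['detail']}")
```

Each rule inspects a single event, so a new risky change is flagged the moment its log record arrives rather than at the next scheduled scan; the behavioral check is the piece a pure configuration scanner cannot provide, since it depends on what the identity did before.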

The data exists, but you need to plan.

An effective solution is timely and efficient. Consider how standard native tools are used in AWS: VPC Flow Logs enable IT and security teams to capture data about the traffic moving in and out of a virtual private cloud (VPC). AWS GuardDuty ingests data about activity across a cloud environment and reports on that which looks malicious. CloudTrail provides governance and operational auditing of activity within AWS accounts. 

AWS provides deep data, but the real question is how to make sense of it. A traditional approach is to ingest all logs that contain potentially valuable information into a central repository, and then write detection rules by querying the underlying repository. This is ostensibly the role of traditional security information and event management (SIEM) products. But few customers can afford the cost of aggregating their cloud logs into a SIEM tool, which was not built for cloud environments. Additionally, this approach doesn't flag threats in real time.
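The streaming alternative to batch-loading every log into a central repository, as an added example that is not code from the article or from Sysdig: a small Python module that parses the default 14-field VPC Flow Log format and evaluates two detection rules record by record, keeping only a running egress total in memory. The log lines, the 50 MiB egress threshold and the choice to treat RFC 1918 ranges as "internal" are constructed assumptions for the example.

```python
"""Streaming detection rules over VPC Flow Log records (added example).

Rules evaluated per record as it arrives:
  * an accepted SSH/RDP connection from outside RFC 1918 space to an internal host
  * cumulative bytes from one internal source to one external destination crossing a threshold
The sample lines and the threshold are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log field order (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
EGRESS_BYTES_THRESHOLD = 50 * 1024 * 1024  # constructed threshold: 50 MiB per src->dst pair

# Assumption: RFC 1918 ranges are "internal"; everything else is treated as the internet.
# (ipaddress.is_private is deliberately not used: it also classifies documentation ranges
# such as 203.0.113.0/24 as private, which would hide the sample attacker address.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the default format; the last line is a NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.31 44321 443 6 40 8200 1614592800 1614592860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51234 22 6 12 1800 1614592800 1614592860 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 40001 3389 6 3 180 1614592800 1614592860 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 198.51.100.200 50100 443 6 30000 30000000 1614592860 1614592920 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 198.51.100.200 50101 443 6 30000 30000000 1614592920 1614592980 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1614592980 1614593040 - NODATA
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_record(line):
    """Return a dict for a usable record, or None for malformed/NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no addresses or counters to evaluate
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def rule_admin_port_from_internet(rec):
    """Accepted TCP connection on an admin port from a non-internal source to an internal host."""
    if rec["action"] != "ACCEPT" or rec["protocol"] != 6:
        return None
    if rec["dstport"] in ADMIN_PORTS and not is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"]):
        return f"{ADMIN_PORTS[rec['dstport']]} accepted from internet {rec['srcaddr']} to {rec['dstaddr']}"
    return None


class EgressVolumeRule:
    """Sums accepted bytes per internal-src -> external-dst pair as records arrive; fires once per pair."""

    def __init__(self, threshold=EGRESS_BYTES_THRESHOLD):
        self.threshold = threshold
        self.totals = defaultdict(int)
        self.fired = set()

    def __call__(self, rec):
        if rec["action"] != "ACCEPT" or not is_internal(rec["srcaddr"]) or is_internal(rec["dstaddr"]):
            return None
        key = (rec["srcaddr"], rec["dstaddr"])
        self.totals[key] += rec["bytes"]
        if self.totals[key] >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return f"{key[0]} sent {self.totals[key]} bytes to external {key[1]} (threshold {self.threshold})"
        return None


def detect(log_text, rules=None):
    """Evaluate each record against every rule in arrival order; return findings."""
    rules = rules or [rule_admin_port_from_internet, EgressVolumeRule()]
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow_record(line)
        if rec is None:
            continue
        for rule in rules:
            msg = rule(rec)
            if msg:
                findings.append({"interface": rec["interface_id"], "end": rec["end"], "detail": msg})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['interface']} @{f['end']}: {f['detail']}")
```

The egress rule shows why correlation across records matters: neither 30 MB flow is suspicious on its own, and a per-record check against a stored snapshot would never fire; only the running total over the pair does. Thresholds, port lists and the "internal" definition are the parts a practitioner would tune to their own environment.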

When selecting a CSPM tool, ask vendors if their technologies:

• Can go beyond scanning the configuration of the cloud resources and flagging violations.

• Can identify, analyze, detect and report on activity across an entire cloud account.

• Continuously identify issues as they happen.

Beyond new tools, CISOs need to recognize that secure DevOps requires a shift in roles as well. Cloud configuration security may be managed by the security team, the cloud team or even by the compliance team. Application teams are frequently changing configurations for services. Security teams can work closely with DevOps teams to provide the guardrails, including security policies and best practices. The teams can then implement these policies together using secure DevOps tools to manage risk without slowing down development.