The importance of network data in securing cloud workloads. Network data offer unique insights and the necessary context to ensure transparency and close security gaps in the cloud via network detection and response.
There are many ways to monitor and protect cloud workloads, including third-party agent-based solutions, cloud provider monitoring and logging services, cloud perimeter firewalls, and WAFs. As with everything in life, security technologies have certain advantages and disadvantages, so companies often deploy a variety of security solutions for cloud workloads, depending on their regulatory environment, the desired security situation and their risk tolerance.
Classic security technologies have their limits
Agent-based solutions such as Cloud Workload Protection Platforms (CWPP) and Endpoint Detection and Response (EDR) are great for countering threats. However, deploying them anywhere in a cloud environment can be problematic as they have to be integrated into the DevOps workflow or deployed ad hoc and support multiple operating system platforms and versions. Agents can scan endpoints for malware but only see their own network traffic and have no insight into what other workloads are doing or the environment in which they are running. Determined attackers often disable endpoint security agents or simply sit idle to avoid detection, as was the case with the massive SUNBURST malware attack.
Logging solutions are often available natively from cloud providers and can feed cloud providers or SIEM (Security Information and Event Management) tools from third-party providers. However, it can take valuable time for a SIEM to save and process the logs before generating alerts, and the lack of context of the logs can lead to a high number of false positives. Attackers often disable logging solutions or delete log files in order to thwart detection, investigation and increase dwell time.
CSPM tools fail due to real-time detection
Cloud Security Posture Management (CSPM) tools can discover workloads and determine their security configuration for compliance purposes, but they cannot detect threats or data breaches in real time, examine network traffic, or stop ongoing attacks.
Organizations aware of the shared responsibility model for cloud security know that they must take full responsibility for the security of their cloud workloads. This requires a careful assessment of the visibility and security gaps that their existing cloud security solutions leave behind, and ultimately a decision on what additional security technologies they will need to deploy to fill those gaps.
NDR provides contextual security in workload security
In recent years, Network Detection and Response (NDR) has been widely used in traditional data center environments, primarily to inspect east-west traffic between workloads for threats and anomalies. Now companies running workloads in cloud environments are taking full advantage of its benefits. With ExtraHop Reveal (x) 360 you have a uniform security solution for hybrid, multi-cloud and IoT environments with cloud-native NDR functions (Network Detection and Response).
NDR does not require agents to interfere with DevOps workflows and uses context-rich network data - the fundamental source of truth in both cloud and on-premises data center environments - to generate actionable real-time alerts. NDR provides insight into all network traffic flowing between all workloads, devices and services in the environment at all times.
Since NDR works outside the band, attackers can neither see nor turn it off. It thus offers an always active, invulnerable basis from which SecOps and SOC teams can automatically recognize attacks and attempts at data breaches in real time and react to them. In this way, NDR fills the gaps that other workload security technologies leave.
More at ExtraHop.com
About ExtraHop
ExtraHop is dedicated to helping businesses with security that cannot be undermined, outwitted or compromised. The dynamic cyber defense platform Reveal (x) 360 helps companies to identify complex threats and react to them - before they put the company at risk. We apply cloud-scale AI to petabytes of traffic per day and conduct line rate decryption and behavioral analysis for all infrastructures, workloads and data on the fly. With the complete transparency of ExtraHop, companies can quickly identify malicious behavior, hunt down advanced threats and reliably forensic investigate every incident.