Martin Roesch, CEO, Netography.
As of last year, nearly 90% of organizations have a multicloud environment, according to a Flexera report, and for the second year in a row, managing cloud spend was the top challenge, with security dropping to number two.
Business and security leaders are accustomed to making tough choices, but sometimes you don’t have to choose. With global cyberattacks at peak levels and security still a formidable challenge, there’s a way to close cloud security gaps while managing cloud spend.
How Focused Tools Create Blind Spots
Organizations can choose from a variety of cloud security solutions focused on the applications and workloads themselves. Cloud security posture management (CSPM) checks the configuration of cloud resources against policy and benchmarks. Cloud workload protection platforms (CWPPs) protect the workloads, scanning them for vulnerable software and enforcing access controls and hygiene at runtime, and cloud-native application protection platforms (CNAPPs) bundle the two.
Each cloud provider also offers native tools to monitor activity within its own environment. However, these typically ship with only a few dozen generic "black box" detections whose alerts require substantial triage before you know whether they matter. Visibility is not consistent between providers, much is missed, and it is still difficult to understand how assets and workloads interoperate between clouds.
Since multicloud networks are the norm, we must consider network security across multicloud environments. However, this has lagged for several reasons, including the shared responsibility model and the limits cloud providers place on how legacy network security tools can inspect traffic: there is no SPAN port to plug a sensor into, and packet mirroring, where offered, is narrowly scoped and adds cost.
Back To Basics
Unsurprisingly, we're seeing an explosion of attacks, such as ransomware. If you lack visibility into east-west traffic, traffic between clouds and trust boundary violations, it is difficult to know when ransomware or another threat has gotten past your layers of endpoint defenses and is moving through your multicloud network.
Threat actors don’t have to be particularly stealthy because organizations cannot observe how users, devices, applications and data interoperate within and between clouds.
The irony is that every organization already has access to the data it needs to gain network visibility: the flow logs that all of its cloud providers and on-prem infrastructure can produce. (Flow logging is not on by default in the major clouds, so the first step is to enable it for every VPC, subnet and network interface you care about and to confirm the records are actually landing.) Turning those logs into visibility requires the following steps:
• Aggregating And Normalizing: Bringing your diverse cloud and on-prem flow logs into one manageable location and translating vendor-specific data into a uniform format makes it usable.
• Enriching: Augmenting normalized flow logs with operational context turns data into actionable insights. Context comes from the other tools and platforms in your technology stack. It includes dozens of attributes, like user information, location, asset types and names, vulnerabilities, risk scores and application data.
• Analyzing: Detecting anomalous and malicious activity in potentially tens of thousands of flows per second requires the capacity to analyze a large volume of data and apply policies to identify active threat actors or misconfigurations. Doing so in near real time, before the activity disrupts operations, is what makes the data a control rather than a forensic record.
Now you have a functional fingerprint of the network: which hosts and users cluster into which functional groups, such as finance, product development, HR, sales and executives, and which devices and applications they use, which you can tag as well. This allows you to set up rules and define operational trust boundaries for how these groups may interact with each other, which should be limited and specific.
When you detect violations of these boundaries, you know anomalous activity is happening, which could indicate an active threat actor.
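The three steps above and the trust-boundary check, worked through in code. This is an added example, not the article's or any vendor's code: the log records, the 10.0.0.0/8 address plan, the asset inventory and the policy are constructed for illustration, and the three parsers follow the published field layouts of the AWS VPC Flow Log default (v2) format, the Azure NSG flow log v2 flowTuple and the GCP VPC flow log jsonPayload.

```python
"""Aggregate, normalize, enrich and analyze: flow records from three cloud
providers brought into one schema, tagged with asset groups and checked
against trust-boundary rules. Added example, not the article's or any
vendor's code. Log records, inventory and policy are constructed; the
parsers follow the published AWS VPC Flow Log default (v2) field order,
the Azure NSG flow log v2 flowTuple layout and GCP VPC flow log fields.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

PROTO = {"6": "tcp", "17": "udp", "1": "icmp", "T": "tcp", "U": "udp"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed address plan


@dataclass(frozen=True)
class Flow:
    cloud: str
    ts: int       # flow start as epoch seconds, whatever clock format the provider used
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int   # both directions where the provider reports both


def parse_aws(line: str) -> Flow:
    # version account eni src dst sport dport proto packets bytes start end action status
    f = line.split()
    return Flow("aws", int(f[10]), f[3], f[4], int(f[6]), PROTO.get(f[7], f[7]), int(f[9]))


def parse_azure_tuple(tup: str) -> Flow:
    # time,src,dst,sport,dport,T|U,I|O,A|D,B|C|E,pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s
    f = tup.split(",")
    n = [int(x) if x else 0 for x in f[9:13]]   # counters are empty on flow-begin ("B") records
    return Flow("azure", int(f[0]), f[1], f[2], int(f[4]), PROTO.get(f[5], f[5]), n[1] + n[3])


def parse_gcp(entry: dict) -> Flow:
    p, c = entry["jsonPayload"], entry["jsonPayload"]["connection"]
    ts = int(datetime.fromisoformat(p["start_time"].replace("Z", "+00:00")).timestamp())
    return Flow("gcp", ts, c["src_ip"], c["dest_ip"], int(c["dest_port"]),
                PROTO.get(str(c["protocol"]), str(c["protocol"])), int(p["bytes_sent"]))


# Constructed inventory, prefix -> functional group. In practice this context comes
# from the CMDB, IAM, cloud resource tags and the rest of the stack.
INVENTORY = [(ipaddress.ip_network(p), g) for p, g in [
    ("10.10.0.0/24", "finance"), ("10.20.0.0/24", "hr"), ("10.30.0.0/24", "eng"),
    ("10.100.0.0/24", "finance-db"), ("10.110.0.0/24", "hr-app"), ("10.120.0.0/24", "ci"),
]]
# Trust boundaries: (initiating group, target group, port). Anything not listed is a
# violation; "unknown" is never listed, so gaps in the inventory surface as alerts too.
POLICY = {
    ("finance", "finance-db", 1433), ("hr", "hr-app", 443), ("eng", "ci", 443),
    ("eng", "internet", 443), ("hr-app", "internet", 443),
}


def group_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr not in INTERNAL:
        return "internet"
    return next((g for net, g in INVENTORY if addr in net), "unknown")


def violations(flows):
    """Enrich each flow with its source and destination group, then apply the policy."""
    out = []
    for f in flows:
        key = (group_of(f.src), group_of(f.dst), f.dport)
        if key not in POLICY:
            out.append((f.cloud,) + key)
    return out


# Constructed sample records, each in its provider's native format.
AWS_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.10.0.15 10.100.0.8 50112 1433 6 40 18200 1709545200 1709545260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.20.0.31 10.100.0.8 50113 1433 6 12 3100 1709545201 1709545261 ACCEPT OK",
]
AZURE_TUPLES = [
    "1709545202,10.30.0.7,10.120.0.5,44376,443,T,O,A,E,15,2048,10,8005",
    "1709545203,10.30.0.7,10.110.0.9,44377,443,T,O,A,B,,,,",
]
GCP_ENTRIES = [{"jsonPayload": {
    "connection": {"src_ip": "10.20.0.31", "dest_ip": "10.110.0.9",
                   "src_port": 52000, "dest_port": 443, "protocol": 6},
    "bytes_sent": "4096", "packets_sent": "9",
    "start_time": "2024-03-04T09:00:04Z", "end_time": "2024-03-04T09:00:10Z"}}]


def load_all():
    """Aggregate all three feeds into one time-ordered list of normalized flows."""
    flows = [parse_aws(l) for l in AWS_LINES] + [parse_azure_tuple(t) for t in AZURE_TUPLES]
    flows += [parse_gcp(e) for e in GCP_ENTRIES]
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    for v in violations(load_all()):
        print("trust boundary violation:", v)
```

Two of the five constructed flows violate the policy: an HR workstation reaching the finance database on 1433 (seen in AWS) and an engineering host reaching the HR application (seen in Azure). Note the normalization choices that make that possible: every provider's timestamp becomes epoch seconds, Azure's two byte counters are summed into one field, and protocol numbers and letters collapse to one vocabulary. In a real deployment the inventory would be refreshed continuously from the tools that own it, and the policy would carry port ranges and directionality rather than exact tuples.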
Flow Data In Action
Let’s go back to ransomware as an example.
Ransomware lays the groundwork before it executes and exhibits many behaviors that indicate it is coming. However, you have to be able to detect anomalous activity and behavior to see what is going on as it moves through the various stages of an attack. Otherwise, “once data is encrypted and/or stolen, the costs snowball—as much as 1,000 times higher than if an incident is not detected and contained early.”
Here’s how flow data can be used to help prevent ransomware:
• Reconnaissance: Flow data can alert you to network scanning that shouldn't occur as ransomware looks for new hosts to infect. This can include unauthorized access attempts to restricted segments and unusual communication patterns, such as irregular, repetitive connections that suggest botnet command-and-control traffic.
• Staging: Flow data can detect data exfiltration to internal collection points and the associated trust boundary violations caused by malware pulling data from finance, engineering and HR and moving it around the network and across boundaries in strange ways.
• Execution: Flow data can detect data transfers happening at egress points at unusual rates and times of day, as well as the use of nonstandard protocols and Tor.
• Threat Hunting: Flow data is also valuable retrospectively. You can look back in time to see where else the attacker went and what they did across your hybrid multicloud environment, allowing you to scope, contain and remediate more rapidly and comprehensively.
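The reconnaissance, staging and execution behaviours above, expressed as detections over already-normalized flow records. This is an added example, not the article's or any vendor's detection content: the flow timeline, the 10.0.0.0/8 internal address plan, the window sizes, thresholds, business hours and per-host egress baseline are all constructed for illustration and would be tuned to a real network's traffic profile.

```python
"""Behavioural detections over normalized flow records for the ransomware stages
listed above: reconnaissance (scan fan-out), staging (an internal collection
point) and execution (bulk egress at odd hours, to Tor-style ports).
Added example, not the article's or any vendor's detection content. The flow
records, windows, thresholds, the 10.0.0.0/8 internal plan and the per-host
egress baseline are constructed and would be tuned to a real network.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # start, epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")   # constructed RFC 1918 address plan


def windows(flows, seconds):
    """Bucket flows into fixed time windows keyed by window start."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.ts - f.ts % seconds].append(f)
    return buckets


def detect_recon(flows, seconds=60, min_targets=20):
    """One source touching many distinct internal host:port pairs in one window.
    Real clients talk to a handful of services; a worm-style scan fans out."""
    hits = []
    for start, bucket in windows(flows, seconds).items():
        targets = defaultdict(set)
        for f in bucket:
            if is_internal(f.dst):
                targets[f.src].add((f.dst, f.dport))
        hits += [("recon", start, s, len(t)) for s, t in targets.items() if len(t) >= min_targets]
    return hits


def detect_staging(flows, seconds=3600, min_subnets=3, min_bytes=50_000_000):
    """One internal host pulling bulk data from several internal subnets in one window:
    data from finance, HR and engineering converging on a collection point."""
    hits = []
    for start, bucket in windows(flows, seconds).items():
        subs, total = defaultdict(set), defaultdict(int)
        for f in bucket:
            if is_internal(f.src) and is_internal(f.dst):
                subs[f.dst].add(f.src.rsplit(".", 1)[0])
                total[f.dst] += f.nbytes
        hits += [("staging", start, d, len(s), total[d]) for d, s in subs.items()
                 if len(s) >= min_subnets and total[d] >= min_bytes]
    return hits


TOR_PORTS = {9001, 9030, 9050, 9051}   # default ORPort/DirPort/SOCKS: a hint, not proof
WEB_PORTS = {80, 443}


def detect_exfil(flows, baseline, seconds=3600, factor=5):
    """Egress from an internal host far above its hourly baseline (noted when outside
    08:00-18:00 UTC) or to Tor-style / non-web ports. baseline: bytes per hour per host;
    a host with no baseline counts as zero, so it is always flagged."""
    hits = []
    for start, bucket in windows(flows, seconds).items():
        egress, ports = defaultdict(int), defaultdict(set)
        for f in bucket:
            if is_internal(f.src) and not is_internal(f.dst):
                egress[f.src] += f.nbytes
                if f.dport not in WEB_PORTS:
                    ports[f.src].add(f.dport)
        off_hours = not 8 <= datetime.fromtimestamp(start, timezone.utc).hour < 18
        for src, total in egress.items():
            reasons = []
            if total > factor * baseline.get(src, 0):
                reasons.append("volume off-hours" if off_hours else "volume")
            if ports[src] & TOR_PORTS:
                reasons.append("tor-port")
            elif ports[src]:
                reasons.append("non-web-port")
            if reasons:
                hits.append(("exfil", start, src, total, reasons))
    return hits


def sample_flows():
    """Constructed timeline: a scan from 10.20.0.31, staging onto 10.30.0.50 an hour
    later, then bulk egress from that host to a Tor-style port at 23:00 UTC."""
    t0 = 1709542800   # 2024-03-04 09:00:00 UTC
    flows = [Flow(t0 + i, "10.20.0.31", f"10.10.0.{i}", 445, 120) for i in range(1, 26)]
    flows += [Flow(t0 + 3600 + i, f"10.{sub}.0.{i}", "10.30.0.50", 445, 30_000_000)
              for i, sub in enumerate((10, 20, 40), start=1)]
    flows += [Flow(t0 + 14 * 3600 + i, "10.30.0.50", "203.0.113.9", 9001, 400_000_000)
              for i in range(3)]
    flows.append(Flow(t0 + 120, "10.10.0.5", "203.0.113.20", 443, 2_000_000))   # normal web
    return flows


BASELINE = {"10.30.0.50": 20_000_000, "10.10.0.5": 50_000_000}   # constructed bytes/hour


def run(flows=None):
    flows = sample_flows() if flows is None else flows
    return detect_recon(flows) + detect_staging(flows) + detect_exfil(flows, BASELINE)


if __name__ == "__main__":
    print(*run(), sep="\n")
```

Each stage leaves a distinct shape in the flow data even though no packet payload is ever inspected: fan-out from one host, convergence onto one host, then a burst out of the network. The normal web session in the sample triggers nothing. Two caveats a practitioner would add: the Tor port check is only a hint (real deployments match destinations against relay lists, and Tor bridges use arbitrary ports), and the scan and staging thresholds must be baselined per network, since vulnerability scanners, backup servers and log collectors legitimately produce exactly these shapes and need to be tagged as such before the rules go live.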
However, while flow data is ubiquitous in modern networks, the domain expertise to derive value from it is not. When starting down this path, know the following challenges and internal best practices to smooth your journey:
• No cloud flow log standard exists, so each provider offers its own version of flow logs, with differences in which fields are provided, the format and how quickly records arrive: AWS VPC Flow Logs are space-separated text records with a configurable field list, Azure NSG flow logs are JSON documents carrying comma-separated flow tuples, and GCP VPC flow logs are JSON entries delivered through Cloud Logging, each with its own timestamp format and sampling behavior. Include CloudOps team members with vendor-specific expertise in the normalization process.
• SecOps teams have relied on deep packet inspection (DPI) for years but have not developed deep expertise in creating flow data detection rules. You may have to rely on vendor-supplied detections and no/low-code ways to build your own to help bring that capability in-house.
When it comes to defending multicloud networks or managing cloud spend, security and business leaders are in the enviable position of not having to choose. By understanding how to capture insights from the data you already have and being able to do that across every cloud instead of piecemeal, you can do both.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.