Cloud Workload Security: The Importance of Network Data

Cloud workloads, deployed into highly dynamic environments, typically use and coexist with a wide range of cloud providers and third-party platforms and services. The workloads themselves can be built for cloud platforms, consist of serverless applications, or be designed for on-premises data centers and later migrated to the cloud. Workloads might run unchanged for weeks or months, or only exist for a few seconds.

Under the shared responsibility model of cloud security, organizations must own the security of their cloud workloads, but because of their complex ephemeral nature, they can be difficult to secure with existing tools. Cloud workload security entails a careful evaluation of the visibility and security gaps left by their existing cloud security solutions, and ultimately a strategic decision about which additional security technologies are needed to fill those gaps.

Securing and Protecting Cloud Workloads

There are many ways to monitor and protect cloud workloads, and like most things in life, most cloud security technology comes with both advantages and a list of drawbacks. To cover their bases, organizations tend to deploy a variety of cloud workload security solutions depending on their regulatory environment, desired security posture, and aversion to risk. These include agent-based, third-party solutions, cloud provider monitoring and logging services, cloud perimeter firewalls, and WAFs.

Common Security Technologies in the Cloud

Agent-based solutions, such as cloud workload protection platforms (CWPP) and endpoint detection and response (EDR) excel at threat prevention. However, these tools require integration into the DevOps workflow or ad hoc deployment. They also must support multiple OS platforms and versions. This all makes them problematic to deploy everywhere in a cloud environment, and they lack key visibility. Agents can scan endpoints for malware, but can only see their own ingress/egress network traffic. They also have no visibility into the activities of other workloads or the environment in which they’re running. What’s more, a determined attacker can disable endpoint security agents or simply go dormant in their presence to avoid discovery, as we saw in the massive SUNBURST malware attack.

Logging solutions, available natively from cloud providers, can feed cloud-provider or third-party security information and event management (SIEM) tools. However, it can take precious time for a SIEM to store and process logs before generating alerts, and the lack of context provided with logs can result in high false positives.

Cloud workloads are highly dynamic. Because of this, organizations who rely only on SIEM may still miss out on much of the cloud’s east-west traffic. Like endpoint solutions, attackers also can (and do) disable logging solutions. They also can and do delete log files to thwart discovery and investigation, leading to increased dwell time.

Cloud security posture management (CSPM) tools can offer more coverage by discovering workloads and determining their security configuration for compliance purposes. This is a start. Unfortunately their reach is limited: They can’t discover threats or data breaches in real time, examine network traffic, or stop an attack in progress. For that you need network detection and response (NDR) in the cloud.

Evaluating Tools to Fill the Gaps

To fill gaps and secure the cloud, NDR provides context-rich security. Over the past several years, NDR has seen widespread deployment in traditional on-premises data center environments, primarily to inspect east-west traffic flowing between workloads for threats and anomalies. Now its benefits are being fully realized by organizations running workloads in cloud environments as well.

NDR is effective in the cloud because it requires no agents to add friction to DevOps workflows and uses context-rich network data—the ground source of truth in both cloud and on-premises data center environments—to produce real-time, actionable alerts. NDR offers visibility into any and all network traffic that flows between workloads, devices, and services in the environment.

Since it operates out of band, NDR cannot be seen or disabled by attackers. This provides an always on, unassailable perch from which SecOps and SOC teams can automatically discover and respond to attacks and data breach attempts in real-time. In this way, NDR fills the gaps that other workload security technologies leave behind.

Securing any Environment with Cloud-Native NDR

By choosing a SaaS-based, cloud native NDR security solution, organizations can monitor and protect cloud workloads in AWS, Azure, and Google Cloud environments. A solution that integrates with cloud-native packet mirroring services gives you agentless real-time visibility into network traffic flowing to and from workloads and compute instances. This results in security benefits including discovery, investigation, and response to both known and unknown threats and attacks.

Cloud-native NDR solutions apply advanced machine learning and behavioral analysis to network metadata, allowing them to accurately identify anomalous behavior associated with attacks, data breach attempts, and malware. Once threats are discovered, these machine-learning based solutions can alert security administrators for remediation, or integrate with SOAR solutions for auto-remediation.

The result is stronger security posture and minimized risk for organizations running workloads in cloud environments. Because SaaS-based NDR can also support on-premises data center environments, security teams are set to gain a single console for workload security across hybrid and multicloud environments.