Cyber Risk Resilience Requires Cloud Visibility
Whether your IT infrastructure is all cloud, all physical, or a hybrid mixture, it is constantly being probed and tested by cybercriminals. They are looking for known Common Vulnerabilities and Exposures (CVEs) so they can use off-the-shelf attacks. They are also probing to find new vulnerabilities that they exploit and share on the dark web before those vulnerabilities are published as CVEs.
Criminals primarily commit fraud and extortion, and steal and sell sensitive and valuable data and personal identities. They also compromise and disrupt organizations by degrading or stopping IT operations until a ransom is paid. Risks also include acts of cyberterrorism and cyberwarfare that affect many. The consequences for individuals, organizations, critical infrastructure, and global supply chains are severe.
Organizations must do everything possible to counter this disturbing trend driven by a growing number of attackers. You must never let your guard down! You should also never compromise on your security measures, especially foundational network visibility, a vital element of your overall cloud visibility that drives detection, response, security evidence, and forensic analysis.
The Cloud Is Where the Money Is
As the saying goes, people rob banks because that is where the money is. The same applies to the cloud: cybercriminals attack data and workloads hosted in the cloud because that is where the money is. Two IT trends are clear: increasing use of cloud platforms, and omnipresent cyberattacks that target data and workloads hosted in the cloud.
Cloud infrastructure, and the people who use and administer it, are increasingly targeted and exploited by cybercriminals who are deliberately honing skills specific to attacking cloud-hosted data and workloads.
Cybercrime is industrialized, which means criminals have many resources at their disposal, including funding, tooling, know-how, and support services. They prey on known vulnerabilities (CVEs) and on dynamic and static visibility gaps. They also discover and exploit other weaknesses revealed through reconnaissance, which has become a commonly used pre-attack tactic, technique, and procedure (TTP).
It is not a matter of if criminals will attack, but when, how, and how often. The real question is how resilient an organization and its IT infrastructure are to attack: can they maintain operational continuity and contain the chaos, losses, and other detrimental consequences for the entire duration of a breach?
It is tempting to believe your cloud environment (e.g., your Virtual Private Cloud or VPC) is inherently secure because cloud providers have a strong security posture. Because cloud infrastructure offloads so much burden from the IT team, this false sense of security is easy to overestimate.
In some ways, public cloud infrastructure is inherently more secure than privately operated data centers, and in other ways, it is not. Regardless of who operates a data center, what is consistent is the responsibility to secure access and data, and that responsibility always rests with the organization using the infrastructure.
This is why public cloud security uses a shared responsibility model, under which the provider covers physical security. Natively provided cloud security services, if used correctly, add resilience against DoS attacks. Additional security services such as firewalls, Network Detection and Response (NDR), and SIEM tuned for cloud environments are also available. However, it is up to each organization to use these services together with IAM and to maintain the policies that keep pace with an expanding attack surface, so that prevention and detection remain continuous.
Cyberthreat readiness, hygiene, and resilience are your responsibilities. Underestimating the threat or being unprepared will result in adverse consequences.
Exploiting cloud vulnerabilities resulted in one of the most widespread and problematic supply chain cyberattacks ever when cybercriminals hid malware in SolarWinds software updates distributed to its customers.
Threat actors use many methods to compromise a VPC, including phishing, brute-force credential guessing, trojans, SQL injection, XML wrapping, etc. Preventing these is partially or fully your organization’s responsibility. Rogue users, invalid access to and use of data and resources, lax policies and security measures, and failing to keep up with an elastic environment whose attack surface constantly expands are all exploitable weaknesses.
Data hosted in cloud repositories can be heavily secured by encryption and tight access control, or neglected and carelessly left open. Improperly secured infrastructure and data is a problem no matter where the infrastructure and data reside. Too many extortion attacks succeed by exploiting open access to data.
It is a fundamental necessity to be able to see what is in your cloud infrastructure in order to maximize your organization’s resilience during and after an attack. This is especially true for anomalous and suspicious activity, as well as outright malicious activity. Visibility must be paramount, and it must therefore be thoughtfully designed in, not patched on as an afterthought, so you can quickly see:
- Vulnerabilities, including new and expanding attack surfaces
- Malware and other rogue software
- Indicators of Compromise (IoCs)
Being resilient to cyber and performance risks and being operationally and cost-efficient requires ubiquitous and extensible network visibility, a vital element of your cloud visibility. Attacks execute at machine speed, so your defenses driven by visibility must keep up. To defend against cyber risks, you must have clear and constant real-time visibility into:
- Connections – who and what devices are accessing your network and IT resources
- Conversations – Command-and-control and other suspicious conversations must be detected and analyzed
- Lateral movement, data exfiltration, and other Indicators of Compromise
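The three detections the list above calls for, worked as an added example that is not part of the original post or of any cPacket product: simple logic run over constructed flow-log-style records (the record layout, the 10.0.0.0/8 internal range, the thresholds, and the admin-port list are all assumptions), flagging bulk outbound transfers, regularly timed outbound check-ins, and one host fanning out to many internal peers on remote-administration ports.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev
INTERNAL = ip_network("10.0.0.0/8")  # assumed private range for this example

# Constructed records (not real logs), loosely modelled on cloud VPC flow logs:
# <epoch_seconds> <vpc_id> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_LOG = """\
1700000000 vpc-a 10.0.1.5 203.0.113.9 443 512
1700000060 vpc-a 10.0.1.5 203.0.113.9 443 520
1700000120 vpc-a 10.0.1.5 203.0.113.9 443 498
1700000010 vpc-b 10.0.2.7 198.51.100.4 443 900000000
1700000020 vpc-b 10.0.2.7 10.0.2.10 22 2000
1700000021 vpc-b 10.0.2.7 10.0.2.11 22 2100
1700000022 vpc-b 10.0.2.7 10.0.2.12 22 1900
1700000030 vpc-a 10.0.1.9 198.51.100.8 443 4096
"""

def parse(text):
    """Typed records; keeping vpc_id makes findings attributable across VPCs and AZs."""
    return [dict(ts=int(t), vpc=v, src=s, dst=d, port=int(p), bytes=int(b))
            for t, v, s, d, p, b in (line.split() for line in text.splitlines())]

def internal(ip):
    return ip_address(ip) in INTERNAL

def find_exfiltration(flows, threshold=500_000_000):
    """Internal -> external pairs whose total outbound bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if internal(f["src"]) and not internal(f["dst"]):
            totals[(f["vpc"], f["src"], f["dst"])] += f["bytes"]
    return sorted(k for k, v in totals.items() if v > threshold)

def find_beacons(flows, min_count=3, max_jitter=5.0):
    """Outbound connections repeating at a near-constant interval (C2-style check-ins)."""
    times = defaultdict(list)
    for f in flows:
        if internal(f["src"]) and not internal(f["dst"]):
            times[(f["src"], f["dst"], f["port"])].append(f["ts"])  # arrival order
    return sorted(k for k, ts in times.items() if len(ts) >= min_count
                  and pstdev([b - a for a, b in zip(ts, ts[1:])]) <= max_jitter)

def find_lateral_fanout(flows, min_targets=3, admin_ports=(22, 3389, 445)):
    """One internal host opening remote-admin sessions to many internal peers."""
    peers = defaultdict(set)
    for f in flows:
        if internal(f["src"]) and internal(f["dst"]) and f["port"] in admin_ports:
            peers[(f["vpc"], f["src"])].add(f["dst"])
    return sorted(k for k, v in peers.items() if len(v) >= min_targets)
```

The thresholds are deliberately loose so the constructed sample triggers each rule; in practice they are tuned per VPC against a baseline of normal traffic.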
To help their customers secure their environments and data, cloud providers add visibility and security services such as NDR and SIEM to their platforms. Packet and traffic mirroring services as part of some public cloud infrastructure provide the foundational and necessary visibility to drive these security measures (and help manage performance).
These native services are indeed helpful but are insufficient for a truly robust cybersecurity posture. Depending on your environment, they can be costly and challenging to manage. Data from other sources and a myriad of security-centric analytics are required to detect malware, breaches, and attacks in progress, all of which add to the challenge of managing multiple data streams.
Assuring cyber risk resilience also requires analyzing stored historical data, so using packet capture to collect and store network packets is another challenge, especially if your cloud infrastructure spans multiple VPCs and Availability Zones. Your visibility fabric should therefore also be able to orchestrate and manage multiple distributed packet capture and storage nodes uniformly.
If your infrastructure is multi-cloud or hybrid, your visibility fabric must scale seamlessly across that environment to provide holistic visibility, managed through a single fabric manager.
Software-defined networks and data centers, containers, cloud automation, and other platform components create silos and blur the responsibilities between NetOps, AppOps, DevOps, SecOps, InfoSec, and SRE. Data silos are common and counterproductive. Given the breadth of responsibilities and roles within the IT team, visibility (and its corresponding data) must be democratized so that all stakeholders and their tools have access to the visibility data they need to do their jobs effectively. Role-based access can be used to control access to sensitive data and interactions. NetOps must therefore extend its visibility to the rest of the IT team and accommodate the additional visibility requirements of other IT teams.
However, doing so can be a challenge given the velocity, volume, and distributed sources of network packet data. A unified visibility fabric that scales seamlessly across any infrastructure and network, providing homogeneous visibility with holistic management, is the ideal solution because it does not introduce an additional management burden.
Your visibility fabric must therefore provide seamless, homogeneous visibility into:
- All VPCs in all Clouds (e.g., multi-cloud if you use more than one cloud)
- All Availability Zones
- Hybrid combinations of cloud and physical infrastructure
And, reiterating a previous point, that visibility must be available to all teams and stakeholders within the IT organization, and to external stakeholders such as managed security providers and third-party vulnerability and penetration testers.
Focus on Visibility and Security Increases Resilience
I will wrap up this two-part discussion with an old saying: “an ounce of prevention is worth a pound of cure.” Prevention does not mean band-aid approaches, which are often a patch rather than a robust long-term solution.
Visibility and security require the same focused attention as the three standard IT infrastructure components (compute, storage, network), because they are intertwined with them and must interoperate and scale together. Visibility and security must not be an afterthought; instead, you must treat them as necessary, integral IT infrastructure components. Give them focused attention and carefully instrument your network for comprehensive visibility, so that it supports a multi-layered security strategy and your ability to keep performance at optimal levels. The quality of your security posture, end-user experience, and operational technology all depend on visibility, so the visibility itself must be high-quality.
Planning ahead and proactively addressing the need for tightly integrated visibility into your network and infrastructure will yield a better result than a patchwork, especially if the patchwork is implemented hastily after an unplanned and undesired event.
You need to identify and eliminate vulnerabilities before attackers exploit them. You need to see what is in your infrastructure and network and what is happening there. And you need security evidence for forensic analysis and regulatory compliance. These are all table stakes. You also need to put these capabilities in place and scale them as your infrastructure, network, and other dynamics change, without inadvertently introducing new vulnerabilities.
Therefore, you need a ubiquitous visibility fabric that scales to accommodate elasticity and increased connections, traffic, ports, and incremental additions to your infrastructure and network. Your security measures should always be uninterrupted and at full strength, including in environments used for testing, evaluation, and pre-production staging.
An excellent first step is to create a plan that includes assessing your current situation and how your IT infrastructure is likely to evolve. Planning your visibility and security strategy before developing cloud-hosted apps and services and migrating to the cloud is wise. Your planning must account for current and planned cloud and hybrid infrastructure: the number and locations of data centers, including the growth of public cloud VPCs and Availability Zones. All IT and OT system connections must be discovered and monitored, which requires discovering all dependencies (intentional and unintentional) so you can identify specific vantage points to monitor. Once that is done, the SecOps and InfoSec teams, aided by their analytics and tools, have the visibility to detect and respond to malicious activity anywhere in your infrastructure.
Going back to the title, “Your Cloud Security Is Constantly Being Tested,” it is also recommended that you self-test your security measures, including identifying visibility gaps. You should therefore use vulnerability and penetration assessment tools and certified third-party services.
At cPacket Networks, we understand network visibility and its necessity. Our portfolio includes the cCloud® Visibility Suite, which consists of elastic virtualized appliances for brokering, capturing, and analyzing network traffic in the cloud.
Also note that the return on investment for cloud visibility extends beyond resilience to cyber risks; it is also foundational for effective performance management, which assures exceptional end-user experiences and ensures that the benefits of operational technology are realized.