Killing Cloud Security Misconceptions Part 2: Cloud Workload Protection

Or Azarzar
Tuesday, Feb 23rd, 2021

As organizations accelerate their move to the cloud, it’s no surprise that many CISOs want to stick with what they know when it comes to security. On-premises, traditional best practices dictate that every endpoint or server needs to have its own endpoint protection, which is why anti-virus software on our machines is usually a top priority. However, lifting and shifting this approach to the cloud just doesn’t work. Let’s dive deeper.

New Cloud Environments Have Changing Security Needs

Think about the legacy firewall approach on-premises, where a perimeter-based firewall around the network was seen as sufficient to keep attackers at bay. Today, it’s well established that the idea of the traditional perimeter is dead, and that hybrid and complex IT environments can no longer be protected using a North-South perimeter approach. After all, the vast majority of traffic is already inside the network, East-West. The next logical step was therefore endpoint protection, where each machine or server had its own protections in place. Even if an attacker could enter the network (and assuming they already have access is now best practice under a zero-trust model), critical assets were kept under lock and key.

However, in our hybrid and multi-cloud environment, security solutions need to evolve past a reliance on endpoint protection, too. On the cloud, endpoint protection technologies like EDR are comparable to workload protection, where Cloud Workload Protection Platforms (CWPP) use signature-based detection and anomalous behaviors to identify suspicious activity. By design, this is only effective as a security measure once attackers are inside the network.

The Cat and Mouse Game of CWPP

Seeing as so many organizations are putting their security in the hands of this kind of workload protection, let’s put CWPP under the microscope. As everything that we do as security professionals is intended to keep the attacker at bay, it makes sense to do this while thinking about the psychology of the people behind today’s cyber-attacks – the attackers themselves.

Any hacker goes through something called the kill chain, which starts with reconnaissance and proceeds through various stages, from weaponization and delivery to exploitation, until they achieve their objective. From the outside looking in, we see a single path that an attacker takes to succeed in their campaign, without focusing on the one thing that can make all the difference – the time and effort that goes into the attack.

Today, even when cyber warfare is an almost daily occurrence, there is still a limit on the time and resources that attackers can put into each campaign. That’s why we see malware being reused in different campaigns over time, and it’s why even sophisticated attack patterns are often based on long-known signatures and threats. There is one obvious insight we can take from this. We clearly want to make it more time consuming and difficult for an attacker to make it to their final objective, namely the data or critical assets they are looking to reach.

Now let’s consider whether the CWPP approach works towards that goal. We can compare it to a security guard and a guard dog walking around the base of a mountain with a flashlight. The mountain contains everything they want to protect. The guard is listening out for sounds of a trespasser, looking for any signs of movement, while the dog uses his sense of smell to warn against anything out of the ordinary. However, the mountain itself is not that high or strong, and the guard and the dog can only be at one point at any one time. On top of that, they may have a list of what they would call unusual behavior, but they can only protect against their existing schema, which is limited to what they have already seen in the past.

This is exactly what CWPP does, by scanning the network for known attack signatures, looking over audit and event logs, and processing traffic and activity. In return, attackers know exactly what security professionals are looking out for, and can evade this process by changing even a minute part of a known threat, down to a single hash or checksum, or by simply finding a vulnerability in the workload protection.

Below you can see a short list of the ways that attackers evade detection from CWPP or EDR tools. While these are just search terms, you can even find 326,000 results for ready-made tools on Github that allow attackers to bypass signature-based workload or endpoint protection.

defense evasion via masquerading

The New Cloud Security Posture Management: Contextual Cloud Security to Break the Cycle

In contrast, CSPM tools take a proactive approach to cloud security. Instead of looking for known attack patterns and protecting against those, Cloud Security Posture Management uses techniques such as configuration hardening, which make the mountain you’re protecting harder to climb in the first place. Rather than wait for an attacker to enter the network, CSPM shows you where an attacker is likely to break in, so that you can shore up your defenses ahead of time. Your mountain becomes far too much effort to climb, and the attacker takes his limited resources elsewhere.

This is why IBM puts configuration hardening among the top three items for CISOs to spend their money on when securing the cloud. Configuration hardening isn’t based on signatures, anomalies, or profiles. It’s a process where your security teams will be able to look at the entire configuration of your environment, in a single view. From there, they can uncover any threat, from dangerous defaults, to cleartext credentials, risky network configurations or vulnerabilities, unsafe permissions, and more.

When implemented intelligently and with visualization at its core, you can then detect the exact path that an attacker might take to your crown jewel applications or data, allowing you to harden exactly where and how it’s needed, ahead of time. I’ve seen myself that this approach can help you to close 80% of infrastructure issues with minimal effort.
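To make the posture-management idea concrete, here is an added example (not code from the original post or from any CSPM product) that walks a small, constructed cloud inventory once, flags the three classes of finding the section names (risky network rules, cleartext credentials, unsafe permissions), and then chains them into the kind of attack path the text describes: an internet-exposed instance whose role can reach a data bucket. The inventory shape, field names and rule thresholds are all assumptions.

```python
import re
# Constructed inventory (assumed shape, not real data): one internet-facing VM with an over-privileged role.
INVENTORY = {
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}],
        "sg-db": [{"port": 5432, "cidr": "10.0.0.0/8"}],
    },
    "instances": [
        {"id": "web-1", "sg": "sg-web", "role": "role-web",
         "env": {"DB_PASSWORD": "hunter2", "REGION": "us-east-1"}},
        {"id": "db-1", "sg": "sg-db", "role": None, "env": {}},
    ],
    "roles": {"role-web": [{"action": "s3:*", "resource": "*"}]},
    "buckets": ["customer-data"],
}
ADMIN_PORTS = {22, 3389}                              # assumed list of admin ports
SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN)$", re.I)   # assumed secret-name pattern

def open_admin_ports(rules):
    """Risky network config: an admin port reachable from the whole internet."""
    return [r["port"] for r in rules if r["cidr"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS]

def cleartext_secrets(env):
    """Cleartext credentials: secret-looking names stored as plain environment variables."""
    return sorted(k for k in env if SECRET_KEY.search(k))

def wildcard_permissions(statements):
    """Unsafe permissions: a wildcard action granted on every resource."""
    return [s for s in statements if s["action"].endswith("*") and s["resource"] == "*"]

def posture_report(inv):
    """Walk the entire configuration once; return (category, resource, detail) findings."""
    findings = []
    for sg, rules in inv["security_groups"].items():
        findings += [("risky_network", sg, f"port {p} open to 0.0.0.0/0") for p in open_admin_ports(rules)]
    for inst in inv["instances"]:
        findings += [("cleartext_credential", inst["id"], k) for k in cleartext_secrets(inst["env"])]
    for role, stmts in inv["roles"].items():
        findings += [("unsafe_permission", role, s["action"] + " on *") for s in wildcard_permissions(stmts)]
    return findings

def attack_paths(inv):
    """Chain findings into a path: internet-exposed instance -> wildcard role -> data bucket."""
    paths = []
    for inst in inv["instances"]:
        exposed = any(r["cidr"] == "0.0.0.0/0" for r in inv["security_groups"][inst["sg"]])
        if exposed and wildcard_permissions(inv["roles"].get(inst["role"], [])):
            paths += [(inst["id"], inst["role"], b) for b in inv["buckets"]]
    return paths
```

Calling `posture_report(INVENTORY)` lists the individual misconfigurations, while `attack_paths(INVENTORY)` shows which of them combine into a route to the data; fixing any one link (closing port 22, scoping the role) removes the path.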

Moving to a Proactive Approach to Cloud Security

Looking back at the IBM study, researchers also found that the average time it takes to identify and contain a breach is 279 days. This is the promise of CWPP tools that use anomaly detection and signatures. When we make CWPP our priority, we’re sending a clear message to the hackers. We’re saying, “You have plenty of time to play inside our network” and “We’re willing to continue engaging in this endless cat and mouse game where we always seem to be 2 steps behind.”

In today’s complex cloud landscape, wait-and-see is not an effective strategy. CISOs need to be more efficient about how they protect their organizations, focusing on pre-emptive and proactive measures that harden security ahead of time, rather than relying on those that simply react to known attack patterns once it’s already too late.

Start with CSPM tools that provide a full view of your infrastructure, and you’ll be able to uncover the routes that attackers could take to your critical assets and data and shore these pathways up via configuration hardening.

Now, even while assuming access to the network, you’re making it exponentially harder for hackers to take that next step, or to reach anything of value. This sends a clear message to the attackers. “Move on, you won’t find opponents for cat and mouse under this roof.”

Panoptica provides the tools to continuously visualize, detect and block any dangerous attack path in your cloud environment. This changes your point of view from that of a security team protecting single workloads, to that of the attacker, looking at the whole picture. Only with this view can you truly move from reactive to proactive mode, allowing you to harden each and every element of your configuration against today’s level of threat.
