“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge” – Bruce Schneier
Cybersecurity in a multi-cloud environment has become more challenging than ever. Cloud-native technologies have added to the prevailing complexities. Threats, such as account takeover, defacement, and doxing, are still very relevant. In the recent Security trends by Industry for BFSI published in State of Cybersecurity Report 2020, 74% said a bad cyber event causes damage to brand reputation. In Healthcare & Life sciences, 71% said that a breach related to a peer/competitor is the reason for an increase in budget allocation, and 44% agreed that security orchestration and automation is a top priority. According to Gartner, “Too often, container workloads are deployed without adequate runtime protection.” This article discusses what it takes to propel threat hunting and response in a multi-cloud environment.
Multi-cloud makes it complex
Security in the Cloud is the responsibility of the customer as per the shared responsibility model. For example, Cloud customers are responsible for controlling access, logging, and monitoring all customer-deployed instances in the Cloud and retaining an audit trail for a specified duration to meet regulatory requirements. These logs must be immediately available for analysis.
In a cloud-native environment, native Kubernetes logs are not persistent. When a pod is restarted, logs and the archives associated with that pod are lost. If a pod is deleted from the node, all corresponding containers and their logs are also deleted. Unless a central log management system is maintained, all the logs are lost.
Even when a container security tool is used, events of interest from multiple clouds must be federated to a centralized data lake for analysis, detection, and response.
Hundreds and thousands of terabytes of enterprise security telemetry are generated on an ongoing basis in an enterprise. For example, an endpoint detection and response tool generates more than 30 megabytes of data per endpoint per day. This multiplied by the number of endpoint devices in an organization makes it an immense volume of data. Additionally, the data from firewalls, authentication sources, flow-logs from multiple-clouds, DNS, DHCP, traffic management, proxy, and several other tools are pumped into the data lake. Identifying threats and proactively hunting at top speed from this massive volume of data is like winning a race.
Modus operandi of the adversary
Dark Web 201 provides a glimpse of the culture, operating principles, and types of markets in the adversary community. A good understanding of their modus operandi helps design a proactive security strategy and stay ahead continuously. Per the #SOCR, the consumer industry’s security trends show 70% of respondents participate in cyberattack simulation exercises coordinated by a third-party service provider.
Modern tools for faster detection, hunting, and response
The maximum capacity of the appliance and the speed of detection have been the bottlenecks of the past decade. This paradigm has changed completely with virtually infinite capacity and search speeds increasing by a few hundred times. The toolset used for this purpose should be scalable, flexible enough to accommodate new rules, and aligned to an industry-standard framework, such as MITRE ATT&CK. The tactics and techniques in the MITRE ATT&CK® Matrix for Enterprise include techniques specific to the major Cloud providers. Out-of-the-box playbook tasks must be complemented with further workflows explicitly tailored to the environment’s needs.
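The two points above, federating events from several clouds into one place (see the earlier paragraph on a centralized data lake) and keeping detection rules aligned to MITRE ATT&CK, can be shown together in a small worked example. The code below is an added illustration, not the article’s own tooling or any vendor’s product. The sample events are constructed for this example; their field layout approximates AWS CloudTrail and GCP Cloud Audit Logs but is an assumption, as are the normalized schema, the rule names and the threshold for the stateful rule. The ATT&CK technique IDs are real sub-techniques from the Enterprise matrix, but which cloud API calls each rule watches is this example’s own choice, and a production ruleset would be far broader.

```python
"""Federate multi-cloud audit events into one schema and run ATT&CK-tagged rules.

Added example for this article; constructed sample data, not real telemetry.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample events (assumed shapes, loosely modelled on CloudTrail and
# GCP Cloud Audit Logs). IPs are documentation ranges, the account ID is fake.
AWS_EVENTS = [
    {"eventTime": "2020-06-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-06-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-06-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
GCP_EVENTS = [
    {"timestamp": "2020-06-01T10:02:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "192.0.2.44"}}},
]


def normalize_aws(ev: dict) -> dict:
    """Map a CloudTrail-style record onto the common schema (assumed field names)."""
    service = ev["eventSource"].split(".")[0]          # "iam.amazonaws.com" -> "iam"
    return {"cloud": "aws", "time": ev["eventTime"],
            "actor": ev["userIdentity"]["arn"],
            "action": f"{service}:{ev['eventName']}",   # e.g. "iam:CreateUser"
            "src_ip": ev["sourceIPAddress"]}


def normalize_gcp(ev: dict) -> dict:
    """Map a GCP audit-log-style record onto the same schema (assumed field names)."""
    payload = ev["protoPayload"]
    parts = payload["methodName"].split(".")            # google.iam.admin.v1.X
    return {"cloud": "gcp", "time": ev["timestamp"],
            "actor": payload["authenticationInfo"]["principalEmail"],
            "action": f"{parts[1]}:{parts[-1]}",        # e.g. "iam:CreateServiceAccountKey"
            "src_ip": payload["requestMetadata"]["callerIp"]}


def federate(aws: List[dict], gcp: List[dict]) -> List[dict]:
    """Merge both clouds into one time-ordered stream (ISO-8601 sorts lexically)."""
    events = [normalize_aws(e) for e in aws] + [normalize_gcp(e) for e in gcp]
    return sorted(events, key=lambda e: e["time"])


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                    # MITRE ATT&CK technique ID the rule maps to
    match: Callable[[dict], bool]     # stateless predicate over a normalized event


# Because both clouds share one schema, a single rule covers analogous API calls.
RULES = [
    Rule("Cloud audit logging disabled", "T1562.008",
         lambda e: e["action"] in {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"}),
    Rule("Cloud account created", "T1136.003",
         lambda e: e["action"] in {"iam:CreateUser", "iam:CreateServiceAccount"}),
    Rule("Additional cloud credential issued", "T1098.001",
         lambda e: e["action"] in {"iam:CreateAccessKey", "iam:CreateServiceAccountKey"}),
]


def run_rules(events: List[dict], rules=RULES, max_ips: int = 1) -> List[dict]:
    """Return one finding per rule hit, tagged with its ATT&CK technique.

    Also applies one stateful rule: an actor seen from more than `max_ips`
    distinct source addresses (threshold is an assumption for the example).
    """
    findings: List[dict] = []
    ips_by_actor: Dict[str, Set[str]] = {}
    for e in events:
        for r in rules:
            if r.match(e):
                findings.append({"rule": r.name, "technique": r.technique, **e})
        seen = ips_by_actor.setdefault(e["actor"], set())
        seen.add(e["src_ip"])
        if len(seen) == max_ips + 1:  # fire once, when the threshold is first crossed
            findings.append({"rule": "Actor active from multiple source IPs",
                             "technique": "T1078.004", **e})
    return findings


if __name__ == "__main__":
    for finding in run_rules(federate(AWS_EVENTS, GCP_EVENTS)):
        print(json.dumps(finding))
```

Run as a script it prints four findings: the CloudTrail stop, the IAM user creation and the GCP service-account key are each matched by a stateless rule, and the third event for `alice` trips the source-IP rule because she is now seen from two addresses. Adding a new rule is a one-line append to `RULES`, and onboarding a third cloud only requires another `normalize_*` function, which is the flexibility the paragraph above asks of the toolset.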
Multi-skilled teams take the chequered flag
The proliferation and sophistication of easily accessible tools and techniques make the circuit wet and foggy. It may not be pragmatic to master all the features of cyber-tools available in the public repositories.
The skills required for detection, tuning, malware analysis, honeypots and deception, identifying indicators of compromise, application security, proactive hunting, and cloud security, although inter-related, are discrete.
Offensive cyber capabilities are highly technical, and building these skills, although time-consuming, is crucial. Rome wasn’t built in a day either.
The ability to identify a threat quickly, drive to explore new tools, exposure to the security world, a willingness to wear different hats, and leveraging AI to make informed decisions, are essential skills. Access to a multi-cloud lab environment where the functionality of these restricted (potentially harmful if uncontrolled) tools could be mastered helps the team stay ahead of the contender consistently. This will also help expand the depth and breadth of the team’s cloud and cybersecurity expertise, enabling them to contribute to the larger cyber community and take the chequered flag.