As we detailed in an earlier post, Internal Data Center Traffic: An Enterprise Security Blindspot, security teams find themselves in increasingly more complex environments to defend. In that post, we focused on how organizations should secure the traffic in their data centers.
In this installment, we’ll tackle the rest of the environment: specifically, how organizations should be thinking when it comes to securing their network traffic in hybrid and multi-cloud environments.
These architectures aren't going away anytime soon. According to research from Market and Markets, the multi-cloud management market is expected to grow to $4.5 billion this year, up from $1.2 billion in 2017. According to the firm, what's driving that spending is the need for increased agility, automation, and policy governance. Additionally, research firm Fortune Business Insights estimates that the cloud security market will grow to $106 billion by 2029, up from $33 billion this year, growing at about 18% annually.
There are substantial challenges for organizations trying to protect these environments, which include newly adopted at-scale technologies like containerization and edge computing, plus a mix of various public clouds, private clouds, and on-premises systems.
Traditional security tools can’t keep up
Consider the disparity in network security capabilities: systems designed for on-premises don't work on the public cloud. In contrast, systems designed to protect public clouds won't work well for private cloud environments. To succeed, enterprise security teams must invest in the right areas.
Of course, a good defense requires understanding how attackers go about infiltrating hybrid and multi-cloud systems. And that looks a lot like what they do when compromising endpoints. Once they manage to get into a cloud workload -- whether through exploiting a system vulnerability or gaining access credentials -- they will look for ways to move laterally throughout the environment. That's not only to the next server but also to another cloud system or data center.
Network traffic analysis, detection, and response
IDS/IPS has traditionally been used to monitor network traffic. But newer technologies extend and enhance the capabilities of network IDS/IPS: network traffic analysis (NTA), network detection and response (NDR), and sandboxing, which together helps security teams identify potentially anomalous behavior, accurately determine the nature of the event, and swiftly and precisely respond.
NTA explained
While traditional IDS/IPS systems spot and attempt to block attacks using known attack signatures and employ network traffic behavioral analysis to find trusted and suspicious patterns alike, NTA takes this capability and expands on it by identifying abnormal behavior and malicious network activity within the network,whether from endpoints or cloud workloads. NTA detects anomalous activity and malicious behavior as it moves laterally across multi-cloud environments, can detect data exfiltration, malicious internal command and control, common attacker reconnaissance techniques, and more.
Through a virtual tap or out-of-band network mirror, NTA also entails encrypted traffic analysis of anomalies that impact endpoints. Additionally, modern NTA sensors have been integrated within the hypervisor, which provides a fully tapless architecture. This eases deployment and eliminates hairpinning.
NDR explained
What do security teams do when they discover possible attacks? That's where NDR comes in, helping network security and security operations center analysts more effectively detect malicious network activity, prevent successful ransomware attacks, and stop the lateral movement of attackers through the automatic correlations of events.
This is done through a distributed set of sensors from NTA tools, intrusion detection and prevention systems, sandboxes, and other sources, enabling faster and more efficient threat hunting. Additionally, when attacks are identified, the information collected can be used to perform forensic investigations on the spot. This way, dangerous situations such as data stealing or ransomware attacks are mitigated before severe damage can be done.
Sandboxing the threats
When malware, harmful content, and artifacts are discovered, security teams can return to their sandbox, an entirely isolated testing environment where it's safe to watch and analyze suspicious items and emulate their user's computing environment.
By safely executing malware samples and activating malicious URLs and attachments, the sandbox provides insight into current attacks that security teams can use to identify the indicators of compromise and malware used in the most advanced attacks. The right sandbox will help the threat intelligence team build remediation workflows to mitigate advanced and targeted attacks.
Sandbox automation
Traditional network sandboxes are based on operating system virtualization and run on virtual machines, making it possible for the malware and the operating system to run directly on system hardware. While this does optimize the number of files a single piece of hardware can analyze, it is unfortunately not entirely effective when it comes to analyzing malware. That’s because criminals have adapted their malware to discover if it is being run within a virtualized sandbox and, if so, alter their malware’s behavior to evade detection or wait until the sandbox operation times out.
Virtualization can also limit what the sandbox can see. While the sandbox can observe calls to the operating systens, it can't see what the malware does on those calls internally.
A modern network sandbox, however, provides considerable improvements in these areas: automatically inspecting artifacts as they traverse the network in all cardinal directions. It’s also expected that the modern network sandbox provide full system emulation.
Full system emulation, or FUSE sandboxes, emulate all of the relevant hardware including the CPU, memory, and I/O devices. FUSE enables the sandbox to interact with the malware and conduct "deep content inspection." This enables the sandbox to view all of the malware’s activity and provides analysts the ability to carefully study the operation of the malware. Because everything is emulated, it is much more difficult for cybercriminals to evade the modern network sandbox.
By safely executing malware samples and activating malicious URLs and attachments, the sandbox provides insight into current attacks that security teams can use to identify the indicators of compromise and malware used in the most advanced attacks.
Conclusion
When used together in modern hybrid and multi-cloud environments, network traffic analysis, modern sandboxing, and network detection and response effectively protect modern enterprise multi-cloud and hybrid architectures from advanced persistent threats, attackers digging into the environment through lateral movement, and malware designed to bypass firewalls and anti-malware systems.
When attackers do manage to get onto a server, endpoint, or cloud workload (and there will be those times), these tools allow teams to act swiftly and ensure those attacks don't cause real damage.
