Traditional network intrusion detection systems (NIDS) have long been a staple of on-premise security stacks. Deploying, managing and obtaining actionable results from these systems was often a big challenge. Now that organizations are migrating to the cloud, even bigger challenges arise when deploying NIDS. And while it may seem intuitive that managing network intrusions is the purview of the cloud service providers, that responsibility falls in the laps of end-user organizations, as defined by the shared security model of public cloud computing.
Network Intrusion Management for Azure, Google Cloud and AWS Security Requires a Different Approach
Preventing network intrusions in the cloud is critical, as the virtual perimeter in public cloud environments is more vulnerable to attacks than a physical perimeter in on-premise environments. Organizations need to vigilantly monitor network traffic in the cloud and detect suspicious activity. However, network security in public cloud environments requires a different approach for several reasons:
- Performance & Scale Implications: Inline network security solutions can negatively impact important cloud architecture benefits such as bursting and auto-scaling. An out-of-band approach is necessary.
- Blind Spots: Traditional network monitoring tools create security blind spots in the cloud since they cannot be deployed for monitoring traffic to API-driven services, or to monitor east-west traffic at scale. An out-of-band approach is necessary.
- Privileged Users: While the cloud enables agility by allowing users to create and modify resources on-demand, this often occurs without any IT or security oversight. As a result, a simple network misconfiguration can expose sensitive applications to the internet.
- Alert Fatigue: Alerts based solely on network configuration changes could inundate security teams with false positive results if the changes were deliberate. As a result, configurations must be continuously correlated with network traffic and other threat intelligence sources to truly assess risk.
CSI Trends Report - Key Findings
Even though a different approach to cloud network intrusion is required, the RedLock CSI Team found that organizations need to do a much better job in this area. The latest RedLock CSI Trends Report highlighted some of these trends, including:
- 85% of resources associated with security groups do not restrict outbound traffic at all. This reflects an increase from one year ago when that statistic was 80%. The research found an increasing number of organizations were not following network security best practices and had misconfigured or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
- The team also discovered that 25% of organizations had cryptojacking activity within their environments, up from 8% last quarter. The team forecasted that cryptojacking would increase as it gained traction in the hacker community, but this rapid, dramatic growth was still unexpected.
The rise of cryptojacking and the apparent misuse of security groups highlight the need for NIDS and a holistic approach to security in the cloud. A combination of configuration, user activity, network traffic, and host vulnerability monitoring is necessary to detect advanced threats in public cloud environments.
4 Tips for Preventing Network Intrusion in Public Cloud Computing Environments
In order to mitigate any network related misconfigurations or attacks on your public cloud computing environment, the RedLock CSI team recommends following these four security best practices for preventing network intrusion in the public cloud.
- Implement “Deny All” Default Outbound Firewall Policies. Network configuration monitoring is mandatory, and your teams should continuously assess the policies and trigger alerts if violations are detected. For example, identify sensitive resources and trigger an alert if direct traffic to them from the internet is detected.
- Implement North-South Threat Detection. Monitor north-south traffic for ingress threats, such as traffic from suspicious IPs to sensitive resources, as well as egress threats, such as nefarious crypto mining traffic from compromised compute resources. Use AI to correlate data from netflow logs with data from your public cloud environment and third party threat intelligence sources to identify suspicious activity.
- East-West Threat Detection: As organizations move towards microservices, it becomes imperative to monitor east-west traffic as well. The ingestion of netflow logs provides visibility into this traffic. Correlating this with data from your public cloud environment and third party threat intelligence sources enables the platform to identify network abuse and insider threats.
- Network Threat Investigation. Use analytics to quickly investigate threats of downstream resources. Use your system’s audit trail to view time-serialized activity for any given resource. This allows you to review the history of changes for a resource and better understand the root cause of an incident, past or present.
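The correlation of configuration with traffic that these tips (and the alert-fatigue point earlier) call for, sketched as an added example that is not from the original post or from RedLock's product: it finds security groups with unrestricted egress, then checks accepted flow records for internet traffic reaching sensitive resources and for egress to threat-intel addresses. The AWS-style security group shape, the default VPC Flow Logs field order, the VPC CIDR, the interface map and the threat-intel set are all constructed assumptions.

```python
import ipaddress

# All data below is constructed for illustration (AWS-style shapes assumed).
VPC = ipaddress.ip_network("10.0.0.0/16")
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
# interface id -> (security group id, holds sensitive data?)
INTERFACES = {"eni-web1": ("sg-web", False), "eni-db1": ("sg-db", True)}
THREAT_INTEL = {"203.0.113.50"}  # placeholder "known bad" address
# Fields: version account eni src dst sport dport proto pkts bytes start end action status
FLOW_LOGS = """\
2 111122223333 eni-web1 10.0.1.10 203.0.113.50 49152 3333 6 120 98000 1525132800 1525132860 ACCEPT OK
2 111122223333 eni-web1 10.0.1.10 10.0.2.20 49153 5432 6 10 4000 1525132800 1525132860 ACCEPT OK
2 111122223333 eni-db1 198.51.100.7 10.0.2.20 40000 5432 6 8 900 1525132800 1525132860 ACCEPT OK
2 111122223333 eni-db1 198.51.100.9 10.0.2.20 40001 22 6 1 60 1525132800 1525132860 REJECT OK
"""

def open_egress_groups(groups):
    """IDs of groups with an egress rule allowing every protocol to 0.0.0.0/0."""
    return {g["GroupId"] for g in groups for p in g["IpPermissionsEgress"]
            if p["IpProtocol"] == "-1"
            and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))}

def external(addr):
    """True when the address lies outside the (assumed) VPC range."""
    return ipaddress.ip_address(addr) not in VPC

def correlate(groups, interfaces, flow_text, intel):
    """Return (kind, interface, peer, dst_port, sg_has_open_egress) findings."""
    open_sgs = open_egress_groups(groups)
    findings = []
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) != 14 or f[12] != "ACCEPT":
            continue  # ignore malformed records and traffic that was rejected
        eni, src, dst, dport = f[2], f[3], f[4], int(f[6])
        sg, sensitive = interfaces.get(eni, (None, False))
        if sensitive and external(src):  # north-south ingress to a sensitive resource
            findings.append(("internet-to-sensitive", eni, src, dport, sg in open_sgs))
        if external(dst) and dst in intel:  # north-south egress to a listed address
            findings.append(("egress-to-threat-intel", eni, dst, dport, sg in open_sgs))
    return findings

if __name__ == "__main__":
    print("open egress:", sorted(open_egress_groups(SECURITY_GROUPS)))
    for finding in correlate(SECURITY_GROUPS, INTERFACES, FLOW_LOGS, THREAT_INTEL):
        print(finding)
```

The last element of each finding ties the traffic back to configuration: an egress hit from a group with unrestricted outbound rules points at the policy to tighten first, while the rejected SSH attempt and the internal east-west flow produce no alert.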
Get the NEW Cloud Security Trends - May 2018 - Anniversary Edition
This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. Download the latest Cloud Security Trends - May 2018 report to get 14 tips to fortify your public cloud environment.