Essential Building Blocks for a Cloud Workload Protection Solution
Malicious actors are widening their embrace of encryption to evade detection.
January 29, 2019
Navindra Yadav is a Cisco Fellow and Founder of Cisco Tetration.
Editor's Note: This is the second part of a two-part series.
IT security breaches can cause heavy economic damage to organizations that may take months or years to resolve. According to Cisco’s 2018 Cybersecurity Report, 53 percent of respondents reported that cyberattacks resulted in financial damages of more than $500,000, including losses in revenue, customers, and opportunities.
Meanwhile, adversaries are becoming more adept at evasion and at weaponizing cloud services and other technology used for legitimate purposes. Malicious actors are widening their embrace of encryption to evade detection. Meant to enhance security, encryption can be a powerful tool to conceal command-and-control (C2) activity, affording more time to inflict damage. Cybercriminals are also adopting C2 channels that rely on legitimate Internet services, making malware traffic very difficult to identify.
So how do CEOs and CIOs protect their companies? Here are seven essential building blocks for a cloud workload protection solution.
Visibility
If you can’t see it, you can’t secure it. Capture high-granularity interaction data between and inside the workloads. This data store forms the foundation for all layers above it. Examples: packet-by-packet network activity, user activity, and process metadata.
In addition to collection, aggregate and up-level the data. Why? To generate high-quality policies in a brownfield environment, you need access to high-resolution data. It also lets you test policy changes against past data before pushing them into enforcement, and it supports forensic analysis of an incident.
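The two ideas in this section, up-leveling raw per-host flow data into role-to-role edges and replaying a candidate policy against history before enforcing it, are shown below in an added example; it is not code from the article or from Cisco Tetration, and the flow records, the role map, the aggregation threshold and the candidate policy change are all constructed for illustration. It also serves the segmentation section further down, since the policy it derives is the allowlist a segmentation enforcer would consume.

```python
"""Added example (not from the article): derive a segmentation policy from
captured flow records, then dry-run a candidate policy against history.
Flow records, host roles and the candidate change are all constructed."""
from collections import defaultdict

# Constructed role map (assumption): which workload plays which role.
ROLES = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "jumpbox",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, bytes).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080, "tcp", 12000),
    ("10.0.1.11", "10.0.2.20", 8080, "tcp", 9800),
    ("10.0.2.20", "10.0.3.30", 5432, "tcp", 40000),
    ("10.0.2.20", "10.0.3.30", 5432, "tcp", 41000),
    ("10.0.9.99", "10.0.3.30", 22, "tcp", 3000),
    ("10.0.1.10", "10.0.3.30", 5432, "tcp", 500),   # one-off: web reaching db directly
]

def aggregate(flows, roles):
    """Up-level per-IP flows into role-to-role edges with flow and byte counts."""
    edges = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, port, proto, nbytes in flows:
        key = (roles.get(src, "unknown"), roles.get(dst, "unknown"), port, proto)
        edges[key]["flows"] += 1
        edges[key]["bytes"] += nbytes
    return dict(edges)

def generate_policy(edges, min_flows=2):
    """Allowlist every role edge observed at least min_flows times.
    Rare edges are queued for human review instead of being auto-allowed."""
    allow = {edge for edge, stats in edges.items() if stats["flows"] >= min_flows}
    review = {edge for edge in edges if edge not in allow}
    return allow, review

def dry_run(policy, flows, roles):
    """Replay historical flows against a policy and return the flows it would
    have blocked, so the impact is known before the policy is enforced."""
    blocked = []
    for src, dst, port, proto, _nbytes in flows:
        edge = (roles.get(src, "unknown"), roles.get(dst, "unknown"), port, proto)
        if edge not in policy:
            blocked.append((src, dst, port, proto))
    return blocked

if __name__ == "__main__":
    edges = aggregate(FLOWS, ROLES)
    allow, review = generate_policy(edges)
    print("allow:", sorted(allow))
    print("review:", sorted(review))
    # Candidate change: also drop jumpbox->db SSH; history shows what that costs.
    candidate = allow - {("jumpbox", "db", 22, "tcp")}
    print("would block:", dry_run(candidate, FLOWS, ROLES))
```

The `review` set is the brownfield reality the section describes: edges seen only once are exactly the ones a generated policy must not silently allow or silently block, and the dry run shows which historical conversations a stricter policy would have cut.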
Vulnerability Detection
Scan all installed software running in user space or in the kernel on the workload for vulnerabilities. Vulnerability analysis can be conducted either by static analysis of the code or by comparing the code against a known set of vulnerabilities. Vulnerability analysis also helps identify unused network services and packages that can be uninstalled.
One approach: Use an “outside in” vulnerability scanner that checks workloads using an external scanning tool. Another approach: “Inside out,” using an agent running on the workload for internal analysis.
Full Policy Life Cycle of Workload Segmentation
Workload segmentation provides protection by isolating the workload from non-essential parts of the environment, so that if the system is breached, the ‘blast radius’ is contained. Workload segmentation can also firewall within the workload. Policies inserted inside the workload move with it when it is migrated elsewhere.
Application Behavior Whitelisting
Application behavior whitelisting observes the behavior of the applications running on the workload and builds a process behavior baseline model. This function observes network communication, system call activity, and the relationships between processes, then examines CPU counters, files opened, the associated user, memory analysis, and memory cache spills of every application. If an application deviates from its known behavior model, mitigation action is taken.
But implementing application behavior whitelisting with few false positives or negatives is difficult in production systems at scale.
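The baseline-then-deviate model described above, reduced to its data structure, as an added example that is not from the article or any vendor product. The event records, the feature names (network peers, system calls, files opened, user) and the parent/child relationships are constructed; a real sensor would feed the same functions from kernel telemetry.

```python
"""Added example (not from the article): learn a per-process behaviour
baseline from observed events, then flag live events that deviate from it.
All event records below are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed events: (process, parent_process, feature, value). The feature
# names stand in for the signals the article lists.
BASELINE_EVENTS = [
    ("nginx", "systemd", "net", "10.0.2.20:8080"),
    ("nginx", "systemd", "syscall", "accept4"),
    ("nginx", "systemd", "syscall", "sendfile"),
    ("nginx", "systemd", "file", "/var/log/nginx/access.log"),
    ("nginx", "systemd", "user", "www-data"),
    ("postgres", "systemd", "net", "10.0.2.20:5432"),
    ("postgres", "systemd", "syscall", "read"),
    ("postgres", "systemd", "file", "/var/lib/postgresql/data"),
    ("postgres", "systemd", "user", "postgres"),
]

# Constructed live window: one known event, three deviations, one known.
LIVE_EVENTS = [
    ("nginx", "systemd", "net", "10.0.2.20:8080"),
    ("nginx", "systemd", "net", "198.51.100.7:8443"),   # peer never seen before
    ("nginx", "systemd", "syscall", "execve"),          # syscall never seen before
    ("sh", "nginx", "user", "www-data"),                # web server spawning a shell
    ("postgres", "systemd", "file", "/var/lib/postgresql/data"),
]

def learn_baseline(events):
    """Per process: the set of parents seen and the set of values per feature."""
    model = defaultdict(lambda: {"parents": set(), "features": defaultdict(set)})
    for proc, parent, feature, value in events:
        model[proc]["parents"].add(parent)
        model[proc]["features"][feature].add(value)
    return dict(model)

def detect(model, events):
    """Return (process, reason) deviations: an unknown process, a new parent,
    or a feature value outside the baseline each count as one deviation."""
    out = []
    for proc, parent, feature, value in events:
        if proc not in model:
            out.append((proc, f"unknown process spawned by {parent}"))
            continue
        entry = model[proc]
        if parent not in entry["parents"]:
            out.append((proc, f"unexpected parent {parent}"))
        if value not in entry["features"].get(feature, set()):
            out.append((proc, f"new {feature}: {value}"))
    return out

def summarize(deviations, threshold=2):
    """Count deviations per process; only processes at or above the threshold
    are returned, which is one crude lever against single-event false positives."""
    counts = Counter(proc for proc, _reason in deviations)
    return {proc: n for proc, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    model = learn_baseline(BASELINE_EVENTS)
    found = detect(model, LIVE_EVENTS)
    for proc, reason in found:
        print(f"{proc}: {reason}")
    print("act on:", summarize(found))
```

The `threshold` in `summarize` is where the section's warning about false positives lives: a single new file open is routine in production, while several deviations from one process in one window is the kind of signal worth a mitigation action.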
Application Whitelisting
Application whitelisting allows only a known set of processes to be started; everything else is banned. Using whitelisting to control which executables run on a server is a powerful security protection strategy. All malware that manifests itself as a file to be executed is blocked by default.
File Integrity and Memory Monitoring
File integrity and memory monitoring tracks the sanctity of the file system, bootloaders, startup folders, the Windows registry, drivers, etc., making the boot-up process secure. Part of the solution must include memory scans for memory-resident malware and for malware probing cache lines or altering the read, write, and execute settings of page tables. The latter is a specific form of memory monitoring in which the "control system" of memory is watched rather than the contents of memory.
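Both of the last two building blocks rest on the same primitive: a cryptographic hash of known-good content. The added example below (not the article's or any product's code) builds a hash baseline over a constructed set of boot, startup and binary files, reports what changed between two snapshots, and derives an executable allowlist from the same baseline so that a binary whose hash is unknown is denied by default. File paths and contents are in-memory byte strings constructed for the example; a real agent would hash the files on disk.

```python
"""Added example (not from the article): hash-based file integrity baseline
plus an executable allowlist derived from it. The file system "images" are
constructed in-memory dictionaries so the example runs offline."""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed golden image: path -> file content at baseline time.
GOLDEN = {
    "/boot/grub/grub.cfg": b"set default=0\n",
    "/etc/rc.local": b"#!/bin/sh\nexit 0\n",
    "/usr/sbin/nginx": b"ELF-nginx-v1",
    "/usr/lib/postgresql/bin/postgres": b"ELF-postgres-v1",
}

# Constructed later snapshot: bootloader config edited, a startup entry added,
# one service binary replaced.
SNAPSHOT = {
    "/boot/grub/grub.cfg": b"set default=0\nset timeout=0\n",
    "/etc/rc.local": b"#!/bin/sh\nexit 0\n",
    "/etc/cron.d/job": b"* * * * * root /opt/unknown/run\n",
    "/usr/sbin/nginx": b"ELF-nginx-v1",
    "/usr/lib/postgresql/bin/postgres": b"ELF-postgres-v2",
}

EXECUTABLES = ["/usr/sbin/nginx", "/usr/lib/postgresql/bin/postgres"]

def build_baseline(files):
    """path -> sha256 of content."""
    return {path: sha256_hex(content) for path, content in files.items()}

def compare(baseline, snapshot):
    """Return changed / added / removed paths between baseline and snapshot."""
    current = build_baseline(snapshot)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}

def allowlist_from_baseline(baseline, executables):
    """Executable allowlist = the set of hashes of the known-good binaries."""
    return {baseline[p] for p in executables}

def may_execute(allowlist, content: bytes) -> bool:
    """Default deny: a binary may start only if its hash is allowlisted."""
    return sha256_hex(content) in allowlist

if __name__ == "__main__":
    baseline = build_baseline(GOLDEN)
    print(compare(baseline, SNAPSHOT))
    allow = allowlist_from_baseline(baseline, EXECUTABLES)
    for path, content in SNAPSHOT.items():
        if path in EXECUTABLES:
            print(path, "allowed" if may_execute(allow, content) else "DENIED")
```

Note the two different questions answered from one baseline: `compare` tells the operator that the bootloader configuration and a startup folder changed (the integrity question), while `may_execute` denies the replaced `postgres` binary without needing to know what it is (the allowlisting question).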
Deception and Decoys
Deception and decoys turn the tables on the attacker. The security protection capability creates fake vulnerabilities, systems, shares, or cookies, often called “honey tokens”. If an attacker tries to exploit these fake resources, it’s a strong attack indicator, because a legitimate user should never need to access them.
Another technique: on the machine under attack, tunnel traffic sent by the attacker to a decoy machine running the same operating system, with the tunnel bound on all ports. The decoy machine allows the attacker to explore while continuously logging their actions. The monitoring system learns from the decoy system’s logs and, combined with artificial intelligence, produces knowledge to create an even stronger defense.
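The honey-token idea is easy to instrument because the detection rule is absolute: any touch of a decoy resource, by anyone, is an alert. The added example below (not code from the article or any product) registers decoy files, a decoy share, a placeholder credential identifier and a decoy hostname, then runs a set of constructed audit lines through the rule and reports the earliest touch per host as the starting point for an investigation. The log format, token values and hostnames are all assumptions made for the example.

```python
"""Added example (not from the article): honey-token access detection over
constructed audit log lines. Token values, hostnames and the log format are
assumptions; the credential id is a placeholder, not a real key."""
import re

# Constructed honey tokens: resources that exist only to be touched by an intruder.
HONEY_TOKENS = {
    "file": {"/srv/finance/payroll_backup.xlsx", "/home/admin/.aws/credentials"},
    "share": {"\\\\fs01\\HR-Archive"},
    "cred": {"AKIAEXAMPLEHONEY0001"},   # placeholder id, never a valid credential
    "host": {"db-legacy-01"},
}

# Constructed, simplified audit lines: "<ts> <host> <user> <action> <kind>=<target>".
LOG_LINES = [
    "2019-01-29T10:00:01 web01 www-data open file=/var/log/nginx/access.log",
    "2019-01-29T10:00:07 web01 www-data open file=/home/admin/.aws/credentials",
    "2019-01-29T10:00:09 web01 www-data connect host=db-legacy-01",
    "2019-01-29T10:01:00 app02 svc_app use cred=AKIAEXAMPLEHONEY0001",
    "2019-01-29T10:02:00 fs01 alice open share=\\\\fs01\\Public",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>\S+) (?P<kind>\w+)=(?P<target>.+)$"
)

def parse(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_honey_hits(lines, tokens=HONEY_TOKENS):
    """Every access to a registered honey token is a hit; there is no
    legitimate workflow to exclude, so no allowlist of users is needed."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["target"] in tokens.get(rec["kind"], set()):
            hits.append((rec["ts"], rec["host"], rec["user"], rec["kind"], rec["target"]))
    return hits

def first_touch_per_host(hits):
    """Earliest honey-token touch per host: where the investigation starts."""
    first = {}
    for ts, host, user, kind, target in hits:
        if host not in first or ts < first[host][0]:
            first[host] = (ts, user, kind, target)
    return first

if __name__ == "__main__":
    hits = find_honey_hits(LOG_LINES)
    for hit in hits:
        print("HONEY TOKEN TOUCHED:", hit)
    print("first touch per host:", first_touch_per_host(hits))
```

Because the rule has no legitimate-use exception, the false-positive discussion from the behavior-whitelisting section does not apply here; the cost of honey tokens is instead in keeping them plausible and making sure backup and indexing jobs are told to skip them.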
By understanding the key characteristics needed to protect data center and cloud workloads from cyber intrusions, and by following these essential building blocks for cloud workload protection, CEOs and CIOs can know that their security needs are being met and their workloads protected.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Informa.