Network data provides unique insights and context required to close visibility and security gaps in the cloud.
Cloud Workload Security
Cloud workloads are deployed into highly dynamic environments, often utilizing and coexisting with a wide variety of cloud providers and third-party platforms and services. The workloads themselves can range from legacy applications that have been migrated from traditional on-premises data centers, to applications that have been built specifically to run on cloud platforms, to entirely serverless applications. They may run unchanged for weeks or months, or only exist for a few seconds.
Many Ways to ‘Secure’ Cloud Workloads
There are also many ways to monitor and protect cloud workloads, including agent-based third-party solutions, cloud provider monitoring and logging services, cloud perimeter firewalls, and WAFs. Like anything in life, security technologies come with certain advantages and drawbacks, so organizations often deploy a variety of cloud workload security solutions depending on their regulatory environment, desired security posture, and aversion to risk.
All Security Technologies Come with Limitations
Agent-based solutions, such as cloud workload protection platforms (CWPP) and endpoint detection and response (EDR), excel at threat prevention. However, they can be problematic to deploy everywhere in a cloud environment, as they require integration into the DevOps workflow or ad hoc deployment and must support multiple OS platforms and versions. Agents can scan endpoints for malware, but they can only see their own ingress/egress network traffic and have no visibility into the activities of other workloads or the environment in which they’re running. Determined attackers will often disable endpoint security agents or simply go dormant in their presence to avoid discovery, as was done in the massive SUNBURST malware attack.
Logging solutions are often available natively from cloud providers and can feed cloud provider or third-party security information and event management (SIEM) tools. However, it can take precious time for a SIEM to store and process logs before generating alerts, and the lack of context provided with logs can result in a high false-positive rate. Attackers frequently disable logging solutions or delete log files to thwart discovery and investigation and increase dwell time.
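One defensive answer to the log-tampering problem just described is to treat the tampering itself as the alert. The following Python is an added example, not code from the original post; it assumes the provider is AWS and that the records are CloudTrail management events in their documented JSON shape (eventSource, eventName, userIdentity, requestParameters, errorCode), with the sample records constructed here.

```python
# Added example: flag CloudTrail API calls that stop, delete or reconfigure logging.
# Assumptions (not stated on the page): AWS CloudTrail management events in their
# documented JSON shape; the sample records below are constructed placeholders.

# API calls that blind or erase logging, keyed by the service that emits them.
LOGGING_TAMPER_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy"},
}

# Constructed sample records (account id, principals and trail names are placeholders).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DeleteLogGroup", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
     "requestParameters": {"logGroupName": "/aws/lambda/payments"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
]


def find_logging_tampering(events):
    """Return one finding per logging-tampering call. Denied attempts are kept
    (succeeded=False) because a failed DeleteTrail is itself a strong intrusion signal."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in LOGGING_TAMPER_CALLS.get(ev.get("eventSource"), ()):
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "time": ev.get("eventTime"),
            "call": ev["eventName"],
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "target": params.get("name") or params.get("logGroupName"),
            "succeeded": "errorCode" not in ev,
        })
    return findings


if __name__ == "__main__":
    for finding in find_logging_tampering(SAMPLE_EVENTS):
        print(finding)
```

Because the detection keys on the control-plane call rather than on the absence of later logs, it fires before the SIEM would otherwise notice a silent gap.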