Bad guys are watching for new openings in your cloud, are you?

By Janet Matsuda - JUNE 14, 2021


You see the headlines, and perhaps, ‘thank goodness it wasn’t us’ flickers through your mind. An overly permissive web server exposes 100 million+ consumer credit applications, or an S3 bucket leaves hundreds of millions of user records open to the public. A nightmare scenario for any CISO and their cloud security team!

According to Gartner “Customer misconfiguration of cloud resources is the leading cause of data loss in the cloud environment.”[1] But how do you stay on top of misconfigurations in the world of the cloud, where any employee can quickly sign up for a new service? Accelerating application delivery means letting go of control, and allowing more people to make changes. New ways to monitor changes are required with a DevOps approach.

Schedule cloud security checks

Cloud security posture management (CSPM) tools can be used by security teams to discover cloud assets used by their organization. These tools also check configurations against CIS benchmarks as a best practice for reducing risk. These checks are run periodically, normally daily.

However, attackers recognize that cloud configurations are changing constantly. They have automated bots that are continually hunting for openings they can exploit to steal data. This means you can’t afford to rely on periodic checks. Instead, you need to be aware of changes to configurations as they are made, in real time.

Watch for suspicious behavior

The importance of monitoring configuration changes is highlighted by a 2020 Microsoft breach. This breach of a customer database that stored anonymized user analytics inadvertently exposed 250 million entries. Unfortunately, an Azure server adopted a configuration change that made this data public.

Now is the time to make sure you have a continuous approach to cloud security posture management to avoid exposing confidential data. It also makes sense to consider how cloud security fits into your overall security stack as you secure applications deployed using a DevOps workflow.

First, let’s think about the continuous approach. Cloud logs have a record of activity across all of the services available from your cloud provider. By inspecting these logs you can identify unexpected changes, as well as suspicious behavior that could indicate a breach. Security teams are using rules mapped to industry-standard frameworks, such as the MITRE ATT&CK® framework, to alert on suspicious activity. The tool you use should have a flexible rules engine so you can customize alerts based on your organization’s priorities. The rules should also be able to detect threats across all services captured in the logs.

You should also consider how the tool analyzes the cloud logs. Some tools require that you export the logs to their data store, and then inspect for changes and threats. This requires you to pay egress charges, along with storage of the cloud logs. The more efficient approach is to analyze this data in real time as it is produced, using a streaming approach. Then, only the results are sent back to the tool. These savings can really add up over time. Of course, a simple pricing model is a good idea as well.
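As an added example (not Sysdig's code and not part of the original post), here is a minimal streaming rules engine of the kind the two paragraphs above describe: each rule is a predicate over one cloud log record, tagged with the ATT&CK technique it is mapped to, and alerts are yielded as each event arrives rather than after a daily batch, so only findings need to leave the account. The CloudTrail-style record shapes, the rule-to-technique mapping and the sample records are this example's own assumptions.

```python
from typing import Callable, Iterable, Iterator, NamedTuple
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# A rule is a predicate over one event plus the ATT&CK technique it is mapped to (mapping assumed here).
class Rule(NamedTuple):
    name: str
    technique: str
    match: Callable[[dict], bool]

def s3_acl_made_public(ev: dict) -> bool:
    """PutBucketAcl that sets a public canned ACL or grants to the AllUsers group."""
    params = ev.get("requestParameters") or {}
    canned = (params.get("x-amz-acl") or [""])[0]  # header-derived params are logged as lists
    grants = ((params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}).get("Grant", [])
    return ev.get("eventName") == "PutBucketAcl" and (canned.startswith("public-")
            or any((g.get("Grantee") or {}).get("URI") == ALL_USERS for g in grants))

def console_login_without_mfa(ev: dict) -> bool:
    """Successful ConsoleLogin whose session was not MFA-authenticated."""
    return (ev.get("eventName") == "ConsoleLogin"
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes")

RULES = [Rule("S3 bucket ACL made public", "T1530", s3_acl_made_public),
         Rule("Console login without MFA", "T1078.004", console_login_without_mfa)]

def detect(events: Iterable[dict]) -> Iterator[dict]:
    """Stream events through every rule; an alert is yielded the moment its event is seen."""
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                yield {"rule": rule.name, "technique": rule.technique, "time": ev.get("eventTime"),
                       "user": (ev.get("userIdentity") or {}).get("arn"), "ip": ev.get("sourceIPAddress")}

# Constructed sample records in CloudTrail's shape (not real data; the account id is a placeholder).
SAMPLE_EVENTS = [
    {"eventTime": "2021-06-14T10:00:01Z", "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "requestParameters": {"bucketName": "analytics-export", "AccessControlPolicy": {"AccessControlList":
         {"Grant": [{"Grantee": {"URI": ALL_USERS, "xsi:type": "Group"}, "Permission": "READ"}]}}}},
    {"eventTime": "2021-06-14T10:00:05Z", "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "requestParameters": {"bucketName": "analytics-export", "x-amz-acl": ["private"]}},
    {"eventTime": "2021-06-14T10:01:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-06-14T10:02:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]
```

Running `list(detect(SAMPLE_EVENTS))` yields two alerts: the public ACL on the first record and the MFA-less login on the third; the private ACL and the MFA-backed login produce nothing.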

Implement DevOps, but also Secure DevOps

As organizations move to the cloud, they realize a DevOps approach with a continuous integration / continuous delivery (CI/CD) pipeline is required to realize the agility benefit they want. As you adapt your organization to deal with the new world of DevOps, containerized microservices and Kubernetes, you need a new security stack. The current stack based on a proprietary, firewall mindset slows application delivery. Secure DevOps is not only ‘shift left,’ to secure the build, but also ‘roll right’ for detection and response. Effective security requires deep visibility with rich context, and the tooling must be designed specifically for this new environment.

Cloud and container security tools are consolidating into platforms that can secure cloud services and workloads. It makes sense to use a unified platform across containers and cloud for security, compliance, monitoring and troubleshooting. A unified platform can highlight lateral movement of threats traversing containers and cloud services. It should also reduce the number of tools that are required and provide a single source of truth for security and DevOps teams. Maintaining consistency in rules and frameworks saves time in training and improves efficiency. Lastly, selecting a platform that works across multiple clouds will simplify operations.

The Future of Security is Open

Core technology choices made by vendors drive the speed of innovation and the degree of interoperability between tools. Today, the CI/CD pipeline is mainly built on open source tools — Kubernetes, Jenkins, GitLab, etc. Security has traditionally been closed, but it’s now clear the pace of innovation cannot be constrained by proprietary development models. Contributions by the community accelerate innovation, which is critically important in the security space. We need the best minds to contribute ideas to stay ahead of attackers. Many of the open source security projects, like Falco, OPA and Cloud Custodian, allow contributions on multiple levels. Programmers contribute code and security teams contribute rules for detecting threats and validating compliance.

Open source is also increasing in popularity for the same reason Linux replaced the many versions of Unix. IT leaders prefer to adopt a standard they know will stand the test of time. Kubernetes is now the de facto standard for orchestrating containers. Prometheus is quickly becoming the open standard for collecting metrics from applications, making it easier to monitor application performance with a consistent set of tools.

With organizations like the Cloud Native Computing Foundation (CNCF) providing governance, sharing best practices and code across the industry has become practical. Broad adoption of standards and sharing of code within the community makes integration into your existing environment straightforward. For example, an open source community member created falcosidekick with the sole purpose of integrating Falco with other open source and commercial tools. Since being made public, it has been downloaded more than 450,000 times.

Open source security standards are starting to emerge, such as Falco for runtime security and sysdig for incident response. Both sysdig and Falco are incorporated in multiple commercial products, and used by hundreds of teams. With over 27 million downloads across the Sysdig open source projects, it is clear that open source security is gaining ground.

The journey to the cloud has accelerated for most companies over the past 12 months. The change is a seismic shift that impacts people, processes and technology. Managing teams through the change can be the biggest challenge. If you make the right technology choices, the technology can make it easier for the people as they change their roles and processes.

[1] Gartner, “Solution Path for Security in the Public Cloud,” Richard Bartley, January 30, 2020.

Secure your cloud with Sysdig

If you want to dig deeper into this topic, check our article on how an attacker can perform lateral movement from a vulnerable container, and compromise your whole cloud infrastructure.

With Sysdig Secure for cloud, you can continuously flag cloud misconfigurations before the bad guys get in, and detect suspicious activity like unusual logins from leaked credentials. This all happens in a single console, making it easier to validate your cloud security posture. And it only takes a few minutes to get started!
