Today’s security tools must take into account today’s work environments.
The work – the network, the applications and the types of data used – used to have clearly defined boundaries. It was obvious where the corporate network started and ended, and which applications belonged to the company. It was clear what was considered work and what was not. The growing adoption of multi-cloud environments, coupled with increased acceptance of hybrid working arrangements, means that these boundaries are no longer fixed or constant.
Adversaries know this. They know that today’s continuous integration and continuous delivery (CI/CD) practices have developers spinning cloud resources up and down in minutes, often without attention to potential misconfigurations. Sometimes public cloud instances are stood up for quick work without multi-factor authentication or other security measures. It takes only a moment for an intruder to latch onto such a vulnerability and turn it into a fast-moving lateral breach.
That’s why security teams need an adversary-centric approach that automates security checks, regardless of cloud provider or deployment model.
Why traditional security tools fail
Traditional security tools have not kept up with new ways of working, the exponential increase in endpoints and vulnerable workloads, and the lack of understanding of cloud-based threats.
The elastic multi-cloud environments of today’s organizations can deliver state-of-the-art products that allow business operations to focus on agility. Unfortunately, this focus complicates the work of security teams. The speed with which DevOps builds and deploys applications, along with an ever-increasing number of attack vectors, are among the challenges security professionals face today.
Securing on-premises systems was an easier proposition: requisitioning servers left a clear paper trail, and endpoints were visible and easy to monitor. Unfortunately, the tools used to protect on-premises systems cannot be scaled to monitor thousands of attack surfaces in real time across multi-cloud environments. As a result, disparate security solutions have proliferated, creating silos on-premises and in the cloud. Such a lack of centralization makes it difficult to take a holistic view of security and potential threats.
This lack of visibility can allow threats to go unnoticed and create opportunities for attackers. Common entry points for modern attackers include exposed Docker and Kubernetes environments, phishing, attacks on web applications and network services, and access keys exposed in GitHub, GitLab, and BitBucket repositories. Misconfigured cloud workspaces and shadow IT, both of which can go unnoticed for a long time, can also give attackers a way into an organization.
In order to defend their environments against today’s ever-evolving threats, enterprises must think like the attackers who target them. An adversary-focused approach can help protect their cloud environments before an attacker gets inside.
Components of an adversary-centric approach
A proactive security strategy for today’s cloud starts with studying the tactics, techniques, and procedures (TTPs) attackers execute in hybrid environments. With a better understanding of TTPs, organizations can focus on visibility, cloud hygiene, and automation.
Visibility is critical. Organizations need to know how many cloud assets exist and where they reside. Once all the dark corners have been illuminated, threat intelligence can be applied to what is actually deployed. Security teams can scan new environments as they appear and produce vulnerability assessments that track an ever-changing context. In the event of an attack, visibility helps security teams conduct quick and effective investigations and apply countermeasures to stem the bleeding.
Basic cloud hygiene is a simple step that goes a long way in defending against modern attackers. Companies operating in the cloud need to clarify responsibility for security so that the cloud vendor and the security team both know which monitoring tasks fall to them. Access management is another key element: not everyone needs access to every cloud environment at all times. IT and security teams should also recognize that applications need protection both while they are being coded and at runtime.
Automation is another key pillar of an adversary-centric approach to today’s security. Given the thousands of attack surfaces that cloud environments expose, automation is necessary to monitor and remediate at scale.
As companies accelerate their migration to the cloud, many have quickly realized that using traditional security tools just doesn’t work. Between poorly integrated security tools and confusion over shared responsibility, security teams are often caught on the back foot when it comes to defending their cloud environments. Meeting the needs of DevOps, as well as protecting the multiple clouds that enterprises now run, requires an adversary-centric approach that automates security tasks and stays ahead of a dynamic threat landscape.