Cloud security at ERGO – protecting the "heart" of digitalisation

Selecting and using advanced security tools as part of the overall security strategy is one of many critical success factors in protecting data. "Currently it is insufficient to use just one or two security solutions," warn Christoph Koslowski, Marcin Jung, Sylwia Sławińska and Adam Burek from Global IT Security at ERGO in their guest article for //next. They also explain what the most effective protection against current attack methods is instead.

The increasing digitalisation of business processes leads to a greater influence of cybersecurity-related risks on the overall risk of the organisation. At the same time, the cybersecurity threat landscape is growing both in the sophistication of attacks and in their impact. Selecting and using advanced security tools as part of the overall security strategy is one of many critical success factors in protecting data. Currently it is insufficient to use just one or two security solutions. The most effective protection against such attacks is the process of building a multi-layered security defence consisting of various security mechanisms that minimise the number of exploitable attack vectors in the cloud environment. Some examples of such security services are best practices benchmarks, web application firewalls and anomaly detection.

Cloud security industry standards and best practices benchmarks

Cloud security posture management services perform continuous verification of the cloud security maturity level based on industry standards and best practices. To achieve adequate quality of verification it is necessary to collect data from a variety of tools and services including threat detection, vulnerability discovery, sensitive data classification, infrastructure scanning, and network security. This data may be aggregated to provide a holistic view of the security posture. Each major cloud provider offers such a tool, in which security findings are aggregated and organised for better search and analysis capabilities.
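To make the benchmark-style verification above concrete, here is a small posture check written for this page. It is an added example, not ERGO's or any cloud provider's code: the inventory records, the rule identifiers (SG-001, S3-001, S3-002) and the severities are constructed, and the two resource types stand in for the many sources a real posture management service aggregates.

```python
"""Posture checks in the spirit of benchmark-based verification.
Added example for illustration only, not ERGO's or a cloud provider's code.
The inventory records, rule ids and severities below are constructed."""
from dataclasses import dataclass

# Constructed inventory, shaped like a config / asset-inventory export.
RESOURCES = [
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"id": "bucket-logs", "type": "bucket", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "bucket", "public": True, "encrypted": False},
]


@dataclass(frozen=True)
class Finding:
    rule: str        # constructed rule id, e.g. "SG-001"
    resource: str
    severity: str    # HIGH / MEDIUM / LOW
    detail: str


def check_admin_ports_open_to_world(res):
    """Benchmark-style rule: SSH (22) and RDP (3389) must not be open to 0.0.0.0/0."""
    if res["type"] != "security_group":
        return []
    return [
        Finding("SG-001", res["id"], "HIGH", f"port {r['port']} open to {r['cidr']}")
        for r in res["ingress"]
        if r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0"
    ]


def check_bucket_not_public(res):
    """Benchmark-style rule: object storage must not allow public access."""
    if res["type"] != "bucket" or not res["public"]:
        return []
    return [Finding("S3-001", res["id"], "HIGH", "bucket allows public access")]


def check_bucket_encrypted(res):
    """Benchmark-style rule: default encryption at rest must be enabled."""
    if res["type"] != "bucket" or res["encrypted"]:
        return []
    return [Finding("S3-002", res["id"], "MEDIUM", "default encryption disabled")]


CHECKS = [check_admin_ports_open_to_world, check_bucket_not_public, check_bucket_encrypted]


def evaluate(resources, checks=CHECKS):
    """Run every check over every resource and aggregate the findings into one list,
    highest severity first, so the posture view reads like a worklist."""
    findings = []
    for res in resources:
        for check in checks:
            findings.extend(check(res))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource, f.rule))


def summarise(findings):
    """Count findings per severity: the number a posture dashboard would display."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


def resources_with_findings(findings):
    """Distinct resources that failed at least one check."""
    return sorted({f.resource for f in findings})


if __name__ == "__main__":
    results = evaluate(RESOURCES)
    for f in results:
        print(f"{f.severity:6} {f.rule} {f.resource}: {f.detail}")
    print(summarise(results))
```

Each check is a pure function over one resource record, so adding a new benchmark rule or a new data source means adding a function to `CHECKS`; the aggregation and severity ordering stay the same. Output on the constructed inventory: two HIGH findings (the public bucket and the world-reachable SSH port) and one MEDIUM (the unencrypted bucket).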

Web application firewalls

A web application firewall (WAF) helps to protect web applications and APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. Web application firewalls typically block known malicious and unwanted requests before they reach the application. It is possible to create custom rules to filter out specific traffic patterns and thereby block common types of attacks, such as SQL injection and cross-site scripting. To simplify implementation and reduce the cost of deploying a WAF, cloud providers may offer managed rule sets that provide basic protection against common web attack signatures. A WAF usually provides real-time metrics and captures raw requests that include details such as IP addresses, geolocations, URIs, user agents and referrers. Cloud-based WAFs may also be integrated with other cloud security tools (such as a Security Information and Event Management, SIEM, system), simplifying the creation of custom alarms when thresholds are exceeded or particular alerts are triggered.
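The metrics, raw request capture and threshold alarms described above are easiest to see on the WAF's own log records. The following triage script is an added example written for this page, not ERGO's or AWS's code: the field names follow the AWS WAF log layout (`timestamp`, `action`, `terminatingRuleId`, `httpRequest` with `clientIp`, `country`, `uri` and `headers`), while every value, the custom rule name `RateLimitLogin`, and the alarm threshold are constructed.

```python
"""Triage of WAF request logs: blocks per rule, blocks per client, and a
sliding-window threshold alarm. Added example, not ERGO's or AWS's code.
Field names follow the AWS WAF log layout; all values are constructed."""
import json
from collections import Counter, defaultdict


def make_log(ts, action, rule, ip, country, uri, user_agent):
    """Build one constructed log record serialised the way the WAF delivers it."""
    return json.dumps({
        "timestamp": ts, "action": action, "terminatingRuleId": rule,
        "httpRequest": {"clientIp": ip, "country": country, "uri": uri,
                        "headers": [{"name": "User-Agent", "value": user_agent}]},
    })


# Constructed sample: one client tripping managed rules repeatedly, one normal
# client that hits a (constructed) custom rate-limit rule once.
RAW_WAF_LOGS = [
    make_log(1700000000000, "BLOCK", "AWSManagedRulesSQLiRuleSet", "203.0.113.10", "XX", "/login", "sqlmap/1.7"),
    make_log(1700000001000, "BLOCK", "AWSManagedRulesSQLiRuleSet", "203.0.113.10", "XX", "/search", "sqlmap/1.7"),
    make_log(1700000002000, "BLOCK", "AWSManagedRulesCommonRuleSet", "203.0.113.10", "XX", "/comments", "sqlmap/1.7"),
    make_log(1700000003000, "ALLOW", "Default_Action", "198.51.100.7", "DE", "/index.html", "Mozilla/5.0"),
    make_log(1700000004000, "BLOCK", "RateLimitLogin", "198.51.100.7", "DE", "/login", "Mozilla/5.0"),
    make_log(1700000070000, "BLOCK", "AWSManagedRulesSQLiRuleSet", "203.0.113.10", "XX", "/login", "sqlmap/1.7"),
]


def header(request, name):
    """Case-insensitive header lookup in the WAF's list-of-dicts header format."""
    for h in request.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return ""


def parse_records(raw_lines):
    """Flatten each JSON log line to the fields the triage functions need."""
    records = []
    for line in raw_lines:
        entry = json.loads(line)
        req = entry["httpRequest"]
        records.append({
            "ts": entry["timestamp"],            # epoch milliseconds
            "action": entry["action"],
            "rule": entry["terminatingRuleId"],
            "client_ip": req["clientIp"],
            "country": req["country"],
            "uri": req["uri"],
            "user_agent": header(req, "User-Agent"),
        })
    return records


def blocks_by_rule(records):
    """Which rules are doing the work: BLOCK count per terminating rule."""
    return Counter(r["rule"] for r in records if r["action"] == "BLOCK")


def blocks_by_client(records):
    """BLOCK count per (client IP, country), the raw-request detail a WAF captures."""
    return Counter((r["client_ip"], r["country"]) for r in records if r["action"] == "BLOCK")


def clients_over_threshold(records, threshold, window_ms):
    """Alarm condition: a client IP with at least `threshold` BLOCKs inside any
    `window_ms` sliding window. Uses a two-pointer sweep over sorted timestamps."""
    stamps_by_ip = defaultdict(list)
    for r in records:
        if r["action"] == "BLOCK":
            stamps_by_ip[r["client_ip"]].append(r["ts"])
    flagged = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_ms:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_records(RAW_WAF_LOGS)
    print("blocks by rule:", dict(blocks_by_rule(recs)))
    print("blocks by client:", dict(blocks_by_client(recs)))
    print("alarm (3 blocks / 60 s):", clients_over_threshold(recs, 3, 60_000))
```

On the constructed sample, 203.0.113.10 collects three blocks within two seconds and trips the 3-in-60-seconds alarm; its fourth block, 70 seconds after the first, falls outside the window, so a threshold of four does not fire. The same aggregation, run continuously on streamed WAF logs, is what a SIEM alarm on "blocks per client" boils down to.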

Anomaly detection services

Most cloud providers offer central logging and monitoring services for their cloud platforms. There are also threat detection services that continuously monitor for malicious activity and anomalous behaviour in the cloud. These services usually rely on machine learning algorithms that can process millions of events across multiple data sources in the cloud. In the case of AWS, for example, these sources include event logs from AWS CloudTrail, flow logs from Amazon Virtual Private Cloud (VPC), audit logs from Amazon Elastic Kubernetes Service, and DNS query logs.
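To show what "anomalous behaviour" looks like in one of the data sources just listed, here are two simple detectors over VPC flow log lines. This is an added example written for this page, not ERGO's or AWS's code, and it covers only flow logs, not the CloudTrail, Kubernetes or DNS sources. The field order follows the default VPC flow log (version 2) record format; the records, the account id, the interface id, the VPC range `10.0.0.0/16` and the two thresholds are constructed.

```python
"""Two anomaly detectors over VPC flow log lines: a port sweep (many REJECTed
ports from one source) and unusually large egress from the VPC.
Added example, not ERGO's or AWS's code; all records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC flow log (version 2) field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed VPC range; a real detector would load this from the VPC configuration.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/16")]

# Constructed records: an external host probing six ports, ordinary web traffic,
# one 50 MiB transfer out of the VPC, an internal database flow, and a NODATA line.
SAMPLE_FLOW_LOGS = """
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40003 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40004 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40005 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 40006 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 51000 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 443 51000 6 12 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 192.0.2.77 45000 443 6 3000 52428800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 45001 5432 6 50 60000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Parse version-2 records; skip malformed lines and NODATA/SKIPDATA records,
    whose traffic fields are '-' and carry nothing to detect on."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internal(addr):
    """Membership in the configured VPC range. Checked explicitly rather than via
    ipaddress.is_private, which also treats IANA documentation ranges such as
    203.0.113.0/24 as private and would misclassify the sample's external hosts."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETWORKS)


def detect_port_sweeps(records, min_ports=5):
    """One source REJECTed on at least `min_ports` distinct ports of one destination.
    Returns (srcaddr, dstaddr, distinct_port_count) tuples."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def detect_large_egress(records, threshold_bytes=10 * 1024 * 1024):
    """ACCEPTed flows from inside the VPC to outside it carrying at least
    `threshold_bytes`. Returns (srcaddr, dstaddr, bytes) tuples."""
    return [
        (r["srcaddr"], r["dstaddr"], r["bytes"])
        for r in records
        if r["action"] == "ACCEPT"
        and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"])
        and r["bytes"] >= threshold_bytes
    ]


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    print("port sweeps:", detect_port_sweeps(recs))
    print("large egress:", detect_large_egress(recs))
```

On the constructed records the sweep detector flags 203.0.113.5 (six REJECTed ports against 10.0.1.20) and the egress detector flags the 50 MiB flow from 10.0.1.20 to 192.0.2.77, while the internal database flow and the small web exchange stay quiet. Managed detection services apply the same idea with learned per-resource baselines instead of fixed thresholds, which is what lets them scale to millions of events.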

Besides building a solid foundation of multi-layered core cloud security services, newly released features such as intelligent malware protection can help to improve the efficiency and detection rate for advanced attacks. This applies to anomaly detection services that identify potentially compromised virtual machines primarily on the basis of network traffic. Tracking the traffic down to individual servers and identifying infected files in a cloud environment can be slow, as it requires manual actions such as creating a snapshot and running an anti-malware scan with third-party tools. With malware protection enabled and connected to the existing anomaly detection services, whenever signs of an infection are visible on the network the alerts/findings can be correlated automatically, leading to a standardised response: the creation of a snapshot and the initiation of an agentless scan on the backup of the EC2 instance or container to identify the infected files. This helps the security team to rule out false positives and eradicate malware infections faster.

Cloud providers continue to expand their competencies in the area of cloud security, with new services and tools being developed systematically. Integrating them means we are able to build a multi-layered security defence that allows us to monitor, detect, identify, protect against and respond to a variety of threats in near real time.

Text: Christoph Koslowski, Marcin Jung, Sylwia Sławińska, Adam Burek