Complementing Your CSPM with Runtime Cloud Workload Protection
Written by Intezer
There are many solutions available for securing your cloud applications and workloads. Even after doing your due diligence and making an investment, it can take a long time to provide value. CISOs report Cloud Security Posture Management (CSPM) and other pre-runtie vulnerability management programs can take anywhere from months to years to be completed.
Budgets have been cut short due to COVID-19 and security is already one area that is more difficult to prove tangible business results than sales and other revenue generating departments. Quick wins can make all the difference in both supporting large security programs and providing positive updates to key stakeholders.
So You’ve Begun Your CSPM Journey?
You might have already begun your CSPM journey with the aim of protecting against misconfigurations caused by human error. The need for this type of solution is evident. According to Gartner, 95 percent of cloud security issues are the result of misconfiguration. A lack of visibility into cloud infrastructure can cause misconfigurations to go undetected for long periods of time, exposing highly sensitive data to the public internet. We saw this play out recently with the Doki malware, which went undetected for over six months and is scanning the internet for misconfigured Docker cloud servers.
Security teams acknowledge ramping up a CSPM program is a lot of work that is going to take time. This is partially due to the Shift Left movement, where finding and fixing vulnerabilities in your code requires working in tandem with the development team. While you are getting ramped up with your CSPM, what are you doing to prevent breaches in runtime?
Runtime Protection is a Quick Win
Just as protecting against misconfigurations is essential, so is the need for a runtime solution. Pre-runtime security solutions have limitations, namely defending only against a single attack vector (vulnerability exploitation) and a lack of visibility into production. The latter is incredibly problematic because cyber attacks eventually require the attacker to run unauthorized code or commands somewhere in the victim’s runtime environment.
Taking an assume breach mentality, attackers are still going to find a way in. Whether you are reliant on a third party or not, it’s going to be difficult to catch every vulnerability considering the sheer size and complexity of enterprise cloud environments. When you do find a vulnerability, fixing it can take time.
Living off the Land attacks are one way an adversary can get access to the system without needing to exploit a vulnerability, instead utilizing a trusted application in the operating system itself to conduct the attack.
Protecting your cloud servers in runtime against unauthorized code is an important last line of defense. A Cloud Workload Protection solution provides full visibility over all code in runtime and alerts on any unauthorized activity that deviates from the predetermined secure baseline. Think of it as a quick win, complementing a pre-runtime solution like a CSPM and buying you time to work on a larger project such as fixing misconfigurations.
Where Companies Fall Short in Runtime Security
Runtime protection hasn’t been successful in the past for organizations usually due to challenges caused by vendor implementation:
- False positives: Overhead with cloud workloads is a significant challenge and sadly it’s a reality for most Cloud Workload Protection strategies. Recent research suggests that 90 percent of cloud servers drift from their original trusted baseline. Overly strict policies can create a lot of noise and false positives resulting in alert fatigue.
- Allow Listing causes high overhead: Allow Listing (also known as Application Control or Zero Trust Execution) means ensuring only pre-approved code is running in your systems. The discovery of this process has a very high overhead which is why companies have abandoned it. When done properly, Zero Trust Execution is considered by market research firms to be the best practice for securing workloads in the cloud and there are specific implementations of this approach that produce significantly low overhead.
- In-memory visibility: Traditional implementations of Allow Listing apply this approach only on disk. This prevents them from providing protection against vulnerability exploitation and other in-memory threats. This is one of the main reasons why Gartner recommends pairing App Control with memory protection capabilities as part of any effective runtime Cloud Workload Protection strategy.
What to Look For in a Cloud Security Solution
Assuming the status of your CSPM will be behind, you should consider a runtime cloud security solution to immediately secure your cloud assets. Here is what to look for:
1. Adequate Linux threat detection: The majority of public and private cloud servers are Linux-based. With Linux threats emerging as a top concern for organizations, you should understand how your cloud security solution is addressing them. If you want to detect these threats you will likely need a security solution designed to protect Linux systems, not a migration or adaptation of a Windows endpoint detection platform. Genetic Software Mapping is a viable alternative to signature and anomaly-based detection as these more traditional approaches can be less effective if you don’t have new IOCs or attackers mimic normal behavior.
2. Low overhead: Look for a solution that won’t alert you on every small software upgrade or natural change in memory. Otherwise you will be investigating a lot of false positive alerts.
3. Full visibility: A runtime Cloud Workload Protection solution can give you full visibility over all applications running on your infrastructure. You also want to ensure this includes visibility in memory to defend against fileless threats, not just traditional files on disk.
4. Secure the entire cloud native stack: The cloud has many new technologies including containers and Kubernetes. Make sure your cloud security solution secures all of your assets, including VMs, database servers, and containers, and preferably under one roof to further reduce overhead and complications.
Vulnerability management and CSPM are essential but even fully ramped up they are not going to protect you against breaches which occur in production. A strong runtime Cloud Workload Protection solution is a quick win. It provides a lot of immediate security value which you can report to your higher ups by protecting against breaches and buying you time for perfecting longer vulnerability and misconfiguration initiatives. Guarding against unauthorized code or commands is your last line of defense and one of the first actions you can take to reduce risk.