The Importance of Network Data in Securing Cloud Workloads

Cloud workloads are deployed into highly dynamic environments, often utilizing and coexisting with a wide variety of cloud providers and third-party platforms and services. The workloads themselves can range from legacy applications that have been migrated from traditional on-premises data centers, to applications that have been built specifically to run on cloud platforms, to entirely serverless applications. They may run unchanged for weeks or months, or only exist for a few seconds.

Many Ways to 'Secure' Cloud Workloads

There are also many ways to monitor and protect the cloud, including agent-based third-party solutions, cloud provider monitoring and logging services, cloud perimeter firewalls, and WAFs. Like anything in life, security technologies come with certain advantages and drawbacks, so organizations often deploy a variety of cloud workload security solutions depending on their regulatory environment, desired security posture, and aversion to risk.

All Security Technologies Come with Limitations

Agent-based solutions, such as cloud workload protection platforms (CWPP) and endpoint detection and response (EDR) excel at threat prevention. However, they can be problematic to deploy everywhere in a cloud environment as they require integration into the DevOps workflow or ad hoc deployment and must support multiple OS platforms and versions. Agents can scan endpoints for malware, but can only see their own ingress/egress network traffic and have no visibility into the activities of other workloads or the environment in which they're running. Determined attackers will often disable endpoint security agents or simply go dormant in their presence to avoid discovery, as done in the massive SUNBURST malware attack.

Logging solutions are often available natively from cloud providers and can feed cloud provider or third party security information and event management (SIEM) tools. However, it can take precious time for a SIEM to store and process logs before generating alerts, and the lack of context provided with logs can result in high false positives. Attackers frequently disable logging solutions or delete log files to thwart discovery and investigation, and increase dwell time.

Cloud security posture management (CSPM) tools can discover workloads and determine their security configuration for compliance purposes, but they can't discover threats or data breaches in real-time, examine network traffic, or stop attacks in progress.

Organizations that are aware of the shared responsibility model of cloud security understand that they must fully own the security of their cloud workloads. This entails a careful evaluation of the visibility and security gaps left by their existing cloud security solutions, and ultimately a decision on which additional security technologies they must deploy to fill those gaps.

NDR Provides Context-Rich Security that Fills Gaps in Workload Security

Over the past several years, network detection and response (NDR) has seen widespread deployment in traditional on-premises data center environments, primarily to inspect east-west traffic flowing between workloads for threats and anomalies. Now its benefits are being fully realized by organizations running workloads in cloud environments as well.

NDR requires no agents that can add friction to DevOps workflows, and uses context-rich network data—the ground source of truth in both cloud and on-premises data center environments—to produce real-time actionable alerts. NDR provides visibility into all network traffic flowing between all workloads, devices, and services in the environment, all of the time.

Since it operates out-of-band, NDR cannot be seen or disabled by attackers—providing an always-on, unassailable perch from which SecOps and SOC teams can automatically discover and respond to attacks and data breach attempts in real-time. In this way, NDR fills the gaps that other workload security technologies leave behind.

About ExtraHop Reveal(x) 360

Reveal(x) 360, a SaaS-based NDR security solution, helps to protect cloud workloads in AWS, Azure, and Google Cloud environments by providing discovery, investigation, and response to both known and unknown threats and attacks. By integrating natively with cloud-native packet mirroring services, Reveal(x) 360 provides agentless real-time visibility into network traffic flowing to and from workloads and compute instances, even when that traffic is encrypted.

Reveal(x) 360 applies advanced machine learning and behavioral analysis to network metadata, accurately identifying anomalous behavior associated with attacks, data breach attempts, and malware. Once threats are discovered, Reveal(x) 360 can alert security administrators for remediation, or integrate with SOAR solutions for auto-remediation. The result is stronger security posture and minimized risk for organizations running workloads in cloud environments. Reveal(x) 360 also fully supports on-premises data center environments, providing a single console for workload security across hybrid and multicloud organizations.

To learn more about how NDR helps to secure both cloud and on-premises workloads, read the latest research report from 451, Cloud Security is Much More than Prevention and Compliance.

Get technical details of Reveal(x) 360 and learn how ExtraHop works.

You can also try Reveal(x) 360 for free. See how SaaS-based Reveal(x) 360 detects threats up to 95% faster and slashes your time to respond by up to 70% with a 15-day proof of value in your AWS environment.