Rafal Los, head of services strategy at ExtraHop, recently joined Anton Chuvakin and Tim Peacock for a crossover episode of their two podcasts, “Down the Security Rabbithole” and “Cloud Security Podcast.” Los, Chuvakin and Peacock had a rollicking time discussing what it means to use the cloud securely. Their conversation, at times laugh-out-loud funny and always insightful, yielded a number of highlights.
Fun with Cloud Security
Chuvakin, Peacock and Los opened by poking fun at the cliché, “The cloud is secure, but organizations aren’t using it securely.” Los noted, “That’s a little like saying lava is safe to walk on if you let it cool off first.” He then took the analogy a step further: “Every car is safe as long as you don’t get in.”
Los’s wry observations about cloud security led to more serious comments about architecture. He noted that cloud security architecture was designed to give security practitioners as many choices as possible, so it can be customized to fit any environment. This sounds great at first glance, added Los, but without guidance, there can be too many options, which can end up undermining security by creating blind spots. “It’s like handing a client a massive box of Legos and saying, ‘good luck!’” Los commented.
What It Means to Use Cloud Securely
Los offered a number of cloud security recommendations: turn on logging and other default security settings, and implement network security.
He also reminded listeners that migrating applications involves much more than transferring an application into a virtual machine. Apps that are designed to run on-premises often count on the fact that they are normally deployed behind a firewall or air-gapped for security, Los added. Once they’re in the cloud, however, that protection disappears, so organizations need to rethink how they’ll keep them secure.
“No matter how your cloud environment is structured, implementing network security is always a good idea,” said Los. “Think about the autonomous tools running in the cloud that you want to protect. What processes are they performing? What other assets are they communicating with? Network security grants you the visibility to find the answers to these questions so you can shore up any vulnerabilities.”
Myth Busted: Packet Capture Is “So ’90s”
Chuvakin pressed Los to comment on the notion some security practitioners hold that “packet capture is so ‘90s,” and Los decisively dispelled the myth. “The truth on the network and infrastructure can be found in the content of network packets,” he told Chuvakin. “Full-packet capture allows you to pull apart packets to see the full content, intent, and if anything is hidden within them. Without this ability, your security team is flying blind. Packet sampling isn’t nearly as effective, since it doesn’t allow you to see the complete content.”
Los added that packet capture makes it possible to model behavior at scale. He said this is important because pattern-based security can’t catch everything, and he offered an example to prove his point. Say an organization had deployed a SIEM, an intrusion detection system (IDS), a web application firewall (WAF), etc., but still got breached. What happened? The security and network teams were heavily siloed, meaning the security team couldn’t see the strange behavior on the network that would have indicated a compromise. Instead, they ran a ransomware check, which turned up nothing. “If they had implemented network detection and response (NDR),” said Los, “they would have been able to see huge CPU spikes as well as network traffic to abnormal destinations at odd times.”
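As an added illustration (not code from the podcast or from ExtraHop), here is a minimal baseline-then-flag check over constructed flow records that would surface the “traffic to abnormal destinations at odd times” case Los describes; the host name, the RFC 5737 documentation IPs and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (hypothetical host, RFC 5737 documentation IPs),
# one per line as "timestamp,src_host,dst_ip,bytes". Not real captures.
BASELINE_FLOWS = """\
2024-03-04T09:12:00,app01,192.0.2.10,4096
2024-03-04T10:40:00,app01,192.0.2.11,8192
2024-03-05T09:05:00,app01,192.0.2.10,5120
2024-03-05T14:30:00,app01,192.0.2.11,2048
""".splitlines()

NEW_FLOWS = """\
2024-03-06T10:00:00,app01,192.0.2.10,4500
2024-03-06T03:17:00,app01,198.51.100.77,900000
2024-03-06T11:05:00,app01,203.0.113.5,1024
""".splitlines()

BUSINESS_HOURS = range(8, 19)  # assumed working window, 08:00-18:59


def parse(line):
    ts, src, dst, nbytes = line.split(",")
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def build_baseline(lines):
    """Per-host set of destinations seen during the learning window."""
    seen = defaultdict(set)
    for _, src, dst, _ in map(parse, lines):
        seen[src].add(dst)
    return seen


def find_weird(lines, baseline):
    """Return (record, reasons) for flows that deviate from the baseline.

    A flow is a 'huh, that's weird' moment if its destination was never
    seen for that host, or if it happens outside business hours.
    """
    findings = []
    for line in lines:
        ts, src, dst, _ = parse(line)
        reasons = []
        if dst not in baseline.get(src, set()):
            reasons.append("never-before-seen destination")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Running `find_weird(NEW_FLOWS, build_baseline(BASELINE_FLOWS))` flags the 03:17 flow on both counts and the 11:05 flow for its new destination, while the routine 10:00 flow passes; a real NDR product adds protocol content, volume and timing models on top of this skeleton.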
“Good security starts with ‘huh, that’s weird’ moments, rather than big red flags,” Los observed. “NDR and packet capture allow you to spot those moments in the first place.”