Within the broader digital transformation that’s reshaping entire economies, cloud adoption stands out as a particularly sudden and significant shift, accelerated by the move to remote and hybrid work during COVID-19.
While some organizations choose to lift and shift their applications or invest in re-architecting them for cloud, many elect to pursue a hybrid approach. However, one thing is certain: cloud expenditures continue to grow at a remarkable rate. In fact, Gartner forecasts that cloud spending will reach almost $600 million in 2023, a nearly 21% increase over 2022.
Introducing cloud environments also introduces new business risks. Cloud environments are complex; they expand the threat surface, come with their own unique set of threats and challenges, and the specialized expertise needed to safeguard your cloud assets is in high demand and short supply.
While organizations recognize the need for cloud security solutions and 24/7 MDR (e.g., Cloud Security Posture Management and Cloud Workload Protection), many neglect to consider the role that managed Network Detection and Response (NDR) plays in the cloud.
As this post will cover, NDR within the cloud is essential not only for a comprehensive cloud security strategy, but also for helping to provide complete, unified visibility across your entire IT environment, which is integral to lowering your mean time to respond (MTTR) and stopping threats before they can turn into business-disrupting events.
Cloud Protection Challenges
Clouds are popular for good reasons, but they introduce new security challenges. In response to these challenges, cloud-specific tools have been created and though these tools are important, they nevertheless suffer from a few significant, overlapping shortcomings, such as:
- Narrow application domains: There are many point solutions available for the cloud, with each addressing a specific aspect of cloud security.
- Limited visibility: It’s difficult to get comprehensive visibility into all aspects of cloud infrastructure and cloud computing.
- Shared responsibility model: AWS users often assume they are being secured by AWS, however under the shared responsibility model, this is not the case. AWS itself notes that customers are responsible for network traffic protection.
- Integration challenges: Integrating cloud security tools with existing security infrastructure and processes can be complex — incompatibilities, interoperability issues, and the lack of standardized APIs between different tools and cloud platforms can impede seamless integration and result in operational inefficiencies.
- Mitigate data breaches: Securing sensitive data is the customers’ responsibility and only visible/accessible to the AWS user to set correct safeguards.
- Customization and compliance: AWS provides a baseline for security of the infrastructure, but your individual organization may have different security requirements that must be followed.
Cloud Security Posture Management (CSPM)
The key benefit of a CSPM solution is its ability to provide continuous monitoring of a cloud environment, which allows you to quickly identify and remediate security risks — ideally before bad actors spot the same vulnerabilities. Given that misconfigurations are the biggest threat to cloud security, there’s no doubt that CSPM is the primary cloud security solution that every organization using cloud services should have.
24/7 MDR with CSPM helps organizations create and maintain a secure cloud environment by scanning for misconfigurations, vulnerabilities, and compliance issues and then responding to remediate policy violations 24/7. In doing so, MDR with CSPM provides visibility and control over cloud resources, helping you respond quickly to detections and maintain a strong security posture and prevent cyberattacks. CSPM also helps to maintain compliance with industry standards and regulations by providing automated compliance checks and reporting.
However, while CSPM solutions help maintain a strong security posture, they aren’t designed to provide real-time threat detection and response at the network level.
Cloud Workload Protection (CWP)
While CSPM focuses on configurations, the goal of Cloud Workload Protection Platforms (CWPPs) solutions and 24/7 MDR is to protect your workloads by detecting malicious activities in the specific context of those workloads and responding rapidly in real- time.
The limitation of CWPP solutions is that they narrowly focus on individual workloads and gather telemetry that is limited to only those workloads on which they’re deployed. So, they aren’t designed to take a broader view. A second thing to keep in mind when considering how CWPP solutions fit into the wider security stack is that threat actors often seek to (surreptitiously) disable these controls, which can hide malicious activity.
While CWPPs do a good job of securing compute instances and monitoring risk — and many support multiple Infrastructure-as-a-Service (IaaS) providers and other cloud environments — they simply aren’t built to monitor and analyze all network traffic flowing within your cloud environment.
Applying Network Detection and Response to Your Cloud Environment
NDR solutions leverage sophisticated analytical methodologies, including machine learning (ML), to identify malicious network behavior, anomalies, and indicators of compromise (IoCs) masked to look like legitimate activity. Since NDR predates the cloud, early iterations of NDR technology monitored and analyzed network traffic within an organization's internal network infrastructure.
However, with the increasing adoption of cloud computing and the expansion of network perimeters, NDR solutions have evolved to encompass cloud-based and hybrid environments. As a result, modern NDR solutions are adept at providing unified visibility and threat detection across both the on-premises and cloud-based networks that comprise today’s hybrid IT environments.
Given that all cloud workloads rely on network communication, network data serves as a powerful source of truth for cloud-oriented security analysts, incident responders, and forensic investigators.
In the earlier days of cloud adoption, capturing this network data was a challenge. However, the emergence of network taps from major cloud service providers (CSPs) and third-party packet brokers has addressed and overcome much of the complexity and the most common barriers that made it difficult to apply NDR within the cloud.
More importantly, today’s NDR solutions are specifically designed to work in dynamic cloud environments, providing visibility and detection capabilities that are optimized for cloud workloads.
Plus, in contrast to cloud-specific security tooling, NDR solutions can detect a wide range of cyber threats (e.g., malware, phishing, and network-based attacks) in real-time. This real-time monitoring and reporting also supports compliance requirements, helping organizations to manage regulatory risks.
eSentire in Action: Using NDR to protect AWS workloads
Let’s now look a bit more deeply into how Network Detection and Response helps to safeguard cloud workloads.
Amazon Web Services (AWS) is one of the leading cloud platforms, trusted by organizations large and small. But failing to monitor network traffic in an AWS cloud can expose an organization’s environment to DDoS attacks, malware infections, phishing attempts, unauthorized access attempts, data exfiltration, advanced persistent threats (APTs), and more.
To mitigate these risks, eSentire MDR provides network traffic inspection and response capabilities for AWS environments, in part by leveraging the AWS VPC Traffic Mirroring service that allows eSentire to capture and inspect network traffic in AWS at the packet level.
By combining behavioral analysis and full packet capture (PCAP) data — on top of the visibility provided by CSPM and CWPP solutions — organizations can get the comprehensive view of network traffic needed to detect anomalies, identify and respond to threats that may bypass traditional workload protection measures, and gain deeper insights into potential security threats.
For example, network analysis can detect:
- Command-and-control (C2) channels, even when the traffic itself is encrypted
- DNS tunneling
- Anomalies in SSL/TLS certificate usage
- Traffic patterns that may represent data exfiltration
- Abnormal network activity that may be indicative of zero-day attacks
But to stop threats in their tracks, detection needs to be linked to timely response — which is why Network on AWS uses an in-band method to disrupt traffic within the AWS cloud. When suspicious activities are detected, the eSentire virtual network sensor can disrupt malicious traffic by integrating with industry-leading physical/virtual firewalls (eSentire's Network on AWS solution interfaces with leading firewalls from Palo Alto Networks, Cisco, and Fortinet). Plus, an automated policy is then implemented in real time to block that malicious IP in the future — no manual intervention required.
There’s no single solution to solve all security challenges in the cloud: Cloud Security Posture Management, Cloud Workload Protection, and Network Detection and Response all have important roles to play. NDR excels at providing detection and containment within the perimeter, defending against more advanced threats that take advantage of gaps in CSPM and that can evade CWPPs. In fact, as organizations continue to scale in the cloud, NDR will play a critical role in safeguarding these investments; in its 2022 Gartner Market Guide for Network Detection and Response, Gartner projects that more than half of network detections will be cloud-based by 2027.
Plus, because NDR solutions also apply to on-premises environments, they can provide a unified view of threats within the wider IT environment, and feed other solutions (e.g., XDR, SOAR, SIEM, etc.) with the signals and context they require to be most effective.
To learn how eSentire MDR for Network on AWS can help you build a more resilient cloud security operation, connect with a cybersecurity specialist today.
