The rapidly rising tide of cybersecurity attacks has naturally driven security and IT managers to strengthen their perimeters and bolster their defences. But without paying similar attention to what’s happening on their internal networks, they are leaving massive blind spots that could potentially produce catastrophic results.
Adequate network visibility has long been recognised as critical to rapidly detecting and responding to malicious attacks on any network. This visibility is crucial to picking up on the telltale signs of compromise or attempted compromise – whether they are generated by brute-force outsider attacks, insider-led compromises, advanced persistent threats, or compromised endpoints that piggyback on holes in conventional perimeter defences.
Whatever the vector, attacks will ultimately generate anomalous traffic that monitoring tools should be able to detect and flag, guiding further investigation and containment. Where this doesn’t happen, study after study has shown that attacks can linger undetected for months – one recent study pegged the lag time at an average of 200 days – before they are found.
Cloud-based security solutions offer some reprieve by facilitating access to cutting-edge security tools. Little wonder that research firm Frost & Sullivan expects that demand for cloud-based security tools will grow by 60 percent through 2020, outpacing demand for on-premises solutions.
This growth will be driven in part by adoption of cloud-based productivity tools, and even more so by the shifting of company infrastructure to public-cloud platform as a service (PaaS) and infrastructure as a service (IaaS) environments.
Existing security problems, however, don’t go away just by shifting computing and security capabilities to the cloud. Businesses taking this step need to understand that with the benefits of cloud-based delivery come a range of new challenges – and unless they are addressed from the beginning, they can generate new problems that manifest in a range of ways.
“Even in non-traditional areas, businesses are starting to move things to the cloud and see real advantages,” says Gigamon distinguished sales engineer Ian Farquhar. “But just moving stuff to the cloud doesn’t make security issues go away. This can complicate performance and network management issues because you don’t have the access to that workflow if it’s not managed as it is on-premises.”
Moves to adopt cloud-based solutions should always be complemented by efforts to address the security of those solutions. This means finding a way to gain a high degree of real-time visibility into the inner workings of the cloud platforms that the company has adopted.
This can be harder than you might think. Public cloud services offer some degree of monitoring, but their views and reports tend to focus on information about the availability of the underlying IaaS and PaaS platforms. Those metrics won’t tell you much about what’s going on inside the virtual machines they are hosting for your company, except that they seem to be running fine.
This is why it’s crucial to not treat cloud as a black box – but, instead, to deploy virtual infrastructure that provides the same degree of visibility that you get from your own on-premises monitoring systems. Since most existing network-monitoring tools have little to offer when it comes to the cloud, the wrong choice can leave security practitioners flying blind.
Tapping into the cloud

Resolving this conundrum is a major consideration for companies of any size. Companies like Gigamon have addressed it by developing virtual ‘taps’ that sit inside customers’ virtual environments, keeping a watchful eye on their activities and reporting back to a centralised monitoring console.
Those reports are presented through a ‘single pane of glass’ view that positions on-premises activities next to cloud-based activities. This allows companies not only to monitor both environments to the same standards, but also to compare the two environments directly.
Such comparisons offer another way to pick out anomalous behaviour that can point to compromise, or attempted compromise, by outsiders or insiders. Since cybercriminals are increasingly targeting their attacks against specific organisations, an alarm in one of the two environments can serve as an early warning for the other. After all, if one part of a company’s data and application infrastructure is being attacked, the same thing may well be happening on the other part of its infrastructure.
Detailed monitoring of both cloud and on-premises environments “really derisks that decision to move to the cloud,” Farquhar says. “Unmanaged risk is a problem that businesses deal with every day. You’ve got to have that capability to understand and control what’s going on.”
Better visibility of cloud and on-premises data is also proving crucial to helping companies understand the flow of data onto and off their networks. Contemporary compliance and governance standards require strict control over the flow of information such as credit-card numbers and personally identifiable information (PII), which often follows standard formats that network taps can readily identify.
“You don’t want credit-card numbers being transmitted in the clear across to the public network,” Farquhar said. “The ability to look into a data stream and understand how data is being transmitted, is something that a lot of organisations will value.”
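As an added illustration of the point above (example code written for this article, not Gigamon’s product or Farquhar’s own tooling), the script below shows the kind of check a tap or monitoring console can apply to cleartext payloads: it finds digit runs in the 13-to-19-digit card-number range and keeps only those that pass the Luhn checksum, so random order IDs are not reported as card numbers. The sample flows and addresses are constructed for the example, and any hit is reported masked rather than in full.

```python
import re
from typing import List, Tuple

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits in any alert."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: str) -> List[str]:
    """Return masked, Luhn-valid card numbers found in a cleartext payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample flows: (flow description, cleartext payload as seen by a tap).
# 4111111111111111 is a well-known Luhn-valid test number; the second run is not valid.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("10.0.1.5 -> 203.0.113.9:80 HTTP POST", "card=4111111111111111&exp=12/29&cvv=123"),
    ("10.0.1.7 -> 203.0.113.9:80 HTTP POST", "order_id=4111111111111112&qty=2"),
    ("10.0.1.9 -> 203.0.113.10:80 HTTP GET", "/search?q=widgets"),
]


def scan_flows(flows: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Raise one alert per flow that carries a card number in the clear."""
    return [(desc, pans) for desc, pans in
            ((desc, find_cleartext_pans(payload)) for desc, payload in flows) if pans]


if __name__ == "__main__":
    for desc, pans in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT cleartext card number in {desc}: {pans}")
```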
When implemented across the environment, this approach gives network and security managers a high degree of visibility into all network traffic, empowering them to take very real steps to improve their ability to spot and react to security incidents. Doing so will reduce risk to the business and help minimise the potential impact of an attack on infrastructure, whether it’s located on-premises or in the cloud.
“Several years ago, the idea that companies should have visibility of their networks was somehow controversial,” Farquhar said. “But it’s not a question anymore: customers absolutely understand that they need visibility. There are many things happening in the cloud – security incidents, performance issues, and network issues – and they all need visibility.”