It is not news that organizations face a growing number of cyber threats, nor that new, sophisticated attacks evade traditional security tools. But a growing threat companies face is the complexity of their own multi-cloud, multi-vendor environments: each provider brings its own configuration model, access controls and telemetry, and the gaps between them are where detection and response break down. With businesses using about five different cloud services on average, threat detection and response have become prohibitively difficult, leaving many companies exposed to serious damage.
In this Q&A, Alert Logic CTO and COO Onkar Birk shares his perspective on implementing a more effective multi-cloud security strategy so that companies can protect their digital assets no matter where they reside.
We’ve been hearing a lot about “Left of Boom” and “Right of Boom.” What significance does this have to defining a multi-cloud strategy?
In the multi-cloud, the most common problems, when it comes to identifying vulnerabilities that can lead to potential threats, are based on configuration errors. The benefit of a cloud, whether it’s a multi-cloud or a single cloud, is that you can very quickly spin up an environment, especially a serverless container-type environment.
However, that has a drawback — often, you can spin up an environment without necessarily putting in place all the appropriate configurations, such as identity management and access control. If it’s a public-facing environment, you’ll be exposed to vulnerabilities without all those checks. So, human error is going to be one of the biggest issues. Left of Boom specifically addresses that. How do I make sure that I’m constantly scanning and looking at those environments to identify vulnerabilities?
The other issue comes from the promise of the cloud in how quickly you can set up things — people often spin up environments in what they view as a nonproduction environment without thinking about these checks and balances. But just because nonproduction means the environment doesn’t have any data associated with it doesn’t mean that it’s not a conduit to a system that does have data. You may have a device on your network that’s publicly facing, that doesn’t necessarily have data residing on it, but that can function as a conduit to other systems. Now, you’ve opened a new door for attackers.
Also, not everyone patches their systems. In the cloud, you have to make sure that any auxiliary systems that might be connected to your applications are patched and up to date. With our customers, we come across systems that have been unpatched for years, in some instances. You’ve got to be very mindful of what vulnerabilities you’re opening up, how easy it is to do so, and the damage that you can cause doing it.
Multi-cloud exacerbates all of this because you often have skillsets within customer environments that are specific to one particular cloud environment. Knowing what configurations, what access control to put in place in each individual environment, and when to do it requires skill and knowledge. Not every customer has the ability to acquire those skills and that knowledge, so you can actually amplify your problems when you’re multi-cloud.
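Editor's note: the following is an added example, not code from Alert Logic or from Birk. It turns the Left of Boom checks described in this answer (a public endpoint with no access control in front of it, management ports open to the internet, patch age, and a "nonproduction" host that is a conduit to a system holding data) into a scan over a constructed, provider-normalised inventory. The inventory records, resource names, the 90-day patch threshold and the fixed reference date are all assumptions; a real scan would populate the inventory from each provider's API rather than from a literal.

```python
"""Left-of-Boom configuration checks over a constructed multi-cloud inventory.

Added example; not Alert Logic code. Every resource below is made up, and a real
scan would populate the inventory from each provider's API (EC2/VPC, Azure NSG,
GCP firewall rules, etc.) rather than from a literal.
"""
from datetime import date

TODAY = date(2021, 9, 1)          # fixed reference date so results are reproducible
ADMIN_PORTS = {"22/tcp", "3389/tcp"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed inventory: one record per reachable endpoint, normalised across providers.
INVENTORY = [
    {"provider": "aws", "name": "web-prod", "env": "prod", "public": True,
     "auth_required": True, "ingress": ["443/tcp:0.0.0.0/0"],
     "last_patched": date(2021, 8, 20), "connects_to": ["db-prod"]},
    {"provider": "aws", "name": "db-prod", "env": "prod", "public": False,
     "auth_required": True, "ingress": ["5432/tcp:10.0.0.0/16"], "holds_data": True,
     "last_patched": date(2021, 8, 1), "connects_to": []},
    # "Just a dev box": public, no auth, years unpatched, and wired to the prod database.
    {"provider": "azure", "name": "api-dev", "env": "nonprod", "public": True,
     "auth_required": False, "ingress": ["80/tcp:0.0.0.0/0", "22/tcp:0.0.0.0/0"],
     "last_patched": date(2019, 3, 15), "connects_to": ["db-prod"]},
    {"provider": "gcp", "name": "batch-worker", "env": "prod", "public": False,
     "auth_required": True, "ingress": [],
     "last_patched": date(2021, 8, 28), "connects_to": []},
]


def scan(inventory, today=TODAY, max_patch_age_days=90):
    """Return (severity, resource, message) findings for the misconfigurations discussed above."""
    by_name = {r["name"]: r for r in inventory}
    findings = []
    for r in inventory:
        tag = f'{r["provider"]}:{r["name"]}'
        # 1. Public endpoint with no identity/access control in front of it.
        if r["public"] and not r["auth_required"]:
            findings.append(("high", tag, "public endpoint with no access control"))
        # 2. Management ports reachable from the whole internet.
        for rule in r["ingress"]:
            port, cidr = rule.split(":", 1)
            if port in ADMIN_PORTS and cidr in ANYWHERE:
                findings.append(("high", tag, f"admin port {port} open to {cidr}"))
        # 3. Patch age, escalated once it passes a year.
        age = (today - r["last_patched"]).days
        if age > max_patch_age_days:
            findings.append(("high" if age >= 365 else "medium", tag, f"unpatched for {age} days"))
        # 4. Nonproduction is only harmless if it reaches nothing that matters.
        if r["public"] and r["env"] != "prod":
            for target in r["connects_to"]:
                t = by_name.get(target)
                if t and (t.get("holds_data") or t["env"] == "prod"):
                    findings.append(("high", tag,
                                     f"nonprod public host is a conduit to {t['name']} ({t['env']})"))
    return findings


def worst(findings):
    """Highest severity present, for gating a deploy or paging someone."""
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for sev, res, msg in scan(INVENTORY):
        print(f"[{sev:6}] {res}: {msg}")
    print("overall:", worst(scan(INVENTORY)))
```

Run against the constructed inventory, every finding lands on the nonproduction host, which is the point of the answer above: the box nobody considered production is the one with no access control, an SSH port open to the world, a patch level from years ago, and a path into the production database. The conduit check only fires for public nonproduction hosts; tighten it to all nonproduction hosts if internal pivoting is in scope.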
How important is it to address known and unknown threats in a multi-cloud strategy?
Let’s say you have a breach. You’ve never seen this threat before. You can’t identify it. You don’t know what the vulnerability looks like. So, what is this threat going to do? It’s going to start to infiltrate and expand across your environment. This is what happens in Right of Boom.
How you deal with unknown threats and lateral movement is very similar in that you have to analyze what’s going on. When you’re looking at an unknown threat, you’re analyzing it to understand how it’s doing what it’s doing, so you can create an analytic to detect it going forward. You want to understand the techniques it’s applying and what systems it is going after, because this unknown threat may be targeting specific systems. You want to get visibility of those types of systems and make them a priority. It’s really about investigation and creating an analytic to make unknown threats visible, detect them, and ultimately, stop them.
When it comes to a spread, it’s similar. You want to understand how it’s spreading, what it’s spreading to, and what systems it’s targeting. Is it targeting individual databases? Is it extracting data? Is it trying to get passwords? Is it trying to get financial information? If you don’t know where it’s going, you can’t investigate it, and you can’t stop it.
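Editor's note: the following is an added example, not Alert Logic's detection content and not something Birk describes implementing. It shows the kind of analytic this answer talks about: a Right of Boom rule that flags one principal fanning out across many hosts in a short burst, and then answers "what is it going after" by tagging the destinations (databases, credential stores, financial systems) so the investigation can be prioritised. The log lines, the five-field format, the host names and the asset tags are constructed; the five-minute gap and three-host threshold are assumed starting points.

```python
"""Right-of-Boom analytic: one principal fanning out across many hosts in a short burst.

Added example; not Alert Logic's detection content. The events are constructed and the
format (ISO timestamp, user, source, destination, outcome) is assumed; a real pipeline
would parse SSH, Windows logon or cloud audit logs into the same five fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS_RAW = """\
2021-09-01T10:00:01 alice ws-12 file-01 success
2021-09-01T10:01:10 alice ws-12 file-01 success
2021-09-01T10:03:42 svc-backup ws-07 db-finance success
2021-09-01T10:03:50 svc-backup ws-07 db-hr success
2021-09-01T10:04:05 svc-backup ws-07 vault-01 failure
2021-09-01T10:04:20 svc-backup ws-07 app-03 success
2021-09-01T10:04:45 svc-backup ws-07 dc-01 failure
2021-09-01T11:30:00 bob ws-20 app-03 success
"""

# What a destination holds; this is what turns "it is spreading" into "what is it after".
ASSET_TAGS = {"db-finance": "financial-data", "db-hr": "personal-data",
              "vault-01": "credentials", "dc-01": "credentials"}


def parse(raw):
    events = []
    for line in raw.splitlines():
        ts, user, src, dst, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def sessions(events, max_gap):
    """Split one actor's ordered events into bursts separated by more than max_gap."""
    current = []
    for e in events:
        if current and e["ts"] - current[-1]["ts"] > max_gap:
            yield current
            current = []
        current.append(e)
    if current:
        yield current


def detect_fanout(events, max_gap=timedelta(minutes=5), min_hosts=3):
    """Alert when a (user, source) pair touches >= min_hosts distinct destinations in one burst."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_actor.items():
        for burst in sessions(evs, max_gap):
            hosts = sorted({e["dst"] for e in burst})
            if len(hosts) < min_hosts:
                continue
            targets = sorted({ASSET_TAGS[h] for h in hosts if h in ASSET_TAGS})
            alerts.append({
                "user": user, "src": src, "hosts": hosts, "targets": targets,
                "failed": sorted({e["dst"] for e in burst if e["outcome"] == "failure"}),
                "first": burst[0]["ts"], "last": burst[-1]["ts"],
                # Credential stores and finance systems get investigated first.
                "priority": "high" if {"credentials", "financial-data"} & set(targets) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse(EVENTS_RAW)):
        span = (a["last"] - a["first"]).seconds
        print(f'{a["priority"]}: {a["user"]}@{a["src"]} hit {len(a["hosts"])} hosts in {span}s '
              f'-> {a["hosts"]}; after: {a["targets"]}; failed on: {a["failed"]}')
```

On the constructed log, alice and bob stay quiet and the backup service account is flagged once for touching five hosts in about a minute, with failed logons on both credential stores. The failures matter as much as the successes: a legitimate backup job does not get denied at the vault and the domain controller, and the asset tags are what let a SOC answer "is this after passwords or financial data" before anyone opens a packet capture.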
There are typically two approaches to multi-cloud: A “best of breed” strategy vs. “every man for himself.” What are the differences and tradeoffs for selecting either one?
Using Alert Logic as an example, we selected AWS specifically for a number of reasons. We were looking for a platform that is reliable, redundant, global, open in architecture, and with built-in testing and authorization tools. Having all of that allows us to scale at speed, auto-deploy and auto-scale, so we can go up and down as much as we want based on the number and the size of our customers and the volume of data that our customers provide. Taking that strategic approach allows us to flex at that scale.
When you take a best-of-breed approach — different database, compute, and IAM providers — your process for how you find, analyze, and respond to problems must be flawless. You need to make sure that your data flows from one system to the other seamlessly, and that it’s normalized all the way across. Your testing has to work end-to-end with no gaps. You must make sure there are no handshakes that will fail between one system and the next as you move, because there will be some nuances between them. For anyone building applications, you’ve got to look at cost, and make sure you’re leveraging the best cost model between these systems.
You also have to consider people and processes. If you have multiple tools, you need multiple skills, and you need backup plans for gaps in those skills. I don’t know how many different tools the average person can learn. But there are a lot of tools out there that you have to string together with the relevant skill sets, and most organizations aren’t capable of doing that on their own. They’re going to need larger organizations to support them to make sure they leverage the best out of each tool.
Best of breed sounds like a great plan, but it usually only works for companies that have lots of money and time or that are so small that the cost isn’t going to be impactful to the amount of revenue they’re making. But for everyone else on the planet, best of breed can create challenges when it hits scale.
We most often see the “every man for himself” approach in organizations that are driven by specific functional needs that need to be addressed or that have silos between them (for example, IT and security teams making infrastructure decisions independently). The downside of this approach is security typically ends up as an afterthought.
Cloud providers such as AWS and Azure have their own toolsets. How important is it to have a common tool as part of a multi-cloud strategy?
It’s very important. Can you rely on the big cloud providers to always provide protection on every capability or service that they launch? If the answer is yes — which has not been the case to date — then great. They managed to create everything for you in one place, so let’s leverage that and correlate that information. Detection capabilities, no matter who provides them, are very important. But without the ability to analyze and separate the signal from the noise, you won’t know how valuable that information is. That’s a problem, because how many resources are you going to throw at chasing something which turns out to be nothing? That’s one of the biggest frustrations most organizations face.
That’s why it’s important to make sure that you’ve got a good managed detection and response (MDR) provider that also provides detection on the individual services. Cloud providers may charge for their detection capabilities. And if they charge for those detection capabilities and you only buy one system, then you’re paying a lot of money for a single capability in a single system. If you can utilize AWS or Azure Sentinel, for example, and can afford it, great. You still need the SOC to analyze that information and make sure you’re not getting a whole bunch of noise and false positives, so you can prioritize your efforts.
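Editor's note: the following is an added example, not Alert Logic's pipeline and not something Birk describes building. It illustrates two points from the interview at once: the best-of-breed remark that data must flow between systems normalised, with no silent gap where a handshake fails, and the answer above about needing one common tool to correlate what each cloud's own detection produces and separate signal from noise. Two constructed AWS-shaped and two Azure-shaped audit records are mapped onto one schema (refusing any record it cannot fill), then a single cross-cloud rule raises one prioritised alert instead of three unrelated ones. The records, field names and ten-minute window are assumptions; the field names only approximate CloudTrail and the Azure activity log, so check the real schemas before reusing them.

```python
"""Normalize constructed AWS- and Azure-shaped audit records into one schema, then
correlate them across clouds.

Added example; not Alert Logic's pipeline. The records are constructed and their
field names only approximate CloudTrail and the Azure activity log (assumed shapes;
check the real schemas before relying on them).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RAW_RECORDS = [
    {"eventTime": "2021-09-01T08:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"},
    {"eventTime": "2021-09-01T08:00:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"},
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"},
    {"eventTimestamp": "2021-09-01T08:04:30Z",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "caller": "ci@example.com", "callerIpAddress": "203.0.113.7", "resultType": "Success"},
    {"eventTimestamp": "2021-09-01T09:15:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "caller": "ops@example.com", "callerIpAddress": "198.51.100.20", "resultType": "Success"},
]

REQUIRED = ("cloud", "ts", "actor", "src_ip", "action", "outcome")


def normalize(rec):
    """Map a provider-specific record onto the common schema; refuse anything it cannot fill."""
    if "eventSource" in rec:                        # CloudTrail-like
        out = {"cloud": "aws", "ts": rec["eventTime"], "actor": rec["userIdentity"].get("arn"),
               "src_ip": rec["sourceIPAddress"], "action": rec["eventName"],
               "outcome": "failure" if rec.get("errorCode") else "success"}
    elif "operationName" in rec:                    # Azure activity-log-like
        out = {"cloud": "azure", "ts": rec["eventTimestamp"], "actor": rec["caller"],
               "src_ip": rec["callerIpAddress"], "action": rec["operationName"],
               "outcome": "success" if rec.get("resultType") == "Success" else "failure"}
    else:
        raise ValueError(f"unrecognised record shape: {sorted(rec)}")
    out["ts"] = datetime.strptime(out["ts"], "%Y-%m-%dT%H:%M:%SZ")
    missing = [k for k in REQUIRED if out.get(k) in (None, "")]
    if missing:   # a silently empty field is the failed handshake between systems
        raise ValueError(f"{out['cloud']} record missing {missing}")
    return out


def correlate(records, window=timedelta(minutes=10)):
    """One alert per source IP seen in more than one cloud within `window`, summarised with counts."""
    by_ip = defaultdict(list)
    for e in sorted((normalize(r) for r in records), key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        clouds = sorted({e["cloud"] for e in evs})
        if len(clouds) < 2 or evs[-1]["ts"] - evs[0]["ts"] > window:
            continue
        failures = sum(e["outcome"] == "failure" for e in evs)
        alerts.append({"src_ip": ip, "clouds": clouds, "events": len(evs), "failures": failures,
                       "actions": sorted(f'{e["cloud"]}:{e["action"]}' for e in evs),
                       # Denied in one cloud, then succeeded in another: worth a human's time.
                       "priority": "high" if failures and evs[-1]["outcome"] == "success" else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(RAW_RECORDS):
        print(f'{a["priority"]}: {a["src_ip"]} across {a["clouds"]} '
              f'({a["events"]} events, {a["failures"]} denied): {a["actions"]}')
```

Seen inside AWS alone, two AccessDenied events from a CI user are the kind of noise an analyst learns to ignore; seen inside Azure alone, a successful storage key listing is routine. Only the normalised, cross-cloud view shows the same address being denied twice in one provider and then pulling storage keys in another four minutes later, which is the one alert worth paging on. The window check here compares the first and last event for an address rather than sliding, which is enough for a worked example but should become a proper sliding window in a production rule.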
How Alert Logic can help
To effectively protect a multi-cloud environment, security must be part of your cloud strategy from the beginning. “Bolting on” security at the end increases the likelihood of a successful attack and leaves your security teams overwhelmed by the volume of incidents that need to be addressed.
Alert Logic provides comprehensive coverage of cloud environments with a focus on both Left of Boom and Right of Boom outcomes to deliver protection against advanced and unknown threats. You can learn more about our cloud coverage and get more insights into a secure multi-cloud strategy at the Multi-Cloud Summit.