Remember that panicked phone call? That cascade of urgent emails and Slack messages? What about those war rooms and the screaming urgency to create YAML files to be uploaded to a system that was already down? Yeah, that. I’d like to avoid that in the future if I could.
Cloud attacks require a fast response
My vulnerabilities list labels each issue as critical, high, medium, and low. It seems logical to prioritize anything labeled as critical over anything not labeled critical. So I sort my list and tackle the ones labeled critical. Without any further context, I could use up my valuable time chasing down critical vulnerabilities that are in images in isolated services that don’t touch any sensitive data.
No, thank you. I don’t want to spend all my time on these issues if I don’t get to vulnerabilities buried further down in my list (maybe only labeled as high or medium) that are in images used in critical, highly connected services that store or process data that’s valuable intellectual property.
Dynamic IaaS environments
What if we could turn the high-speed dynamic nature of a cloud environment into a security advantage? These systems are already designed to operate elastically to scale up and down to accommodate for changing volumes of traffic. A security approach that detects attacks and can automatically use the elastic nature of a cloud system to isolate the attack and self-heal the system is possible.
You already operate a system that can automatically spin containers and services up and down based on predefined images to accommodate changing demand. Your system can already route traffic to new containers when you need them and stop sending traffic to containers when you no longer need them. Your existing system can create links, remove links, and delete or move data based on user and service activities.
Automate protection to be responsive
By marrying security detection, runtime monitoring, automation, and policy-driven responses into a cloud native application protection platform, you could set your IaaS applications to self- heal in the face of an attack. You could automatically isolate and replace compromised resources to block or at least buy time in the face of a persistent attack.
What if you had a unified protection platform that:
- Continuously monitors traffic, sensitive data, and security posture in running applications
- Learns normal traffic and configuration patterns
- Automatically detects threats such as abnormal and high risk traffic (DDoS attacks?), abnormal user or API access (data breach?), excessive file encryptions (ransomware?), abnormal operations (cryptojacking?), and malware
- Automatically isolates compromised resources by cutting the traffic to and from them
- Automatically replaces compromised resources by spinning up new images
- Automatically routes traffic to the new, clean resources
- Automatically takes records what happened in the attack for forensics
- Finally, automatically deletes the compromised assets
Modern containerized cloud environments have the functions to do this if they could be connected to a modern cloud protection platform. It wouldn’t even require you to install new agents or sidecars. Unfortunately, your cloud security posture management (CSPM) and cloud workload protection (CWP) cloud native application protection platform can’t do this. If you have one of these products, you already know that they are either simple static reporting functions or are collections of disparate tools that don’t work together.
This is why we’re trying something new. We’ve created Microsec.AI, a protection service that will connect to your cloud environment and will integrate with your service mesh and your data loss prevention (DLP) system to continuously monitor, protect your data, and self-heal your cloud application environments when they are attacked.
