October 23, 2020 Security operations
Joren McReynolds

It’s time for better cloud workload security

Consolidated security technologies have opened holes in coverage for threat detection on cloud workloads.

The cloud has been an unstoppable force over the last decade or so. In its infancy, the cloud was met with trepidation and caution in the enterprise, due in large part to security concerns. In many cases, however, the business reasons for moving to the cloud were simply too overwhelming to ignore. As the business question shifted from “if cloud” to “how cloud,” security teams were left with the mandate to adapt and identify ways to make it work.

Those early days that were marked by enterprise wariness and hesitation stand in stark contrast to today’s cloud-hungry world. Today, instead of mulling over whether the cloud is right for your business, you’re more likely to be asking questions like how many clouds, what type of clouds, how to get those clouds to integrate, and, of course, the significant question of how to secure the workloads that comprise these clouds.

Cloud adoption was already at full speed prior to COVID-19, but the conditions brought on by the global pandemic have only accelerated it, with many organizations turning to cloud infrastructure as a means to support remote work quickly and with less capital. To put things into perspective, consider a recent Gartner forecast projecting that even while global IT spending is expected to decline 8 percent in 2020 under COVID-19’s influence, spending in the public cloud services sub-segment is expected to grow 19 percent.

The data shows it pretty clearly: The cloud is no longer a science experiment or a small fraction of a business’s infrastructure portfolio. Cloud has become the lifeblood of how a business operates, connecting internal and external stakeholders with the systems, data, and people they need to run and grow their business. As a result, we now have more intellectual property, personally identifiable information (PII), and private data in the cloud than ever before.

Solving for security

Most cloud workloads are Linux—roughly 90 percent of all AWS workloads, 90 percent of all Google Cloud Platform workloads, and about half of all Microsoft Azure workloads. This isn’t by accident; businesses choose Linux for cost (open source), reliability, and scale. However, adversary behaviors, tactics, and techniques are not well documented or understood for Linux, which is explored more fully in our last blog.

While we may not know the state of the art for Linux systems exploitation and compromise, nor the state of the art for defending against those threats, one thing we do know is that Linux attacks are on the rise. In September, researchers from cybersecurity firm Kaspersky identified a trend of a growing number of threat actors executing attacks against Linux devices as well as developing Linux-specific tools—a trend made more alarming when taken together with Kaspersky’s observed uptick in enterprise use of Linux for critical servers and systems.

Linux is following a similar story arc to macOS. Most malware, exploitation research, and documented attacks were originally observed for Windows. As macOS market share increased amongst consumers and businesses, things changed very rapidly. The same is occurring for Linux: With a large majority of businesses using cloud, and cloud powering the dozens of SaaS applications that businesses use for sales, marketing, data science, and otherwise, the value proposition for Linux-focused research and attacks has steadily increased. The rapid change in the attack landscape (or our understanding of it) for macOS led to the emergence of security products like next-generation AV and Endpoint Detection and Response (EDR) / Endpoint Protection Platform (EPP) solutions for macOS. We’re now seeing a similar transformation for cloud, with more documented attacks, greater focus, and product markets such as Cloud Workload Protection (CWP) and Cloud Workload Protection Platforms (CWPP).

Engineering a strategy

Corporate IT has been combating phishing, malware, and targeted attacks for quite some time. A common lesson learned: Prevention and reduction of risk is your best investment, but you must assume controls will fail, and therefore you should invest in additional tools, people, and processes to effectively detect and respond to threats that find a way past your security controls and into your environment.

More often than not, the people, processes, and technology used in corporate IT to implement preventative controls and reduce risk are different from the people, processes, and technology used to detect and respond to threats. This is due to a number of reasons: different skill sets, specializations, and means of implementation are a few. Both the people and products involved can only sustainably specialize in so many areas. In the interest of achieving the best outcomes, corporate IT is willing to invest in multiple tools and teams of people that specialize in their area of focus. This dynamic is not playing out the same way in the cloud, for a number of interesting reasons.

Primarily, cloud security is relatively new, with a different set of stakeholders and constraints. Further, the engineering or DevOps teams who are typically responsible for purchasing and implementing a solution are finding themselves responsible for security outcomes for the first time. They are the driver, while the security team (primarily operating in IT/corporate) may or may not be an influencer or consumer of the output. As such, the engineering and DevOps teams are searching for a single product that can do almost anything, with the hope that it’s one ring to rule them all—one vendor, one piece of technology, with all of the desired security outcomes.

Market research firms and analysts have taken note of this, and as such, the cloud workload market has started from a place of providing a “platform” (CWPP), attempting to deliver against a multitude of outcomes. While the bill of goods sounds compelling, many of us have lived through the contract-and-expand cycles of consolidation and specialization in other security verticals and products. Customers are starting to realize that the “modules” offered in these platforms are not created equal, and in many cases warrant an additional investment—especially when it comes to areas of specialization like threat detection and response. It’s unclear why the cloud market thinks it can achieve a different outcome than the one IT/security teams have already learned and observed through experience.

Navigating a cloudy market environment

There are very few products on the market that are focused on finding threats on cloud workloads. Almost the entire CWPP market is focused on the left-hand side of the DevOps equation—i.e., finding and preventing risks and vulnerabilities.

The challenge teams are facing with CWPP is that many of these providers are simply attempting to do too much. Their roots aren’t in threat detection, but they tacked a threat detection capability on top of an offering that also does a dozen or so use cases, so they can be seen as the comprehensive solution. Engineering/DevOps didn’t want five different products to manage, they wanted one. However, time has shown that it is a difficult, expensive, time-consuming, delicate process to deliver outstanding outcomes in a lot of different focus areas.

Endpoint Detection and Response (EDR) products were originally focused on threat detection and response outcomes. However, similarly to the market pressures outlined above, and in part due to the push to drive more shareholder value, EDR has been “transformed” into Endpoint Protection Platform (EPP)—another platform, and a lot of new use cases. Time will tell if these platforms become a master of none in an attempt to deliver against vulnerability management, identity, and other use cases, potentially losing the roots that made them successful in the first place. Rewinding from that potential future to the present, we are seeing that while Linux has been a tertiary investment for most EDR/EPP vendors, the business opportunity for the CWP market has proven too strong, resulting in a lot of rebranding and marketing that attempts to sell EPP as cloud workload protection without accounting for the unique constraints, challenges, or use cases that customers care about.

This will result in an interesting race. You have the original CWP platforms, many of which aren’t household names, have a relatively small market share, and don’t meaningfully deliver on threat detection outcomes. You also have a few EPP vendors who are primarily focused on threat detection outcomes (but treat Linux as a tertiary investment after Windows and macOS), who are looking to rebrand and repurpose existing technology to compete in this new CWP market. So we have different technologies, different philosophies, different sales motions, and a really young market of customers and prospects trying to find where to put their time and money in order to achieve meaningful results.

What’s the forecast?

We regularly hear from our customers that cloud workload protection is an area they are concerned with and want to invest in further, but existing solutions are leaving them with more questions than answers. If our customers’ challenges are representative of the broader market’s questions and challenges, then there is an opportunity for someone to challenge existing incumbents and deliver a product that exceeds threat detection and response expectations in a way that meets DevOps and cloud requirements and workflows.
