Locking Down the Cloud: Countering Automated Attacks
by Jess Iandiorio
At last year's Cloud Security Alliance Congress, Philip Lieberman raised an issue that brought home to me why automation is now a must-have when it comes to security, and not just cloud security: all computer security.
In his talk, Philip, founder and president of Lieberman Software, which sells cloud IT administration and privileged identity management tools, detailed some of the techniques employed by a new breed of attackers, who are often backed by nation-states.
These attackers have moved beyond the smash-and-grab style and now use a "low and slow" approach: quietly infiltrating a cloud environment without detection, then stealthily monitoring the target's cloud activity for months, or even years.
Because this type of attack is itself becoming automated, Lieberman advocated automated password management for access to cloud systems, which makes sense: a credential that is rotated by machine on a schedule has a much shorter useful life for an intruder who has quietly harvested it.
This is not the kind of attacker you catch with manual techniques. You have to fight automation with automation.
That’s one reason why Fred Menge has become a fan of automation.
“Automation is best implemented in areas where humans are not effective at identifying security issues,” he told me.
Fred mentioned that placing an intrusion detection system and an intrusion prevention system at strategic points and having them monitor the network for anomalies is effective.
Using automated provisioning and de-provisioning controls, such as an identity management system, wherever possible is a good way to disable all of a former employee's accounts promptly.
Automating log monitoring and alert monitoring is also a valuable use of cloud automation, he added.
To J Wolfgang Goerlich, vice president at the security consulting firm VioPoint, it's time for a paradigm shift: the old ways of securing IT simply will not scale with the new ways of deploying IT.
“Cloud computing has become synonymous with automation,” he told me, “and this automation must reach into the security domain.”
“There was a time when the number of server instances per IT staff member was relatively low, and the rate of change was maybe once every three years during a refresh cycle,” he recalled. “During those days, IT staff could check all servers for vulnerabilities and secure all the systems manually.”
As the rate of change and the number of instances grew, this was no longer possible.
Without automation, the IT staff relies on periodic sampling: checking a subset of the servers quarterly or annually. Manual security operations lead to blind spots; some servers are overlooked, unpatched, and unprotected.
This plays into the classic modus operandi of a computer criminal, who is looking for a weakness in a relatively unused and forgotten server. By exploiting this weakness, the criminal gains a foothold in the environment, and uses that foothold to pivot further into the environment.
“Automated vulnerability management and security monitoring aims to eliminate these footholds,” Wolfgang said. “By looking at the entire environment at regular intervals, automation reduces the likelihood of overlooked weaknesses that invite criminals in.”
So checking a sample of the environment no longer cuts it when attackers are running relentless, comprehensive "low and slow" automated scans against it.
Much better: check the entire environment weekly or daily, and do it automatically rather than by hand.
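What "checking the entire environment" means in practice is a coverage check: compare what the cloud API or CMDB says exists against what the scanner actually visited, and surface the hosts that sampling skipped or that have gone stale. The script below is an added example, not code from the article or from anyone quoted in it; the inventory, the scan records, the "as of" date and the 30-day freshness window are constructed so it runs offline.

```python
"""Coverage check: which servers did the periodic scan never reach?

Added example, not code from the article or from any of the people quoted.
The inventory, the scan records, the "as of" date and the 30-day freshness
window are all constructed here so the script runs offline.
"""
from datetime import datetime, timedelta

# Constructed inventory: every instance the cloud API / CMDB reports as running.
INVENTORY = {
    "web-01", "web-02", "web-03",
    "db-01", "db-02",
    "batch-07",
    "legacy-report-01",   # the "relatively unused and forgotten server"
}

# Constructed scan log: (host, date of last scan, open high-severity findings).
SCAN_RECORDS = [
    ("web-01", "2024-03-01", 0),
    ("web-02", "2024-03-01", 1),
    ("db-01", "2024-03-01", 0),
    ("web-03", "2023-11-15", 2),      # sampled last quarter, not since
    ("batch-07", "2023-06-02", 3),    # sampled once, almost a year ago
    ("web-old-99", "2024-03-01", 0),  # scanned, but not in the inventory
    # db-02 and legacy-report-01 never appear: the sample skipped them.
]


def _latest_scan(records):
    """Reduce the scan log to the most recent record per host."""
    latest = {}
    for host, when, findings in records:
        scanned = datetime.strptime(when, "%Y-%m-%d")
        if host not in latest or scanned > latest[host][0]:
            latest[host] = (scanned, findings)
    return latest


def coverage_report(inventory, records, as_of, max_age_days):
    """Classify the fleet by scan coverage.

    Returns a dict of sorted host lists:
      never_scanned  in inventory, no scan record at all (the blind spot)
      stale          last scan older than max_age_days
      unresolved     last scan still shows open high-severity findings
      unknown        scanned but absent from inventory (shadow or stale asset)
    """
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    cutoff = as_of_dt - timedelta(days=max_age_days)
    latest = _latest_scan(records)
    scanned = set(latest)
    return {
        "never_scanned": sorted(inventory - scanned),
        "stale": sorted(h for h in inventory & scanned if latest[h][0] < cutoff),
        "unresolved": sorted(h for h in inventory & scanned if latest[h][1] > 0),
        "unknown": sorted(scanned - inventory),
    }


def coverage_ratio(inventory, records, as_of, max_age_days):
    """Fraction of the inventory with a fresh scan: the number to trend weekly."""
    report = coverage_report(inventory, records, as_of, max_age_days)
    uncovered = len(report["never_scanned"]) + len(report["stale"])
    return 1.0 - uncovered / len(inventory)


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SCAN_RECORDS, "2024-03-02", 30)
    for key, hosts in report.items():
        print(f"{key:14s} {hosts}")
    ratio = coverage_ratio(INVENTORY, SCAN_RECORDS, "2024-03-02", 30)
    print(f"fresh coverage: {ratio:.0%}")
```

Run against the constructed data, the report lists db-02 and legacy-report-01 as never scanned, web-03 and batch-07 as stale, and web-old-99 as a scanned host the inventory does not know about; fresh coverage comes out at 3 of 7 hosts. The "unknown" bucket matters as much as the blind spot: a host the scanner can see but the inventory cannot is either a forgotten asset or something nobody provisioned on purpose.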
Fortunately, getting there is not difficult, and the ideal approach, according to Wolfgang, is a phased one.
That’s because, as he says, “Automation is a double-edged sword: It can improve everything everywhere quickly, or it can quickly damage everything everywhere.”
The idea is to avoid scenario No. 2.
So Wolfgang's recommendation: start with a select number of security features and apply them to a select number of server instances.
As the IT team becomes comfortable with the changes, expand the number of servers until the scope covers the entire cloud compute environment. Then move on to the next set of security features and repeat.
“The methodical approach reduces the chance of a security change impacting end-user functionality,” Wolfgang said, “and it provides time for the IT staff to train on the new tools and processes.”
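The phased approach described above can be expressed as a small control loop: one feature at a time, rolled out ring by ring, with a verification gate after each ring and a revert of that ring if the gate fails, so the "quickly damage everything everywhere" scenario cannot happen. The script below is an added example, not code from the article or from VioPoint; the rings, the feature list and the apply/verify/revert hooks are constructed stand-ins for whatever configuration-management or cloud API call and health check a real environment would use.

```python
"""Phased rollout of security features: one feature at a time, ring by ring.

Added example, not code from the article or from VioPoint. The rings, the
feature list and the simulated apply/verify/revert hooks are constructed;
in practice they would wrap a configuration-management or cloud API call
and a real health check.
"""

# Constructed rings: a single pilot host, then a slice, then the rest.
RINGS = [
    ["web-01"],
    ["web-02", "web-03"],
    ["db-01", "db-02", "batch-07", "legacy-report-01"],
]

# Constructed feature set, applied in this order, each one fleet-wide before the next.
FEATURES = ["host-firewall", "file-integrity-monitoring", "auto-patching"]


def rollout(features, rings, apply_fn, verify_fn, revert_fn):
    """Apply each feature to ring 1, verify, widen; only then start the next feature.

    Returns (applied, failure):
      applied  {feature: [hosts where the feature is live and verified]}
      failure  None, or (feature, host) of the first failed verification.
    On a failure the whole current ring is reverted and the rollout stops,
    so a bad change never reaches the rings that have not been touched yet.
    """
    applied = {}
    for feature in features:
        applied[feature] = []
        for ring in rings:
            for host in ring:
                apply_fn(feature, host)
            failed = [h for h in ring if not verify_fn(feature, h)]
            if failed:
                for host in ring:  # revert the whole ring, not just the bad host
                    revert_fn(feature, host)
                return applied, (feature, failed[0])
            applied[feature].extend(ring)
    return applied, None


def run_demo():
    """Simulate the rollout against an in-memory fleet state."""
    state = {host: set() for ring in RINGS for host in ring}

    def apply_fn(feature, host):
        state[host].add(feature)

    def revert_fn(feature, host):
        state[host].discard(feature)

    def verify_fn(feature, host):
        # Constructed failure: the forgotten legacy box breaks under auto-patching.
        if feature == "auto-patching" and host == "legacy-report-01":
            return False
        return feature in state[host]

    applied, failure = rollout(FEATURES, RINGS, apply_fn, verify_fn, revert_fn)
    return applied, failure, state


if __name__ == "__main__":
    applied, failure, state = run_demo()
    for feature, hosts in applied.items():
        print(f"{feature:26s} live on {len(hosts)} host(s)")
    print("stopped at:", failure)
    for host in sorted(state):
        print(f"  {host:18s} {sorted(state[host])}")
```

In the simulation the first two features reach all seven hosts, auto-patching reaches the pilot and second rings, and the third ring is reverted when legacy-report-01 fails verification; the other three hosts in that ring never keep the change. The ring-level revert is deliberate: if one host in a ring fails the check, the safest assumption is that the change itself is suspect, not that one host is special.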