Attack and response: Cloud-native cybersecurity vs. virtual machine security

Cloud-native workloads and containers are inherently different. Understanding how to keep them secure starts with understanding the ever-evolving nature of threats.

cloud blueprint schematic

Which is more secure: virtual machines (VMs) or containers? The truth is that securing containers and cloud-native workloads is different than securing VMs, and it all starts with understanding attack and response and the ever-evolving nature of threats.

For years, the security ecosystem has been in response mode. When an attack happens, the immediate reaction is to ensure security elements put in place can help prevent those attack behaviors in the future. Yet today, vulnerabilities exist in 35 percent of websites, according to a 2016 Symantec Internet Threat Report. More persistent, sophisticated and proliferating threats require security teams to rethink their approach.

Cloud-native security can give you stronger capabilities of protecting against attacks before they happen, creating an airtight security environment. It starts with understanding today’s threat environment.

The ABCs of threats

The types of threats that wreak havoc on data centers are relatively simple. Oftentimes your adversary is tons of script kiddies that look for known vulnerabilities, and use known tools to take advantage of old versions of software running in your environment. Or, you’re securing against more sophisticated attackers which hinges on preventing your weakest applications which they’ll try to uncover through investigation into everything in your application environment—the data center, the domain names, the subnet, the exposed services.

When attackers ultimately find a weakness, they will typically inject and execute shellcode to break from the boundaries of the applications, into the operational environment the application runs in. Attackers will then try and elevate their privileges in the hacked environment, aiming to connect to a “command and control” machine to control the hacked machine remotely, and continue their exploration. This can understandably cause loads of issues for a company.

Cloud-native cybersecurity is different

It’s time to challenge conventional wisdom when it comes to the traditional VM environment and reactive tactics, where anything on the VM is something that requires attention—whether that’s an admin browsing from the machine or someone attacking the application. Cloud-native cybersecurity takes a different approach. By zeroing in on the application itself on one hand, and “shifting left” into the creation process of the application on the other, security starts much earlier.

Following the threat scenario above, I’ll talk about three ways container and cloud-native cybersecurity is different from VM security, and why it’s better suited to today’s threats.

Protection against vulnerabilities

In the attack above, script kiddies could discover known vulnerabilities to break in. In a cloud-native environment, you can reject vulnerable software before it gets to production. When a developer accidentally slips a known vulnerability, or even something non-compliant, into production, it’s flagged immediately without contaminating the production environment.

The immutability of the workloads, and the automatic barriers to push something into production, validates that the workloads are kept compliant and hygienic over time. When a new vulnerability is discovered, it allows the security team to see exactly which workloads are affected and strategize on addressing the issue.

When it comes to more sophisticated attackers, their key to attack is mapping an environment. With automatically orchestrated cloud-native workloads, your micro-services are dancing around the cluster and harder to track over time. Cloud-native security also allows you easily detect scanning attempts, or anomalous probing of a service across multiple machines.

With traditional VMs, it’s almost impossible to keep a hygienic environment, and it will never have the same type of visibility into the “app” in an orchestrated scenario.

Shellcode injection prevention

As noted above, attackers try and inject shellcode and while you always want to stop that, it is hard to do so for unknown vulnerabilities, worse yet even for known vulnerabilities. Most vulnerabilities lie in the application level, and deciphering the specific application to protect against relevant threats is hard to do on an ongoing basis.

Cloud-native security addresses this problem with whitelisting and protection from known threats. For the first time ever, you can automatically whitelist which traffic should and shouldn’t get to your application automatically. VM security is completely blind to the application specific elements, or to the larger context of the application, especially in orchestrated systems where the IPs of the application might change on an hourly basis.

Regarding protection from known threats, one of the major issues with existing web application firewalls (WAFs) is that it is very hard to configure it correctly for every exposed service. Cloud-native security can help with that too, as it can automatically configure the WAF to plug into the specific application, including deciphering it if needed.

Privilege elevation

Typically, the first thing an attacker will do is get a shell that will allow them to run arbitrary code. If they want to hop to a different machine, they can skip the privilege elevation, but they must “break away” from the application flow if they want to do anything.

Here, cloud-native security again revolutionizes your capabilities. In the past, it was about guesswork to determine attack patterns. Now, you can very easily whitelist elements on the host or in the micro-service level and the devops and developer can show you exactly what is supposed to happen. For example, you can block actions or put alert on them, thus protecting the environment post the initial point of infection.

Why it works

Effective enterprise security is cloud-native cybersecurity. It’s a speedier, transformative way to reduce risk in the enterprise, warding off the root causes of attacks versus reacting to treat symptoms afterwards. It helps you create a far better security environment than you can get with traditional, manual and developer-agnostic VM security.

In my next piece, I’ll talk about the three other ways cloud-native security protects enterprises against threats.

Copyright © 2017 IDG Communications, Inc.

How to choose a low-code development platform