Saturday, November 25, 2017

How to combat the data breach crisis in the public cloud data centre

David Thompson from LightCyber argues that operational activities are the key to bring down the vast majority of attacks in the data centre.

Enterprises worldwide are making the move to cloud environments as their digital transformation strategy becomes under pressure to meet the requirements of the digital economy.

According to Cisco, public cloud data centres will account for nearly 155 million workloads by 2019, outnumbering the number of workloads sitting in private cloud hubs.

However, within the cybersecurity ecosphere there is a recurring data breach crisis still happening.

To challenge this, behavioural attack detection company LightCyber, launched an upgraded portfolio of its Magna products for Amazon Web Services (AWS) to indeed help close that breach detection gap in cloud and hybrid cloud data centres by providing attack visibility for Infrastructure-as-a-Service (IaaS) and hybrid cloud data centre workloads.

Data Economy spoke to David Thompson, Sr. director product management at LightCyber, on the on-going data breach crisis, how to secure the public and private data centre in the booming data economy, and the work the company is doing on this topic.


David Thompson, Sr. director product management at LightCyber

David Thompson, Sr. director product management at LightCyber

DE: How serious is the data breach landscape? 

David Thompson: The data breach crisis is already immense and growing more daunting every day. It puts the operations, reputation and the very existence of organisations at risk.

Attackers can steal customer details, personal and financial information, intellectual property, company secrets and anything else that can be accessed via an internal network.

This is exacerbated by the fact that very few companies have the ability to find an active attacker operating on their network until after the damage or theft has been done.

Adding to the vulnerabilities of on-premise and private networks and data centres is the new frontier of the public cloud data centre, where attackers can hide their operational activities as well as their entry and exit.


DE: What are cloud data centres failing at in terms of attacks detection? 

DT: Currently, public cloud data centres lack the means of detecting active attackers. In particular, this means that the public cloud data centre can be a new ingress or egress point for attackers to gain a foothold into an organisation’s network or as a channel for command and control communications and data exfiltration.

In addition, the reconnaissance and lateral movement that an attacker must employ once they gain access can be done without fear of discovery.

These four types of operational activities must be detected and stopped, if organisations want to protect their assets from attackers.


DE: How does security in a public cloud data centre differ from a private one? 

DT: The public cloud data centre has the added complication that there are few of the basic visibility options available on-premises. The ease of spinning up new cloud workloads is also an Achilles’ heel.

For example, easily created development/test instances may open unintentional new entry points for an attacker.

Many of these dev/test instances may have been intended for a specific purpose at a specific point in time, but they can become forgotten and left up —which is a perfect entry way for an attacker.


DE: Do agree that part of the task to dissuade and stop cybercriminals is in the need to step up legislation and court sentences when possible to apply them? 

DT: It is often said that the best place to fight (sea) piracy is at land, not at sea. In other words, go to the source where their activities are actually monetised.

The same is true in non-state-sponsored hacking. The problem is that such legislation would have to be passed in foreign countries (often to the East…), and would rely on significant international law enforcement cooperation – which is very unlikely.

While legislation, punitive measures and more cyber policing would certainly make things more difficult for attackers who currently face little or no realistic consequences, it would not be enough to prevent attacks from occurring.

It would do nothing in the face of state-sponsored activities. Cybercrime is the most rewarding kind of crime today, and it can be accomplished with ease, and with the lowest risk.


DE: Are operational activities the key to bring down the vast majority of attacks in the data centre? 

DT: Yes, absolutely. The traditional model of security which focuses on tools such as malware or command and control is useless in finding advanced attackers – they can always stay ahead of such static detection technology, or will often avoid the use of such tools at all.

Attackers use common IT and networking tools to advance their attack once they have a foothold in the network (whether on-premise or cloud).

These techniques can only be recognised as anomalous and indicative of an attack through careful behavioural profiling.

Such techniques are not limited to only the most sophisticated adversaries, and yet simply cannot be detected through conventional means.


DE: On LightCyber now, how does Magna increase attack visibility for Infrastructure-as-a-Service (IaaS) and hybrid cloud data centre workloads?

DT: We have added to the Magna family the ability to deploy in the AWS environment and make use of native AWS Flow Logs, as well as the new Gigamon Visibility Fabric technology, to get network traffic from the public cloud data centre and apply Magna’s Behavioural Attack Detection to find active attackers.

This works in combination with our agentless endpoint technology, which now supports both Linux and Windows Servers (both of which are very common in the cloud).


DE: How are machine learning and AI capabilities being used within the Magna range for cloud data centres?

DT: Magna utilises machine learning in the same way it does with the private cloud and on-premise data centres. First, Magna establishes behavioural profiles for all users and IP-connected devices in the cloud data centre to create an understanding of known good activity.

Then, Magna can look for anomalous activity and determine if it is likely indicative of an orchestrated attack. In essence, Magna finds active attackers by their operational activities—things that attackers must do once they gain access to a network—rather than by looking for tools like malware.


DE: What’s the process like when Magna Pathfinder ‘interrogates’ a Linux workstation or server?

DT: Once Magna sees a network activity as suspicious, even if it has not yet fired an alert, it uses the on-demand, agentless endpoint technology in Magna Pathfinder to interrogate a Windows or Linux workstation or server and identify whether any suspicious processes (based on profiled anomalies) are running.

This is augmentative to the details Magna already has about what is happening from the network. It increases the overall accuracy to well above 90 percent and makes the alerting quite actionable, so the security operator knows exactly what is going on, why and where.

Through Magna, or other means, the operator can immediately remediate to stop the attack quickly.