What Is Intrusion Detection?
Intrusion detection is the practice of monitoring your network, servers, workstations, and other IT assets for any suspicious activity, malicious actions, or violations of some policy. This practice is an integral component of your company’s infrastructure security.
Many people in security management make a mistake with intrusion detection in cloud computing. If they don’t have hands-on experience in the cloud, they tend to assume it's possible to do things the same way they would in their own environment.
In reality, the application of your security controls in the cloud is going to be significantly different from an on-prem environment. As many cloud systems are exposed to the internet, attackers can target them to infiltrate internal networks. Network and hardware level visibility is vastly different, in many cases more limited, and some resources are ephemeral, meaning they could stop to exist before you even get to investigating an incident on them. A comprehensive cloud intrusion detection system (IDS) is essential to identify minor incidents and stop them from becoming a major breach.
In this article, we’ll explore common intrusion detection techniques that you can use in a cloud environment.
Examples of Intrusion Detection
Traffic Regulation Policy: Traces suspicious traffic across the network, such as an unusually high rate of TCP connections.
Restricted IP Options Policy: An example of an IDS attack policy that targets restricted IP options for a single local IPv6 address, a range of remote IPv6 addresses, and all ports.
Perpetual Echo Policy: An example of an IDS attack-tupe policy that targets perpetual echoes on local port 7 and remote port 7.
E-mail Notification: An example related to an email notification is that IDS detects an intrusion on the local system and sends an e-mail notification to the system administrator.
What Is An Intrusion Detection System?
A device or software application, an Intrusion Detection System monitors a network for malicious activity or policy violations.
How Do Intrusion Detection Systems Work?
By either looking for signatures of known attacks or deviations from normal activity, intrusion detection systems push deviations and anomalies up the stack to be examined at the protocol and application level.
Types of Intrusion Detection Systems
- Network intrusion detection system
- Host-based intrusion detection system
- Perimeter intrusion detection system
- VM-based intrusion detection system
Understanding How Intrusion Detection In Cloud Computing Works
Traditionally, in data center environments, people conduct intrusion detection at the network layer, using tools like Zeek and Snort. These tools process raw network traffic data and then pattern-match for specific signatures, behaviors or anomalies. For example, if you see a login from a different country for the first time, or notice that ten people are logged in simultaneously on the same server, you may recognize it as a suspicious attempt, and you can trigger an alert. Similarly, known signatures for exploits can be matched against network traffic.
However, in the cloud, it’s not as easy to get a copy of the raw network traffic due to the limitations of the environment. The cloud provider typically hosts multiple customers, and is responsible for the physical network, meaning customers do not get direct access to it. Therefore, in the cloud, you must switch to different layers to do intrusion detection.
What Are The Best Intrusion Detection Techniques For Cloud Computing?
We can consider intrusion detection at three different layers:
- Cloud layer
- Network layer
- Compute (Virtual Machines, Containers, etc.)
While the cloud layer is at the top, the network layer and virtual machines both depend on it. Whoever controls the access to the cloud management layer can impact the network and compute layer. Let’s take a look at some effective intrusion detection techniques to use at each level.
Cloud Layer: Explore API logs.
In the cloud, it's imperative to secure authentication, as anyone can try to log into your AWS account from anywhere, for example. However, even after you've secured it as much as possible, people may still break into your cloud management layer, including the APIs. Keys or accounts can be leaked accidentally, the workstation of a DevOps specialist with sessions open can be targeted, and essentially, though prevention is great, we need to assume controls will fail at some point and be ready to detect that happening. So it's essential to do intrusion detection at the cloud layer—one level above compute.
Everything that happens here is really in the control of the cloud vendor, so you're never going to get access to the raw network traffic. What you do get are logs detailing the usage of the APIs themselves, which provide insights on the people who are logging in to the cloud management layer, creating new virtual machines, databases, accounts and much more at the cloud level.
Cloud APIs are not a traditional feature that you’ll find on a standard IDS. In fact, “Cloud IDS” are rarely called “IDS”, as that term is so tied to network and host-based detection methods. A cloud IDS, by comparison, has features that facilitate this scope, allowing security teams to parse logs and set up alerts in a centralized logging environment to notify them if something suspicious occurs here, and sometimes, supports multiple cloud vendors.
Compute Layer: Employ host-based intrusion detection.
Host-based intrusion detection (HIDS) is a system that is capable of monitoring and analyzing the internal data of a computing system. The rise of encrypted network protocols also means that detecting intrusions at the network level is becoming more difficult, cloud or not. Host-based intrusion detection is very good in traditional environments, as a standalone option or even as an addition to network IDS. In the cloud, due to common lack of access to raw network data, it is often the only option for IDS at the compute level.
Osquery can be thought of as a swiss army knife for endpoint security. It provides access to data that lets you detect suspicious activity and vulnerabilities as well as to perform deep investigations. (Tweet this!)
Uptycs is an osquery-powered security solution that you can use to explore host-level data on your network. Learn more in this webinar.
Network Layer: Use VPC flow logs to get network traffic metadata.
In an on-prem environment, such as a data center, you could run Zeek and configure switches to copy all the traffic to it. You typically can’t do this in a cloud environment, and when you can, it is an expensive proposition.
Imagine you’re on Amazon Web Services (AWS), using a virtual private cloud (VPC). If you enable VPC flow logs, it will tell you what machines are connected and where they are connected. You can pair this data with the threat detection service, Amazon Guard Duty, to conduct network intrusion detection. This technique leverages network traffic metadata, instead of full packet capture.
Network traffic on VMs and containers: Implement host-based IDS with osquery to supplement network layer data.
Sometimes the metadata is good enough for you to recognize suspicious activity, but there are other times where you need to get a lot more detail.
Running osquery on all your Linux servers can give you data similar to the VPC flow logs from your cloud provider, allowing you more in-depth insights on which to base your security decisions. As osquery sees all network activity, but from the point of view of the host, you can easily tell which process is connecting to what destination, and correlate that to threat intelligence data. Assuming you're running virtual machines, host-based intrusion detection can supplement your efforts if you don't have all the network layer data.
To read more about Cloud Security and Best Practices, check out our Cloud Security and Fundamentals eBook
Strengthen Your Intrusion Detection System In Cloud Computing With Uptycs
Uptycs is an innovative security solution that runs osquery at scale. With osquery in play, you can assess every command that's performed, every application that's executed, every port that is opened on the server, and also every network connection that's established.
Because Uptycs is located on the host, it bridges the gap to network visibility. So, if you have Uptycs on all of your virtual machines, you'll have excellent visibility at the host layer, and excellent network visibility for intrusion detection at the network level.
Check out our video to discover more about how incident investigation works with Uptycs and osquery.