Intrusion detection is the practice of monitoring your network, servers, workstations, and other IT assets for any suspicious activity, malicious actions, or violations of some policy. This practice is an integral component of your company’s infrastructure security.
Many people in security management make a mistake with intrusion detection in cloud computing. If they don’t have hands-on experience in the cloud, they tend to assume it's possible to do things the same way they would in their own environment.
In reality, the application of your security controls in the cloud is going to be significantly different from an on-prem environment. As many cloud systems are exposed to the internet, attackers can target them to infiltrate internal networks. Network- and hardware-level visibility is vastly different, and in many cases more limited. Some resources are also ephemeral, meaning they could cease to exist before you even begin investigating an incident on them. A comprehensive cloud intrusion detection system (IDS) is essential to identify minor incidents and stop them from becoming a major breach.
In this article, we’ll explore common intrusion detection techniques that you can use in a cloud environment.
Understanding How Intrusion Detection In Cloud Computing Works
Traditionally, in data center environments, people conduct intrusion detection at the network layer, using tools like Zeek and Snort. These tools process raw network traffic data and then pattern-match for specific signatures, behaviors or anomalies. For example, if you see a login from a different country for the first time, or notice that ten people are logged in simultaneously on the same server, you may recognize it as a suspicious attempt, and you can trigger an alert. Similarly, known signatures for exploits can be matched against network traffic.
However, in the cloud, it’s not as easy to get a copy of the raw network traffic due to the limitations of the environment. The cloud provider typically hosts multiple customers, and is responsible for the physical network, meaning customers do not get direct access to it. Therefore, in the cloud, you must switch to different layers to do intrusion detection.
What are the best intrusion detection techniques for cloud computing?
We can consider intrusion detection at three different layers:
- Cloud layer
- Network layer
- Compute (Virtual Machines, Containers, etc.)
The cloud layer sits at the top, and the network and compute layers both depend on it. Whoever controls access to the cloud management layer can impact the network and compute layers. Let’s take a look at some effective intrusion detection techniques to use at each level.
Cloud Layer: Explore API logs.
In the cloud, it's imperative to secure authentication, since anyone can try to log into your AWS account from anywhere, for example. However, even after you've secured it as much as possible, people may still break into your cloud management layer, including the APIs. Keys or accounts can be leaked accidentally, and the workstation of a DevOps specialist with open sessions can be targeted. Prevention is great, but we need to assume controls will fail at some point and be ready to detect that happening. So it's essential to do intrusion detection at the cloud layer, one level above compute.
Everything that happens here is really in the control of the cloud vendor, so you're never going to get access to the raw network traffic. What you do get are logs detailing the usage of the APIs themselves, which provide insights on the people who are logging in to the cloud management layer, creating new virtual machines, databases, accounts and much more at the cloud level.
Cloud API monitoring is not a feature that you’ll find on a traditional IDS. In fact, a “Cloud IDS” is rarely called an “IDS”, as that term is so tied to network and host-based detection methods. A cloud IDS, by comparison, has features built for this scope: it lets security teams parse logs and set up alerts in a centralized logging environment so they are notified if something suspicious occurs here, and it sometimes supports multiple cloud vendors.
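As an added illustration (not code from Uptycs or AWS), the sketch below applies this idea to API log records that use the CloudTrail field names `eventTime`, `eventName`, `sourceIPAddress` and `userIdentity.arn`. It alerts when a login or resource-creating call comes from a source IP the principal has not used before; the account ID, user name and IP addresses are constructed sample values.

```python
import json

# Real CloudTrail eventName values for logins and for creating identities, keys, VMs, databases.
SENSITIVE = {"ConsoleLogin", "CreateUser", "CreateAccessKey", "RunInstances", "CreateDBInstance"}

def parse(lines):
    """Yield (time, principal ARN, event name, source IP) from JSON-lines records."""
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
            yield ev["eventTime"], arn, ev["eventName"], ev.get("sourceIPAddress", "")

def build_baseline(lines):
    """Map each principal to the source IPs it used during a trusted history window."""
    baseline = {}
    for _, arn, _, ip in parse(lines):
        baseline.setdefault(arn, set()).add(ip)
    return baseline

def detect(lines, baseline):
    """Alert on sensitive calls from an IP the principal has never used before."""
    alerts = []
    for when, arn, name, ip in parse(lines):
        if ip.endswith(".amazonaws.com"):  # call made by an AWS service, not a remote client
            continue
        if name in SENSITIVE and ip not in baseline.get(arn, set()):
            alerts.append((when, arn, name, ip))
    return alerts

# Constructed sample data (documentation IP ranges, placeholder account ID); not real logs.
DEVOPS = "arn:aws:iam::111122223333:user/devops"

def rec(t, name, ip, arn=DEVOPS):
    return json.dumps({"eventTime": t, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"arn": arn}})

HISTORY = [rec("2024-01-09T08:00:00Z", "ConsoleLogin", "198.51.100.7"),
           rec("2024-01-09T08:05:00Z", "RunInstances", "198.51.100.7")]
TODAY = [rec("2024-01-10T09:00:00Z", "RunInstances", "198.51.100.7"),
         rec("2024-01-10T03:12:00Z", "CreateUser", "203.0.113.50"),
         rec("2024-01-10T03:13:00Z", "CreateAccessKey", "203.0.113.50"),
         rec("2024-01-10T03:14:00Z", "DescribeInstances", "203.0.113.50"),
         rec("2024-01-10T03:15:00Z", "RunInstances", "autoscaling.amazonaws.com")]

if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(HISTORY)):
        print(alert)
```

The baseline stays fixed during detection, so every sensitive call from the unfamiliar address alerts rather than only the first one.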
Compute Layer: Employ host-based intrusion detection.
Host-based intrusion detection (HIDS) is a system that is capable of monitoring and analyzing the internal data of a computing system. The rise of encrypted network protocols also means that detecting intrusions at the network level is becoming more difficult, cloud or not. Host-based intrusion detection works very well in traditional environments, as a standalone option or as an addition to network IDS. In the cloud, where access to raw network data is commonly lacking, it is often the only option for IDS at the compute level.
Osquery can be thought of as a Swiss Army knife for endpoint security. It provides access to data that lets you detect suspicious activity and vulnerabilities, as well as perform deep investigations.
Uptycs is an osquery-powered security solution that you can use to explore host-level data on your network. Learn more in this webinar.
Network Layer: Use VPC flow logs to get network traffic metadata.
In an on-prem environment, such as a data center, you could run Zeek and configure switches to copy all the traffic to it. You typically can’t do this in a cloud environment, and when you can, it is an expensive proposition.
Imagine you’re on Amazon Web Services (AWS), using a virtual private cloud (VPC). If you enable VPC flow logs, they will tell you which machines are connected and where they are connecting. You can pair this data with the threat detection service Amazon GuardDuty to conduct network intrusion detection. This technique leverages network traffic metadata instead of full packet capture.
Network traffic on VMs and containers: Implement host-based IDS with osquery to supplement network layer data.
Sometimes the metadata is good enough for you to recognize suspicious activity, but there are other times where you need to get a lot more detail.
Running osquery on all your Linux servers can give you data similar to the VPC flow logs from your cloud provider, allowing you more in-depth insights on which to base your security decisions. As osquery sees all network activity, but from the point of view of the host, you can easily tell which process is connecting to what destination, and correlate that to threat intelligence data. Assuming you're running virtual machines, host-based intrusion detection can supplement your efforts if you don't have all the network layer data.
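The following added example (not Uptycs or osquery code) shows the two data sources working together: it parses records in the default version 2 VPC flow log format, keeps accepted flows to a threat-intelligence network, and joins them to host socket rows to name the responsible process. The socket rows are shaped like osquery's `process_open_sockets` table joined to `processes`; all addresses, IDs and process names are constructed.

```python
import ipaddress

# Field order of the default (version 2) VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow(line):
    """Return one flow record as a dict, or None for malformed/NODATA/SKIPDATA lines."""
    rec = dict(zip(FIELDS, line.split()))
    if len(rec) != len(FIELDS) or rec["log_status"] != "OK":
        return None
    return rec

def suspicious_flows(lines, bad_nets):
    """Accepted flows whose destination is inside a threat-intelligence network."""
    nets = [ipaddress.ip_network(n) for n in bad_nets]
    hits = []
    for rec in filter(None, map(parse_flow, lines)):
        dst = ipaddress.ip_address(rec["dstaddr"])
        if rec["action"] == "ACCEPT" and any(dst in n for n in nets):
            hits.append(rec)
    return hits

def attribute(hits, socket_rows):
    """Join each flow to the host's socket rows to name the process behind it."""
    index = {(r["local_address"], r["local_port"], r["remote_address"], r["remote_port"]): r
             for r in socket_rows}
    out = []
    for f in hits:
        row = index.get((f["srcaddr"], f["srcport"], f["dstaddr"], f["dstport"]), {})
        out.append((f["srcaddr"], f["dstaddr"], int(f["dstport"]), int(f["bytes"]),
                    row.get("name"), row.get("pid")))
    return out

# Constructed sample data (documentation IP ranges, placeholder account and ENI IDs).
BAD_NETS = ["203.0.113.0/24"]
FLOWS = [
    "2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.50 49152 443 6 12 8400 1704856320 1704856380 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.20 49160 5432 6 30 12000 1704856320 1704856380 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.99 49170 22 6 1 60 1704856320 1704856380 REJECT OK",
    "2 111122223333 eni-0a1b2c3d - - - - - - - 1704856320 1704856380 - NODATA",
]
# Rows shaped like process_open_sockets joined to processes; osquery returns values as strings.
SOCKETS = [
    {"pid": "4242", "name": "curl", "local_address": "10.0.1.15", "local_port": "49152",
     "remote_address": "203.0.113.50", "remote_port": "443"},
    {"pid": "812", "name": "psql", "local_address": "10.0.1.15", "local_port": "49160",
     "remote_address": "10.0.2.20", "remote_port": "5432"},
]

if __name__ == "__main__":
    for hit in attribute(suspicious_flows(FLOWS, BAD_NETS), SOCKETS):
        print(hit)
```

A flow with no matching socket row comes back with `None` for the process name and PID, which is the case where host data was not collected or the resource no longer exists.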
Strengthen your intrusion detection system in cloud computing with Uptycs
Uptycs is an innovative security solution that runs osquery at scale. With osquery in play, you can assess every command that's performed, every application that's executed, every port that is opened on the server, and also every network connection that's established.
Because Uptycs is located on the host, it bridges the gap to network visibility. So, if you have Uptycs on all of your virtual machines, you'll have excellent visibility at the host layer, and excellent network visibility for intrusion detection at the network level.
Check out our video to discover more about how incident investigation works with Uptycs and osquery.
Amber leads marketing at Uptycs with a focus on drawing out and sharing helpful/educational information from osquery, InfoSec and security experts.