TL;DR: The nation-state security stance can be a much bigger challenge in the cloud than in the data center. Without full cloud network packet traffic, security teams, incident responders and threat hunters are left playing a guessing game of what-if and inference. Instrumenting your public cloud for full packet capture of all resources for replay, investigation and optimization is not only possible, it is easy. By combining short- and longer-term cloud storage with cloud packet visibility, filtering and distribution solutions, your SOC, NOC and High Availability teams can move from inference to information.
When it comes to cloud security there are many different solutions that an organization can adopt to boost their preventive security posture. Unfortunately, preventive security is only half the battle. We live in an era of “it’s not if, but when” when it comes to breaches. Figuring out what actually happened is often more difficult than simply reacting to fix the problem or patch a vulnerability after the fact.
So how can anyone effectively and completely react to what has already happened to their cloud networks?
Logs provide a partial answer. Flow records may provide additional insight. The final piece of the triad is the aggregation, processing, storage and distribution of actual packet-level data.
You may ask why packet-level detail is required. Why keep that level of information when you already have flow logs, alerts or application logs? First and foremost, several GRC requirements mandate collecting all data, which can compel collection at the packet level. Even if you don’t fall into that bucket, the same data is also the best asset for troubleshooting and root-cause identification. Need to know exactly what happened last night at 11:55pm? Pull the actual traffic and replay it through your security tools.
Finally, full packet capture is absolutely critical for forensic investigation. If a specific security event happened in the last 7 days, you now have the complete data haystack to go searching for the needles.
While managing this amount of data in a traditional datacenter can be daunting, in the cloud it is trivial. There are three main issues to focus on:
The length of time you store the data
The amount of data collected and stored
The location of the data that you move and store
First, it is critical that data is retained for no longer than necessary. Some companies may already have regulatory requirements or guidance on how long their data can be stored. If not, a common starting point is to focus on 1 week or 1 month as general storage guidelines.
Second, when you are determining how much data to save, keep in mind that you can leverage services such as Amazon Glacier or Azure Archive Blob Storage, which cost a fraction of standard S3 or Blob storage. Keeping 72 hours of packet data in S3, then moving the data to Glacier for another 30 days, is one strategy that allows your security teams to data mine or replay recent trends and traffic patterns as they engage in threat hunting, incident response or network optimization.
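The hot-then-archive tiering above, expressed as an S3 lifecycle rule. This is an added example, not Nubeva's code or the page's own configuration; the bucket name is a placeholder, and the 90-day Glacier minimum storage charge is the cost caveat the 72-hour/30-day numbers alone do not show.

```python
"""Added example: S3 lifecycle rule for tiered pcap retention.
STANDARD for hot_days (72 h = 3 days), then GLACIER for archive_days, then delete."""

# S3 Glacier Flexible Retrieval bills a minimum storage duration of 90 days;
# objects deleted earlier are charged for the remainder (cost caveat, not an error).
GLACIER_MIN_BILLED_DAYS = 90


def pcap_lifecycle_rule(hot_days=3, archive_days=30, prefix="pcap/"):
    """Return a boto3-style lifecycle rule. Day counts are relative to object creation."""
    if hot_days < 1 or archive_days < 1:
        raise ValueError("hot_days and archive_days must both be >= 1")
    return {
        "ID": "pcap-hot-then-glacier",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": hot_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": hot_days + archive_days},
        # pcap files are large multipart uploads; drop abandoned parts so they stop accruing cost
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
    }


def tier_for_age(age_days, rule):
    """Storage class an object of the given age sits in under the rule, or None once expired.
    Tells an analyst whether a capture can be replayed directly or must be restored first."""
    if age_days >= rule["Expiration"]["Days"]:
        return None
    for t in sorted(rule["Transitions"], key=lambda t: t["Days"], reverse=True):
        if age_days >= t["Days"]:
            return t["StorageClass"]
    return "STANDARD"


def billed_archive_days(rule):
    """Days of Glacier storage actually billed per object, given the minimum duration."""
    archive = rule["Expiration"]["Days"] - rule["Transitions"][0]["Days"]
    return max(archive, GLACIER_MIN_BILLED_DAYS)


if __name__ == "__main__":
    rule = pcap_lifecycle_rule()
    # Apply to a bucket (placeholder name) with:
    # boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="YOUR-PCAP-BUCKET", LifecycleConfiguration={"Rules": [rule]})
    print(rule)
    print("tier on day 10:", tier_for_age(10, rule))
    print("billed Glacier days per object:", billed_archive_days(rule))
```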
Instrumenting this strategy for all sources at all times is the nation-state approach. Piecemeal and selective implementation creates gaps out of necessity. Using only logs or flow data leaves out the most important and detailed part of the picture. When a breach happens or anomalies are detected, SOC teams are left in the lurch hoping that IT can restore pcaps from old backups so that they can replay at least some of what happened. Meanwhile breaches expand and threats move unencumbered throughout the network while security teams play catch-up. And that’s the best case scenario.
Adopting a nation-state approach at cloud scale is a challenge. The only way to do this at scale, across your entire cloud, is to use a fast, easy and inexpensive solution to mirror traffic in your cloud. Enter Nubeva Prisms. Nubeva Prisms is the most advanced, policy-driven cloud packet networking solution to activate and enable security and monitoring tools. Nubeva Prisms is engineered for the nation-state approach, collecting, filtering and replicating cloud packet traffic to the tools, storage and systems used by your SOC and NOC teams.
In your physical data center, you had security, network and application teams that used an arsenal of tools to protect and optimize your business systems. They would grab traffic out of your compute environment with Network Packet Brokers, SPANs/TAPs, etc. to feed the tools your teams relied upon. Now in the public cloud, physical access goes away but your teams and tools still need packet traffic. Furthermore, the elastic nature of the cloud means resources producing packet traffic cannot be pinned down. They are always ebbing and flowing. It’s not as simple as saying “I want to tap traffic out of that application”. It’s one machine today, it might be 6 tomorrow, and in a completely new region the day after. Relying on systems that require OS reboots to see and secure those workloads is a non-starter, and selective visibility or partial monitoring is not a nation-state approach.
The only solution is to adopt the one system engineered for a cloud-native, nation-state posture: Nubeva Prisms. Deploy Nubeva Prisms across your environment. For the VMs in a specific VPC, mirror their traffic to a local in-VPC destination. Manage the storage duration, auto-archive and auto-delete features as needed to control storage costs. Now your security teams are ready to react to, investigate and test anything that happens. More importantly, they can track down what happened by reviewing the actual data as it traversed your cloud.
Schedule a one-on-one tech-talk with our cloud experts today. No sales. Just solutions.