tl;dr: ProtectWise and Nubeva work together to let IT organizations acquire packet traffic from public cloud workloads and deliver it to network detection and response (NDR) tools, whether those tools run in the cloud or on-prem. The result is packet-level visibility into public cloud traffic, which helps analysts decide where to focus their detection and forensics effort.
CTA: Need more information? Watch the on-demand webinar, including a demo of both Nubeva Prisms and ProtectWise at: https://info.nubeva.com/detect_respond_in_the_cloud
The public cloud became a reality more than a dozen years ago. Still, the data show that while more than 60% of enterprise organizations use public cloud platforms, two-thirds of IT pros lie awake at night thinking about how to monitor and secure their data in the cloud. Only recently has a solution appeared that closes the long-standing visibility gap into enterprise resources and workloads hosted in the cloud.
In a recent webinar featuring Nubeva’s latest collaboration with ProtectWise (now owned by Verizon), senior sales engineer Greg Kruck explained the priority: “Security, above all else, matters most – and that means visibility in the public cloud to perform analytics, detection and forensics.”
Kruck outlined three best practices used today to achieve public cloud security, including:
- Analyzing complete data sets. SecOps must be able to perform threat analytics on cloud workloads to protect application and network reliability. This includes inspecting payload strings, spotting application traffic carried over non-standard ports, and applying anomaly rules that flag HTTP and FTP sessions that deviate from the norm. With careful insight into the available traffic, organizations can defend their assets and data. But the packet traffic must be available before analysts and their tools can go to work: acquiring, processing, grooming and distributing packet traffic from the public cloud is the all-important first step toward analyzing complete data sets.
- Treating on-prem and cloud traffic with the same level of scrutiny. Kruck believes it is critical to collect, analyze and review both data center traffic and public cloud traffic with the same level of detail and focus. Extending the enterprise security perimeter into the cloud lets the IT organization meet its security goals while still gaining the advantages of the public cloud.
- Retaining cloud network traffic for context. Baselining patterns of packet traffic and building traffic flow maps help IT discern normal from threatening behavior. To create those baselines and have something to compare against, it is important to capture, index and retain robust pcaps. Forensics over past traffic supports threat intelligence and helps IT admins tell the difference between a known exploit and a new security risk.
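The three practices above (inspecting application traffic on non-standard ports, applying anomaly rules to sessions, and comparing new traffic against a retained baseline) can be sketched in a few dozen lines. The following is an added example written for this article; it is not Nubeva or ProtectWise code, and the flow records, hosts, ports and payload snippets in it are constructed for illustration rather than taken from any real capture. It assumes a packet broker has already groomed traffic into per-flow records with a destination, port, byte count and the first bytes of payload, which is the shape of data a detection tool typically receives.

```python
"""Toy detection pass over groomed flow records.

Added example, not vendor code. Two checks are shown:
  1. application-layer protocol (HTTP/FTP) on a port that is not standard for it;
  2. per-(destination, port) byte-volume anomalies against a retained baseline,
     plus destinations never seen in that baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (hypothetical hosts, ports and payloads).
# "Retained" flows stand in for pcap history kept for baselining.
BASELINE_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.20", "dport": 443, "bytes": b_, "payload": b"\x16\x03\x01"}
    for b_ in (4800, 5100, 4950, 5200, 4900, 5050, 5000, 4850, 5150, 4950)
] + [
    {"src": "10.0.1.5", "dst": "10.0.2.21", "dport": 80, "bytes": b_, "payload": b"GET / HTTP/1.1\r\n"}
    for b_ in (1200, 1300, 1250)
] + [
    {"src": "10.0.1.9", "dst": "10.0.2.22", "dport": 21, "bytes": b_, "payload": b"USER anon\r\n"}
    for b_ in (300, 320, 310)
]

# "New" flows just delivered from the cloud workloads.
NEW_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.21", "dport": 80,   "bytes": 1280,   "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "10.0.1.5", "dst": "10.0.2.21", "dport": 4444, "bytes": 1100,   "payload": b"GET /cmd HTTP/1.1\r\n"},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "dport": 443,  "bytes": 900000, "payload": b"\x16\x03\x01\x00"},
    {"src": "10.0.1.9", "dst": "10.0.2.22", "dport": 21,   "bytes": 300,    "payload": b"USER anon\r\n"},
]

STANDARD_PORTS = {"http": {80, 8080}, "ftp": {21}}


def app_protocol(payload):
    """Crude application-layer fingerprint from the leading payload bytes."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http"
    if payload.startswith((b"USER ", b"PASS ", b"RETR ", b"220 ")):
        return "ftp"
    return None


def nonstandard_port_alerts(flows):
    """Flag HTTP/FTP traffic carried on a port that is not standard for it."""
    alerts = []
    for f in flows:
        proto = app_protocol(f["payload"])
        if proto and f["dport"] not in STANDARD_PORTS[proto]:
            alerts.append((f["src"], f["dst"], f["dport"], proto))
    return alerts


def build_baseline(flows):
    """Per (dst, dport): mean and population std-dev of bytes, from retained history."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["dst"], f["dport"])].append(f["bytes"])
    return {key: (mean(vals), pstdev(vals)) for key, vals in groups.items()}


def volume_anomalies(flows, baseline, zmax=3.0):
    """Flag flows to unseen (dst, port) pairs, or whose byte count is > zmax
    standard deviations from the retained baseline for that pair."""
    alerts = []
    for f in flows:
        key = (f["dst"], f["dport"])
        if key not in baseline:
            alerts.append(("unseen-destination", f["src"], f["dst"], f["dport"]))
            continue
        mu, sigma = baseline[key]
        if sigma == 0:                     # constant history: use a floor, not div-by-zero
            sigma = max(mu * 0.1, 1.0)
        z = (f["bytes"] - mu) / sigma
        if abs(z) > zmax:
            alerts.append(("volume", f["src"], f["dst"], f["dport"], round(z, 1)))
    return alerts


def run(new_flows=NEW_FLOWS, history=BASELINE_FLOWS):
    """Run both checks and return (port_alerts, volume_alerts)."""
    baseline = build_baseline(history)
    return nonstandard_port_alerts(new_flows), volume_anomalies(new_flows, baseline)


if __name__ == "__main__":
    ports, volumes = run()
    for a in ports:
        print("non-standard port:", a)
    for a in volumes:
        print("baseline deviation:", a)
```

On the constructed data the HTTP request to port 4444 trips the port check, the same flow is reported as an unseen destination because no retained history exists for that (host, port) pair, and the 900 KB TLS session to 10.0.2.20:443 is flagged as a volume outlier against the roughly 5 KB history for that service; the ordinary HTTP and FTP sessions pass. The point is that the second and third alerts are only possible because earlier traffic was retained and indexed, which is the argument of the third practice above.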
None of these best practices, however, is possible without the right solutions in place. ProtectWise offers tools that help IT focus on anomaly protection. Using Network Detection and Response, ProtectWise sensors perform full packet forensics and threat hunting. To acquire, process, refine and distribute cloud packets, ProtectWise relies on packet brokers such as Nubeva, which deliver the cloud packet data protected and encrypted in transit; ProtectWise then unpacks and analyzes it and makes it searchable for threat hunters.
“We use probabilistic methods to look at anomalies that are packed in unusual ways,” says Kruck. “The solution is able to identify a timeline and create a network story using the packets, headers and body of HTTP to provide depth and breadth in the instances in question. Nubeva Prisms provides us with this visibility into cloud workloads, feeds the packets to sensors and enables us to do the forensics.”
The Nubeva Prisms solution is easy to deploy and use. Prisms acquires traffic from cloud workloads, processes and filters the packets, and forwards them to whatever tools are in place, in the cloud or on-prem. Prisms is a cloud-native agent designed to do this while sitting on top of the cloud workloads themselves.
Once the packet data reaches the ProtectWise solution, the sensors ingest it, compress and encrypt it, and pass it on to the enterprise customer’s VPC. IT analysts then have visibility into the traffic flowing both in the cloud and on-prem and can identify threats within it.
“With network detection and response rules in place, analysts can see a timeline for each event and quickly take action to resolve or mitigate threats,” added Kruck. “For example, a malware download or file download might help analysts identify issues. This solution gathers the full packet capture data, pins that data to a ticket and the analyst can view the stream of information using the single-screen platform.”
Because the public cloud is dynamic, the demands on workloads can change several times a day. The Nubeva and ProtectWise solution lets IT automatically deploy agents, capture the cloud packets it needs and get that traffic to its tools, providing the visibility IT needs for analytics and forensics.