
Enhance Cloud Security with EDR

Cloud Security.

Cloud applications and resources are growing steadily as more companies adopt public and private cloud solutions, driven by the growth of remote working and the need to reduce the cost of IT infrastructure. Attackers have identified this as a further area to exploit.

Cloud security is the set of policies, procedures and controls designed to protect cloud infrastructure against unauthorized and malicious access.

Public Cloud.

Public clouds are cloud solutions where the cloud provider owns the infrastructure, physical network and hypervisors, while the organization owns its data and is responsible for securing it. When an organization uses a public cloud, cloud security is a shared responsibility between the organization and the Cloud Solution Provider.

Organizations should take care to verify that the cloud solution provider has secured the cloud platform.

Private Cloud.

The organization owns all the resources, as the cloud is hosted in the organization's own data center. Security of the cloud is primarily the responsibility of the organization.

Factors to consider for a cloud solution:

1. Visibility

Cloud security should give the administrator a bird's eye view of the cloud infrastructure. Administrators should be able to collect an inventory, view network connections, and see the data and the applications that are running.

2. Compliance

Cloud use is subject to regulations and guidelines that must be met to avoid legal fines. Compliance has usually been cumbersome for some organizations, but cloud security solutions have made it easier with predefined policies.

3. Threat Protection

Threats are also a major concern for all cloud platforms. Each organization must be able to protect itself against all types of threats.

4. Access Control

Cloud access should authenticate users and grant access according to a set guideline, so that data and applications are accessed only by authorized users.

Cloud Security Technologies.

1. Cloud Access Security Broker (CASB)

A CASB is a solution that acts as an intermediary between users and cloud services. It allows an organization to set security policies that govern its cloud resources. The policies apply to all devices connecting to the organization's cloud resources regardless of device type or location. A CASB is also able to identify unsanctioned cloud applications and unmanaged devices being used by users.

2. Secure Web Gateway (SWG)

An SWG protects an organization from web and online threats by filtering internet traffic. It sits between users and the internet. Administrators can create policies that block all traffic that goes against company policy for both internal and remote workers. An SWG includes essential security technologies such as URL filtering, application control, data loss prevention, antivirus, and HTTPS inspection.

3. Zero Trust Network Access (ZTNA)

ZTNA authenticates users and devices before allowing access. It follows a "never trust, authenticate first" principle, which blocks users from all resources unless they are explicitly allowed.

ZTNA reduces the resources exposed when credentials are compromised and reduces the threats that malicious staff may deliberately cause.

4. Cloud Security Posture Management (CSPM)

CSPM is a cloud-based security solution that identifies misconfigurations across diverse cloud infrastructure. It gives administrators visibility into misconfigurations and offers remediation recommendations for Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

CSPM is also used for compliance monitoring, incident response and DevOps integration on cloud platforms.
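To make the CSPM idea concrete, here is an added example (not code from the original post or from any vendor) of the kind of misconfiguration scan such a tool runs: a small set of rules is evaluated over an inventory of cloud resources and each hit is reported with a severity and a remediation recommendation, the way a compliance dashboard would. The resource schema (dict keys), rule names and the sample inventory are assumptions constructed for the example; they mirror what a provider's inventory API might return but are not any provider's real format.

```python
"""Minimal CSPM-style misconfiguration scan over a constructed cloud inventory.

Added example, not a vendor product: the resource schema (dict keys), rule
names and sample resources are assumptions chosen to resemble what a
provider's inventory API might return.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Finding:
    resource_id: str
    rule: str
    severity: str
    remediation: str


def check_storage_public(res):
    # Rule 1: object storage must not be reachable by anonymous users.
    if res["type"] == "storage_bucket" and res.get("public_access", False):
        return [Finding(res["id"], "storage-public-access", "HIGH",
                        "Disable public access and grant access through IAM policies.")]
    return []


def check_open_admin_ports(res):
    # Rule 2: SSH (22) and RDP (3389) must not be open to the whole internet.
    if res["type"] != "security_group":
        return []
    findings = []
    for rule in res.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        world_reachable = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
        if world_reachable and rule["port"] in (22, 3389):
            findings.append(Finding(res["id"], "open-admin-port", "HIGH",
                                    f"Restrict port {rule['port']} to the corporate address "
                                    "range or put it behind a ZTNA broker."))
    return findings


def check_encryption_at_rest(res):
    # Rule 3: data stores must encrypt at rest (a common compliance requirement).
    if res["type"] in ("storage_bucket", "database") and not res.get("encrypted_at_rest", False):
        return [Finding(res["id"], "encryption-at-rest", "MEDIUM",
                        "Enable provider-managed or customer-managed key encryption.")]
    return []


RULES = [check_storage_public, check_open_admin_ports, check_encryption_at_rest]


def scan(inventory):
    """Run every rule over every resource and return the list of findings."""
    findings = []
    for res in inventory:
        for rule in RULES:
            findings.extend(rule(res))
    return findings


def summarize(findings):
    """Count findings per severity, the figure a compliance dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory: five resources, three of them misconfigured.
SAMPLE_INVENTORY = [
    {"id": "bkt-public-logs", "type": "storage_bucket", "public_access": True, "encrypted_at_rest": True},
    {"id": "bkt-backups", "type": "storage_bucket", "public_access": False, "encrypted_at_rest": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "db-main", "type": "database", "encrypted_at_rest": True},
]

if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.resource_id}: {f.rule} -> {f.remediation}")
    print(summarize(results))
```

Each rule is a plain function returning a list, so adding a new check (for example, a public database endpoint or a missing access log) is a matter of appending one function to RULES; a real CSPM product does the same thing at scale against the provider's live configuration rather than a static list.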


What is an Endpoint Detection and Response Solution?

An EDR solution records and stores endpoint application, system and network behaviors. Using data analytics techniques, it detects suspicious activities, provides relevant information, blocks malicious activity and provides remediation suggestions to restore affected systems.

EDR solutions should provide the following capabilities:

1. Detect security incidents

Endpoints are installed with a lightweight agent that collects security-relevant telemetry: the running processes, where the endpoints are connecting to, and which files are being accessed. The agent also collects any other details that may be used to detect an attack. This data is also useful during forensic analysis after an attack.

2. Detect and Respond to threats in real time.

EDR systems protect against two types of threats.

  • Threats we have seen before.

These are threats that have been seen previously; the EDR database contains information about them. This may include the file name, file hash values, IP addresses or any other signature that identifies the threat.

When a specific detail matches the database record of a threat, the EDR automatically blocks it.

  • New Threats.

New threats emerge as black hat hackers try new ways of exploiting an organization's IT infrastructure, and no record of them will be found in the EDR database.

EDR uses advanced algorithms to detect behavior patterns that resemble malware attacks.

For example, with malware hidden in Excel macros, the EDR will notice Excel altering system settings, which is abnormal for the Excel application, and will automatically block the operation.

There are also fileless attacks, where attackers exploit legitimate software used in the organization; these can only be detected through the behavior of the application.
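The two detection paths just described (a signature match against the database of threats seen before, and a behavior rule for new or fileless threats such as the Excel macro case) can be shown side by side in a small detection pass. The following is an added example, not code from the original post or from any EDR vendor: it runs both checks over a handful of agent events. The telemetry field names, the sample events, the placeholder "known bad" hash and the TEST-NET IP address are all constructed for the example; the behavior rule encodes only the pattern the text gives, an Office application spawning a shell or writing an autorun registry key.

```python
"""Toy EDR detection pass over constructed endpoint telemetry.

Added example, not a vendor product. It shows the two detection paths the
text describes: a signature match against a known-threat database (hashes,
IPs) and a behaviour rule that flags an Office application doing something
an Office application normally never does. Field names, sample events and
the "known bad" values are constructed for this example.
"""
from dataclasses import dataclass

# Constructed known-threat database; the hash is a placeholder and the IP is
# taken from the TEST-NET-3 documentation range (203.0.113.0/24).
KNOWN_BAD_HASHES = {"sha256:constructed-malware-sample-0001"}
KNOWN_BAD_IPS = {"203.0.113.45"}

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
AUTORUN_PREFIX = r"hklm\software\microsoft\windows\currentversion\run"


@dataclass
class Alert:
    event_id: int
    method: str    # "signature" or "behaviour"
    reason: str
    action: str    # what the agent does in response


def signature_match(ev):
    """Path 1: a threat seen before, some attribute of the event is already in the database."""
    if ev.get("sha256") in KNOWN_BAD_HASHES:
        return "file hash found in known-threat database"
    if ev.get("dest_ip") in KNOWN_BAD_IPS:
        return "destination IP found in known-threat database"
    return None


def behaviour_match(ev):
    """Path 2: a new or fileless threat, no signature, but the behaviour is abnormal."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    if ev.get("event") == "process_start" and parent in OFFICE_APPS and image in SHELLS:
        return f"{parent} spawned {image}"
    if ev.get("event") == "registry_write" and image in OFFICE_APPS \
            and ev.get("key", "").lower().startswith(AUTORUN_PREFIX):
        return f"{image} modified an autorun registry key"
    return None


def analyse(events):
    """Run the cheap, exact signature check first, then the behaviour rules."""
    alerts = []
    for ev in events:
        reason, method = signature_match(ev), "signature"
        if reason is None:
            reason, method = behaviour_match(ev), "behaviour"
        if reason is not None:
            alerts.append(Alert(ev["id"], method, reason, "block"))
    return alerts


# Constructed telemetry, one record per agent event.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_start", "image": "chrome.exe", "parent_image": "explorer.exe",
     "sha256": "sha256:constructed-benign-0001"},
    {"id": 2, "event": "process_start", "image": "update.exe", "parent_image": "explorer.exe",
     "sha256": "sha256:constructed-malware-sample-0001"},
    {"id": 3, "event": "network_connect", "image": "svchost.exe", "dest_ip": "203.0.113.45"},
    {"id": 4, "event": "process_start", "image": "powershell.exe", "parent_image": "EXCEL.EXE"},
    {"id": 5, "event": "registry_write", "image": "excel.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 6, "event": "process_start", "image": "powershell.exe", "parent_image": "explorer.exe"},
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"event {a.event_id}: {a.method:9s} {a.reason} -> {a.action}")
```

Events 2 and 3 are caught by the database alone. Events 4 and 5 have no signature at all (PowerShell and Excel are legitimate binaries), so only the parent-child and registry behaviour rules catch them; event 6, an administrator launching PowerShell from the desktop, matches neither rule, which is the distinction that keeps behaviour-based detection from flooding analysts with false positives.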

3. Forensic investigation of security incidents.

Some threats may bypass our security systems, and the faster a threat is contained the better. To contain a threat, administrators need relevant data. EDR becomes very important because it collects all the relevant data, which makes forensic analysis much faster. It becomes much easier to identify the origin of the attack and which resources were compromised.

EDR provides capabilities to isolate infected resources during the investigation phase to prevent the threat from spreading in the network. Administrators are also able to create indicators of compromise for the specific threat. These become a guideline for IT teams to alter their security approach so that the attack is contained in the future.

4. Provide remediation.

EDR is able to roll back changes made by malware. These changes may have affected the registry, files, the system and even the network.

EDR deletes all applications the malware created, blocks the malware's network activity and terminates all processes it initiated.

Importance of EDR.

1. Identify undetected threats.

2. Understand how the attack took place.

3. Fast response to attacks.

4. Reduces false positives.

5. Reduces cost for recovery from an attack.

Ariel Technology has years of experience in cyber security. We have partnered with global vendors to provide the best security solutions that suit your requirements.

We will walk with you through the implementation and maintenance journey to ensure you get value from your investment.

Contact us for a Demo and POC
