Public cloud infrastructure requires a new approach to security. We’ve all heard that line, but what does it actually mean? There is little stopping you from, say, deploying agents in the cloud to monitor traffic and detect threats and bringing other on-premises techniques to bear. But as anyone who’s ever attempted this before will tell you, the resulting impacts from, for example, using legacy staffing paradigms, can undercut the business incentives that led to cloud adoption in the first place.
Most organizations adopt the public cloud because it allows them to be responsive to the business, boost the availability of their services, and – most of all – lower their operational costs by providing exactly the computational resources they need when they need them. In the cloud, organizations can scale their operation up quickly, without the need for additional manpower to manage and provision equipment.
These benefits allow organizations to move quickly as their business needs change, but the benefits can be reduced or eliminated because of the wrong security strategy based on tools that don’t fit the new approach or that require manual processes. With that approach, every time an organization changes their cloud environment (which is designed to do so frequently), the security process imposes overhead to adjust to the changes including paying for services potentially no longer needed, contract adjustments and manual deployments to new assets, and manual change control steps. This approach undermines the business value of moving workloads to the cloud in the first place.
Security built for the cloud
To adequately protect workloads in the public cloud, you need security purpose-built for the dynamic environment of the public cloud. Cisco Stealthwatch Cloud was created to help secure public cloud workloads while remaining easy to use and efficient. It is a cloud-native method to detect early-stage indicators of compromise and gain visibility in your public cloud.
Here are a few of the key benefits of Stealthwatch Cloud:
An agentless approach
Software agents are a management nightmare. Requiring a person to manually deploy agents anytime a new virtual machine is spun up is the antithesis of an automated, easily scalable environment. Even in environments where agents are configured into an automatically deployed build, ensuring correct operation, maintaining upgrades, and testing for non-interference, consumes valuable people time and inserts delays and costs. In environments that support it, such as Amazon Web Services (AWS), Stealthwatch Cloud uses VPC Flow Logs and other native sources of telemetry. This means it is able to monitor the entire IaaS environment, including VPC-to-VPC traffic and external IP addresses, without the need for software agents.
Similarly, security tools that require heavy management and configuration can consume numerous man-hours and act as a roadblock. Instead you need something that is simple to deploy and can automatically adapt to an ever-changing environment.
Because Stealthwatch Cloud relies on native data sources such as VPC Flow Logs, deployment can be accomplished in minutes by simply giving Stealthwatch Cloud read-only access to these logs. In addition, all of Stealthwatch Cloud’s analytics require no configuration. The role of each entity in the public cloud environment is automatically determined based on its behavior, which means security analysts do not have to spend time manually classifying devices and cloud resources.
Stealthwatch Cloud is a software as a service (SaaS) solution. There is no need to maintain hardware or apply patches, and new features are added automatically on a monthly basis. Ultimately, this approach massively reduces the time spent implementing and managing the solution.
Low-noise, effective alarms
By far the most resource-draining issues encountered by organizations deploying advanced security are false alarm notifications. Most organizations are already struggling with too many security alerts. According to the Cisco 2017 Annual Cybersecurity Report, only 56 percent of security alerts are investigated, and out of those only 28 percent are deemed legitimate alerts. A noisy security solution in the cloud can consume time from security analysts or worse yet, lead to legitimate security events going uninvestigated and unremediated.
Stealthwatch Cloud was created with a laser-focus on being both low noise and accurate. For example, a typical 10,000 endpoints environment produces an average of 2-3 alerts a day. To validate that customers are finding value in the alerts, whenever an alert is triggered, Stealthwatch Cloud requests feedback on the alert’s relevance. Customers currently rate 96 percent of alerts as ‘helpful.’ In other words, when Stealthwatch Cloud asks for your attention on something that it has found, the chances are excellent that you’ll be glad you responded. More significantly, this kind of accuracy gives you a security solution that meets the performance and change-rate demands of your public cloud business case.
Modeling makes the difference
How does Stealthwatch Cloud accomplish all of these benefits when so many other security analytics solutions fall short? Stealthwatch Cloud uses a technology called Dynamic Entity Modeling, which utilizes machine learning and advanced analysis to constantly adapt to the environment and produce actionable security intelligence.
As Stealthwatch Cloud consumes data, it creates a model – a kind of simulation – of every device and network entity. This model determines the entity’s role, what its normal behavior looks like, what other entities it interacts with and when, and how it will likely behave in the future. Based on this model, Stealthwatch Cloud detects when an entity behaves in a way indicative of threat. For instance, if an AWS resources only communicates with internal hosts but suddenly begins connecting to an external server, it could be a sign of compromise.
Dynamic Entity Modeling allows Stealthwatch Cloud to keep up with the ever-changing environment of the public cloud, while accurately identifying security-relevant events. It is built with the high scale, rapidly changing environment of public cloud infrastructure in mind and it flexibly adjusts to your cloud-based business as you would expect.