Page 148 - Cyber Defense eMagazine June 2024
P. 148

However, this flexibility comes with its own set of challenges, especially in terms of security. A study
            revealed that a staggering 90% of teams using containers and Kubernetes experienced security incidents
            in their environments, highlighting the urgent need for robust threat detection and response strategies
            tailored to cloud native ecosystems.




            The Evolution of Threat Detection

            Traditional threat detection methods, such as signature-based approaches, have proven inadequate in
            cloud native environments. Signature-based methods rely on predefined rules to detect known threats,
            but they struggle to keep pace with the rapid onslaught of new threat actors and require thousands of
            signatures  to  every  known  threat.  This  leads  to  high  false  positive  rates  and  an  inability  to  catch
            sophisticated attacks that exploit legitimate processes or user permissions.

            Similarly, black box anomaly detection, while promising at the outset, lacks transparency and struggles
            with a lack of input into cloud native attacks. Millions of such attacks would be needed to create a truly
            accurate detection model with this approach. These limitations underscore the necessity for a paradigm
            shift in threat detection methodologies tailored specifically for cloud native environments.



            Introducing Behavioral Threat Detection

            One of the key pillars of behavioral threat detection is the concept of workload fingerprints that capture
            the hierarchy of processes, programs, and files of a running workload. Workload fingerprints serve as a
            baseline for normal behavior within an environment, allowing organizations to detect any deviations or
            drifts from this baseline. In this approach, the more appropriate usage of AI is not in the detection itself,
            but in the classification of what has been detected, if it is part of a known attack.



            Operationalizing Behavioral Threat Detection

            Implementing behavioral threat detection involves several crucial elements:

               1.  Baseline Creation: Establishing a baseline of normal behavior through workload fingerprints,
                   capturing the expected behavior of containerized workloads.
               2.  Detecting Anomalies via Drift: Continuously monitoring and analyzing workload behavior for
                   deviations  from  the  established  baseline,  leveraging  AI-driven  analysis  to  identify  potential
                   threats.
               3.  Apply Detection to the Software Supply Chain: Verifying the integrity of software throughout
                   the SDLC by comparing baselined behavior with current behavior, akin to an SBOM for runtime
                   behavior.
               4.  Real-time Posture and Context: Applying real-time context across identity, infrastructure, and
                   workloads to attackers’ behavior






            Cyber Defense eMagazine – June 2024 Edition                                                                                                                                                                                                          148
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
   143   144   145   146   147   148   149   150   151   152   153