Page 52 - Cyber Defense eMagazine Annual RSA Edition for 2024

it’s difficult for security teams to detect and track advanced attacks, and they lack the evidence they need to investigate and respond to threats and attacks quickly.

Participants in the SANS 2022 Cloud Security Survey reported a range of visibility issues affecting their ability to adapt existing IR and forensic processes to public cloud environments, including:

▪ Lack of real-time visibility into events and communications involved in an incident.
▪ Difficulty correlating data and insights from security tooling on-premises and in the cloud.
▪ Immature cloud forensics and IR processes.
▪ Lack of access to underlying log files and low-level system information usually needed for forensic examination.
▪ Inability to acquire or consume collected forensic artifacts.
▪ Compatibility issues with forensics tools.

Just as with on-premises environments, an accurate record of what happens in public cloud environments is contained in the network traffic. If you can record that traffic, it gives security operations a definitive and indelible source of evidence they can rely on to overcome challenges such as those listed above.

While in the early days it was difficult or impossible to access packet-level data, as the public cloud has grown in popularity, access to this key evidence has become possible. In most public cloud environments you can access the raw network traffic within your VPC or Virtual Network via traffic mirrors, virtual SPAN ports, agents, and virtual packet brokers. Recording this traffic lets security operations teams take the well-honed, proven incident response and investigation processes they use to secure on-premises infrastructure and apply those same processes in cloud environments too.


Moreover, armed with the same visibility into both cloud and on-premises infrastructure, they can build a unified view of activity across the entire hybrid network, enabling them to track threat activity across infrastructure boundaries. The same is true in multi-cloud environments.



Verification and Zero Trust

As with on-premises infrastructure, applying Zero Trust principles in cloud environments is considered best practice. However, to do this successfully, it’s crucial to be able to ensure that traffic on your network is legitimate and to block any that isn’t. You need to verify that access to cloud assets is granted only to authorized and authenticated users, devices, and applications, and that this authentication and authorization is continuously checked and re-verified.

Deploying always-on packet capture across the entire hybrid cloud gives security teams the definitive evidence they need to verify Zero Trust implementations and analyze anomalies. Packets provide the proof of exactly what traverses the network, letting teams verify, with confidence, that their Zero Trust policies and configurations are operating as intended. Or are not.








