Seeing Through the Clouds
Cloud computing has been a major disruptive force in networking, and with good reason. When used properly, it allows organizations to be more agile, scalable, and mobile. Cloud is currently experiencing massive adoption, with the public cloud market projected to hit $191 billion by 2020, according to Forrester Research.
However, securing the cloud has been a struggle for many organizations. According to the Cloud Security Alliance, 73 percent of companies say security concerns are holding them back from undertaking cloud projects. The cloud faces all of the same security threats as a traditional network, and more. In order to take full advantage of this trend, organizations must learn to adapt their security strategy to the cloud.
One of the primary challenges to securing the cloud is the lack of visibility. The first step to a security strategy that includes cloud is regaining visibility and real-time situational awareness of activity taking place in a cloud environment.
Network Telemetry for Better Cloud Security
One way to address this problem is to regain visibility through NetFlow and other forms of network telemetry. NetFlow is a protocol first developed by Cisco that automatically logs all network transactions and is inherent in many routers, switches, and firewalls.
You can think of NetFlow as similar to a phone bill. It doesn’t contain the contents of a conversation, but it records various aspects of the conversation, such as:
- Sender and receiver IP addresses
- Sender and receiver ports
- Amount of data transferred
Traditionally, NetFlow is gathered directly from network infrastructure devices. Once it is collected and analyzed with the right tools, security operators can gain a comprehensive view of all communications on their network and uncover signs of malicious or anomalous behavior.
The challenge to gaining this level of visibility in the cloud lies in its use of virtual-machine-to-virtual-machine (VM2VM) communication, which does not natively produce NetFlow in the same manner as traditional networks. The Cisco Stealthwatch Cloud License, a virtual add-on to the Cisco Stealthwatch system, was designed to address this problem and extend comprehensive visibility and security analytics to the cloud.
It works by deploying lightweight digital agents to each of your organization’s cloud servers. These agents then monitor traffic, create NetFlow records for each transaction, and transmit them back to Stealthwatch via the Cloud Concentrator.
This setup allows security operators to gain real-time visibility and insight into what is happening in their cloud deployments. As NetFlow is collected, Stealthwatch analyzes it for signs of known bad behavior such as malware propagation. In addition, it builds a baseline of expected network traffic, and triggers an alarm when any host behaves abnormally.
For instance, suppose a host that normally accesses only a few megabytes of data from the cloud a day suddenly downloads gigabytes of information from a sensitive cloud server. This could be a sign of an insider threat, or of an outside attacker who has compromised the host and is hoarding data in preparation for exfiltration. With the Cisco Stealthwatch Cloud License, security operators can detect this behavior in cloud environments quickly enough to respond before sensitive data is lost.
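A minimal version of that baseline-and-alarm logic, written here as an added example (not Stealthwatch code) over constructed NetFlow-style records; the IP addresses, byte counts and the sigma/ratio thresholds are assumptions chosen to illustrate the scenario:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not real telemetry. Each tuple carries the fields the
# article lists: (day, src_ip, dst_ip, dst_port, bytes). Host 10.0.1.10 pulls a few MB
# a day from the sensitive server 10.0.2.5, then on day 8 downloads ~3 GB from it.
# Host 10.0.1.11 is a steady control that should never alarm.
FLOWS = (
    [(d, "10.0.2.5", "10.0.1.10", 443, 4_000_000 + d * 100_000) for d in range(1, 8)]
    + [(8, "10.0.2.5", "10.0.1.10", 443, 3_000_000_000)]
    + [(d, "10.0.2.5", "10.0.1.11", 443, 2_000_000) for d in range(1, 9)]
)


def bytes_per_host_per_day(flows):
    """Aggregate bytes received by each destination host, keyed host -> day -> bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, _src, dst, _port, nbytes in flows:
        totals[dst][day] += nbytes
    return totals


def find_anomalies(flows, min_history=3, sigma=3.0, ratio=10.0):
    """Return (host, day, bytes) for days whose volume is far above the host's own
    history. The baseline is the mean and population stdev of that host's earlier
    daily totals (assumed parameters: at least `min_history` days of history).
    A day alarms only if it exceeds both mean + sigma*stdev and ratio*mean; the
    ratio guard stops a near-zero stdev from a very steady host flagging tiny bumps."""
    alarms = []
    for host, per_day in bytes_per_host_per_day(flows).items():
        history = []
        for day in sorted(per_day):
            vol = per_day[day]
            if len(history) >= min_history:
                mu, sd = mean(history), pstdev(history)
                if vol > mu + sigma * sd and vol > ratio * mu:
                    alarms.append((host, day, vol))
                    continue  # keep the anomalous day out of the learned baseline
            history.append(vol)
    return alarms


if __name__ == "__main__":
    for host, day, vol in find_anomalies(FLOWS):
        print(f"ALARM host={host} day={day} bytes={vol:,}")
```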
Cisco Stealthwatch with the Cloud License can help you detect a variety of threats including malware, distributed denial-of-service (DDoS) attacks, advanced persistent threats (APTs), and insider threats, whether they are active on your on-premises network or in public, private, and hybrid cloud environments.
To learn more about how to protect your cloud initiatives, read our eBook Seeing Through the Clouds: Cloud Visibility Improves Network Security.