Cloud computing is the powerhouse of today’s digital economy. Organizations across all industries are increasingly migrating their workloads and IT infrastructure to the cloud. This trend has only intensified since the beginning of the global pandemic, as organizations became increasingly remote, relying on more digital technologies. In fact, Gartner® forecasts worldwide end-user spending on public cloud services to grow 20.4 percent in 2022, to a total of $494.7 billion¹.
As organizations move their workloads to the cloud, hackers inevitably follow suit, targeting public and private cloud infrastructure with their attacks. According to an alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), cybercriminals are targeting public cloud infrastructure and Linux systems to increase the impact of their ransomware campaigns. They exploit known vulnerabilities and common misconfigurations in popular public cloud infrastructure to gain access to a larger number of organizations. Attackers are also increasingly targeting cloud infrastructure for use in their cryptojacking campaigns, where they hijack an organizations’ cloud computing power and surreptitiously use it for crypto-mining operations.
Misconceptions about Linux and container security
The vast majority (90%) of public cloud infrastructure is run on the open-source operating system, Linux. Unfortunately, despite the rising threat to cloud workloads, many Linux operating systems in enterprise organizations today remain unprotected. Some IT security professionals and developers mistakenly believe that Linux is secure by default, or that attackers mainly focus on Windows operating systems. Others believe their Linux environments are not at risk because they are completely isolated, or they think their existing antivirus solutions provide sufficient protection. Still others understand the benefits of cloud workload security solutions, but mistakenly believe that the negative impact to performance efficiency is too great, so they simply accept the risks and leave their cloud workloads unprotected.
With organizations migrating more and more of their sensitive data to cloud infrastructures and attacks continuing to increase, they cannot afford to ignore the security risks any longer.
Agentless vs. agent-based security solutions
When it comes to selecting a cloud workload security solution, one of the first questions a security professional must decide upon is whether to use an agentless or agent-based solution. Agent-based solutions require the organization to install code on the systems being monitored, while agentless solutions communicate directly with APIs about the resources being monitored.
Benefits of agentless solutions include little-to-no performance impact, easier management, nothing to deploy, and minimal configuration needed. However, with that said, it’s important to recognize that there is no such thing as a truly agentless approach. Even solutions described as “agentless” have some form of agent that helps get semantic or metadata from inside the instance and translate that data into whatever system is being used so the information can be correlated and provide results, such as alerting when malicious or suspicious activity has occurred. It’s also important for security professionals to understand that an agentless approach is not preventative in nature. In the case of public clouds, there are no remediation capabilities available in agentless offerings.
Agent-based solutions, in contrast, provide much faster detection because they have built-in components and modules that can introspect at a faster rate, delivering real-time and even preventative protection rather than merely identifying security events after they occur. One of the biggest benefits of an agent-based approach is the ability to automate remediation. Overall, an agent-based approach enables a more holistic and resilient security framework for cloud workloads.
Critical capabilities for cloud workload security
When evaluating cloud workload security (CWS) solutions for Linux and container environments, there are critical capabilities that organizations should look for. These include:
- Risk Analytics – A good CWS solution should include security controls that can assess the cloud workload in real time, including scanning for vulnerabilities and misconfigurations. It should be checking to ensure that everything is aligned with best practices and industry standards such as CIS Benchmarks. Risk analytics capabilities like these are an important way for security professionals to “shift left” and identify potential threats earlier by understanding how vulnerable the organization’s cloud environment is and what level of risk it faces. This enables security teams to take preventative action to become more secure and catch attacks earlier in the kill chain when they do occur.
- Patch Management – Once vulnerabilities have been identified using risk analytics, a CWS solution should provide patch management capabilities. Not every security vendor is able to provide patch management specifically designed for Linux distributions, which can be susceptible to scan-based vulnerabilities as well as dependency and utilities vulnerabilities. Security professionals should seek out solutions that have been purpose-built to protect Linux and container environments.
- Network Attack Defense – Many advanced threats today, such as ransomware, aim to remain under the radar as they quietly move laterally throughout the organization’s network. It’s critically important that organizations have the ability to respond to attacks at any point in the process, from initial access to lateral movement within the network, to data exfiltration. Security teams need cloud workload controls that not only detect threats, but also prevent attacks from happening, whether over FTP, SSH, or SCP.
- Advanced Anti Exploit (AAE) – If a threat cannot be stopped or mitigated in time, or if an organization doesn’t have the right controls to tackle active threats, then the business needs more advanced technologies, such as Advanced Anti Exploit (AAE). These technologies can identify sophisticated threats upon execution, from monitoring connections to e-trace monitoring (important for identifying container escape, when a threat has escaped the boundaries of the container to take over a host and operating system). AAE capabilities are essential for use as a detective or preventative control.
- Integrity Monitoring – Integrity monitoring of cloud workloads enables security professionals to identify potential threats, even among activity that is considered “normal.” It provides insightful information and actionable data that allows security analysts to quickly focus on things that are out of the ordinary, such as unapproved changes, rather than activities that may appear unusual but are part of a trusted process or trusted publisher, so they are likely safe.
- EDR/XDR – Last but certainly not least is the combination of endpoint detection and response (EDR) and extended detection and response (XDR) technologies. XDR is the next evolution in EDR, providing greater visibility over all assets, including endpoints, networks, identities, and cloud workloads. It provides necessary visibility and context around any malicious activity or vulnerability that cannot be hardened. XDR solutions monitor and perform sophisticated analysis on security data so analysts can quickly and easily see what is happening and leverage response capabilities to stop attacks in their tracks.
In today’s increasingly cloud-centric business landscape, underpinning all of these security capabilities must be enterprise grade cloud workload protection. In cloud and hybrid environments, traditional security tools struggle with resource consumption, escalating costs, and complexity. Security teams need a cloud workload protection platform designed with a light footprint and simple, centralized management. An organization can have the most modern security controls, but if it doesn’t have ease of management for the security, the technologies will be worthless. Bitdefender Cloud Workload Protection provides all of the critical capabilities described above and is designed specifically for Linux and container security, facilitating the speed and ease of response, whether automated or manual.
Learn more about Bitdefender Cloud Workload Protection and how it can help protect your Linux and container environments.
Gartner® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.