Using continuous intelligence to address cloud-native application security challenges

Security solutions that use continuous intelligence can gain real-time insights into cloud-native application security threats.

Modern cloud-native applications are difficult to secure because of how they are built. They are highly distributed, assembled from open source software and libraries, composed of numerous microservices (many of them provided by third parties), and expose and consume data through APIs. Identifying security issues in such applications and protecting against threats is beyond what traditional tools that simply monitor operations can do.

Some recent developments put the potential security issues with cloud-native applications into perspective. For example, a recent internet-wide research scan identified roughly 450,000 Kubernetes API servers, and of those, about 380,000 allowed some level of unauthenticated access. The researchers noted: “While this does not mean that these instances are completely open or vulnerable to attack, it is likely that this level of access was unintentional, and these instances are an unnecessarily exposed attack surface. They also allow leaking of version information and builds.”

That makes cloud security even more challenging and calls for better observability and insight into the interdependencies within cloud-native applications.
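What separates "reachable" from "exposed" in a finding like the one above is the status code an unauthenticated probe gets back, and that is the check a practitioner wants to run against their own address space before anyone else does. The Python below is an added example, not code from the article or from the study it cites. The probe paths, host addresses and HTTP responses are constructed for illustration, and the fetch function is injected so the classifier runs offline; in practice you would wrap an HTTPS GET (for instance `requests.get(url, verify=False, timeout=5)`) and pass that in.

```python
import json
from typing import Callable, Dict, List, Tuple

# One unauthenticated GET: returns (HTTP status, body). Injected so the classifier
# can run offline against constructed responses; in real use wrap e.g.
# requests.get(url, verify=False, timeout=5) and return (r.status_code, r.text).
Fetch = Callable[[str], Tuple[int, str]]

# Resources an anonymous caller must never be able to list. Illustrative probe list.
RESOURCE_PATHS = ["/api/v1/namespaces", "/api/v1/secrets", "/api/v1/nodes"]


def classify_api_server(base_url: str, fetch: Fetch) -> Dict[str, object]:
    """Classify what an unauthenticated client gets from a Kubernetes API server.

    The status code tells you more than the body:
      401  request rejected before authorization: anonymous auth is disabled.
      403  caller accepted as system:anonymous, then denied by RBAC: anonymous
           auth is enabled and only RBAC separates the network from the resource.
      200  readable without credentials.
    """
    status, body = fetch(base_url + "/version")
    version = None
    if status == 200:
        try:
            version = json.loads(body).get("gitVersion", "unparseable")
        except (ValueError, AttributeError):
            version = "unparseable"
    elif status not in (401, 403):
        return {"base_url": base_url, "exposure": "unreachable", "version": None, "readable": []}

    anonymous_accepted = status in (200, 403)
    readable: List[str] = []
    for path in RESOURCE_PATHS:
        code, _ = fetch(base_url + path)
        if code == 200:
            readable.append(path)
        if code in (200, 403):
            anonymous_accepted = True

    if readable:
        exposure = "open"                    # cluster data readable without credentials
    elif version is not None:
        exposure = "version-leak"            # default RBAC lets anonymous callers read /version
    elif anonymous_accepted:
        exposure = "anonymous-auth-enabled"  # nothing readable, but anonymous requests are authenticated
    else:
        exposure = "anonymous-auth-disabled"
    return {"base_url": base_url, "exposure": exposure, "version": version, "readable": readable}


# Constructed responses standing in for three scanned hosts (not real scan data).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    # default install: /version open to system:unauthenticated, resources denied by RBAC
    "https://10.0.0.2:6443/version": (200, '{"major":"1","minor":"23","gitVersion":"v1.23.5"}'),
    "https://10.0.0.2:6443/api/v1/namespaces": (403, '{"kind":"Status","code":403}'),
    "https://10.0.0.2:6443/api/v1/secrets": (403, '{"kind":"Status","code":403}'),
    "https://10.0.0.2:6443/api/v1/nodes": (403, '{"kind":"Status","code":403}'),
    # misconfigured: anonymous user bound to a read role
    "https://10.0.0.3:6443/version": (200, '{"major":"1","minor":"22","gitVersion":"v1.22.9"}'),
    "https://10.0.0.3:6443/api/v1/namespaces": (200, '{"kind":"NamespaceList","items":[]}'),
    "https://10.0.0.3:6443/api/v1/secrets": (403, '{"kind":"Status","code":403}'),
    "https://10.0.0.3:6443/api/v1/nodes": (200, '{"kind":"NodeList","items":[]}'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTPS GET, answering from the constructed table."""
    if url in SAMPLE_RESPONSES:
        return SAMPLE_RESPONSES[url]
    if url.startswith("https://10.0.0.1:6443"):  # hardened host: --anonymous-auth=false
        return 401, '{"kind":"Status","code":401}'
    return 0, ""  # connection failure


def scan(hosts: List[str], fetch: Fetch = fake_fetch) -> Dict[str, str]:
    """Exposure class per host, the summary a scan report would carry."""
    return {host: str(classify_api_server(host, fetch)["exposure"]) for host in hosts}


if __name__ == "__main__":
    for host, exposure in scan(["https://10.0.0.1:6443", "https://10.0.0.2:6443",
                                "https://10.0.0.3:6443", "https://10.0.0.9:6443"]).items():
        print(f"{host}: {exposure}")
```

The 401-versus-403 split is the detail that matters when triaging such a scan: a 403 means the server authenticated the request as `system:anonymous` and only an RBAC decision stood between the caller and the resource, whereas a 401 means anonymous requests are rejected outright. A "version-leak" result is what a stock kube-apiserver produces, because the default `system:public-info-viewer` role grants `system:unauthenticated` read access to `/version` and the health endpoints. The fixes are to keep the API server off the public network and, where anonymous access is not needed, to run kube-apiserver with `--anonymous-auth=false`.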

A second factor drawing attention is that the core open source software and libraries used in many cloud-native applications are themselves vulnerable to attack.

The most prominent example is the vulnerability in the Apache Log4j logging library. According to the Cybersecurity and Infrastructure Security Agency (CISA), “Log4j is widely used in a variety of consumer and enterprise services, websites, and applications, as well as in operational technology products, to record security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”

The problem is that Log4j has been in wide use for years and is embedded in a great many applications. Development based on microservices, APIs, and composable components makes it easy to pull such software into an application without knowing it, simply by reusing a component that itself bundles Log4j. Low-code/no-code methods make reuse of components easier still, amplifying the issue.

In April, CISA added the remote code execution (RCE) vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog, a designation based on evidence of active exploitation.

In both cases, the vulnerabilities are found in widely used software that is incorporated into a wide range of applications and services. The Spring Framework “provides a comprehensive programming and configuration model for modern Java-based enterprise applications, on any type of deployment platform,” according to Spring. “A key element of Spring is application-level infrastructure support: Spring focuses on installing business applications so that teams can focus on business logic at the application level, without unnecessary ties to specific deployment environments.”

The Spring Framework vulnerability is likewise a recently disclosed remote code execution flaw that unauthenticated attackers could exploit to take control of a system. And like Log4j, Spring is so widely used that many organizations may not know whether, or where, it is present in their applications.
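The practical consequence of "we may not know where it is used" is that a dependency inventory has to be built from the deployed artifacts, not from the build files, because a library pulled in transitively or shaded into a fat JAR never appears in a project's own manifest. The Python below is an added example illustrating that for both the Log4j and Spring cases; it is not code from the article, CISA, or either project. It walks JAR/WAR/EAR archives, descends into nested archives, identifies a library by a marker class rather than by filename, and reads the version from Maven's `pom.properties` where present. The watchlist, the sample archive and its version strings are constructed for illustration; a real run would point `scan_tree` at a deployment directory or an unpacked container image.

```python
import io
import os
import zipfile
from typing import Dict, List, Tuple

# Marker classes that identify a library inside an archive even when the JAR has
# been renamed or shaded into a fat JAR. Watchlist is illustrative; extend as needed.
WATCHLIST: Dict[str, str] = {
    "log4j-core": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "spring-beans": "org/springframework/beans/factory/BeanFactory.class",
}
NESTED = (".jar", ".war", ".ear", ".zip")

Finding = Tuple[str, str, str]  # (location, library, version)


def _pom_versions(zf: zipfile.ZipFile) -> Dict[str, str]:
    """Map artifactId -> version from Maven's META-INF/maven/**/pom.properties."""
    versions: Dict[str, str] = {}
    for name in zf.namelist():
        if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
            continue
        props: Dict[str, str] = {}
        for line in zf.read(name).decode("utf-8", "replace").splitlines():
            if "=" in line and not line.lstrip().startswith("#"):
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
        if "artifactId" in props:
            versions[props["artifactId"]] = props.get("version", "unknown")
    return versions


def scan_archive(data: bytes, location: str, depth: int = 0, max_depth: int = 5) -> List[Finding]:
    """Report watchlisted libraries in an archive, descending into nested archives
    (WEB-INF/lib, shaded/fat JARs) so a dependency hidden inside a dependency is found."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupted): nothing to inspect
    with zf:
        names = zf.namelist()
        present = set(names)
        versions = _pom_versions(zf)
        for lib, marker in WATCHLIST.items():
            if marker in present:
                findings.append((location, lib, versions.get(lib, "unknown")))
        if depth < max_depth:
            for name in names:
                if name.lower().endswith(NESTED):
                    findings.extend(scan_archive(zf.read(name), f"{location}!{name}", depth + 1, max_depth))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory (a deploy root or an unpacked container layer) and scan every archive."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(NESTED):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def _jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP/JAR from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_demo_archive() -> bytes:
    """Constructed sample WAR: a renamed log4j-core and a spring-beans JAR under WEB-INF/lib."""
    stub_class = b"\xca\xfe\xba\xbe"  # only the class-file magic; contents are irrelevant here
    log4j = _jar({
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": stub_class,
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            b"#Generated by Maven\nversion=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    spring = _jar({
        "org/springframework/beans/factory/BeanFactory.class": stub_class,
        "META-INF/maven/org.springframework/spring-beans/pom.properties":
            b"version=5.3.17\ngroupId=org.springframework\nartifactId=spring-beans\n",
    })
    return _jar({
        "WEB-INF/lib/logging-shaded.jar": log4j,  # filename gives no hint that this is log4j
        "WEB-INF/lib/spring-beans-5.3.17.jar": spring,
        "WEB-INF/classes/com/example/App.class": stub_class,
    })


if __name__ == "__main__":
    for location, lib, version in scan_archive(build_demo_archive(), "app.war"):
        print(f"{location}: {lib} {version}")
```

Matching on a marker class is what makes the renamed `logging-shaded.jar` show up; a filename or manifest search would miss it. The output is an inventory of where each library lives and which version it is, which is the input the advisory comparison needs; it says nothing by itself about whether a given version is affected.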

This month, new attention was paid to the leaking of credentials belonging to numerous open source projects. Specifically, Ars Technica reported: “A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access developers’ private accounts on Github, Docker, AWS, and other code repositories.”

How SOAR can help with cloud-native application security

Modern cloud-native applications are becoming increasingly complex and difficult to secure. Those responsible for protecting the business from cyber threats must quickly assimilate data from multiple logs, traces, and alerts produced by security information and event management (SIEM) systems and other security tools, gain insight into imminent threats in real time, and act immediately. Increasingly, the way to achieve this is SOAR (Security Orchestration, Automation, and Response).

One of SOAR’s greatest strengths is its ability to apply automation to security operations (SecOps). By automating processes, SOAR frees up analysts’ time for more strategic work instead of repetitive and menial tasks. Specifically, tasks previously performed by hand by SecOps personnel, such as vulnerability scanning, log analysis, and ticket verification, can be performed automatically by a SOAR platform. Artificial intelligence (AI) and machine learning can be layered on top to extract further insights. SOAR solutions typically escalate threats when human intervention is needed, recommend actions, and automate responses, using continuous intelligence to supply the real-time information on which a company bases its response to a threat.
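The triage logic that paragraph describes, deduplicating alerts, enriching them with asset context, automating the response where the evidence is strong, and escalating to a human where it is not, is what a SOAR playbook encodes. The Python below is an added example of such a playbook, not code from the article or from any SOAR product. The alert fields, the confidence score, the asset inventory and the three integrations (`block_ip`, `open_ticket`, `page_oncall`) are hypothetical; the integrations are injected as callables so the example runs offline and so the decision logic can be tested independently of the firewall, ticketing and paging systems it would drive in practice.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """Normalised alert as a SIEM might forward it (fields are illustrative)."""
    id: str
    rule: str          # detection rule that fired
    asset: str         # affected host or service
    src_ip: str        # attacker-controlled address, if any
    confidence: float  # detection confidence, 0.0 to 1.0 (hypothetical scale)


@dataclass
class Decision:
    alert_id: str
    action: str   # "auto-contain", "escalate", "ticket" or "suppress"
    reason: str


# Constructed asset inventory; a real playbook would pull this from a CMDB or cloud API.
ASSETS: Dict[str, Dict[str, object]] = {
    "web-01":   {"tier": "prod", "internet_facing": True},
    "batch-07": {"tier": "prod", "internet_facing": False},
    "dev-ci":   {"tier": "dev",  "internet_facing": False},
}


class Playbook:
    """Triage loop: dedupe, enrich with asset context, then act or escalate."""

    def __init__(self, block_ip: Callable[[str], object],
                 open_ticket: Callable[[str, str], object],
                 page_oncall: Callable[[str, str], object],
                 auto_threshold: float = 0.9):
        self.block_ip = block_ip          # hypothetical firewall integration
        self.open_ticket = open_ticket    # hypothetical ticketing integration
        self.page_oncall = page_oncall    # hypothetical paging integration
        self.auto_threshold = auto_threshold
        self._seen: Set[Tuple[str, str, str]] = set()

    def run(self, alert: Alert) -> Decision:
        # Dedupe: the same rule on the same asset from the same source is one incident.
        key = (alert.rule, alert.asset, alert.src_ip)
        if key in self._seen:
            return Decision(alert.id, "suppress", "duplicate of an alert already being handled")
        self._seen.add(key)

        asset = ASSETS.get(alert.asset, {"tier": "unknown", "internet_facing": False})

        # High-confidence attack on an internet-facing system: contain first, review after.
        if alert.confidence >= self.auto_threshold and asset["internet_facing"]:
            self.block_ip(alert.src_ip)
            self.open_ticket(alert.id, f"auto-blocked {alert.src_ip} after {alert.rule} on {alert.asset}")
            return Decision(alert.id, "auto-contain", "high confidence, internet-facing asset")

        # Production or unknown asset without enough confidence to act unattended: a human decides.
        if asset["tier"] in ("prod", "unknown"):
            self.page_oncall(alert.id, f"{alert.rule} on {alert.asset} needs review")
            return Decision(alert.id, "escalate", "production/unknown asset, confidence below auto threshold")

        # Everything else goes into the normal queue.
        self.open_ticket(alert.id, f"{alert.rule} on {alert.asset} (non-prod)")
        return Decision(alert.id, "ticket", "non-production asset, handled in normal queue")


def demo() -> Tuple[List[Decision], List[str]]:
    """Run constructed alerts through the playbook; return decisions and the action log."""
    log: List[str] = []
    playbook = Playbook(
        block_ip=lambda ip: log.append(f"block {ip}"),
        open_ticket=lambda aid, text: log.append(f"ticket {aid}: {text}"),
        page_oncall=lambda aid, text: log.append(f"page {aid}: {text}"),
    )
    alerts = [  # constructed sample alerts, not real detections
        Alert("a1", "jndi-lookup-in-request", "web-01", "203.0.113.7", 0.97),
        Alert("a2", "jndi-lookup-in-request", "web-01", "203.0.113.7", 0.97),  # re-fired duplicate
        Alert("a3", "suspicious-class-load", "batch-07", "198.51.100.9", 0.6),
        Alert("a4", "leaked-token-use", "dev-ci", "192.0.2.44", 0.5),
    ]
    return [playbook.run(a) for a in alerts], log


if __name__ == "__main__":
    decisions, actions = demo()
    for d in decisions:
        print(f"{d.alert_id}: {d.action} ({d.reason})")
    print("\n".join(actions))
```

Two design points carry over to real deployments. First, the action log is the audit trail: every automated step is recorded with the alert that caused it, so an analyst can later see why a block happened. Second, the automatic path is deliberately narrow (high confidence and an internet-facing asset); everything else produces a ticket or a page, because a playbook that blocks on weak evidence creates outages that are harder to undo than a delayed response.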

Such automation is essential today. The rate at which threats evolve is increasing the demand for qualified security professionals, yet many companies find it increasingly difficult to staff a team of cybersecurity professionals.