Determining risk by quantifying “known knowns” and “known unknowns” has always presented security teams with something of a challenge, but we’re closer than ever to being able to accurately gauge the exposure of the business.
This is because we no longer have to rely on periodic, point-in-time assessments, which can only ever tell us how things stood at the moment the assessment ran. Instead, we can monitor and interrogate data continuously using observability, an approach that grew out of Application Performance Monitoring (APM). It is a potential game-changer in how we measure security, but first let's consider why we need to measure it at all.
Establishing how effectively your networks and systems are protected gives you a baseline against which to judge compliance and assess the risk exposure of the business. That baseline can then inform the security strategy, be weighed against the risk appetite of the business, and guide further investment. Measuring cloud security, however, presents new challenges, yet teams continue to assess their cloud security provision with the same tools and techniques they used for on-premises systems.
Assessing security in the cloud is problematic for three reasons: limited visibility of resources, rapid change that results in misconfigurations, and a shortage of skilled cloud practitioners, which leaves many teams struggling to know how to implement security controls in the cloud. And while many consultants and security service providers offer security assessments as part of the sales cycle, teams are often reluctant to take them up because of the commitment involved.
Such assessments often require manual effort and the installation of agents, lack full visibility (any system without an agent is effectively invisible), and are time-consuming, running for weeks or months. This is now changing with the advent of API-based assessment. Because it queries the cloud provider's management APIs rather than the workloads themselves, it can assess the security posture of the organisation in around half an hour with no agent installation, and it can be used to establish an inventory of all cloud assets immediately, report instances of misconfiguration and control violations, and check compliance with established security standards and regulations. The caveat is that an API-based assessment only sees what the provider's control plane exposes: it will show you an instance whose security group is open to the internet, but not what is running inside that instance.
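The shape of such an API-based check, as an added example that is not code from the original page or from any vendor's product: the cloud provider's list/describe APIs are called for each resource type, the returned descriptions are evaluated against a set of rules, and the result is both an inventory and a list of findings. The INVENTORY snapshot below is constructed to look like that API output, and the rule identifiers, port list and key-age policy are illustrative assumptions rather than any published benchmark.

```python
"""Rule-based posture check over an API-style cloud inventory snapshot.

INVENTORY is a constructed, hypothetical snapshot shaped like the JSON a
cloud provider's list/describe APIs return; it is not real provider output.
Rule identifiers (SG-ADMIN-WORLD etc.) are likewise illustrative, not CIS
benchmark numbers.
"""
import ipaddress

INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "rules": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public": True, "encrypted": True},
        {"name": "customer-exports", "public": True, "encrypted": False},
        {"name": "audit-logs", "public": False, "encrypted": True},
    ],
    "users": [
        {"name": "alice", "mfa": True, "access_key_age_days": 30},
        {"name": "ci-bot", "mfa": False, "access_key_age_days": 400},
    ],
}

ADMIN_PORTS = {22, 3389}   # SSH and RDP
MAX_KEY_AGE_DAYS = 90      # rotation policy assumed for this example


def is_world_reachable(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def finding(severity, rule, resource, detail):
    return {"severity": severity, "rule": rule, "resource": resource, "detail": detail}


def check_security_groups(groups):
    out = []
    for g in groups:
        for r in g["rules"]:
            if not is_world_reachable(r["cidr"]):
                continue
            exposed = sorted(p for p in ADMIN_PORTS if r["from"] <= p <= r["to"])
            if exposed:
                out.append(finding("HIGH", "SG-ADMIN-WORLD", g["id"],
                                   f"admin port(s) {exposed} open to {r['cidr']}"))
    return out


def check_buckets(buckets):
    out = []
    for b in buckets:
        if b["public"]:
            out.append(finding("MEDIUM", "BUCKET-PUBLIC", b["name"], "bucket is publicly readable"))
        if not b["encrypted"]:
            out.append(finding("HIGH", "BUCKET-UNENCRYPTED", b["name"], "no encryption at rest"))
    return out


def check_users(users):
    out = []
    for u in users:
        if not u["mfa"]:
            out.append(finding("HIGH", "IAM-NO-MFA", u["name"], "MFA not enabled"))
        if u["access_key_age_days"] > MAX_KEY_AGE_DAYS:
            out.append(finding("MEDIUM", "IAM-KEY-STALE", u["name"],
                               f"access key is {u['access_key_age_days']} days old"))
    return out


def assess(inventory):
    """Inventory every asset the API returned, then evaluate the rules against it."""
    asset_count = sum(len(v) for v in inventory.values())
    findings = (check_security_groups(inventory["security_groups"])
                + check_buckets(inventory["buckets"])
                + check_users(inventory["users"]))
    by_severity = {}
    for f in findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {"asset_count": asset_count, "findings": findings, "by_severity": by_severity}


if __name__ == "__main__":
    report = assess(INVENTORY)
    print(f"{report['asset_count']} assets, {len(report['findings'])} findings: {report['by_severity']}")
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['rule']} {f['resource']}: {f['detail']}")
```

In a real run the three lists in INVENTORY would be populated by paginated API calls made with a read-only role, which is what makes the assessment fast and agentless; the evaluation logic is the same either way. Note that nothing here inspects the instance behind sg-admin, only its network exposure.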
But what about the ongoing assessment we talked about at the beginning? How do you gain visibility into your cloud infrastructure in near-real-time? What benefits does this confer over and above point-in-time measurement?
Don’t just monitor – observe
Observability lets us infer the internal state of cloud systems from the outputs they produce. Monitoring relies on logging events against predefined conditions and deciding whether they need to be acted upon; observability collects far more information about performance and behaviour. In addition to event logs, it captures metrics and traces that follow a request through each of the systems it touches, which means it is constantly collecting both 'good' and 'bad' data for analysing system and service performance.
If we take the concept of observability and apply it in a security context, we gain much more visibility and the flexibility to interrogate the data with any number of questions without redesigning the collection process each time. We are no longer constrained to checking specific measures such as misconfiguration counts, Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Instead, we can derive KPIs from just about any aspect of the data, and this need not be storage-intensive, because numeric KPIs can be stored as metrics that take up very little space compared with the raw events they summarise. These KPIs in turn give us trends, which tell us what has changed, and that is tremendously useful for spotting previously unseen activity, such as exploitation of a zero-day vulnerability, which by definition will not be on our watch list.
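To make the KPI-as-metric idea concrete, here is an added example (not code from the original page): raw authentication events are rolled up into a handful of numbers per one-minute window, and each KPI series is then checked for a break from its own baseline. The events, the window size and the baseline heuristic are all constructed assumptions for the example; a real deployment would feed the roll-up from the log or trace pipeline and keep only the per-window metrics long term.

```python
"""Security KPIs as metrics: roll raw auth events up into per-window numbers
and flag windows whose trend breaks from the baseline.

The events are constructed for this example (not real logs). Window size,
sigma and the baseline heuristic are illustrative choices.
"""
import statistics
from collections import defaultdict


def constructed_events():
    """(timestamp_seconds, source_ip, outcome) tuples: four quiet minutes,
    then a burst of failures from one unfamiliar address in the fifth."""
    events = []
    for minute in range(4):
        base = minute * 60
        for i, ip in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
            events.append((base + i * 10, ip, "success"))
        events.append((base + 45, "10.0.0.5", "failure"))
    for i in range(12):
        events.append((240 + i * 4, "198.51.100.23", "failure"))
    events.append((250, "10.0.0.6", "success"))
    return events


def rollup(events, window=60):
    """Collapse events into a few numeric KPIs per window. Only these numbers
    need to be retained as metrics, not the raw event stream."""
    acc = defaultdict(lambda: {"total": 0, "failed": 0, "sources": set()})
    for ts, ip, outcome in events:
        b = acc[ts - ts % window]
        b["total"] += 1
        b["failed"] += outcome == "failure"
        b["sources"].add(ip)
    return {
        w: {
            "failed_logins": b["failed"],
            "distinct_sources": len(b["sources"]),
            "failure_ratio": round(b["failed"] / b["total"], 3),
        }
        for w, b in sorted(acc.items())
    }


def detect_shifts(series, kpi, sigma=3.0, min_baseline=3):
    """Walk the windows in order. A window is flagged when its KPI exceeds
    both mean + sigma*stdev of all earlier windows and twice their mean; the
    second clause stops a flat baseline (stdev 0) from flagging tiny noise."""
    flagged = []
    windows = list(series)
    values = [series[w][kpi] for w in windows]
    for i in range(min_baseline, len(windows)):
        base = values[:i]
        mean = statistics.mean(base)
        limit = max(mean + sigma * statistics.pstdev(base), 2 * mean)
        if values[i] > limit:
            flagged.append({"window": windows[i], "kpi": kpi,
                            "value": values[i], "limit": round(limit, 3)})
    return flagged


if __name__ == "__main__":
    series = rollup(constructed_events())
    for kpi in ("failed_logins", "distinct_sources", "failure_ratio"):
        for s in detect_shifts(series, kpi):
            print(f"t={s['window']}s {s['kpi']}={s['value']} exceeds baseline limit {s['limit']}")
```

The same roll-up answers several questions at once (how many failures, from how many sources, at what ratio), and a new question is a new key in the returned dictionary rather than a new collection pipeline. Nothing in this rule knows what the burst from 198.51.100.23 is; it is surfaced purely because the trend changed, which is the point made above about activity that is not on any watch list. The heuristic only looks for rises, so a sudden drop in distinct_sources would need a separate check.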
So, where APM agents first gave us telemetry on application performance, the logs, metrics and distributed tracing offered by observability promise the next level of insight needed to secure the cloud. It provides finger-on-the-pulse monitoring, and because it captures data in near real time it can be queried at will to give an accurate view of exactly how the cloud is performing. Indeed, we believe it will be essential in giving security teams the visibility they need to manage their microservices and to keep pace with the expansion of the cloud into hybrid and multi-cloud deployments.
If you’d like to find out more about API-based security posture assessments or how observability can be used to boost your visibility of the cloud and create continuous awareness, contact us today at firstname.lastname@example.org or on 0330 128 9180.