The case for novelty: securing the dynamic attack surface of cloud-native applications and microservices
It’s not just software development and operations that change when moving to agile cloud-native and microservice architectures. Changing how security fits in is also key. Modern environments present a new attack surface, which is exposed primarily through networking and introduces two major new properties:
- The attack surface frequently morphs as interacting microservices get deployed and updated over time.
- The attack surface is tied to the complex programmable infrastructure of one or more cloud platforms.
This dynamic, sprawling attack surface needs to be protected continuously. This new challenge gives us the exciting opportunity to innovate and re-think security processes and technologies, from Prevention through Detection and Remediation.
[Figure: Digital controls for cybersecurity, courtesy UMass]
Prevention is about setting security-conscious best practices in development and operations. The basics are familiar, like scanning for known vulnerabilities. The bigger open issue for modern environments is to continuously ensure Least Privilege access in the face of rapid change and complexity. This bounds the blast radius of exploits. Least privilege should apply to software, infrastructure, and even operators, and encompass not only basic access but also confidentiality, integrity, and authenticity of data in-transit, at-rest, and in-use.
Today it’s too hard to reliably achieve least privilege protection. Operators face a plethora of relevant mechanisms to configure, from network infrastructure (VPNs, VPCs, NACLs, NSGs, IP subnets, peering and routing, NATs) through identity and application layers (IAM roles, credentials, client and server X.509 certs, JWT/SAML, Kerberos tickets). Linux, Windows, and container orchestrators like Kubernetes, Swarm, and Marathon provide yet more such mechanisms, each with its own model and failure modes. Getting all of this right, all the time, across every deployment change, is hard.
Regarding detection, the dynamically changing shape of the modern attack surface makes it no longer correct to naively classify behavior changes as suspicious anomalies. Frequent and significant changes in behavior are now normal and expected. Instead, we need smart visibility into system behavior.
Visibility needs to be deployment and policy-aware and must understand the environment at all levels of abstraction, from L3-L7 microservice-to-microservice flow visibility down to individual instances, containers, processes, and serverless functions. It should uncover timely security insights, and should make it easy to compare actual behavior against the behavioral boundaries described by the least privilege policy. The user experience of visibility tools must be intuitive and robust, and easily navigated for large-scale dynamic graph topologies.
Detection also requires online and offline analytics to classify measured behavior as normal, suspicious, or confirmed attack, with low false-positive and false-negative rates. Detection should leverage the dynamic capabilities of the infrastructure to turn on deeper inspection on demand wherever it is needed to delve into suspicious behavior. Ideally, detection provides meaningful diagnoses of security issues with pinpoint accuracy and correctly prescribed remedies.
Remediation, too, can change in novel ways to better fit the new attack surface of cloud-native microservice environments. Interactions between microservices could be intelligently filtered and rate limited, and quarantined when necessary, all without the need for dedicated security appliances. In addition, public clouds make unique remedies possible. For example, some denial of service attacks can be averted simply by discarding public IP addresses and allocating random new ones; this only helps when the attack is pinned to the address rather than to a DNS name the attacker can re-resolve, and the new address still has to reach legitimate clients.
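As an added example, not Banyan’s code or product, the following Python sketches how the detection and remediation ideas above fit together: observed microservice-to-microservice flows are compared against a least-privilege allowlist instead of against “what happened yesterday”, so a flow that appears after a new rollout is normal as soon as the policy reflects the deployment, while a known workload stepping outside its allowed set escalates from alert to rate limit to quarantine, and traffic from a source that is not a deployed workload is quarantined outright. The service names, ports, inventory, thresholds, the escalation heuristic and the flow sample are all constructed for the example.

```python
# Added example (not Banyan's code): classify observed microservice-to-microservice
# flows against a least-privilege allowlist and decide a per-source remediation.
# All service names, ports, flows and thresholds below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # workload name, or an address when the source is not a known workload
    dst: str
    port: int
    proto: str


class FlowPolicy:
    """Least-privilege policy: the set of (src, dst, port, proto) flows that are
    allowed, plus the inventory of workloads currently deployed. In a real system
    both would be derived from deployment manifests and refreshed on every rollout
    (assumption); here they are plain sets."""

    def __init__(self, inventory, allowed):
        self.inventory = set(inventory)
        self.allowed = set(allowed)

    def classify(self, flow):
        """Return 'normal', 'policy-violation' or 'unknown-source'."""
        if (flow.src, flow.dst, flow.port, flow.proto) in self.allowed:
            return "normal"
        if flow.src in self.inventory:
            return "policy-violation"   # deployed workload outside its allowed set
        return "unknown-source"         # not a deployed workload at all


class Remediator:
    """Escalating per-source response: alert, then rate limit, then quarantine.
    Thresholds and the escalation rule are illustrative assumptions."""

    def __init__(self, rate_limit_after=3, quarantine_after=5):
        self.rate_limit_after = rate_limit_after
        self.quarantine_after = quarantine_after
        self.violations = defaultdict(int)
        self.quarantined = set()

    def decide(self, flow, verdict):
        if flow.src in self.quarantined:
            return "drop"               # a quarantined source gets nothing through
        if verdict == "normal":
            return "allow"
        if verdict == "unknown-source":
            self.quarantined.add(flow.src)
            return "quarantine"         # no deployed workload should look like this
        self.violations[flow.src] += 1
        count = self.violations[flow.src]
        if count >= self.quarantine_after:
            self.quarantined.add(flow.src)
            return "quarantine"
        if count >= self.rate_limit_after:
            return "rate-limit"
        return "alert"


def process(flows, policy, remediator):
    """Run each observed flow through classification and remediation, in order."""
    results = []
    for flow in flows:
        verdict = policy.classify(flow)
        results.append((flow, verdict, remediator.decide(flow, verdict)))
    return results


# Constructed deployment inventory and allowlist.
INVENTORY = {"frontend", "api", "auth", "orders-db", "recommendations"}
ALLOWED = {
    ("frontend", "api", 8443, "tcp"),
    ("api", "auth", 8443, "tcp"),
    ("api", "orders-db", 5432, "tcp"),
}

# Constructed sample of observed flows, in arrival order.
OBSERVED = [
    Flow("frontend", "api", 8443, "tcp"),
    Flow("api", "orders-db", 5432, "tcp"),
    Flow("api", "recommendations", 8443, "tcp"),  # new dependency from a fresh rollout
    Flow("frontend", "orders-db", 5432, "tcp"),   # frontend reaching the database directly
    Flow("frontend", "orders-db", 5432, "tcp"),
    Flow("frontend", "orders-db", 5432, "tcp"),
    Flow("10.0.9.77", "orders-db", 5432, "tcp"),  # source is not a deployed workload
    Flow("10.0.9.77", "auth", 8443, "tcp"),
]


def demo(policy_updated=False):
    """Return (verdict, action) per observed flow. With policy_updated=True the
    allowlist already reflects the rollout that added api -> recommendations."""
    policy = FlowPolicy(INVENTORY, ALLOWED)
    if policy_updated:
        policy.allowed.add(("api", "recommendations", 8443, "tcp"))
    return [(verdict, action) for _, verdict, action in process(OBSERVED, policy, Remediator())]


if __name__ == "__main__":
    for (flow, _, _), (verdict, action) in zip(process(OBSERVED, FlowPolicy(INVENTORY, ALLOWED), Remediator()), demo()):
        print(f"{flow.src:>10} -> {flow.dst}:{flow.port}/{flow.proto}  {verdict:<16} {action}")
```

The point of the design is that the reference for “normal” is the policy derived from the deployment, not a statistical baseline: when the rollout that introduced api -> recommendations also updates the allowlist, the same flow goes from an alert to allowed with no anomaly learning in between, which is exactly the behavior change the text says must stop being treated as suspicious.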
At Banyan, we’re making such security innovations real and practical. Our goal is to bring together people, processes, and technologies to engineer novel solutions for this dynamic, sprawling attack surface by leveraging the new capabilities of modern, software programmable infrastructures.
We’ve launched an initial version of the Banyan security platform with early adopters, and you can sign up here for early access. We’d love to work with you to tailor our solution to your specific use cases.