Endpoint Protection for Cloud-Native Workloads
Endpoint protection is the practice of deploying security systems on endpoints such as servers, workstations and mobile devices used to connect to corporate networks. The purpose of these systems is to detect, prevent and actively mitigate threats on endpoints.
Endpoint protection solutions can protect endpoints from a range of severe threats including accidental data exposure, malicious data exfiltration, malware such as trojans and rootkits, ransomware, unauthorized access and more.
Legacy antivirus solutions alone cannot stop targeted attacks, advanced persistent threats (APTs), or unknown and zero-day threats. Endpoint protection platforms include legacy antivirus but add multiple additional layers of security to secure endpoints and the data they hold. Modern endpoint protection solutions are cloud-based, providing a central security console that controls agents deployed on individual endpoints.
There is growing interest in a new paradigm that is considered the evolution of endpoint security: Extended detection and response (XDR) is a cross-layer detection and response technology that collects and correlates information not only from endpoints but also from email systems, applications, servers, networks and the cloud.
This comprehensive approach provides greater insight into an organization’s technology landscape and enables security teams to more effectively and successfully identify, investigate and respond to threats. This makes XDR uniquely suited to the challenges of cloud-native security.
Endpoint Protection for Containers
Containers are, in essence, a new type of endpoint. Because container environments are so dynamic, container security must be continuous, automated and fully integrated into the development process and the underlying infrastructure, most commonly Kubernetes.
Container security needs to protect all attack surfaces of the containerized environment—protect the build pipeline against unsafe container images, defend container hosts against vulnerabilities and identify runtime security issues in containers.
XDR can help by collecting data from the environment based on attributes like cluster, node, deployment type, pod name, container image and container ID. It can perform behavioral analysis along all these dimensions, helping teams understand the impact of threats on a Kubernetes environment.
XDR is particularly well-suited for containerized environments because it can combine data from different IT systems and security tools into a coherent attack story. Kubernetes clusters produce different operational metrics than traditional environments and are supported by cloud-native monitoring tools like Prometheus.
XDR can understand these metrics and combine them with data from endpoints, networks and cloud resources. This allows teams to quickly investigate container security incidents from one interface, perform threat hunting in a Kubernetes environment and connect security incidents to network, cloud provider or endpoint-level response automation.
XDR helps uncover threats that traditional antivirus solutions cannot detect, such as unknown malware, infected container images, zero-day attacks and fileless attacks. XDR also allows you to open a remote shell to any element of your Kubernetes environment (nodes or specific containers) to investigate threats, gather forensics, contain and mitigate attacks.
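To make the correlation described above concrete, here is an added example (not code from any XDR product) that groups constructed events from three hypothetical feeds by the attributes the article names (cluster, node, deployment, pod, image, container ID), keeps only containers that more than one feed reports on, and lists other containers running the same image. The feed names, pod names, image tags and severities are all assumptions.

```python
# Added illustration, not a product's algorithm. Each event is assumed to carry
# the attributes listed in the article; a story is kept only when more than
# one feed corroborates it for the same container.
from collections import defaultdict
CONTEXT_KEYS = ("cluster", "node", "deployment", "pod", "image")

def _ev(source, cid, pod, deployment, node, image, detail, severity):
    return {"source": source, "container_id": cid, "pod": pod,
            "deployment": deployment, "node": node, "image": image,
            "cluster": "prod-eu", "detail": detail, "severity": severity}

# Constructed sample: two checkout pods share an image, the frontend pod does not.
CHECKOUT_A = ("c1a2", "checkout-7d9f-abc12", "checkout", "node-3", "registry.example/checkout:1.4.2")
CHECKOUT_B = ("f6g7", "checkout-7d9f-def34", "checkout", "node-2", "registry.example/checkout:1.4.2")
FRONTEND = ("d4e5", "frontend-5c8-xyz99", "frontend", "node-1", "registry.example/frontend:2.0.0")
SAMPLE_EVENTS = [
    _ev("image_scan", *CHECKOUT_A, "critical CVE in base image", 3),
    _ev("image_scan", *CHECKOUT_B, "critical CVE in base image", 3),
    _ev("runtime", *CHECKOUT_A, "shell spawned by non-shell parent", 5),
    _ev("network", *CHECKOUT_A, "egress to host never seen for this deployment", 4),
    _ev("runtime", *FRONTEND, "config file read", 1),
]

def build_stories(events, min_sources=2):
    """Group by container_id; keep containers seen by >= min_sources feeds.
    Score = sum of severities + 2 per extra corroborating feed, highest first."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["container_id"]].append(ev)
    stories = []
    for cid, evs in grouped.items():
        sources = sorted({ev["source"] for ev in evs})
        if len(sources) < min_sources:
            continue  # a single uncorroborated feed is noise at this threshold
        stories.append({
            "container_id": cid,
            "context": {k: evs[0][k] for k in CONTEXT_KEYS},
            "sources": sources,
            "timeline": [f'{ev["source"]}: {ev["detail"]}' for ev in evs],
            "score": sum(ev["severity"] for ev in evs) + 2 * (len(sources) - 1),
        })
    return sorted(stories, key=lambda s: s["score"], reverse=True)

def same_image_containers(events, story):
    """Other containers running the story's image: they share the image-level
    weakness even if no runtime alert has fired on them yet."""
    image, cid = story["context"]["image"], story["container_id"]
    return sorted({ev["container_id"] for ev in events
                   if ev["image"] == image and ev["container_id"] != cid})
```

Lowering min_sources to 1 surfaces the single-feed containers as well, which is how a team would widen the net during a hunt rather than in day-to-day triage.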
Endpoint Protection for Serverless
Serverless computing is a cloud model that eliminates the need to manage the infrastructure. The cloud vendor runs the server and dynamically provisions machine resources as needed. Popular serverless services include AWS Lambda Functions, Azure Functions and Google Cloud Functions.
While serverless computing offers great benefits, it also introduces security challenges, including:
- Security visibility challenges—Serverless computing increases the total amount of information and resources, negatively impacting visibility. It creates billions of logs daily—too much data to derive intelligence for true observability.
- A bigger attack surface—Each function includes protocols, vectors and attack points. As a result, the attack surface increases exponentially, multiplied by the number of functions you’re running.
- Too many permissions—Cloud-native workloads use more resources, which translates into more permissions to manage. Determining permissions for all these interactions can prove challenging.
- Observability—Serverless applications use many services from several cloud vendors, across different versions and regions. Understanding the attack surface and various potential risks requires a comprehensive view of the serverless ecosystem. However, as the application propagates, this view becomes increasingly challenging to build and maintain.
XDR can help by collecting data from serverless runtime platforms including results of security scans, invocation data, errors and distributed traces. It can perform behavioral analysis to identify suspicious activity and threats affecting serverless functions and the applications that rely on them.
Serverless systems are typically built as an event stream, with upstream services and applications delivering events, which are then processed by serverless functions and passed on to other components. XDR can collect data from all components in the event stream, correlating suspicious events and identifying threats wherever they occur.
Endpoint Protection for Virtual Machines
A virtual machine (VM) is an application environment or operating system installed on software that imitates dedicated hardware. This type of virtualization offers several security advantages compared to traditional server infrastructure, such as improved availability. It also enables you to isolate VMs from the operating system and physical hardware they run on.
Virtualization has many advantages but poses unique security risks, including:
- VM sprawl—Occurs when VMs created for certain workloads are later abandoned and spread uncontrollably. This type of unchecked proliferation can result in the compromise of VMs storing sensitive information.
- Malware and ransomware—Infected VM images and users that do not adhere to security policies can introduce malware and ransomware into VMs. Without adequate isolation and security controls, an infected VM can spread malware across an entire virtual infrastructure.
- Network configuration—Misconfigurations can allow threat actors to gain unauthorized access to a virtual environment. Common network misconfigurations include allowing file sharing between VMs and leaving unused firewall ports open.
- Hypervisor security controls—A hypervisor is an underlying technology that enables you to run virtual machines. Without proper security, it can become a single point of failure for the entire virtual infrastructure.
- Cloud service provider APIs—Organizations running a hybrid implementation that employs public and private cloud resources are exposed to intrusion attempts via cloud APIs. Cloud provider APIs aim to facilitate effective communication between a virtual environment and a cloud-hosted one. Poorly secured APIs can result in a data breach.
XDR can help by collecting data from VMs and hypervisors, including results of VM security and vulnerability scans, VM image names, network activity and resource utilization. It can perform behavioral analysis to identify unusual activity on VMs which may indicate malware deployed on the VM, unauthorized access, compromise of the VM host, or worse—compromise of the hypervisor control plane.
XDR is well-suited for virtualized environments because it can correlate data from virtualization systems like VMware with networking data collected by network analysis tools and data from endpoint protection solutions deployed directly on VMs. This allows XDR to detect threats wherever they occur in the virtualized ecosystem, both on-premises and in the cloud.
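As an added example of the behavioral analysis described above (not a product's algorithm), the following learns a per-image baseline of CPU and outbound-connection counts from constructed VM telemetry and flags a current sample that deviates from the baseline of its image. The VM names, image names and metric values are assumptions; a baseline is computed across all VMs built from the same image so that a single compromised VM cannot define its own "normal".

```python
# Added illustration, not a product's algorithm: per-image baselines over
# constructed telemetry, with a k-stdev deviation check on a current sample.
from statistics import mean, pstdev

# Constructed history: (vm, image, cpu_pct, outbound_conns) per interval.
HISTORY = [
    ("vm-01", "ubuntu-web-2204", 22, 40), ("vm-01", "ubuntu-web-2204", 25, 45),
    ("vm-02", "ubuntu-web-2204", 20, 38), ("vm-02", "ubuntu-web-2204", 27, 50),
    ("vm-03", "ubuntu-web-2204", 24, 42), ("vm-03", "ubuntu-web-2204", 23, 44),
    ("vm-10", "win-db-2019", 60, 5), ("vm-10", "win-db-2019", 65, 6),
    ("vm-11", "win-db-2019", 58, 4), ("vm-11", "win-db-2019", 62, 7),
]

def baselines(history):
    """Per image: (mean, pstdev) of each metric across every VM built from it."""
    per_image = {}
    for _, image, cpu, conns in history:
        cpus, connss = per_image.setdefault(image, ([], []))
        cpus.append(cpu)
        connss.append(conns)
    return {img: {"cpu": (mean(c), pstdev(c)), "conns": (mean(n), pstdev(n))}
            for img, (c, n) in per_image.items()}

def deviations(sample, base, k=3.0):
    """Names of metrics lying more than k stdevs from the image baseline.
    A flat history (stdev 0) falls back to a 10% tolerance around the mean;
    a VM whose image has no history at all is reported as 'no_baseline',
    since an unknown image is itself worth a look (VM sprawl, rogue image)."""
    _, image, cpu, conns = sample
    if image not in base:
        return ["no_baseline"]
    flagged = []
    for name, value in (("cpu", cpu), ("conns", conns)):
        m, sd = base[image][name]
        tol = k * sd if sd > 0 else 0.1 * m
        if abs(value - m) > tol:
            flagged.append(name)
    return flagged
```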
Conclusion
In this article, I explained the importance of endpoint security, and described how you can secure new types of endpoints prevalent in cloud-native environments with XDR:
- Endpoint security for containerized environments—XDR platforms collect granular data from the container environment including cluster, node, deployment, pod and container, combine it with security events from the rest of the environment and make it easy to identify and prioritize threats.
- Endpoint security for serverless—Serverless environments are highly distributed and have major observability challenges. XDR can collect data from all components in the event stream, correlating suspicious events and identifying threats.
- Endpoint security for VMs—XDR can collect data from VMs and hypervisors, including results of vulnerability scans, image names, network activity and resource utilization. It performs behavioral analysis to detect any unusual activity on VMs.
I hope this will be useful as you consider the endpoint dimension of your cloud-native security strategy.