Why End-to-End Visibility Is Critical To Secure Your Apps In A Serverless World
One of the universal truths in technology is that security always lags behind innovation. Companies must move quickly as they seek to innovate, increase efficiencies and be disruptive in ever-crowded markets. Living on the bleeding edge means you will get a few cuts, but the risk of not adopting new technologies is greater than those of a few system failures or breaches. One challenge is that it is often not apparent what new risks exist until boundaries are pushed. Take the modern automobile as a real-world example. The earliest horseless carriages had no concept or need for seat restraints. As vehicle speeds increased, seatbelts were needed. As injuries climbed, safety started catching up to the risks with the invention of airbags, followed by collision warning systems, modern autonomous emergency braking and self-driving cars.
Where we’re going, we don’t need roads
With the breakneck speed of the cloud, virtual injuries are all too frequent. The new way of operating in the cloud is pushing the enterprise to its limits. Where we once focused our security efforts on securing single monolithic applications and servers, the new modern app is spread across containers, microservices, and different cloud providers. Nearly everything is provided to the enterprise “as a Service” by vendors. From IaaS, PaaS, and FaaS, to NaaS and SaaS, pick a letter and there probably is a corresponding cloud vendor offering a matching service. As these cloud compute resources become more distributed and abstracted, it’s simply too much for humans to operate and maintain. Thus, developers have responded with an “everything as code” approach, combining rich APIs with scripts and configurations. This approach treats infrastructure, operations, configuration management and security as “code,” all driving towards more automation, scale and resiliency. But the adage, “with great power comes great responsibility” is very appropriate in this age of cloud computing.
This everything-as-code approach is the root of modern observability, which has grown from traditional simple log monitoring, application performance monitoring (APM), and infrastructure metrics to redefine how developers write applications from an observability design approach. The observability driven design framework helps developers understand and articulate operational and security use cases into the functional and non-functional requirements during design and exploration. This leads developers to develop applications with the highest compatibility with other frameworks, such as GitOps and zero trust, and service the analytical needs of all stakeholders across IT and business. This naturally evolves to optimize the architecture of telemetry pipelines and control planes for automation. Such that modern services and infrastructure are written to integrate with widely adopted and standards-based declarative telemetry pipelines (CNCF landscape, OpenTelemetry) and automation control planes (Sensu), which unlock the organization’s ability to accelerate AIOps and digital transformation.
How do we secure applications and data spread across so many cloud services in an environment where developers have been empowered to spin up new resources and deploy new code faster than their defenders can adapt? It’s like trying to navigate in a world where roads reroute themselves and maps are redrawn by the minute. With all the changes brought by this digital transformation, it’s critical that companies continue to consider the security implications of this evolution and retool to secure this new serverless world.
A novel threat to serverless apps
Recently, Cado Labs discovered the first malware specifically targeting the AWS Lambda service. AWS Lambda is an event-driven, serverless computing service that can perform any defined computing task, from serving web pages to processing data to calling other APIs or interacting with various AWS services. Cado named this new variant of malware “Denonia.” They described the following challenge of securing such functions: “Short runtime durations, the sheer volume of executions, and the dynamic and ephemeral nature of Lambda functions can make it difficult to detect, investigate and respond to a potential compromise. Under the AWS Shared Responsibility Model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves. [Denonia] demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks.” [Muir, Matt. “Cado Discovers Denonia: The First Malware Specifically Targeting Lambda.” The Cado Blog. Cado Security, April 6, 2022]
Modern security for modern apps
Sumo Logic has been operating and helping customers navigate these challenges for over twelve years. What started as a small team of machine data nerds has evolved. The fledgling idea to leverage the cloud to empower businesses with real-time analytics delivered as a service is now an advanced cloud-native platform that provides observability, security and automation to almost every aspect of cloud computing. Key to our driving mission is the democratization of data and telemetry across ITOps, DevOps, and SecOps, and to “bring light to dark” with our cloud analytics and cloud security data lake. We believe only reliable information and context can produce better decisions and remove uncertainty. To get there, we’ve built one platform for application reliability and security delivered and consumed as a secure SaaS.
With new threats like Denonia, it’s imperative that organizations have a platform that correlates the many different services and streams of machine data generated by the modern IT stack. For AWS, this means seamless integration with AWS CloudTrail, CloudWatch, VPC Flow, GuardDuty and SecurityHub—to name a few. Security and development teams can leverage Sumo Logic’s unified platform to achieve real DevSecOps in order to “shift left” and improve their security posture. It’s agile enough to track changes in configurations and services without requiring hours of manual tracing and discovery efforts. It triages both security and application alerts and failures into a single organization queue. This is backed by detection content updated and responsive to the changing threat landscape—perfect for threats like Denonia. Sumo Logic Cloud SIEM manages hundreds of out-of-the-box detection and correlation rules, and we update these rules globally on average twice every week. As an example, we analyzed and deployed rules for detecting exploit attempts to all of our Cloud SIEM customers within 24 hours of the public announcement of the Log4Shell vulnerability. As attackers would update the obfuscation of the JNDI string, we rapidly and continuously updated our rules to catch the additional techniques.
In the case of Denonia, its payload was designed to monetize the attack by using infected resources to run cryptomining software, sometimes referred to as crypto-jacking. But the damage could be much more serious. Organizations should ask themselves if their AWS credentials or keys were stolen, how long would it take them to identify indicators of compromise? Is there sufficient visibility into cloud services and the network traffic they generate, such as communication with the Monero server as in Denonia’s case? Would a spike in CPU and memory usage be noticed by the development team or would those outliers be lost in the metric noise? How many tools would be needed to tie together application tracing data, metric data, log data and security signals? This correlation on its own often takes time, costs money and reduces cyber resiliency. The strength of Sumo Logic’s cloud-native analytics solution is it delivers observability, tracing, SIEM and SOAR capabilities all within a single platform.
Author Chas Clawson is cloud SIEM engineer at Sumo Logic. Read more Sumo Logic guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.