Automating Threat Mapping for Multicloud Environments

As enterprises adopt microservices and cloud-based architectures, they are gradually moving from single-cloud deployments to multi-cloud deployments involving a mixture of private and public cloud platforms. Multi-cloud deployments will accelerate in future because of the many benefits they offer. We observed that many of our large customers are using multiple public cloud providers for various reasons:

  • Reliability: Deploying on multiple public clouds reduces the risk of downtime and service failure.
  • Platform-specific functionality/capability: Customers use particular cloud providers for specific needs. For example, some prefer Google Cloud for AI/ML tasks and Azure for Windows functionality, while they might prefer AWS for serverless functionality.
  • Reduced dependency: Adopting a multi-cloud strategy helps customers reduce their dependency on a particular cloud infrastructure and avoids vendor lock-in in future.
  • Cost: Depending on their infrastructure needs, some cloud services are cheaper for customers.

While there are many advantages of hybrid and multi-cloud deployment, it also complicates monitoring and securing your infrastructure for various reasons as described below.

  • Cross-cloud visibility: The built-in tools provided by cloud service providers naturally work only for that particular provider. There is a lack of open/free cross-cloud tooling for visibility.
  • Increased attack surface: Multi-cloud deployments use a diverse set of services and libraries, resulting in an increased attack surface. Multiple endpoints further exacerbate this problem.
  • Integrity monitoring: The monitoring tools provided by CSPs are specific to those CSPs and output logs in different, inconsistent formats. There is no uniform way to holistically monitor the integrity of the whole infrastructure.
  • Incompatibility: Non-uniform and legacy security tools no longer work across all of the existing cloud infrastructure.
  • East-west traffic explosion: Network traffic across multiple clouds can no longer be easily analysed. Cloud-specific traffic mirroring solutions solve only part of the problem. This gives rise to blind spots and lets attackers move laterally within the infrastructure without being detected.
  • Extra complexity: Multiple clouds also add complexity in the form of multiple configurations, network settings etc. which developers and security analysts have to deal with to detect and protect against attacks. As attacks get more complex and multi-stage attacks become more common, we need a standard way to visualise and monitor application infrastructure across different cloud infrastructures.
  • K8s, service meshes, serverless … : Adoption of service meshes and orchestration tools like Kubernetes further complicates visibility and hence security.

Deepfence Unifies Cloud Native Workload Protection

Deepfence uses lightweight, non-intrusive user-space sensors to address the problems listed above in multi-cloud deployments, as shown in the architecture diagram. Our community edition, ThreatMapper, addresses the first two problems, namely visibility and measuring the attack surface, whereas our Enterprise Edition also addresses the other security challenges, such as integrity monitoring, east-west traffic analysis (including visibility into encrypted traffic) and multi-stage attack prevention, in hybrid and multi-cloud architectures.

Deepfence provides both macro- and micro-level visibility, down to process-level details, and consolidates all the available information into a uniform, centralised view for holistically managing all your security needs, in contrast to the piecemeal solutions available today. Our last few articles focused on integrating the three most popular cloud platforms today: AWS, Azure and Google Cloud. We also described how to manage your vulnerabilities using ThreatMapper and how to integrate the results with popular SIEM tools.

Topology Visualization

Deepfence Runtime APIs

Deepfence Runtime APIs abstract away all the cloud provider, Kubernetes, service mesh and container runtime specific details from users. Think of this as one uniform API to visualise, manage and control the security aspects of services running anywhere, i.e. managed pure greenfield container deployments or a mix of containers, VMs and serverless platforms on Azure, AWS and Google Cloud.

Our set of APIs enables users to automate their security analysis and response process, such as vulnerability scanning, as well as to retrieve, delete and compare the vulnerabilities found.

This example Python script shows how some of these APIs work to authenticate, enumerate the hosts and start vulnerability scans on a subset of nodes.

Essentially, you can use the runtime API to stream your multi-cloud infrastructure over a WebSocket, programmatically consume every change happening across your infrastructure and take actions such as scanning a new pod that came online or scanning a group of recently provisioned VMs, down to the level of a process or an individual connection.
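The consumer side of that workflow, as an added illustration that is not the post's script nor Deepfence's API: a small scheduler that reads a stream of topology change events, keeps an inventory, and decides which newly seen nodes in a chosen subset (by cloud provider and label) should be scanned, rescanning a node that disappears and reappears. The event shape, the `ScanScheduler` class and the `start_scan` callback are assumptions; the sample events below are constructed and stand in for the WebSocket feed.

```python
import json
from dataclasses import dataclass, field

# Constructed sample of topology change events standing in for the WebSocket
# stream. The field names are an assumption, not Deepfence's actual schema.
SAMPLE_EVENTS = [
    {"op": "add", "id": "host-1", "type": "host", "cloud": "aws", "labels": {"env": "prod"}},
    {"op": "add", "id": "pod-7", "type": "pod", "cloud": "gcp", "labels": {"env": "prod", "app": "api"}},
    {"op": "add", "id": "host-2", "type": "host", "cloud": "azure", "labels": {"env": "dev"}},
    {"op": "remove", "id": "pod-7"},
    {"op": "add", "id": "pod-7", "type": "pod", "cloud": "gcp", "labels": {"env": "prod", "app": "api"}},
    {"op": "add", "id": "host-1", "type": "host", "cloud": "aws", "labels": {"env": "prod"}},
]

@dataclass
class ScanScheduler:
    """Hypothetical scheduler: tracks inventory and picks nodes to scan."""
    wanted_clouds: frozenset          # subset of providers we are responsible for
    wanted_labels: dict               # every label here must match on the node
    inventory: dict = field(default_factory=dict)
    scanned: set = field(default_factory=set)

    def _matches(self, node):
        if node["cloud"] not in self.wanted_clouds:
            return False
        return all(node["labels"].get(k) == v for k, v in self.wanted_labels.items())

    def handle(self, event):
        """Apply one change event; return the node id to scan, or None."""
        if event["op"] == "remove":
            self.inventory.pop(event["id"], None)
            # A pod that is recreated may run a different image, so forget
            # the old scan and let the next "add" trigger a fresh one.
            self.scanned.discard(event["id"])
            return None
        self.inventory[event["id"]] = event
        if event["id"] in self.scanned or not self._matches(event):
            return None
        self.scanned.add(event["id"])
        return event["id"]

def run(events, scheduler, start_scan):
    """Feed raw (dict or JSON string) events through the scheduler."""
    started = []
    for raw in events:
        ev = json.loads(raw) if isinstance(raw, str) else raw
        target = scheduler.handle(ev)
        if target:
            start_scan(target)   # in a real setup: call the scan-start API
            started.append(target)
    return started

if __name__ == "__main__":
    sched = ScanScheduler(frozenset({"aws", "gcp"}), {"env": "prod"})
    print(run(SAMPLE_EVENTS, sched, lambda n: print("scan", n)))
```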
