Security solutions that use continuous intelligence can derive real-time insights into cloud-native app security threats.
Modern cloud-native applications are often hard to secure because of their complex nature. They are highly distributed, composed of open-source software and libraries, include numerous microservices (many of which are provided by third parties), and gain and provide easy access to data via APIs. As such, identifying cloud-native app security issues and protecting against threats is beyond the scope of traditional tools that simply monitor operations.
Some recent developments put the potential cloud-native app security problems into perspective. For example, a recent research study identified 450,000 Kubernetes API servers, of which 380,000 allowed some form of access. The researchers noted that: “While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface. They also allow for information leakage on version and builds.”
That makes cloud security all the more challenging, requiring better observability and insights into the interdependencies within cloud-native applications.
Another factor getting a lot of attention is the fact that the core open-source software and libraries used in many cloud-native applications are susceptible to attacks.
One such vulnerability was associated with the Apache Log4j software library. According to the Computer & Infrastructure Security Agency (CISA), “Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
The problem is that the software has been widely used for years and is embedded in many applications. Modern application development techniques based on microservices, APIs, and composable elements make it easy to incorporate such software into numerous applications without even knowing it, simply by re-using components that perform Log4j’s core functions. Low-code/no-code methods make using and re-using components even easier, which amplifies the problem.
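The inventory gap described above is something a defender can check directly. As an added example (not code from the original article), the Python script below walks a directory of deployed JARs, recurses into nested archives such as shaded or Spring Boot fat JARs, and reports every bundled copy of log4j-core older than an assumed 2.17.1 threshold; the JAR it scans is a constructed fixture built inline, not a real artifact.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Marker file Maven writes into log4j-core JARs; it survives shading and nesting.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed threshold: 2.17.1 closed out the December 2021 Log4j 2 fixes (assumption).
SAFE_VERSION = (2, 17, 1)

def parse_version(pom_text):
    """Return (major, minor, patch) from the version= line, or None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_jar_bytes(data, where):
    """Yield (location, version) for each log4j-core, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM:
                yield where, parse_version(zf.read(name).decode("utf-8", "replace"))
            elif name.endswith((".jar", ".war", ".ear")):
                yield from scan_jar_bytes(zf.read(name), f"{where}!{name}")

def find_vulnerable_log4j(root):
    """Walk a directory tree and return every log4j-core copy older than SAFE_VERSION."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.suffix in (".jar", ".war", ".ear") and zipfile.is_zipfile(p):
            for where, ver in scan_jar_bytes(p.read_bytes(), str(p)):
                if ver is None or ver < SAFE_VERSION:  # unknown version is also a finding
                    hits.append((where, ver))
    return hits

def build_sample(root):
    """Constructed fixture: app.jar that ships log4j-core 2.14.1 in BOOT-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM, "artifactId=log4j-core\nversion=2.14.1\n")
    out = Path(root) / "app.jar"
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return out

def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return find_vulnerable_log4j(tmp)
```

Point `find_vulnerable_log4j` at a real deployment directory to produce the same list for your own images or hosts.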
And in April, CISA added the remote code execution (RCE) vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog. The designation was based on evidence of active exploitation.
In both cases, the vulnerabilities are in software that is very commonly used and is incorporated into a broad range of applications and services. The Spring Framework “provides a comprehensive programming and configuration model for modern Java-based enterprise applications – on any kind of deployment platform,” according to Spring. “A key element of Spring is infrastructural support at the application level: Spring focuses on the plumbing of enterprise applications so that teams can focus on application-level business logic, without unnecessary ties to specific deployment environments.”
In the case of the Spring Framework vulnerability, a newly disclosed remote code execution flaw could potentially be exploited to allow unauthenticated attackers to take control of a system. Similar to Log4j, Spring is widely used, and many organizations may not know exactly if or where it is in use.
This month, new attention was given to the leak of credentials to numerous open-source projects. Specifically, Ars Technica reported: “A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories.”
How SOAR can help with cloud-native app security
Modern cloud-native apps are becoming increasingly complex and harder to secure. Those responsible for protecting the company from cyber threats must quickly assimilate data from multiple logs, traces, and alerts from security information and event management (SIEM) systems and other security technologies. They must then quickly derive insights into looming threats in real time and instantly take action. Increasingly, the way to accomplish that is by using SOAR (security orchestration, automation, and response).
One of SOAR’s biggest strengths is its ability to apply automation to security operations (SecOps). By automating processes, SOAR frees up analysts’ time, which they could use for more strategic initiatives rather than spending it on repetitive, menial tasks. Specifically, tasks previously performed by SecOps staff, such as vulnerability scanning, log analysis, and ticket checking, can now be automatically executed by a SOAR platform. In addition, artificial intelligence (AI) and machine learning can be applied to derive insights. SOAR solutions are often used to elevate threats if human intervention is needed, make action recommendations, and automate responses. They use continuous intelligence to derive real-time insights upon which a company can base its response to a threat.
Such automation is critical today. The pace at which threats are evolving is increasing the demand for qualified security professionals. The only problem is that many companies are finding it harder and harder to adequately staff a team of cybersecurity professionals.