Data centers are the heart of many enterprises, providing scalable, reliable access to the information and applications that define the organization. As these data centers have become more valuable, so too has the job of securing and monitoring them. However, data centers come with their own unique requirements, challenges, and threats.
Yet, in many ways, data center and virtualized security has been built in the image of the traditional campus network security. The problem is that the data center is not the perimeter. While porting over the models from the perimeter may feel familiar and safe, it can lead to dangerous gaps in security.
Moving Beyond Segmentation to Cyber
Using the network perimeter as its model, the industry has sought to virtualize perimeter controls and move them into the data center. This approach began with the bedrock of perimeter security, the firewall. Initially this included simply porting traditional firewalls to run as virtual machines, and then progressed into more agent-based segmentation models that were closely integrated with the virtualization platform software itself. In both cases, the focus remained on enforcing policy within the data center.
However, creating and enforcing rules is not the same thing as catching an intruder. On the perimeter, firewalling functions are complemented with a variety of threat detection and prevention technologies such as IDS/IPS, anti-malware solutions and web filtering, just to name a few. And like their firewall brethren, many of these perimeter threat-prevention technologies have been ported over to the virtual environment.
Advanced Attacks and Mature Attacks
The problem is that data centers are not simply perimeter 2.0. A data center will often encounter an attacker at a far more mature phase of attack than the perimeter will, and likewise, will experience different types of threats and attack techniques.
Specifically, perimeter threat prevention technologies tend to be heavily focused on detecting an initial compromise or infection (e.g. exploits and malware). The problem is that attackers will often only move against the data center after they have successfully compromised the perimeter.
The attacker may have compromised multiple devices, stolen user credentials or even administrator credentials. Instead of exploits or malware, attackers are far more likely to search for clever ways to use their newly-gained position of trust to access or damage data center assets. This means that a data center will often encounter attacks in a more mature phase of attack that may lack obvious indicators of malware or exploits.
This is a prime example of where behavioral threat detection models should come into play. More than simply looking for strange or abnormal user behavior, we also must recognize the fundamental behavior of the attack tools and techniques in the hacker’s arsenal.
Compromising administrator accounts, implanting backdoors, setting up hidden tunnels and RATs are all standard operating procedure for an ongoing persistent attack. All of these techniques have telltale behaviors that can make them stand out from the normal traffic in your network, provided that you know how to look for them. In some ways you can think of it as an evolution of threat detection that focuses on recognizing malicious verbs instead of malicious nouns. Instead of looking for a specific malicious payload, you can look for what all payloads do.
Preempt the Silos
Next we must remember that attackers do not conform to our boundaries, and that attacks will often span both the campus side of a network as well as the data center. It is crucial that security teams retain full context of an attack even when it spans both environments.
For example, hidden command-and-control traffic, network reconnaissance, lateral movement, and the compromise of user and admin credentials can all precede an intrusion into the data center. Each of these phases represents an opportunity to detect an attack, and it is important for security teams to see as much of this context as possible before the attack reaches the data center.
This is why it is essential to have a unified approach to cybersecurity that spans the campus and the data center. Cyber attacks are complex, interconnected events, and treating data center security as a separate silo only helps the attackers. However, if we treat the campus and data center as the interconnected resources that they are, we can actually use the complexity of an attack to our advantage as defenders. The more steps an attack has, the more chances we have to detect and correlate them.
A user behavior anomaly in the data center is probably not enough on its own to definitively detect an attack, and chasing down every anomaly would probably be a very poor use of an analyst’s time. However, seeing that a host has shown tunneling behavior on the campus network, used knocking sequences that reveal attempts to communicate with a backdoor on a data center server, and also seems to be slowly accumulating data leads to a very definitive diagnosis.
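As an added illustration of the behavior-based correlation argued for above (the "verbs, not nouns" detection of L10–L11 and the campus-to-data-center chain in this paragraph), here is a small host-scoring example. It is not code from the original post or from any vendor product; the event records, phase names, weights and threshold are all constructed assumptions chosen to show how a lone anomaly stays below the triage line while a multi-phase, multi-environment chain on one host crosses it.

```python
from collections import defaultdict

# Constructed detection events (hypothetical sensor output, not real logs).
# Each record: the host, the environment it was seen in, the attack phase
# (behavior, not payload) and a 0-1 confidence from the detector.
EVENTS = [
    {"host": "ws-117", "env": "campus",     "phase": "hidden_tunnel",     "confidence": 0.6},
    {"host": "ws-117", "env": "datacenter", "phase": "backdoor_knock",    "confidence": 0.7},
    {"host": "ws-117", "env": "datacenter", "phase": "data_accumulation", "confidence": 0.5},
    {"host": "ws-042", "env": "datacenter", "phase": "user_anomaly",      "confidence": 0.8},
    {"host": "ws-042", "env": "datacenter", "phase": "user_anomaly",      "confidence": 0.9},
]

# Assumed weights: later kill-chain phases count for more.
PHASE_WEIGHT = {
    "user_anomaly": 1, "recon": 1, "hidden_tunnel": 2, "lateral_movement": 2,
    "credential_abuse": 3, "backdoor_knock": 3, "data_accumulation": 4,
}

def score_hosts(events):
    """Return {host: score}. Distinct phases compound; repeats of one phase do not."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    scores = {}
    for host, evs in by_host.items():
        phases = {}
        for e in evs:
            # Keep the best confidence per phase: the same anomaly firing
            # twice is noise, not escalation.
            phases[e["phase"]] = max(phases.get(e["phase"], 0.0), e["confidence"])
        base = sum(PHASE_WEIGHT.get(p, 1) * c for p, c in phases.items())
        envs = {e["env"] for e in evs}
        chain_bonus = 1.0 + 0.5 * (len(phases) - 1)  # each extra distinct phase
        env_bonus = 1.5 if len(envs) > 1 else 1.0      # chain spans campus + data center
        scores[host] = round(base * chain_bonus * env_bonus, 2)
    return scores

def triage(events, threshold=4.0):
    """Hosts whose correlated score crosses the threshold, highest first."""
    scores = score_hosts(events)
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return [host for host, value in ranked if value >= threshold]

if __name__ == "__main__":
    print(score_hosts(EVENTS))  # ws-117 far above ws-042
    print(triage(EVENTS))       # only ws-117 is worth an analyst's time
```

With these constructed inputs ws-042's repeated user anomaly scores 0.9 and never reaches the threshold, while ws-117's tunnel, knock and accumulation chain scores 15.9 and is the one host surfaced for investigation.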
All of this leads us to a point where we need to recognize the uniqueness of the data center and the threats that they face, while also recognizing that this uniqueness does not make them separate. We should look for the attack techniques that are unique to the data center, while retaining the context of everything we have learned in the campus. This can require some planning, but is very achievable.