Executive summary

Cloud deployments are essential to most modern enterprises, whether that means migrating all operations to a virtual private cloud (VPC), utilizing public cloud infrastructure or maintaining some type of hybrid environment of public and private functionality. Whatever the configuration, the organization must balance the demand for speed, efficiency and robust connectivity against a security infrastructure that protects every network component from threats and misuse. Network security is essential no matter what type of network the enterprise maintains.

However, there are important differences between the task of securing a traditional, on-premises network and any version of a cloud network. Cloud network security presents a distinct set of challenges and capabilities; maintaining security in hybrid environments presents additional difficulties.

Cloud service providers (CSPs) maintain the physical security and much of the networking infrastructure for their private and public cloud customers. The cloud also includes security groups and prevention tools, such as next generation firewalls, as well as flow logs that provide some visibility into workflows, applications, container orchestration and identity and privileges.

However, as organizations seek more robust and mature cloud security solutions, they are finding it necessary to expand their approach beyond prevention and gain a more comprehensive view of cloud workflow patterns. Security teams see the need to augment tools with monitoring and contextual network evidence that provide a comprehensive view into complex and rapidly changing cloud environments.

Cloud network security presents a distinct set of challenges and requirements, and there are additional challenges that come with monitoring hybrid environments. To achieve the visibility that enables comprehensive network monitoring and threat hunting, SOCs need security solutions that incorporate cloud-specific functionality as well as mechanisms for capturing and analyzing network traffic in any type of security deployment.

Advanced network monitoring solutions, such as best-in-class network detection and response (NDR) platforms, incorporate cloud-specific functionality, and can help SOCs achieve a unified view of their organization’s network infrastructure.

Why is cloud network security important?

As cloud environments evolve, security teams have been able to assess the capabilities of virtual private cloud (VPC) data sources and security groups implemented by service providers. While VPC logs do provide insights into security, fundamentally these data sources support monitoring of performance, application-level usage and identity. While all these aspects of the cloud are related to security, they do not provide the depth and granularity needed to monitor for activity that may be related to cyber intrusions or misuse of cloud resources.

This is not to say that cloud-native tools and logs are ineffective. In addition to supporting DevOps teams and IT workflows, they can provide useful context and oversight. But their value to the SOC is enhanced when they are augmented with telemetry from cloud network traffic, especially when the majority of cloud traffic runs over encrypted channels, such as VPNs.

Furthermore, attackers have become adept at exploiting cloud vulnerabilities such as misconfiguration in subnets and security groups, inadequate data controls and lack of oversight; “Cloud-conscious” intrusions that target cloud workloads increased 110% in 2023 over the year before. Vulnerabilities introduced by shadow IT and user negligence have also helped fuel the trend. Attackers are also targeting cloud environments with tactics, techniques, and procedures (TTPs) that have proved effective against prevention systems in on-premises networks.

Ultimately, one security axiom that governs on-premises networks also applies to cloud deployments: intrusion prevention is not foolproof. Malicious actors who take the time to understand the cloud, and where misuse or imperfect setup provide opportunities, will continue to breach native defenses. Network security monitoring, which supports advanced threat detection, is necessary for achieving cloud defense in depth.

How cloud network security monitoring differs from on-premises monitoring

On-premises network monitoring runs off an organization’s existing hardware and will deploy a physical TAP or SPAN port to generate copies of network traffic. To collect cloud network traffic, security teams will rely on virtual taps, packet brokers or cloud-native taps.

Overall, on-premises monitoring is harder to scale due to the physical limitations of hardware, but it is generally easier to collect relevant data in a static architecture than in cloud environments, which add native tools and workflows rapidly.

What makes cloud network security monitoring challenging?

The rate of change in cloud environments often means there is more to monitor than security teams can manage. It is difficult to maintain visibility into how the organization is using the cloud when new workflows and tools come online or offline rapidly and scale at need. To have complete visibility into how the cloud is changing and operating, security teams must be able to connect network data to the cloud control plane and data plane.

However, the cloud’s ephemeral nature creates additional challenges for network security monitoring. For example, cloud networks recycle IP addresses so frequently that connecting an address to a specific workload or orchestration tool can be a time-consuming process. Analysts must correlate data from the CSP’s control plane with feeds from the network’s data plane, unless they have access to network monitoring tools that can automate much of the process.

Trying to understand which hosts are communicating is just one aspect of the monitoring challenge. Ephemeral cloud assets can benefit users but are hard to scan from a security perspective. A landscape that changes rapidly and constantly makes it difficult for security teams to collate and evaluate relevant data and maintain a clear picture of what they’re tasked with defending.

The cloud infrastructure created by CSPs is often abstract. While the shared responsibility model designates security of that infrastructure as the provider’s responsibility, the lack of visibility into its configurations can leave SOCs boxed out of a comprehensive understanding of how the cloud network is operating. Since the major CSPs deploy different tools and configurations, SOCs may struggle to visualize the network traffic in multi-cloud environments or develop best practices for usage and monitoring.

While cloud networks generate an abundance of logs, keeping track of all the incoming data, and prioritizing the most important logs, can be difficult for SOCs that do not have access to tools that automatically control log data. The quality of network data can be swamped by an excessive quantity of data and alerts that lack context.

Why is cloud network threat intelligence important?

As security teams adapt to the cloud and become aware of cloud-specific cyber threats, there is a clearer case for focusing on threat hunting and incident response as well as intrusion prevention. Given the challenges of configuration and over-relying on shallow VPC logs, SOCs need a reserve of threat intelligence to anticipate and hunt for evidence of intrusions and deliberate misuse within cloud environments.

Platforms that can extract richer network metadata and pair it with current threat intelligence can give security teams the means to understand cloud attack patterns and search for indicators across the cyber kill chain. Attacks that can be mapped to the MITRE ATT&CK cloud matrix can be detected at phases such as lateral movement, command and control (e.g., via tunneling or DGA) and data exfiltration.
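The command-and-control detection mentioned above (DGA-style beaconing) is one place where network metadata gives the SOC more than a flow log can. The following is an added example, not Corelight or Zeek code: it scores the registrable label of each DNS query by length and Shannon entropy and flags sources that receive repeated NXDOMAIN answers for high-entropy names, which is a common pattern when malware walks a list of generated domains. The log lines are constructed in Zeek's JSON dns.log layout (the `ts`, `id.orig_h`, `query`, `qtype_name` and `rcode_name` fields are standard Zeek names); the thresholds are assumptions a team would tune to its own environment.

```python
"""Flag DNS clients that repeatedly look up DGA-like names that do not resolve.
Added illustration (not Corelight/Zeek code). Log lines below are constructed."""
import json
import math
from collections import Counter, defaultdict

# Constructed Zeek-style JSON dns.log records: one host churns through
# generated names (NXDOMAIN), another has a single miss, plus benign noise.
DNS_LOG = """
{"ts":1700000001.0,"uid":"Cd1","id.orig_h":"10.0.1.5","query":"xk3q9zrtbw2l.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000002.0,"uid":"Cd2","id.orig_h":"10.0.1.5","query":"m7pvc4yhdjqa.net","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000003.0,"uid":"Cd3","id.orig_h":"10.0.1.5","query":"z2wfrk8nbjyx.org","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000004.0,"uid":"Cd4","id.orig_h":"10.0.1.5","query":"corelight.com","qtype_name":"A","rcode_name":"NOERROR"}
{"ts":1700000005.0,"uid":"Cd5","id.orig_h":"10.0.1.6","query":"q5tgnhy8wscx.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000006.0,"uid":"Cd6","id.orig_h":"10.0.1.6","query":"gooogle.com","qtype_name":"A","rcode_name":"NXDOMAIN"}
{"ts":1700000007.0,"uid":"Cd7","id.orig_h":"10.0.1.7","query":"d1a2b3c4e5f6.cloudfront.net","qtype_name":"A","rcode_name":"NOERROR"}
""".strip()


def registrable_label(query):
    """Return the label left of the TLD. Assumption: single-label TLDs only;
    a production version would consult the public suffix list."""
    parts = query.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of the string (0 for empty/uniform)."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_like(label, min_len=10, min_entropy=3.5):
    """Heuristic: long labels with near-uniform character distribution.
    Thresholds are assumptions, not vendor-published values."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspicious_sources(log_text, min_hits=3):
    """Map each client IP to the DGA-like names it failed to resolve, keeping
    only clients with at least min_hits such failures (reduces typo noise)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only count non-resolving names: a generated domain that resolves
        # is usually the live C2 and merits a different, higher-priority rule.
        if rec.get("rcode_name") != "NXDOMAIN":
            continue
        if dga_like(registrable_label(rec["query"])):
            hits[rec["id.orig_h"]].append(rec["query"])
    return {host: names for host, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for host, names in suspicious_sources(DNS_LOG).items():
        print(f"{host}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

The NXDOMAIN filter is the key design choice: a single high-entropy hostname is common in CDN and telemetry traffic, but a client that fails to resolve several of them in a short window is worth an analyst's attention. Pairing the flagged host with the connection attribution described later on this page is what turns the alert into a lead.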

What are key features of a cloud network security solution?

Cloud network configuration best practices will vary from organization to organization, and depend on what types of services and tools they need and what CSPs (and how many) provide infrastructure. That said, there are guidelines regarding functionality that can be applied to most cloud network security solutions.

  • Deployment that is suited to cloud infrastructure. The network security solution should be based on cloud formation templates that simplify setup, deployment and configuration of network sensors and integration with cloud taps or packet brokers. The solution should be easily extensible, since cloud environments are frequently adding or removing tools and services. A dynamic environment requires monitoring capabilities that are correspondingly adaptable and scalable.
  • Agnostic technology. Cloud infrastructure is based on a wide variety of traffic sources, orchestration tools, encryption protocols, security groups and firewalls, service meshes, cloud-native security tools and data storage solutions. Security and monitoring platforms that are highly adaptable and configurable to multiple layers of cloud infrastructure streamline deployment and help to close visibility gaps.
  • Quality evidence and context. Increasing the number of alerts does not benefit most SOCs; most are already combatting alert fatigue. What the cloud network security solution should generate is contextualized, correlated data that helps the SOC write new detection rules or conduct investigations into what cloud services are set up, which are communicating, and which tools are in use. The solution should streamline data collection from cloud systems and automatically generate logs that go deeper into the traffic than VPC flow logs.
  • Detections and collections based on current threat intelligence. Cloud-based attacks designed to bypass security groups and evade flow logs leave behind evidence on the wire. A cloud network security monitoring platform should map cutting-edge intelligence to threat investigations and traffic analysis.

How network detection and response supports cloud network security

Network detection and response (NDR) is a platform originally developed for monitoring on-premises physical environments. As cloud deployments became common, NDR architects began to tackle the distinct challenges related to monitoring virtual networks and workflows. Today, most NDR platforms deploy in complex environments that include on-premises (physical and cloud), hybrid and multi-cloud networks.

An NDR platform can provide a comprehensive view of an organization’s network, and capture rich telemetry that goes deeper and wider than cloud-native security tools, particularly in hybrid environments. It can provide a far more detailed picture of the network layer and connections to applications, services and endpoints.

Many NDR products incorporate intrusion detection systems (IDS) or similar functionality, including signature-based and anomaly-based detections that match suspicious traffic against known attack patterns. Additionally, they are helpful to skilled analysts engaged in cyber threat hunting, incident response and forensic investigations.

How Corelight’s Open NDR enhances cloud network security

Corelight’s Open NDR is a force multiplier platform that enriches cloud-based security tools, endpoint detection solutions and data aggregation by capturing, analyzing and contextualizing essential network telemetry.

Leveraging the open-source Zeek® network monitoring platform, Corelight helps its customers harvest rich insights from their cloud network data that exist beyond CSPs’ native security tools. Zeek’s conn.log provides essential data about every network connection; enriching it with CSP control plane data dramatically reduces the time and effort SOCs spend correlating telemetry, especially in multi-cloud deployments.
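The correlation problem raised earlier (recycled IP addresses that must be tied back to a workload through the CSP control plane) and the conn.log enrichment just described come down to the same join. The following added example, which is not Corelight's code, shows that join in its simplest form: each conn.log endpoint is matched against a time-bounded inventory of which instance held which private IP, so the connection's timestamp picks the right owner even after the address has been reassigned. The `Lease` schema, instance IDs and tags are assumptions modelled on what a describe-instances style control plane call returns; the conn.log fields are standard Zeek names and the log lines are constructed.

```python
"""Attribute Zeek conn.log records to cloud workloads via control-plane inventory.
Added illustration (not Corelight/Zeek code); inventory schema is an assumption."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lease:
    """One period during which a private IP was bound to an instance."""
    ip: str
    instance_id: str       # hypothetical identifier
    tags: dict             # hypothetical role/env tags from the control plane
    start: float           # epoch seconds the binding began
    end: Optional[float]   # None means the binding is still current


# Constructed inventory: 10.0.1.5 is released by a prod web node and
# reassigned, 100 seconds later, to a dev batch worker.
INVENTORY = [
    Lease("10.0.1.5", "i-0aaa-constructed", {"role": "web", "env": "prod"}, 1700000000.0, 1700003600.0),
    Lease("10.0.1.5", "i-0bbb-constructed", {"role": "batch", "env": "dev"}, 1700003700.0, None),
    Lease("10.0.2.9", "i-0ccc-constructed", {"role": "db", "env": "prod"}, 1699990000.0, None),
]

# Constructed conn.log lines in Zeek's JSON output format. The third record
# falls in the gap between the two leases of 10.0.1.5 and must stay unattributed.
CONN_LOG = """
{"ts":1700001000.1,"uid":"CabcA1","id.orig_h":"10.0.1.5","id.orig_p":50123,"id.resp_h":"10.0.2.9","id.resp_p":5432,"proto":"tcp","service":"postgresql","duration":2.5,"orig_bytes":900,"resp_bytes":12000,"conn_state":"SF"}
{"ts":1700005000.2,"uid":"CabcA2","id.orig_h":"10.0.1.5","id.orig_p":50200,"id.resp_h":"10.0.2.9","id.resp_p":5432,"proto":"tcp","service":"postgresql","duration":30.0,"orig_bytes":50000,"resp_bytes":2000,"conn_state":"SF"}
{"ts":1700003650.0,"uid":"CabcA3","id.orig_h":"10.0.1.5","id.orig_p":50300,"id.resp_h":"10.0.2.9","id.resp_p":5432,"proto":"tcp","service":"-","duration":0.1,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
""".strip()


def lease_at(ip, ts, inventory=INVENTORY):
    """Return the lease that held `ip` at time `ts`, or None if no record covers it."""
    for lease in inventory:
        if lease.ip == ip and lease.start <= ts and (lease.end is None or ts <= lease.end):
            return lease
    return None


def enrich(line, inventory=INVENTORY):
    """Add orig_/resp_ instance, role and env fields to one conn.log record."""
    rec = json.loads(line)
    for side in ("orig", "resp"):
        lease = lease_at(rec[f"id.{side}_h"], rec["ts"], inventory)
        rec[f"{side}_instance"] = lease.instance_id if lease else None
        rec[f"{side}_role"] = lease.tags.get("role") if lease else None
        rec[f"{side}_env"] = lease.tags.get("env") if lease else None
    return rec


def enrich_log(text, inventory=INVENTORY):
    return [enrich(line, inventory) for line in text.splitlines() if line.strip()]


def cross_env_connections(records):
    """UIDs of connections whose two attributed ends sit in different environments,
    e.g. a dev workload reaching a prod database."""
    return [r["uid"] for r in records
            if r["orig_env"] and r["resp_env"] and r["orig_env"] != r["resp_env"]]


def unattributed(records):
    """UIDs where at least one private end could not be tied to a workload."""
    return [r["uid"] for r in records if r["orig_instance"] is None or r["resp_instance"] is None]


if __name__ == "__main__":
    recs = enrich_log(CONN_LOG)
    for r in recs:
        print(r["uid"], r["orig_instance"], "->", r["resp_instance"], r["service"])
    print("cross-env:", cross_env_connections(recs))
    print("unattributed:", unattributed(recs))
```

Two details matter in practice. Lease boundaries must be closed on both ends, otherwise the first connection after a reassignment is blamed on the previous owner; and an unattributed private address is itself a finding, since it means either the inventory snapshot is stale or something is on the network that the control plane does not know about.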

Corelight’s Open NDR bolsters cloud network security through a broad array of threat intelligence and insights into traffic, including:

  • Encrypted Traffic Collection. Most cloud traffic (including attacker traffic) is now encrypted. Rather than depending on decryption, which can be impractical for privacy reasons as well as expensive, Corelight’s platform includes an Encrypted Traffic Collection (ETC) that bundles observable traffic data, such as timestamps and packet sizes, with protocol data and behavior. ETC includes collections for VPN, SSH, RDP and other encrypted connections.
  • Entity Collections.
  • Advanced analytics and threat intelligence. The Corelight platform leverages the open-source community, proprietary data and MITRE ATT&CK navigation to provide SOCs with rich analytics into tactics, techniques and procedures observed on cloud and on-premises networks. Threat detections include insights into C2, data exfiltration and lateral movement, and specific exploits and tooling, such as Log4Shell and Cobalt Strike.
  • AI and ML-driven alerting. The platform leverages large language models and other tools to synthesize alert data, summarize findings and suggest next steps.
  • Comprehensive oversight of hybrid networks. Corelight’s cloud sensors map to AWS, Google and Azure. The platform seamlessly integrates data from cloud and on-premises networks, giving organizations with complex networking the underlying connectivity and visibility SOCs need to stay alert to emerging threats.

Summary: Network security is the backbone of cloud security

Strong cloud network security is the key to defense in depth. NDR and other network-centric security tools bolster the performance of cloud-native security solutions, and best-in-class platforms can scale as needed in cloud deployments.

Rather than a replacement or competitor, NDR is a force multiplier in cloud environments. It provides the SOC with ground truth of cloud network activity, and allows defenders to look beyond VPC flow logs to uncover evidence of stealthy cloud attacks that evade preventative tools.

Learn more about how Corelight’s cloud security solutions can deliver unified visibility into your organization’s networks.
