Cloud-native architectures help businesses reduce application development time and increase agility, at a lower cost. Although flexibility and portability are key drivers for adoption, a cloud-native structure brings with it a new challenge: managing security and performance at scale.
Challenges in the Cloud
The nature of containers and microservices makes it harder to protect them in these ways:
1. They have a dissolved perimeter, meaning that once a traditional perimeter is breached, lateral movement of attacks (such as malware or ransomware) often goes undetected across data centers and/or cloud environments.
2. With a DevOps mindset, developers are continuously building, pushing, and pulling images from various registries, leaving the door open for various exposures, whether they are operating system vulnerabilities, package vulnerabilities, misconfigurations, or exposed secrets.
3. The ephemeral and opaque nature of containers leaves a massive amount of data in its wake, making visibility into the risk and security posture of the containerized environment extremely complicated. Sorting through interconnected data from thousands of services across millions of short-lived containers to understand a specific security or compliance violation in time is akin to finding a needle in a haystack.
4. With increased development speeds, security is being pushed later in the development cycle. Developers are failing to bake security in early, opting instead to add it on at the end, and ultimately, they are increasing the chance of potential exposures in the infrastructure.
With tight budgets and the pressure to constantly innovate, machine learning (ML) and AIOps — that is, artificial intelligence for IT operations — are increasingly being built into security vendor road maps because it is the most realistic solution to decrease the burden on security professionals in modern architectures, at least at this point.
What Makes ML a Good Fit?
As containers are constantly being spun up and down on demand, there is no margin of error for security. An attacker has to be successful just once, and this is much easier in a cloud-native environment that is constantly evolving, especially as security struggles to keep up. This means runtime environments can now be compromised due to insider hacks, policy misconfigurations, zero-day threats, and/or external attacks.
It is hard for a resource-starved security team to manually secure against these threats, at scale, in this dynamic environment. It may take hours or days before a security profile is adjusted, which is plenty of time for a hacker to exploit this window of opportunity.
Over the last few decades, we have witnessed tremendous progress in ML algorithms and techniques. It has now become possible for individuals who do not necessarily have a statistical background to take models and apply them to various problems.
Containers are a good fit for supervised learning models for the following reasons:
1. Containers have minimal surface area: Because containers are fundamentally designed for modular tasks and have smaller footprints, it is easier to define baseline activity inside and decide what is normal versus abnormal. In a virtual machine, there could be hundreds of binaries and processes running, but in a container, the number is far less.
2. Containers are declarative: Instead of looking at a random manifest, DevOps teams can look at the daemon and container environment to understand exactly what that specific container would be allowed to do at runtime.
3. Containers are immutable: The immutability factor serves as a theoretical guardrail to prevent changes at runtime. For example, if a container starts running netcat all of a sudden, that could be an indicator of a potential compromise.
Given these characteristics, ML models can learn from the behavior, enabling them to be more accurate when creating runtime profiles that assess what should be allowed versus not. By letting machines define pinpointed profiles and automatically spotting indicators of potential threat, it improves detection. This also alleviates some of the burnout among members of the security operations center team because they don't have to manually create specific rules for their different container environments, which helps them focus on the response and remediation rather than manual detection.
In this new world, security has to keep up with the ever-changing technology landscape. Teams must equip their cloud-native security tools to cut through noise and distractions, and find the insight they are looking for and need. Without ML, security teams find themselves stuck on details that don't matter and missing what does.