Best Practices to protect your cloud workloads

By: Scott Holt

As security practitioners, we are often handed problems with obscure solution sets. Problems such as “make sure we are not in the headlines!”, “we need cloud security,” or the laughable goal of being unhackable get thrown around.

One thing we’ve seen plenty of is security ops scratching their heads trying to create a usable audit log for security or compliance across their Linux fleet. There are many ways to approach it, but few solid options. In this blog post, I’ll go through an ideal stack.

Linux Infrastructure Detection and Response:

Not surprisingly, we’re big fans of the emerging market of Linux Infrastructure Detection and Response (IDR) solutions. Cmd and Linux IDR solutions like our own are highly focused on workload and runtime protection. IDR throws the traditional Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) playbook out the window in favor of a solution that targets Linux more effectively, rather than playing a cat-and-mouse game of tracking every package and hoping that attackers never recompile their binaries (hint: they definitely do). It instead focuses on the bottleneck of user behavior, often incorporating frameworks such as MITRE ATT&CK.

IDR is a mix of User-behavior authentication (UBA) and EDR, with the ability to proactively block malicious actions on servers. IDR or some type of host-layer visibility should be a fundamental building block in your Linux security.

Privileged Access Management:

Whether you’re going with an older, more established Privileged Access Management (PAM) vendor or one of the newer lightweight Access Management (AM) solutions on the market, the fact remains: your organization needs to determine who has access to your infrastructure, ensure that access policy is being upheld, and provide an audit trail for all activity. Access management tools allow you to define access and integrate with your Intrusion Prevention System (IPS or IDP) of choice. A good AM choice allows you to programmatically provision and deprovision access (yes, you can say goodbye to Excel sheets!). Even if you’re migrating to immutable infrastructure, controlling who has access to the build machines becomes all the more important.

Cloud Security and Posture Management (CSPM) / Vulnerability Management:

While not the same thing, this market has seen serious consolidation between CSPM and vulnerability management recently, so we decided to loop them together. Regardless of what you’re using here, we want to make sure our systems are patched and our internet-facing assets are up to date and properly configured. On multiple occasions we have left internet-facing applications and an out-of-date web server up and running with Cmd installed to monitor attacker behavior. Without fail, our servers pop with cryptominers in less than 24 hours, every time. With scripts and scanners, people are looking for any available compute that can be abused, but that’s the least of your problems when you see what can happen from a leaky S3 bucket. Some type of scanning is an absolute must for your cloud, on-premise, and k8s deployments. If you have all three, you may find it tough to get an all-in-one solution, but there are quite a few options available.

EDR, EPP and Anti-virus (AV):

While not a necessity, many compliance folks and auditors are beginning to require an AV agent on Linux. There are a number of solutions out there that scan on a regular or periodic basis to compute hash values and determine whether all of the packages on the machine are safe. Our suggestion would be to find a lightweight solution and opt for performance first, as these solutions can often cause significant unexpected performance issues. In use cases like build machines, where there can be thousands of zipped files, scanning each one can double or triple your workload.

If you think of your Linux servers like a house and you want to protect the contents of your home (sensitive data, etc.), each one of these components builds part of a defense system. An AM tool is the key and lock on the front door. You lock the front door to make sure it isn’t easy to get in, and you only give keys to the people who live in the home, sharing them when necessary.

Our vulnerability management is the locks on the windows. While the lock on the front door may be a good deterrent, it doesn’t do much good if you’ve left a window open. By continually scanning, we ensure that those windows are not left open. Finally, the Cmd IDR platform is similar to having cameras spanning the property. While we are pretty sure we have locked down our systems, runtime security allows you to validate and continually check that only the correct users are entering, and that they are doing what they are supposed to on those machines. After all, it is a shared server, not a private residence.

This is generally how we begin to break it down; of course there are many more layers, such as firewalls, network-layer monitoring, and much more. Here we wanted to break down some of the common items we hear about and what are truly must-have items for your Linux server fleet. Check out our clickable demo to see how Cmd helps solve these issues.
