Detect risks such as network intrusions, cryptojacking, and insider threats across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud environments
The virtual perimeter of a public cloud environment is more exposed to attack than the physical perimeter of an on-premises data center. Organizations need to vigilantly monitor network traffic in the cloud and detect suspicious activity. However, network security in public cloud environments requires a different approach, for several reasons:
Inline network security appliances can negatively impact important cloud architecture benefits such as bursting and auto-scaling, because every new instance has to be routed through them. An out-of-band approach is necessary.
Traditional network monitoring tools create security blind spots in the cloud: they cannot be placed in front of API-driven managed services, and they cannot monitor east-west traffic between instances at scale. An out-of-band approach, based on the flow logs the cloud provider already produces, avoids both problems.
While the cloud enables agility by allowing users to create and modify resources on-demand, this often occurs without any IT or security oversight. As a result, a simple network misconfiguration can expose sensitive applications to the internet.
Alerts based solely on network configuration changes would inundate security teams with false positives whenever the changes were deliberate. Configurations must therefore be continuously correlated with observed network traffic and with threat intelligence sources to assess the actual risk.
The RedLock Cloud 360™ platform monitors north-south as well as east-west traffic. This enables it to detect risks such as network intrusions, cryptojacking, and insider threats.
The RedLock Cloud 360 platform provides out-of-the-box network policies that reflect established security best practices. It continuously evaluates these policies and triggers alerts when violations are detected. For example, the platform can identify sensitive resources and trigger an alert if it observes direct traffic to them from the internet.
The platform monitors north-south traffic for ingress threats such as network intrusions, reconnaissance, cryptojacking, and data exfiltration. It does this by ingesting network flow logs from your public cloud environment (AWS, Azure, and Google Cloud). Flow logs alone are not sufficient for accurately detecting suspicious activity, since they record only connection metadata (addresses, ports, protocol, byte and packet counts) rather than payloads. Knowing that a resource is receiving traffic from the internet is, by itself, not very meaningful. Instead, the platform uses AI to correlate the flow logs with configuration and inventory data from your public cloud environment and with third-party threat intelligence feeds. In the earlier example, a meaningful alert would be that the resource receiving the traffic is an unpatched MongoDB instance accepting a connection from an IP address flagged as suspicious.
As organizations move towards microservices, it becomes imperative to monitor east-west traffic as well. The same flow logs give the RedLock Cloud 360 platform visibility into this traffic. Correlating it with data from your public cloud environment and third-party threat intelligence sources enables the platform to identify malware-infected instances, lateral movement, and other indicators of advanced persistent threats (APTs).
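The three detection ideas above (a policy that flags internet traffic to a sensitive resource, escalation of that finding when the source is on a threat-intelligence list and the resource is unpatched, and an east-west fan-out rule for lateral movement) can be sketched in a few dozen lines. The following is an added example written for this page, not RedLock's own code: the flow-log lines, the resource inventory, the threat-intelligence set and the `lateral_threshold` value are all constructed, and the field layout follows the AWS VPC Flow Logs v2 format.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed resource inventory, standing in for what a cloud account's
# configuration data would provide (tags, service type, patch status).
INVENTORY = {
    "10.0.1.10": {"id": "i-db01", "service": "mongodb", "sensitive": True, "patched": False},
    "10.0.1.20": {"id": "i-web01", "service": "nginx", "sensitive": False, "patched": True},
    "10.0.2.30": {"id": "i-app01", "service": "app", "sensitive": False, "patched": True},
    "10.0.2.31": {"id": "i-app02", "service": "app", "sensitive": False, "patched": True},
    "10.0.2.32": {"id": "i-app03", "service": "app", "sensitive": False, "patched": True},
}
THREAT_INTEL = {"198.51.100.7"}  # constructed; a real deployment consumes a feed
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]

# Constructed flow-log lines in AWS VPC Flow Logs v2 field order.
FLOW_LOG_FIELDS = ["version", "account", "interface", "srcaddr", "dstaddr", "srcport",
                   "dstport", "protocol", "packets", "bytes", "start", "end",
                   "action", "status"]
FLOW_LOGS = """\
2 123456789012 eni-aaaa 198.51.100.7 10.0.1.10 51234 27017 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbb 203.0.113.9 10.0.1.20 40000 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-cccc 10.0.1.10 10.0.2.30 33000 22 6 5 600 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-cccc 10.0.1.10 10.0.2.31 33001 22 6 5 600 1700000011 1700000071 ACCEPT OK
2 123456789012 eni-cccc 10.0.1.10 10.0.2.32 33002 22 6 5 600 1700000012 1700000072 ACCEPT OK
2 123456789012 eni-dddd 203.0.113.50 10.0.1.10 44444 27017 6 1 80 1700000000 1700000060 REJECT NODATA
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_flow_logs(text):
    """Parse space-separated flow-log lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def detect(flows, inventory, threat_intel, lateral_threshold=3):
    """Correlate flows with inventory and threat intel; return a list of alerts."""
    alerts = []
    fanout = defaultdict(set)  # (internal src, dst port) -> distinct internal dsts
    for f in flows:
        if f["action"] != "ACCEPT":
            continue  # rejected flows never reached the resource
        src, dst = f["srcaddr"], f["dstaddr"]
        src_int, dst_int = is_internal(src), is_internal(dst)
        if not src_int and dst_int:  # north-south ingress
            res = inventory.get(dst)
            if not res or not res["sensitive"]:
                continue  # internet traffic to a non-sensitive resource is not a finding
            alert = {"rule": "sensitive-resource-internet-ingress", "severity": "medium",
                     "resource": res["id"], "src": src, "dstport": f["dstport"]}
            if src in threat_intel and not res["patched"]:
                # the "unpatched MongoDB accepting a connection from a suspicious IP" case
                alert["rule"] = "unpatched-sensitive-resource-from-suspicious-ip"
                alert["severity"] = "high"
            alerts.append(alert)
        elif src_int and dst_int:  # east-west traffic
            fanout[(src, f["dstport"])].add(dst)
    for (src, port), dsts in fanout.items():
        if len(dsts) >= lateral_threshold:
            alerts.append({"rule": "possible-lateral-movement", "severity": "high",
                           "resource": inventory.get(src, {}).get("id", src),
                           "dstport": port, "targets": sorted(dsts)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_flow_logs(FLOW_LOGS), INVENTORY, THREAT_INTEL):
        print(a)
```

Run as written, the sample yields two alerts: a high-severity finding for `i-db01` (sensitive, unpatched, contacted from the threat-intel address) and a lateral-movement finding for the same instance fanning out over port 22 to three application hosts. The ordinary HTTPS traffic to `i-web01` produces nothing, which is the point of correlating before alerting.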
The platform's graph analytics enables quick investigation of threats and analysis of downstream impact by drilling down on a resource. It also provides an audit trail of time-ordered activity for any given resource, so you can review the history of changes to that resource and better understand the root cause of an incident, past or present.