Security operations (SecOps) analysts have some of the most challenging roles in IT security. On the front lines in a ceaseless fight against determined adversaries, it is their job to detect, investigate, contain and remediate emerging threats to the organization. But the longer it takes them to do so, the more opportunity threat actors have to achieve their goals. In this high-stakes game, seconds count. Cloud environments can add time and complexity by making it harder to link network data to cloud resources.
This is why, when it comes to network detection and response (NDR), enriching network traffic data, like Zeek logs, with additional metadata can add invaluable context and, crucially, make SecOps analysts more effective.
The Challenge
SecOps can be easier in on-premise environments. Often this is because analysts have a much better grasp of where resources are on a network, assisted by the fact that the related IP addresses and network identification details of core network assets rarely change. Even if workloads move from one data center to another, they can be tracked fairly easily. This is not the case in dynamic, ephemeral cloud and container environments, where layer three networking is abstracted away from the higher-level tasks of running workloads or presenting data.
In the cloud, everything is more elastic and portable – moving within the cloud network as computer resource requirements change. Assets can appear and disappear at a high frequency across multiple data centers, changing IP addresses and other identifying details. Due to the abstraction involved, it becomes extremely challenging to attribute network traffic to specific cloud or container assets – such as instances, hosts, pods or containers.
So, when an analyst tries to attribute suspicious traffic from their Zeek logs to a given cloud asset for further investigation, they often have to contact the infrastructure team for assistance. These colleagues will then have to dig through logs to check which instance or service was associated with a specific network identifier at a specific point in time and therefore generated the traffic in question.
This is not only a drain on already stretched IT resources but may also give threat actors valuable time to exfiltrate data, deploy a ransomware payload or complete other objectives.
Streamlining SecOps
Now, imagine if there was a way of linking critical point-in-time data on cloud assets – like worker node IP, pod name, service function or namespace – to network traffic data at the time of collection. It would ensure that SecOps analysts could quickly and easily attribute network log data to specific cloud/container assets. Now it matters much less that resources constantly change IP addresses because there’s a far easier way to close the evidence gap and accelerate NDR activities. And in so doing, infrastructure teams are left to work on higher value tasks – optimizing their productivity as well as that of SecOps analysts.
Enhancing cloud visibility and context in this way doesn’t just benefit security. It could also surface valuable insight in areas such as bandwidth usage by different business units, which could be leveraged to enhance data-driven decision-making. Adding rich cloud metadata to network logs could help organizations contain breaches before they can impact the organization. It could also be the secret ingredient to much broader business success.