In today’s multi-cloud world, companies struggle to manage data exfiltration and malicious traffic across cloud service providers (CSPs).
Enterprises have limited control, visibility, and network security across multi-cloud deployments. Bad actors across the globe are using new methods to evade traditional network security measures. Data exfiltration and botnet operations may not be countered effectively due to traffic funneled through security choke points or third-party appliances serving as choke points. Furthermore, a coordinated strategy to protect against malicious activity could be difficult to execute if organizations have separate cloud teams dedicated to managing a different CSP; separate cloud teams create organizational redundancies and high mean-time-to-resolution (MTTR).
What Is “Data Exfiltration”?
We will focus on unauthorized access to data that is re-rerouted to unapproved third-party destinations, which can cause reputational and financial damage to an organization.
Data exfiltration can occur when:
- Corporate data falls into the hands of adversaries through phishing.
- Malware spreads across an organization’s network and infiltrates other devices. Some types of malware lay dormant on a network to avoid detection by an organization’s security systems until data is exfiltrated subversively or information is gradually collected over a period of time.
- An insider intentionally contacts a malicious host to exfiltrate information and export sensitive data.
- An employee uses a Tor relay node to anonymize themselves.
- An employee uses the organization’s cloud resources to mine cryptocurrency and sending information to the Bitcoin blockchain.
What is a Botnet and Why Should You Care?
A botnet is a network of hacked machines across the world that is controlled by an attacker using Command & Control (C&C) software running on a server used as the command center. C&C software is used to send commands to systems compromised by malware to perform Distributed Denial-of-Service (DDoS) attacks on other organizations or critical infrastructure, steal data, send spam, and allow the attacker unrestricted access to the device and its connection.
Security in Multi-Cloud Architectures
Cybercriminals use different techniques to remain undetected for months or years, while data exfiltration or botnet operations are detected only after the damage is done. To add to the complexity, organizations operating in a multi-cloud environment may have an even harder time detecting data exfiltration or botnet operations if each cloud is managed by a different team within the enterprise, requiring more coordination between teams to implement the necessary security.
One security approach is an Intrusion Detection System (IDS), which monitors a network, searches for known threats and suspicious or malicious traffic, and sends alerts upon detection of issues. An IDS relies on searching for available attack signatures and anomalies from normal network activity.
Another method is to use third-party SaaS services. To support this method, traffic must be directed towards the service to perform inspection, which means shipping traffic out of the network for analysis. Many third-party SaaS services also depend on a default route or agents installed on workloads.
Finally, organizations can also use third-party appliances. Traffic must be directed towards these appliances for inspection. We cannot forget that shadow IT may also spin up new environments or make changes redirecting egress traffic.
How Distributed Threat Enforcement Improves Security Posture
Internet access is pervasive in the cloud. This creates business risk. If infrastructure has been compromised, IDS and IPS systems may not be able to detect and prevent data exfiltration, crypto-mining, and Tor activities due to lack of visibility and proper altering. You can improve your security posture with distributed threat inspection, a service that complements existing security solutions to provide an added layer of protection.
This solution is un-surprisingly simple: when you first own the network through a repeatable network architecture with a common data plane, distributed threat enforcement will be a natural consequence. Through threat visibility across all “gateways”, threats are identified more quickly, and remediation can be done automatically. This also makes it easier for an enterprise to simplify their processes, workflows, and security investments, allowing them to reduce risk and accelerate the resolution of security events with actionable context.
Introducing ThreatIQ with ThreatGuard
ThreatIQ with ThreatGuard is a new method for cloud network security within the Aviatrix platform that offers distributed threat visibility. It is multi-cloud native network security to identify and block traffic to known malicious destinations.
Imagine distributed threat visibility and control built into the network data plane by default, providing a complementary security solution with full multi-cloud support.
ThreatIQ analyzes Netflow data that is sent to CoPilot in real-time. Threat inspection is on by default and is built into the network transit at every hop. CoPilot analyzes all traffic and compares it with a database of known malicious hosts. This is a great example of when an intelligent data plane becomes security-aware.
ThreatGuard acts as the remediation mechanism based on CoPilot analysis. If blocking is enabled, these findings are sent to the Aviatrix Controller which then pushes firewall policies to all Aviatrix gateways in the data path blocking the traffic in real-time. Notifications can also be sent to specific users or distribution lists.
What Makes ThreatIQ and ThreatGuard Unique?
From a security perspective, customers routinely bolt-on third-party devices to this data path to inspect traffic leaving the network. Aviatrix already provides a novel transit-based network architecture that is repeatable across all CSPs for passing network traffic. ThreatIQ with ThreatGuard also layers in security inspection and enforcement, which adds a layer of protection to complement third-party security devices and provides end-to-end visibility of traffic leaving the cloud network.
How Does It Work?
ThreatIQ is a detection mechanism that complements existing security solutions by monitoring traffic in real time as it crosses the network, providing an added layer of protection beyond NGFWs.
Figure1: ThreatIQ shows where in the network the malicious host attempted to communicate.
ThreatIQ also offers geographical visualization and threat analytics to show where the malicious hosts are located, time series analysis, and threat classifications/severity. You can also export a tabular representation of the threat intelligence for further analysis.
Figure 2: Geographical location of malicious hosts (top).
Figure 3: Tabular view of threat intelligence can be exported for further analysis or filtered for more specific information.
ThreatGuard is an optional mechanism that can be turned on by the customer to act upon findings by ThreatIQ. ThreatGuard can offer to send alerts to specified individuals or distribution lists and can provide automated remediation of identified threats by blocking future traffic to the threat IPs on every gateway. This eliminates the delay involved in manual administrative action and review. It embeds security across the Aviatrix multi-cloud data plane enabling every network node to provide security inspection and enforcement.
Figure 4: Alerts generated by ThreatGuard and sent to a designated recipient.
Furthermore, ThreatGuard provides the option to block all traffic to the malicious host. Firewall policies against malicious hosts are automatically applied at every gateway within the cloud network.
Figure 5: ThreatGuard view showing statistics on firewall rules applied to malicious hosts.
Customer Anecdotes and Impact
One of our customers with whom we piloted ThreatIQ immediately became startled upon looking at the geographical view of known malicious destinations communicating with their network. The client’s security team immediately got to work and found out that workloads were communicating back and forth with Tor servers, which are used to anonymize web activity. The security team manually implemented the necessary security groups to block such traffic since, at the time, Aviatrix had not yet built the ThreatGuard feature. Now that ThreatGuard is built, the client’s security team will no longer have to apply manual intervention to block known malicious hosts.
What was also interesting to note was that the client was using Aviatrix only for a portion of their cloud infrastructure. It is quite possible that if Aviatrix was used for their entire cloud infrastructure, more compromised instances would have been found.
Other clients either found bitcoin mining activity or bad actors that were known to create malicious bot activity. Bitcoin mining activity means that enterprise cloud resources (which are expensive and which the enterprise pays for) were being used to make money for bitcoin miners. Malicious bot activity means that a hacker (i.e., the botmaster) has hacked cloud instances to perform data exfiltration or illegal activities.
Aviatrix gives the control, visibility, and security that enterprises always wanted in the cloud. With the official launch of ThreatIQ with ThreatGuard, we expect to hear similar stories from more customers.
Conclusion
Internet access is pervasive in the cloud. For security personnel, safeguarding connectivity, gaining visibility, and remediating threats have never been more challenging. Even with NGFWs, third-party toolsets, and automation, organizations must look for new ways to ensure critical business workloads are protected without slowing business agility and be able to remediate identified threats quickly and pervasively across the multi-cloud footprint.
ThreatIQ with ThreatGuard is a method of network security that truly takes advantage of the data plane in the cloud and improves the security posture. Furthermore, it:
- Complements existing security services by providing visibility at the network layer
- Eliminates dependencies on traffic being identified at the edge or in security pockets
- Survives local changes which may allow Internet egress traffic to utilize alternative paths
- Supports business agility and growth keeping consistent security guardrails through expansion
- Enables a consistent multi-cloud traffic inspection method independent of local NGFW presence
- Provides a multi-cloud native approach to automated remediation
See ThreatIQ with ThreatGuard in Action
Let us show you how you can take control of your multi-cloud environment with industry-leading security, visibility, and advanced networking features.
Schedule a demo to learn why hundreds of customers already use Aviatrix to solve these other cloud networking challenges as well. For example:
- Enterprise-class cloud networking visibility and troubleshooting
- Overcoming overlapping IP issues
- High-performance encryption in the cloud
- Next-Generation Firewall insertion, performance, and visibility in the cloud
- Cloud Networking in AWS, Azure, GCP, and OCI
- FQDN Egress Filtering
To schedule a demo of ThreatIQ with ThreatGuard, or the Aviatrix platform’s other features, please visit: https://aviatrix.com/schedule-demo/
Related Resources
Lightboard 3-minute overview on ThreatIQ with ThreatGuard: click here
3-minute demo of ThreatIQ/ThreatGuard UI: click here
About Author
Syed Ali is part of the Technical Marketing team at Aviatrix and is an Aviatrix Certified Professional. He is an experienced IT/SI consultant with experience at a Big 4 management consultancy, where he provided systems implementation and strategic advisory services to clients in the public sector, transportation, and consumer packaged goods verticals. He holds MSc Computer Science, BMath, and BBA degrees.
Aside from his interest in cloud networking, Syed is also passionate about community involvement and supporting the growth and development of the emerging workforce and younger generations. He resides in the Toronto, Canada area.