Threat Hunting and the Cloud - A Dynamic Tension

Jul 18, 2017 | by Arthur Fontaine

In the 1920s, fitness innovator Charles Atlas developed and introduced the Dynamic Tension exercise method. The essence of Dynamic Tension is that it pits muscle against muscle, with a workout intensifying proportionally for both muscles as force increases. As generations of comic book fans have learned since, nobody kicked sand in Charles Atlas's face after that!

The dynamic between cloud and IT security displays similar characteristics. The more cloud-focused an organization's IT strategy is, the more stress is placed on its IT security posture. The reasons are pretty simple: the cloud creates a larger attack surface, with new and different data sources to monitor for threats. But it's not just more data; in the current cloud environment, core security capabilities and APIs are typically less mature than on-premises counterparts, which have had much more time to evolve and harden.

That tension is not going to change the trajectory of cloud adoption - a disruption that's underway and accelerating. Benefits of the Cloud are now apparent to all: less capital expense, greater business agility, more flexible computing capacity, fewer operational issues, and ease of innovation. Perhaps your organization is among those with an explicit "cloud first" IT strategy, requiring all new or expanding workloads to be evaluated first on the Cloud, rather than a traditional data center deployment mode.

While cloud computing makes security more difficult in many different ways, there are specific challenges for the threat detection and response function. Visibility is the key to full and effective threat detection, and accessing cloud data takes extra steps compared to on-premises data. In a cloud-centric world, for a threat detection solution to see everything, it must be able to run anywhere.

Without specific tools and approaches, the Cloud can create a substantial blind spot in an organization's IT infrastructure. Indicators of compromise that would be picked up easily if the same application were deployed on-premises go unseen. For alerts generated on-premises, critical correlation data can be missed, leaving an incomplete view of the full scope of an attack.

Integrating cloud data can be done, but remains a fairly complex process. Most cloud environments offer hypervisor-level system logs, which can be analyzed in the Cloud or sent to an on-premises solution. Security and application logs work much the same way, although with increasing data volumes the architectural considerations become more complex: performance and cost need to be balanced when considering which data to analyze, and where and how to process it.

Packets are trickier, as most cloud services have not yet exposed full packet capture capabilities. Independent services have cropped up to expose packets in ways that make analysis possible. Going forward we can expect packet access to become easier, with some level of capability exposed by the cloud vendors. Endpoint coverage in the Cloud is limited as well, at least without deploying specialized agent software to provide OS-level visibility and protect proprietary or personal information.

Additional complexity is introduced because organizations seldom have a single-cloud strategy. Therefore, threat detection solutions must "talk" to multiple clouds. The ability to capture, normalize, and enrich data across environments is a core requirement of an effective threat detection platform.

And then there's the rapid pace of innovation on the Cloud itself. Containerization (e.g., Docker) is a good example. As more and more applications are containerized, you need a way to see and connect to these instances as they are continuously spun up and torn down.
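The two preceding paragraphs describe the core of the cloud visibility problem: events from several clouds arrive in different layouts and must be captured, normalized and enriched into one schema, and alerts must still be attributable to container instances that have already been torn down. The following Python is an added illustration written for this post; it is not RSA NetWitness code and not any vendor's real log format. The two cloud log layouts, the container runtime events, the host names, addresses and the internal network range are all constructed for the example.

```python
"""Normalize and enrich security events from several (constructed) cloud
sources into one schema, and keep an inventory of short-lived container
instances so a later alert can still be attributed to the instance that
was running on the host at that moment.

Added illustration for this post; not RSA NetWitness code. The field names
in both cloud layouts and in the container events are invented."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample records from two hypothetical cloud providers ("cloud_a"
# emits JSON, "cloud_b" emits key=value text) and one container runtime.
CLOUD_A_LINES = [
    '{"eventTime": "2017-07-18T10:00:01Z", "vm": "web-01", "srcAddr": "203.0.113.5", "op": "Login", "result": "Failure"}',
    '{"eventTime": "2017-07-18T10:00:03Z", "vm": "web-01", "srcAddr": "203.0.113.5", "op": "Login", "result": "Success"}',
]
CLOUD_B_LINES = [
    "2017-07-18 10:00:02 host=db-07 client=10.0.4.22 action=query status=ok",
]
CONTAINER_EVENTS = [
    {"ts": "2017-07-18T09:59:50Z", "id": "c1", "image": "api:1.4", "node": "web-01", "state": "start"},
    {"ts": "2017-07-18T10:00:05Z", "id": "c1", "image": "api:1.4", "node": "web-01", "state": "stop"},
]

# Assumption for the example: the organization's private address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ts(value):
    # Both constructed layouts carry UTC timestamps; return an aware datetime.
    clean = value.replace(" ", "T").rstrip("Z")
    return datetime.strptime(clean, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def normalize_cloud_a(line):
    """Map the JSON layout onto the common schema."""
    rec = json.loads(line)
    return {"ts": _parse_ts(rec["eventTime"]), "source": "cloud_a", "host": rec["vm"],
            "src_ip": rec["srcAddr"], "action": rec["op"].lower(), "outcome": rec["result"].lower()}


def normalize_cloud_b(line):
    """Map the key=value layout onto the same common schema."""
    date, clock, rest = line.split(" ", 2)
    kv = dict(item.split("=", 1) for item in rest.split())
    outcome = "success" if kv["status"] == "ok" else "failure"
    return {"ts": _parse_ts(date + "T" + clock), "source": "cloud_b", "host": kv["host"],
            "src_ip": kv["client"], "action": kv["action"], "outcome": outcome}


def enrich(event):
    """Add a zone tag so analysts can tell external from internal sources."""
    ip = ipaddress.ip_address(event["src_ip"])
    event["src_zone"] = "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
    return event


def build_container_inventory(events):
    """Map container id -> node, image, start and stop times. Keeping the
    stopped instances is the point: the alert may arrive after teardown."""
    inventory = {}
    for ev in events:
        entry = inventory.setdefault(
            ev["id"], {"node": ev["node"], "image": ev["image"], "start": None, "stop": None})
        entry[ev["state"]] = _parse_ts(ev["ts"])
    return inventory


def containers_on_host_at(inventory, host, ts):
    """Container ids that were live on `host` at time `ts`."""
    return sorted(cid for cid, e in inventory.items()
                  if e["node"] == host and e["start"] is not None and e["start"] <= ts
                  and (e["stop"] is None or ts <= e["stop"]))


def build_timeline():
    """Single cross-cloud timeline with zone and container attribution."""
    events = [enrich(normalize_cloud_a(line)) for line in CLOUD_A_LINES]
    events += [enrich(normalize_cloud_b(line)) for line in CLOUD_B_LINES]
    events.sort(key=lambda e: e["ts"])
    inventory = build_container_inventory(CONTAINER_EVENTS)
    for e in events:
        e["containers"] = containers_on_host_at(inventory, e["host"], e["ts"])
    return events


if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["source"], e["host"], e["src_zone"], e["action"], e["outcome"], e["containers"])
```

Once both sources land in the same schema, a failed-then-successful login from an external address on `web-01` is visible as one sequence rather than two unrelated records in two consoles, and the inventory answers which container image was serving that host at the time even though the instance has since been stopped.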

All of these considerations inform the strategy behind our newest version of the RSA NetWitness® Suite, RSA's market-leading threat detection and response platform. We've worked hand-in-hand with customers and industry analysts to design the most cloud-friendly solution on the market.

To start with, the modular structure of RSA NetWitness Suite conforms easily to any cloud deployment requirement. It's the "run anywhere, see anything" principle, and enables the type of performance and cost optimizations discussed earlier. The solution can run on the Cloud, or data can be collected and enriched in the Cloud before transmitting it to an on-premises instance for analytics. RSA makes it easy with pre-built images available for customers in cloud marketplaces.

The radical visibility and scalability of RSA NetWitness Suite is also well-suited to the Cloud. Integration with hundreds of security and application solutions supports the most diverse IT infrastructures, wherever they're deployed. And its distributed architecture can keep up with the largest cloud deployments, removing an important inhibitor presented by competitive offerings.

How are you handling the dynamic tension between cloud and security? As Charles Atlas taught us nearly a century ago, finding the balance is key. Find out more about how RSA NetWitness Suite can help your cloud strategy by visiting us at

Author: Arthur Fontaine

Category: RSA Point of View

Keywords: Cloud Computing, RSA NetWitness Suite, Security