Check for bad effects instead of suspicious traffic
Having been part of the security industry for many years, we loved to watch all of the traffic coming into and going out of a network, or even individual servers. There was never enough data, and as security folks we wanted to watch every inbound and outbound packet, because, well, it could be malicious. We’d copy all of the traffic when necessary, sift through it, and try to find events that could be from hackers. We’d even throw tons of costly hardware at the problem just to review traffic in real time. All of this was done to achieve one goal: find attacks before they entered the network and did damage.
Specifically, we would place sensors at key choke points in the network, or anywhere else we could see a great deal of the traffic. The sensors could be placed in what was called detection mode, where a copy of the data would be sent to the sensor, or in prevention mode, where all of the traffic would pass through the device inline. Either way, the sensor would review each packet, collection of packets, or user session against a set of known bad “signatures,” or simply try to identify anomalous behavior. The theory was very similar to anti-virus technology: a known bad packet flow would be captured in a signature once and then propagated to all customers. The industry got so good at this that it generated tens of thousands of signatures.
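The two sensor modes and the two detection strategies just described, as an added example that is not part of the original article. The signature patterns, the session-volume baseline and the packets fed through the sensor are all constructed for illustration; nothing here is a real vendor signature.

```python
"""Toy network sensor: signature and anomaly checks over constructed packet flows.
Added example, not from the original article. Signatures, threshold and packets are made up."""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures (hypothetical): name -> byte pattern the sensor looks for.
SIGNATURES = {
    "SIG-001 known-bad user agent": re.compile(rb"User-Agent: EvilScanner/"),
    "SIG-002 SQL tautology in HTTP parameter": re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1"),
}

# Constructed anomaly baseline: flag any session that moves more than this many bytes.
SESSION_BYTES_THRESHOLD = 5000


class Sensor:
    """In detection mode the sensor only sees a copy of the traffic, so it can only alert.
    In prevention mode it sits inline and may drop what it flags."""

    def __init__(self, mode):
        if mode not in ("detection", "prevention"):
            raise ValueError("mode must be 'detection' or 'prevention'")
        self.mode = mode
        self.alerts = []      # (session key, reason)
        self.sessions = {}    # (src, dst, dport) -> bytes seen so far

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, recording any alerts."""
        key = (pkt.src, pkt.dst, pkt.dport)
        hits = [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]

        # Anomaly check: per-session byte volume against the baseline.
        self.sessions[key] = self.sessions.get(key, 0) + len(pkt.payload)
        if self.sessions[key] > SESSION_BYTES_THRESHOLD:
            hits.append(f"ANOM-001 session volume {self.sessions[key]} bytes exceeds baseline")

        for reason in hits:
            self.alerts.append((key, reason))
        if hits and self.mode == "prevention":
            return "drop"
        return "forward"


def run_sensor(mode, packets):
    """Run every packet through a sensor in the given mode; return (verdicts, alerts)."""
    sensor = Sensor(mode)
    verdicts = [sensor.inspect(p) for p in packets]
    return verdicts, sensor.alerts


# Constructed sample traffic: one benign request, one signature hit, one oversized session.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /login?user=admin' or '1'='1 HTTP/1.1\r\nHost: app\r\n\r\n"),
    Packet("10.0.0.7", "10.0.1.10", 443, b"\x16\x03\x01" + b"A" * 6000),
]

if __name__ == "__main__":
    for mode in ("detection", "prevention"):
        verdicts, alerts = run_sensor(mode, SAMPLE_PACKETS)
        print(mode, verdicts)
        for key, reason in alerts:
            print("  alert", key, reason)
```

Note how the same alerts fire in both modes; the only difference is that the prevention-mode sensor, being inline, can turn an alert into a dropped packet, which is also why prevention mode is the one that needs the expensive real-time hardware.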
Security in cloud environments is better enhanced in other ways
With compliance becoming an ever-increasing priority and hybrid infrastructures becoming the norm, many traditional IT practices must evolve or die. One widely used practice that perhaps hasn’t kept up with the evolution of compliance requirements in increasingly hybrid environments is the jump server, often called the jump box.
The original theory for jump boxes made a lot of sense. Set up a jump box as a bastion host inside your environment; everybody logs into it first and then “jumps” from there to any of the other boxes or servers. The jump box would be a heavily fortified gatekeeper, ensuring that only the correct users could pass through it. Audit controls would be placed on the jump box to track all user activity. For those who wanted to level up, multi-factor authentication could be installed on the jump box to make it harder for an attacker to leverage stolen credentials.
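The three controls the jump box was supposed to provide (gatekeeping, audit trail, second factor) map onto a handful of OpenSSH server settings, so a quick audit of a bastion's `sshd_config` is a practical way to check whether a given jump box actually meets the theory. The following is an added example, not code from the original article; the directive names are real OpenSSH keywords, but the policy it enforces and the two sample configs are this example's own assumptions.

```python
"""Audit a jump box's sshd_config for the gatekeeper, audit and MFA controls.
Added example, not from the original article. OpenSSH directive names are real;
the required values and the sample configs below are assumptions for illustration."""

# OpenSSH defaults for the checked directives, used when the file does not set them.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",  # default since OpenSSH 7.0
    "passwordauthentication": "yes",
    "loglevel": "info",
    "permittunnel": "no",
}


def parse_sshd_config(text):
    """Return {lowercased directive: first value} from the global section.
    sshd honours the first occurrence of a directive; lines after a 'Match'
    header are conditional, so this simple parser stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Key value" and "Key=value".
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        if key == "match":
            break
        conf.setdefault(key, value.strip())
    return conf


def requires_second_factor(methods):
    """AuthenticationMethods lists space-separated alternatives; each alternative is a
    comma-separated chain that must all succeed. MFA holds only if every alternative
    chains at least two methods."""
    alternatives = methods.split()
    return bool(alternatives) and all(len(alt.split(",")) >= 2 for alt in alternatives)


def audit_bastion(text):
    """Return a list of (directive, reason) findings for a bastion sshd_config."""
    conf = parse_sshd_config(text)

    def get(key):
        return conf.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("PermitRootLogin", "every session must map to a named user, not root"))
    if get("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", "password logins let stolen credentials pass the gatekeeper"))
    if not requires_second_factor(get("authenticationmethods")):
        findings.append(("AuthenticationMethods", "no second factor enforced, e.g. 'publickey,keyboard-interactive'"))
    if not (get("allowgroups") or get("allowusers")):
        findings.append(("AllowGroups", "no explicit allow-list of who may use the jump box"))
    if get("loglevel") not in ("verbose", "debug", "debug1", "debug2", "debug3"):
        findings.append(("LogLevel", "VERBOSE is needed to log the key fingerprint of each login for audit"))
    if get("permittunnel") != "no":
        findings.append(("PermitTunnel", "layer-3 tunnels bypass per-session auditing"))
    return findings


# Constructed sample: a jump box that relies on the theory but never hardened sshd.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LogLevel INFO
"""

# Constructed sample: the same bastion with the controls the text describes in place.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowGroups bastion-users
LogLevel VERBOSE
PermitTunnel no
AllowTcpForwarding yes   # ProxyJump (-W) needs port forwarding to reach the inner hosts
Match Group ops
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_bastion(cfg) or "no findings")
```

The check deliberately treats a missing `AuthenticationMethods` as a finding rather than assuming a PAM module supplies the second factor, because the jump box's whole value rests on that factor being enforced at the gate; anything the parser cannot see in the config it reports.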