Cloud Cybersecurity: Use Next-Gen MDR for Cloud SecOps

Paladion
By Paladion

February 14, 2020

Today’s security operations (SecOps) face many obstacles including the lack of skilled people and too many security technologies to manage. These challenges force organizations to take a reactive mindset when it comes to cybersecurity.

What’s more, put these challenges in the cloud and even more problems arise:

  • Cloud-specific threats
  • Issues when implementing shared security models
  • Access control issues

The only way to ensure robust cloud cybersecurity is to implement AI-powered managed detection and response (MDR). Using MDR allows your SecOps teams to unify security tools and utilize a delicate balance of automated and manual responses for the most complete cybersecurity.

Want all the details on how to improve cloud cybersecurity?

Download our eBook: Guide to Next-Generation Cloud SecOps

Get the eBook

Ensure Cloud Cybersecurity with Paladion MDR

Paladion’s Next-Gen MDR uses AIsaac, a patented AI platform first deployed in 2011. It achieves proactive results by mining a customer’s security data on a 24/7 basis across three dimensions:

  • SOC monitoring: looking for known threats, based on rules and signatures
  • Threat anticipation: searching for known attackers by correlating external threat intelligence
  • Threat hunting: using AI and machine learning models to detect anomalies that indicate the presence of malware or APTs


Figure 1: Screenshot of AIsaac-MDR's Active Discovery process, showing suspected attack sites and their connections across cloud assets.

This broad detection process takes the fight proactively to malicious actors across the public cloud. It can ferret out threats in cloud assets on the major platforms (e.g., Azure, Google, AWS) and operating systems, as well as in containers (e.g., Docker), microservices, and cloud consoles. The platform can also detect threats originating in SaaS solutions like Box and Salesforce. With this approach there are few, if any, places for APTs or malware to hide, and machine learning models make it hard for threats to evolve and escape detection.

In addition to broad, continuous detection of threats and vulnerabilities, AIsaac performs regular configuration and compliance assessments. This is essential for strong security because misconfigured cloud systems are where APTs and comparable malware lurk. An out-of-compliance VM, for instance, can be hijacked and used as a foothold for deeper intrusions.

Taking this proactive approach leaves nowhere for cybersecurity threats to hide.

Why Do You Need to Be Proactive with Cloud Cybersecurity?

Next-Gen MDR platforms detect the presence of APTs that get overlooked by reactive processes. For example, Paladion MDR caught a hidden banking trojan that went undetected by existing Symantec EPP, FireEye EDR, Qradar SIEM, and a Next-Generation Firewall (NGFW). In another case, Paladion detected an attacker’s lateral movement between dev and production instances of a website – movement that anti-malware and firewalls missed.

Implementing AI and Machine Learning in Cloud Cybersecurity

AI and machine learning are now commonplace in cybersecurity products. AIsaac takes those technologies further and has a proven track record. It is powered by neural nets as well as by supervised and unsupervised natural language processing (NLP).

AIsaac processes 25 billion security events per day.


Figure 2: AIsaac-MDR leverages advanced security analytics to group attacks across two dimensions, based on threat actors and attacks.


Figure 3: Tactical threat intel process, where commodity threat data (e.g., cloud sources, open sources) is collected, parsed, and scored before being curated through validation and correlation. The result is a collection of operationalized threat data used by the AIsaac platform.

The High-Level Architecture of MDR

Figure 4, below, shows a simple reference architecture of Paladion’s AI-Driven MDR working in a hybrid cloud environment, a typical usage scenario for Paladion’s customers. The AIsaac platform is the heart of the solution, running on Paladion’s own cloud infrastructure. APIs enable integration with existing security tools like SIEM and IPS, as shown on the left side of the diagram.


Figure 4: High-level reference architecture of the AIsaac platform operating in a hybrid cloud environment.

The system deploys agents across all digital assets: on-premises servers, cloud instances (e.g., AWS and Azure), Virtual Private Clouds (VPCs) and Virtual Networks (VNets), and endpoints such as mobile devices and laptops. The agents and integrated security tools feed event data into the platform’s detection processes, which in turn anticipate, hunt, and monitor for threats.

APIs connect the platform’s response processes to external ticketing solutions. Both detection and response processes are visible to end-users at the Paladion SOC as well as to the customer’s SecOps team members.

AIsaac-MDR offers a “single pane of glass” in which to engage in threat detection and response management.

Required Components for Managing Cloud Cybersecurity

Paladion's MDR contains multiple services and core technologies along with hundreds of AI models, use cases, and playbooks.

  • Core technologies: Threat intelligence, impact analyzer, endpoint detection and response (EDR), UBA, network traffic analysis, advanced threat analytics, triage, big data SIEM, one-touch integration, and deep forensics
  • AI models: ML algorithms such as classification, clustering, regression, association, and pattern matching; deep learning algorithms such as standard neural networks (NNs), convolutional neural networks (CNNs), and recurrent neural networks (RNNs); and intelligence automation


Figure 5: Components of the AIsaac-MDR platform, from an end-user perspective.

Threat Response

Paladion works with clients to clearly outline what types of threats can be automatically responded to and which require human intervention. In the case of the latter, threats are auto-contained to limit the damage until a human can be brought into the loop.

Incident Analysis

AIsaac investigates the impact, the attacker, the attack campaign, and the extent of the compromise to determine how many resources should be allocated to the response.

For example, for a malware or intrusion alert, the incident analysis process automatically discovers whether there are indicators of compromise (IoCs). The platform assesses whether the attacker is communicating with other workloads and then considers further questions, such as “What is its ‘blast radius’?” and “Is it part of a campaign from a known threat actor?”

The main goal is to contain threats and swiftly stop their spread.

Auto-Containment

If the alert is deemed to be severe enough to be considered an actual incident, the platform initiates an automated containment process to stop the attack and its impact. The solution automatically suspends rogue accounts and quarantines infected machines, preventing the spread of infection. Arresting the spread of the attack may involve reconfiguring network security groups (NSGs), removing workloads, or initiating a kill process using endpoint detection and response (EDR) solutions.
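As an added illustration of the analysis-then-contain sequence described in the Incident Analysis and Auto-Containment sections (example code written for this page, not Paladion’s or AIsaac’s own), the sketch below computes a blast radius over constructed east-west flows, scores the alert, and emits a containment plan while flagging threat types the client has reserved for human decision. The scoring weights, the policy set, the host and account names, and the action strings are all assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed client policy: threat types that may be remediated without a human.
# Everything else is only contained, then handed to an incident responder.
AUTO_REMEDIATE = {"commodity_malware"}

@dataclass
class Alert:
    alert_type: str            # e.g. "commodity_malware", "lateral_movement"
    host: str                  # workload the alert fired on
    account: Optional[str]     # account observed acting on the host, if any
    ioc_matches: int           # indicators of compromise matched during analysis
    known_campaign: bool       # attributed to a known threat-actor campaign

def blast_radius(start: str, flows: dict) -> set:
    """Workloads reachable from the infected host over observed east-west flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for peer in flows.get(queue.popleft(), ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    seen.discard(start)
    return seen

def classify(alert: Alert, reached: set) -> str:
    """Escalate to an incident when IoCs, observed spread and attribution add up."""
    score = alert.ioc_matches + 2 * len(reached) + (3 if alert.known_campaign else 0)
    return "incident" if score >= 4 else "alert"

def containment_plan(alert: Alert, flows: dict) -> dict:
    """Contain first (NSG isolation, EDR kill, account suspension); remediate only if allowed."""
    reached = blast_radius(alert.host, flows)
    level = classify(alert, reached)
    actions = []
    if level == "incident":
        actions += [f"nsg:isolate:{alert.host}", f"edr:kill-process:{alert.host}"]
        if alert.account:
            actions.append(f"iam:suspend:{alert.account}")
        actions += [f"nsg:quarantine:{w}" for w in sorted(reached)]
    return {"level": level, "blast_radius": sorted(reached), "actions": actions,
            "needs_human": level == "incident" and alert.alert_type not in AUTO_REMEDIATE}

# Constructed east-west flows: a dev web host talking to prod, prod to the database.
FLOWS = {"web-dev-01": {"web-prod-01"}, "web-prod-01": {"db-prod-01"}, "db-prod-01": set()}

if __name__ == "__main__":
    print(containment_plan(Alert("lateral_movement", "web-dev-01", "svc-deploy", 2, False), FLOWS))
```

The dev-to-prod case mirrors the lateral-movement example earlier in the post: the host is isolated and its account suspended immediately, but remediation waits for a responder because lateral movement is outside the auto-remediate set.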

Automated Remediation and Orchestrated Response

The Paladion threat response sequence flows from auto-containment to automated threat remediation. This process may include automated steps like orchestrating actions among SecOps team members. Paladion incident responders quickly collaborate with the customer’s SecOps teams to contain, mitigate, and recover from an incident. SecOps teams can execute threat visualization and run automated playbooks with supervised machine learning algorithms guiding the whole process.

The platform is also capable of orchestrating an incident response. The goal is to contain attacks in minutes, orchestrate an effective response, and destroy the root cause of the attack. After automated responses, there may be human follow-up, stakeholder notification, machine repairs, or other recommendations.

For events requiring client input, a Paladion Incident Responder reaches out to the customer with a complete incident analysis to orchestrate a full, coordinated response. This response spans across both the Paladion team and the customer’s SecOps staff.

The platform guides the SecOps team through forensic breach investigations and helps resume regular customer operations as soon as possible. The system also learns from each incident and evolves the customer’s defenses to perform better in future events.

Improve Cloud Cybersecurity with Paladion MDR

Next-Gen MDR powered by artificial intelligence from Paladion is the solution to improving cloud cybersecurity within your organization. By coupling advanced AIsaac technology with MDR, your SecOps can shift to a proactive mindset and stay ahead of threats both now and in the future.
