Why Monitoring East-West Traffic is Crucial for Cloud Security


Many of us have long relied on network firewalls to defend against digital threats. The problem is that these technologies and others like them have never provided complete protection. This is especially apparent in the age of cloud computing.

This blog post will illuminate how the firewall's weakness lies in which traffic it inspects, namely the traffic crossing the network perimeter rather than the traffic inside it. I'll then discuss how this blind spot enables attackers to reach critical information assets. Finally, I'll conclude by exploring how Lastline can detect these types of malicious activity.

The Traditional Way of the Firewall

Firewalls are designed to help us manage our North-South traffic, or traffic entering and exiting the network. As noted by CSO Online, the purpose of firewalls is to prevent unauthorized content and code from entering the network. Such functionality is not meant to interfere with the flow of data packets vital to the business.

Firewalls are fixtures in network defense strategies. Network World reports that an estimated 80 percent of us are running next-generation firewalls (NGFWs). Many of us use these tools to inspect traffic with the help of Deep Packet Inspection (DPI) and Intrusion Detection and Prevention Systems (IDPS).

How Things Have Changed

Firewalls might have provided sufficient security back in the 90s. But network traffic has evolved since then. Cisco’s Global Cloud Index made this point clear all the way back in 2014 when it noted that 76 percent of traffic traversed the data center in an East-West direction (Just 17 percent of traffic moved in a North-South direction at that time).

Even though East-West traffic is the predominant source of network traffic in the cloud, few of us use security controls to monitor this traffic. As Infosec consultant Manahil Ahmed Khan explained in a presentation for South Asian Network Operators Group (SANOG) 27, most security controls look exclusively at North-South traffic. Only about 10 percent of East-West traffic ever sees a security control.

Without proper safeguards, attackers can abuse a lack of East-West traffic visibility to move laterally around the network once they’ve slipped past a firewall. A previous blog post from Lastline highlighted how threat actors generally move laterally in one of two ways. In the first approach, they scan for open ports that are listening as well as machines that suffer from known security vulnerabilities. They then abuse those weaknesses to move laterally.

In the second method of lateral movement, digital attackers use a phishing email to infect a machine with a keylogger or another type of information stealer. This malware secretly collects credentials entered by the user on the infected machine and sends this data to the attackers. At this point, the threat actors leverage these details to impersonate the victimized user and authenticate themselves on legitimate services. They can then use access to look for other shares, credentials and privileges. Such information forms the basis for their ability to move laterally to other parts of the network so that they can compromise the intellectual property and/or customer data of their target.
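The first lateral-movement technique above, scanning neighbouring hosts for listening ports, is exactly the kind of activity that never crosses a perimeter firewall but is plainly visible in East-West flow records. The following is an added example (not Lastline's code, and not taken from the original post) of how a practitioner can surface it from cloud flow logs. The sample records are constructed and follow the AWS VPC Flow Logs default version-2 field order; the detector assumes the VPC uses RFC 1918 address space, keys each source by a fixed time window, and counts the distinct (destination, port) pairs that source touched together with the share of flows the security groups rejected.

```python
"""Flag East-West port/host scanning from VPC-style flow records.

Added example, not Lastline code. Sample records below are constructed and
use the AWS VPC Flow Logs default (version 2) field order.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: the VPC is addressed from RFC 1918 space. Checked explicitly
# rather than via ipaddress.is_private, which also returns True for the
# documentation ranges (203.0.113.0/24 and friends) used for the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.1.25 probes twelve ports on 10.0.2.10, then port 445
# on three neighbours, then talks to a public host; 10.0.1.40 is a normal app
# server with two East-West connections.
_PROBED_PORTS = (21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3306, 3389)
SAMPLE_FLOW_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.10 {51000 + i} {port} 6 1 60 "
     f"1600000000 1600000030 {'ACCEPT' if port in (22, 443) else 'REJECT'} OK"
     for i, port in enumerate(_PROBED_PORTS)]
    + [f"2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.{h} 52000 445 6 1 60 "
       f"1600000010 1600000040 REJECT OK" for h in (11, 12, 13)]
    + ["2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.5 53000 443 6 10 2000 "
       "1600000015 1600000045 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3e 10.0.1.40 10.0.2.10 40001 443 6 20 5000 "
       "1600000000 1600000030 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3e 10.0.1.40 10.0.2.50 40002 5432 6 50 9000 "
       "1600000005 1600000035 ACCEPT OK"]
)


def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        for f in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_east_west(src, dst):
    """Both endpoints inside the VPC: the traffic a perimeter firewall never sees."""
    return is_internal(src) and is_internal(dst)


def detect_lateral_scans(records, window_seconds=60, fanout_threshold=10):
    """Return {srcaddr: summary} for sources whose East-West fan-out, measured as
    distinct (dst, dstport) pairs within one window, reaches the threshold."""
    buckets = defaultdict(lambda: {"targets": set(), "hosts": set(),
                                   "rejects": 0, "flows": 0})
    for r in records:
        if not is_east_west(r["srcaddr"], r["dstaddr"]):
            continue  # North-South flows are the firewall's job, not ours
        b = buckets[(r["srcaddr"], r["start"] // window_seconds)]
        b["targets"].add((r["dstaddr"], r["dstport"]))
        b["hosts"].add(r["dstaddr"])
        b["flows"] += 1
        if r["action"] == "REJECT":
            b["rejects"] += 1

    alerts = {}
    for (src, window), b in buckets.items():
        fanout = len(b["targets"])
        if fanout >= fanout_threshold:
            # A high reject ratio alongside high fan-out is the signature of
            # probing closed ports rather than a chatty but legitimate service.
            alerts[src] = {"window_start": window * window_seconds,
                           "distinct_targets": fanout,
                           "distinct_hosts": len(b["hosts"]),
                           "reject_ratio": round(b["rejects"] / b["flows"], 2)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_lateral_scans(parse_flow_log(SAMPLE_FLOW_LOG)).items():
        print(f"possible lateral scan from {src}: {info}")
```

The threshold and window are starting points to tune against your own baseline; a vulnerability scanner or a service-discovery agent will trip the same rule, so allow-list those sources explicitly rather than raising the threshold until real scans slip under it.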

How We Can Better Monitor East-West Traffic in the Cloud

Some of us might look at the security gaps identified above and think that deploying additional firewalls to cover East-West traffic is an appropriate response. But it’s not. Raghu Raghuram, COO of products and cloud services at VMware, tells us why in an interview with Information Security Media Group:

“The nature of application traffic is that each application is broken up into many parts, sometimes tens or hundreds of components. If you were to use the same techniques that you use for controlling North-South traffic [from device into the cloud] and apply it to East-West traffic, then there would be a massive explosion in the number of firewalls you would need … and in the complexity of the routing that has to happen.”

Instead of adding to the complexity of both our networks and the challenge of defending them, we should focus on gaining visibility into all of the traffic our networks carry. We can do this by using Lastline Defender for Cloud to obtain critical visibility over our cloud environments. In particular, we can use this solution to inspect East-West as well as North-South network flows for potentially malicious content.

In addition to helping us monitor traffic, Lastline Defender can help block lateral movement. It does this by using Lastline's Global Threat Intelligence Network to scan metadata and payloads for known threats. It also uses unsupervised AI to detect protocol and traffic anomalies and supervised AI to create classifiers that recognize malicious network behaviors and previously unknown malware.

Learn more about how Lastline Defender can help monitor your East-West traffic in the cloud.

Suresh Kasinathan


Suresh Kasinathan has more than 20 years of experience in design, development, integration and deployment of cutting-edge products in the areas of public cloud, storage, virtualization and networking products. In his current role as a Principal Cloud Security Architect/Product Manager at Lastline, Suresh drives the strategy, roadmap and feature definitions for Lastline's Network Detection and Response solution for public cloud. Before joining Lastline, Suresh was a Principal Cloud Security Architect at Cavirin where he architected and implemented a public cloud cyberposture intelligence and continuous closed-loop security solution. Prior to Cavirin, Suresh was a Principal Cloud Security Architect at BlackRock Inc, a financial services company, where he hardened its AWS security posture. Before BlackRock, Suresh was a Principal Cloud Solution Architect at Microsoft where he helped big enterprises migrate their workloads to Azure. Suresh has also held engineering roles at Netgear, Cisco Systems and Netscape/AOL. He holds a Master's degree in Computer Science from Arizona State University.