
Let’s clear the cloud visibility haze with app awareness

by Helen J. Wolf

Increasingly, organizations are moving towards the cloud, initiating new born-in-the-cloud architectures and migrating existing applications to Infrastructure-as-a-Service (IaaS) providers and hybrid clouds via lift and shift or refactoring.

With this transition, they are scaling deployments with more servers and VMs, running high-capacity links, leveraging containers, and routinely adding new observation, security, and monitoring tools.

Furthermore, they often run hundreds or even thousands of apps which, unknown to IT, may include rogue software such as crypto miners or BitTorrent clients. With increasing amounts of application-centric data, it is difficult for IT teams and tools to focus on the most useful activity and avoid wasting resources handling irrelevant traffic.


We often inundate security, observability, compliance, and network monitoring tools with low-risk, low-value traffic, rendering them less effective and requiring extreme scaling. In addition, false positives and warnings can overwhelm the teams at NetOps, CloudOps, and SecOps, obscuring the root causes of network and application performance issues and the real threats hidden in volumes of undifferentiated traffic.

Traditionally, IT teams have taken arduous steps to identify applications from network traffic, either by mapping ports to specific applications or by writing regular expressions that inspect traffic patterns to identify apps.

Such manual solutions come with their challenges. For example, when changes occur, such as increasing application usage or introducing new applications, NetOps teams must update the network segmentation.

And app updates can change traffic patterns and behavior, meaning IT must constantly test and update their regex signatures. Implementing such contingency measures is difficult for the cloud, if not impossible.

Until now, it has been difficult to isolate cloud traffic by application type and specify whether or not tools inspect it. Visibility is siloed, and filtering options often stop at Layer 4 elements, forcing organizations to route all traffic through their devices or risk missing potential threats.

However, it is inefficient and costly to have every tool (intrusion detection system, data loss prevention, advanced threat detection, network analysis, forensics, etc.) inspect packets to filter out irrelevant traffic, as most tool prices are based on traffic volume and processing load.

Although packet brokering can reduce traffic, it requires programming knowledge to enforce complex rules. And while some systems provide a level of application filtering, it is difficult to use, identifies a limited number of applications, and typically does not share this understanding with other tools. In addition, the filters require ongoing maintenance to keep up with changing application behavior.

A cloud suite with Application Filtering Intelligence (AFI) can bring application awareness to multi-cloud environments. Both public clouds (AWS and Azure) and private clouds (VMware and Nutanix) are covered.

A cloud suite automatically extends Layer 7 visibility to identify over 3,500 common business and network applications traversing the network. It lets IT select and deliver only high-value or high-risk data based on application, location, and activity.

Look for an AFI whose application categories update automatically as the landscape evolves. This allows a team to act on a “family” of applications instead of setting policies for individual apps. Examples of application families include antivirus, audio/video, database, ERP, gaming, messenger, peer-to-peer, telephony, webmail, and dozens of others.

Each tool is more efficient because it no longer needs to store and process large amounts of irrelevant traffic. NetOps can extend existing tools by prioritizing only core business applications and speeding the investigation of network and application performance issues with easier data isolation.

SecOps teams can extend current tools to a larger attack surface, securing more of the network and preventing sensitive data, such as personally identifiable information (PII), from being forwarded to monitoring and recording tools. For more information on how to take advantage of AFI, please refer to this document.
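The family-based policy described above, as an added example that is not part of the original article or any vendor's product: flow records already tagged with an identified application are mapped to an assumed family table, routed only to the tools whose policy names that family, and stripped of assumed PII fields before forwarding.

```python
"""Family-based application filtering over identified flow records (constructed example)."""

# Constructed app-to-family table standing in for the categorization an AFI maintains.
APP_FAMILY = {
    "mysql": "database", "postgres": "database", "sap": "erp",
    "zoom": "audio/video", "spotify": "audio/video", "steam": "gaming",
    "bittorrent": "peer-to-peer", "xmrig": "crypto-mining", "sip": "telephony",
}

# Assumed policy: which application families each tool should receive.
# Unidentified traffic goes to the IDS only, so nothing unknown is silently dropped.
TOOL_POLICY = {
    "ids": {"peer-to-peer", "crypto-mining", "database", "erp", "unknown"},
    "dlp": {"database", "erp", "webmail"},
    "apm": {"database", "erp"},
}

# Assumed record fields that must never reach monitoring or recording tools.
PII_FIELDS = {"username", "email"}


def classify(app: str) -> str:
    """Map an identified application name to its family ('unknown' if unlisted)."""
    return APP_FAMILY.get(app, "unknown")


def route(record: dict) -> dict:
    """Return {tool: scrubbed_record} for every tool whose policy matches the family."""
    family = classify(record["app"])
    out = {}
    for tool, families in TOOL_POLICY.items():
        if family in families:
            scrubbed = {k: v for k, v in record.items() if k not in PII_FIELDS}
            scrubbed["family"] = family
            out[tool] = scrubbed
    return out


def forwarded_fraction(records: list) -> float:
    """Share of records that reach at least one tool (the rest are filtered out)."""
    return sum(1 for r in records if route(r)) / len(records)


# Constructed sample flows: some high-value, some low-value by policy.
SAMPLE = [
    {"app": "mysql", "src": "10.0.1.5", "username": "alice"},
    {"app": "zoom", "src": "10.0.1.6"}, {"app": "steam", "src": "10.0.1.7"},
    {"app": "xmrig", "src": "10.0.1.8"}, {"app": "spotify", "src": "10.0.1.9"},
    {"app": "sap", "src": "10.0.1.10", "email": "bob@example.com"},
]
```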

Not only is identifying applications a serious challenge in the cloud, but getting even basic metadata, such as NetFlow, is problematic in public IaaS. At most, IT can derive basic information, such as which IP addresses are used and by whom, along with port and protocol information.

But what is needed is summarized, context-aware information about raw packets, based on layers 4-7, that provides insights into user behavior, security breaches, customer experience, and infrastructure health.

Advanced metadata attributes increase visibility into the application layers and support a comprehensive approach to understanding application behavior. When deploying workloads in the cloud, IT can gain critical flow details, reduce false positives by separating signal from noise, identify nefarious data extraction, and accelerate threat detection through proactive, real-time traffic monitoring and forensic troubleshooting.

Observability and SIEM solutions use this information to correlate and analyze log data from servers and security devices. Network security and monitoring tools leverage this metadata to provide the insight and analytics needed to manage the opportunities and risks of cloud deployments.

And administrators can automate anomaly detection, stop cyber threats that overcome perimeter or endpoint protection, identify bottlenecks, and understand latency issues.

Based on layers 4-7, Application Metadata Intelligence (AMI) delivers over 5,000 metadata attributes to network and security tools, shedding light on application performance, customer experience, and security. Products from leading vendors extract these elements and add them to NetFlow and IPFIX records. Records include:

- Identification: social media users, file and video names, SQL requests.
- HTTP: URL identifier, command response codes.
- DNS parameters: 39 elements, including request/response, queries, and device IDs.
- Email: IMAP and SMTP communications with sender and recipient addresses.
- Service identification: audio, video, chat, and file transfers for VoIP and messaging.
- Customer/network awareness: VoIP (SIP, RTP) and mobile (GTP, HTTP/2) monitoring/signaling and user/data plane sessions.

Advanced L7 metadata can be applied in various use cases. AMI's main commitment is to provide metadata to SIEM and security analytics/observability tools. This can help to:

- Identify the use of weak ciphers and expired TLS certificates.
- Investigate suspicious network activity by detecting unauthorized remote connections, bandwidth usage, connection duration, or an unusual number of SSH, RDP, or Telnet sessions.
- Detect data exfiltration by monitoring the volume and types of DNS requests involved in DNS tunneling and evaluating the legitimacy of the domains.
- Determine the origin of security breaches with time-window analysis of Kerberos, SMB, and HTTP usage to isolate the lateral and post-compromise activity that led to an incident.
- Find suspicious behavior that indicates compromised credentials or brute-force attacks, such as high-privilege user activity, logins from unauthorized systems or multiple hosts, and HTTP client errors.
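Three of the use cases above (weak or expired TLS, an unusual number of remote-admin sessions, and DNS tunneling indicators) as detection rules over L7-enriched flow metadata. This is an added example, not the article's or any vendor's code; the record field names, thresholds and sample records are all assumptions constructed for the example.

```python
"""Detection rules over L7-enriched flow records (assumed schema, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

WEAK_CIPHERS = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
REMOTE_ADMIN = {"ssh", "rdp", "telnet"}
SESSION_THRESHOLD = 5   # assumed: more admin sessions than this from one host is unusual
DNS_LABEL_LIMIT = 40    # assumed: subdomain labels longer than this are unusual
DNS_COUNT_LIMIT = 3     # assumed: this many long-label queries per domain raise a finding


def check_tls(rec: dict, now: datetime) -> list:
    """Flag a weak cipher or an already-expired certificate on one TLS record."""
    findings = []
    if rec.get("tls_cipher") in WEAK_CIPHERS:
        findings.append(("weak_cipher", rec["src"], rec["dst"]))
    not_after = rec.get("tls_not_after")
    if not_after and datetime.fromisoformat(not_after) < now:
        findings.append(("expired_cert", rec["src"], rec["dst"]))
    return findings


def check_admin_sessions(records: list) -> list:
    """Hosts that opened more SSH/RDP/Telnet sessions than the threshold."""
    per_src = Counter(r["src"] for r in records if r.get("app") in REMOTE_ADMIN)
    return [("many_admin_sessions", s, n) for s, n in per_src.items() if n > SESSION_THRESHOLD]


def check_dns_tunnel(records: list) -> list:
    """Per registered domain, count queries whose subdomain labels are very long."""
    long_queries = defaultdict(int)
    for r in records:
        qname = r.get("dns_qname")
        if not qname:
            continue
        labels = qname.rstrip(".").split(".")
        if any(len(label) > DNS_LABEL_LIMIT for label in labels[:-2]):
            long_queries[".".join(labels[-2:])] += 1
    return [("dns_tunnel_suspect", d, n) for d, n in long_queries.items() if n >= DNS_COUNT_LIMIT]


def run_rules(records: list, now_iso: str = None) -> list:
    """Apply all rules; `now_iso` pins the clock so results are reproducible."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = [f for r in records for f in check_tls(r, now)]
    return findings + check_admin_sessions(records) + check_dns_tunnel(records)


SAMPLE = [  # constructed records
    {"src": "10.0.1.5", "dst": "10.0.2.9", "app": "https", "tls_cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "tls_not_after": "2023-01-01T00:00:00+00:00"},
    *[{"src": "10.0.1.7", "dst": f"10.0.3.{i}", "app": "ssh"} for i in range(8)],
    *[{"src": "10.0.1.8", "dst": "10.0.0.53", "app": "dns", "dns_qname": f"{'a' * 48}{i}.exfil.example"} for i in range(3)],
    {"src": "10.0.1.9", "dst": "10.0.0.53", "app": "dns", "dns_qname": "www.example.com"},
]
```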

While IaaS and private cloud orchestration and management platforms are remarkably resilient, dynamic, and highly scalable, they do not provide the next-generation network packet brokers (NGNPB) and deep observability pipeline that advanced solutions offer.

These brokers collect, filter, and distribute all traffic to the appropriate security and network tools and provide the computing power behind AFI and AMI.
