Bogdan Botezatu, senior e-threat analyst at Bitdefender, explains the benefits hyperconvergence can offer businesses, but also the cybersecurity issues it can present.
It is no secret that the cybersecurity landscape is evolving at a rate of knots. Enterprise security professionals are finding themselves faced with an intensifying range of attacks, both in terms of scale and sophistication. This issue is compounded by higher reputational and financial stakes than ever for companies that find themselves to be breach victims, along with stretched resources and security budgets. In fact, research from Bitdefender shows that companies are only able to stop, or even detect, 64% of cyberattacks with their current resources.
As organisations look to scale and develop within the fast-moving world of modern business, virtualised environments and hyperconverged infrastructures are becoming increasingly commonplace. The idea behind hyperconvergence is the simplification of the operation and management of data centres, through combining the computing, storage and networking components of the data centre into a single, software-driven appliance. The simplification comes from the fact that the technology providing this capability comes from a single vendor.
However, alongside the clear benefits that hyperconvergence can offer businesses, the strategy brings with it a range of additional security considerations and threats. In particular, the widespread utilisation of Advanced Persistent Threats (APTs) by malicious actors requires a mitigation strategy that extends way beyond the capabilities of traditional endpoint security software. So, how do APTs work? And, more importantly, how can enterprise security teams detect and combat them?
Combating APTs – virtually impossible?
APTs work by exploiting vulnerabilities in either popular applications or in the operating system itself, to gain persistence on a targeted machine. Persistence means that, regardless of whether traditional security solutions are in place, the advanced piece of malware can evade detection and even disable security mechanisms to exfiltrate data or perform cyber-espionage.
Rootkits and bootkits, for example, are highly sophisticated malware that can compromise guest virtual machines (VMs) and remain persistent in the background of the operating system for long periods of time, making detection particularly difficult for traditional security solutions. In this instance, traditional AV solutions and advanced malware end up fighting for control of privilege and visibility within the operating system, leading to an endless battle.
The other issue that APTs present is the ‘zero-day’ factor – never-seen-before samples of unknown malware that target unpatched vulnerabilities in an operating system or popular application. The traditional cybersecurity industry approach to dealing with malware has been to identify new strains as soon as possible and neutralise them, often using techniques such as machine learning algorithms to categorise unknown malware samples based on similar features such as signatures and behavioural heuristics.
However, this approach is largely ineffective in dealing with APTs. That is because malicious actors employ memory manipulation techniques that cause legitimate applications to behave illegitimately, and this is not something that is currently detectable via traditional AV tools. So, the challenge is twofold: a new attack surface, in the form of the hyperconverged infrastructure, and threats that are almost undetectable with existing tools. A new approach is required.
Solutions that live up to the hype
The most important step for security professionals in protecting virtualised environments is to implement a dedicated solution to do so. This tool should work at the hypervisor level, inspecting raw guest memory from outside the VM rather than relying on an agent inside the operating system, and incorporate machine learning to predict, prevent, detect and remediate known and unknown threats, including advanced attacks. The best solutions of this nature are optimised for virtualisation, but do not make any compromises on protecting the entire data centre, including physical servers, desktops, laptops or mobile devices that are part of the environment.
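The memory manipulation described in the previous section (legitimate applications made to run code that was never part of them) leaves traces in a process's memory layout that an introspection engine can look for without trusting anything inside the guest. The following is an added example, not code from the article or from any Bitdefender product: a simplified model of that check, run over a constructed /proc/PID/maps-style snapshot embedded in the script. A real hypervisor-level engine reads the guest's page tables and memory through the hypervisor rather than from /proc, but the indicators it applies are the same standard memory-forensics ones modelled here: executable memory not backed by any file, memory that is writable and executable at once, and executable memory loaded from a temporary path. The process name and paths in the sample are constructed.

```python
"""Added example (not from the article): a simplified model of the memory-layout
check a hypervisor-level introspection engine performs on a guest process, run
over a constructed /proc/<pid>/maps-style snapshot.

Heuristics (standard memory-forensics indicators):
  1. executable regions not backed by a file on disk (injected code usually
     lives in anonymous RX memory);
  2. regions mapped writable AND executable at once (W^X violation);
  3. executable regions backed by a file in a temporary location.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Region:
    start: int
    end: int
    perms: str      # e.g. "r-xp"
    path: str       # "" for anonymous mappings, "[heap]"/"[stack]" for pseudo-paths


# Constructed snapshot: a normal text segment, a shared library, heap and stack,
# plus three regions modelled on what code injection leaves behind.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example-app
00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/example-app
01a00000-01a21000 rw-p 00000000 00:00 0    [heap]
7f3b2c000000-7f3b2c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f3b2d000000-7f3b2d010000 rwxp 00000000 00:00 0
7f3b2e000000-7f3b2e004000 r-xp 00000000 00:00 0
7f3b2f000000-7f3b2f002000 r-xp 00000000 08:01 9999 /tmp/.x/payload.so
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0    [stack]
"""

TEMP_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_maps(text: str) -> List[Region]:
    """Parse maps-style lines (address range, perms, offset, dev, inode, path)."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        start_s, end_s = parts[0].split("-")
        path = parts[5].strip() if len(parts) > 5 else ""
        regions.append(Region(int(start_s, 16), int(end_s, 16), parts[1], path))
    return regions


def is_file_backed(region: Region) -> bool:
    """Only absolute paths are files on disk; [heap], [stack] and "" are not."""
    return region.path.startswith("/")


def find_suspicious(regions: List[Region]) -> List[Tuple[str, Region]]:
    """Return (reason, region) pairs for every region that trips a heuristic."""
    findings = []
    for r in regions:
        executable = "x" in r.perms
        writable = "w" in r.perms
        if executable and writable:
            findings.append(("writable+executable", r))
        elif executable and not is_file_backed(r):
            findings.append(("anonymous executable", r))
        elif executable and r.path.startswith(TEMP_PREFIXES):
            findings.append(("executable from temp path", r))
    return findings


def scan(text: str) -> List[str]:
    """Parse a snapshot and return human-readable findings, one per region."""
    return [f"{reason}: {r.start:#x}-{r.end:#x} {r.perms} {r.path or '<anon>'}"
            for reason, r in find_suspicious(parse_maps(text))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_MAPS):
        print(finding)
```

Running the script against the constructed snapshot reports three regions (the RWX anonymous block, the RX anonymous block and the library loaded from /tmp) and stays silent on the application's own text segment and libc. The point of doing this from the hypervisor is that the heuristics do not depend on any in-guest component that a rootkit could disable, which is the privilege battle the earlier section describes.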
A key consideration when looking at any security solution for a hyperconverged data centre is its potential impact on the performance of applications – any delays caused can have a significant impact on productivity and overall bottom line. Therefore, any effect on performance must be minimal; otherwise, the benefit of strong security will be offset by the lower level of performance in the data centre, and this is a compromise that no business should have to make.
Hyperconvergence technology offers enterprises a unique opportunity to transform their data centres, turning them into more efficient and higher performing IT assets that support a more agile, fluid business. At the same time, a perfect balance must be struck between optimal security measures that still allow the benefits of a software-defined data centre to shine through.