
Cymulate Threat Research: Security Monitoring Efficacy of Cloud-Native Kubernetes

The Cymulate Threat Research Group has published its latest report, focusing on the effectiveness of native cloud provider monitoring and security solutions when defending Kubernetes infrastructure hosted in cloud environments. The full report is available here; this blog post serves as a summary of that report.

Key Takeaways: Native Defenses Essential but Not Enough

Cloud-based Kubernetes defense may (and should) start with the available native tools, but it cannot end there. While the native tools provided by each major cloud provider do add value to cybersecurity resilience, by themselves they exhibit significant gaps in detection and alerting on Kubernetes-specific threat activity. As detailed in this post and expanded on in the research report, native tools have yet to include essential logging and alerting for key attack surfaces found in Kubernetes environments. This can lead both to missed evidence of attack activity and to threat actors gaining greater dwell time within the environment, giving them more opportunity to cause damage, theft, and disruption.

Primary Findings: 13.3 Percent Average Detection Rate

The Cymulate Threat Research Group performed 14 Kubernetes-specific threat activities against each of the three major cloud providers’ native Kubernetes offerings. Each environment was configured with that provider’s recommended settings, using Kubernetes-specific settings wherever such guidance was published and available. Each environment was reviewed either by the cloud provider itself or by a third party authorized by the provider to perform such reviews.

Native cloud security solutions showed a varying, and worryingly low, degree of efficacy when used as the sole monitoring and alerting system for Kubernetes. Overall, the detection rate across the three providers ranged from 6.6 percent to 20 percent successful defense, with an average of 13.3 percent across all attacks and vendors combined.

Deficiencies were identified in each of the 14 threat activities. For every activity tested, at least one of the three largest providers of cloud Kubernetes infrastructure permitted it and/or failed to log it, and in eight of the threat simulations all three providers failed to log sufficient information to identify the threat activity. The Cymulate Threat Research Group determined that all three major providers would require additional tools and technologies to properly maintain cybersecurity resilience for cloud Kubernetes environments, even though their native tools were able to monitor and alert effectively on other forms of cloud-specific threat activity.

Conclusions: Cloud-Native Kubernetes Requires Similar Tooling to On-Prem Deployments

While the native tools within the three major cloud providers are not sufficient to properly protect a Kubernetes infrastructure, this is not a declaration of deficiency on the part of any of these providers. Each cloud provider noted, and documented in its available knowledge bases and other documentation, that the natively provided monitoring tools were designed to ensure the resilience of the cloud platform and infrastructure itself. None of the providers claimed that native tools alone would be sufficient to provide complete cybersecurity resilience for any and all infrastructure that could be hosted within their cloud platforms.

The research makes clear that Kubernetes infrastructure hosted with cloud providers requires the same tooling, monitoring, and operational techniques used to secure Kubernetes in on-prem environments. Such tools should feed their output into the native logging and alerting systems whenever possible, with corresponding correlation rules and alerts configured manually to ensure coverage.

Final Thoughts: Role of Security Validation for Kubernetes and Cloud

The Cymulate Threat Research Group report on Kubernetes monitoring and security in cloud provider infrastructure (available here) goes into significant detail on the exact configuration(s) used with each cloud provider, as well as the witnessed and expected outcomes of each scenario performed. It should be noted, however, that the sequence of testing scenarios used is far from exhaustive; it is meant to highlight the issues discovered when relying only on cloud-native toolsets to perform cybersecurity resilience operations.

Any Kubernetes environment, whether hosted on-prem or within a cloud provider, should be routinely tested and validated with breach and attack simulation and automated red teaming tools, both at initial deployment and over time. The Cymulate Platform, with tools for attack surface management, breach and attack simulation, and continuous automated red teaming (including multiple testing methods and scenarios specific to Kubernetes), provides a well-rounded methodology for performing such testing and validation. The Cymulate solution for cloud security validation helps ensure that any third-party tools work harmoniously with native tools to provide effective cybersecurity resilience across Kubernetes and many other forms of infrastructure, no matter where they are hosted.
