Pre-runtime vulnerability scans or runtime protection: Which is better for your IaaS security?

Under Armour’s famous slogan sums up the mission perfectly: We Must Protect this House.

As adoption of cloud services continues, security teams must rethink the strategy for securing their Infrastructure as a Service (IaaS). But how do they protect this house while acknowledging the cloud has unique needs?

Shifting from on-premise to the cloud
Cloud servers require a different security approach, one that meets the speed and scale needed from modern production environments. Since most agent-based runtime protection solutions tend to diminish performance, organizations often choose to conduct only pre-runtime vulnerability scans for their workloads rather than implementing runtime protection.

This poses the question: pre-runtime or runtime protection, which is better for your IaaS security?

In an ideal world you should have both
A big advantage of pre-runtime security is it does not require an agent and therefore it has no impact on performance. In addition, pre-runtime scans are useful for detecting and fixing known vulnerabilities before deployment. However, known vulnerabilities are only one attack vector. There are many ways an attacker can get into the server, such as through credential stealing or misconfiguration, which is what we have seen often in previous attacks — for example the Capital One breach.

Perhaps the biggest disadvantage of pre-runtime security scanning is a lack of visibility into the production environment. Not knowing what processes, code or commands are running is problematic because it leaves organizations blind in runtime and does not detect actual breaches.

If we’re talking about coverage, then runtime protection is the better option because it defends against the full spectrum of threats.

The only question remaining is, what should be prioritized first?

Think of your IaaS as a house
While you can fix the locks on the doors (aka patch the basics) to eliminate simple threats, sophisticated perpetrators will still find a way to get in. We must assume that attackers are savvy and they will find gaps in cloud infrastructure and deployment.

Therefore, you install a security camera (equivalent to runtime protection) to gain full visibility inside the house. Having full visibility is great but of course you will still want to secure the locks or continue to patch the basics.

Since there are benefits to both controls, the question still remains what should be prioritized first?

CI/CD process
Another advantage of runtime protection is the ease of implementation and the speed of onboarding. Pre-runtime solutions can be a big undertaking in the CI/CD process because they can interfere with the developers’ processes and agile code development. This can take up significant time because not only do you need buy-in from the developers who might not have security as their top priority but you also need to fix all the detected vulnerabilities before you can really gain value. Many CISOs describe such processes as at least a two year project. However, with a good runtime protection solution security teams can be fully ramped up in less than 24 hours.

If you are a small team, such as a startup, and integrating into the CI/CD process is easy in your organization, then prioritize pre-runtime protection to tackle vulnerabilities in your code. That way, your IaaS might not suffer from internet wide spray-and-pray campaigns. On the other hand, if your IaaS might be specifically targeted or you are a part of an enterprise where integrations might be slower, prioritize runtime security to gain visibility and breach protection capabilities as quickly as possible.

Conclusion
Cloud use is growing which means more sensitive data is being stored there. Traditional solutions for protecting endpoints and servers do not translate well to today’s cloud environments which require speed, scale and container awareness. For all of its strengths, pre-runtime vulnerability scans should not be relied on solely to protect cloud workloads because they cover only one attack vector and leave security teams blind in runtime. Runtime protection, on the other hand, detects actual breaches without a limit to a single attack vector.

When given the choice, we believe that runtime protection provides a better return on investment (ROI) since it covers a wider range of threats and is usually much faster to implement. Organizations that have the resources should utilize both methods if they want to stay protected against a wider scope of threats and reduce their attack surface.

We can’t help but wonder if Under Armour knew their famous slogan would apply to cloud security back when they founded the company more than 20 years ago.

To learn more IaaS security watch the recording to our latest webinar with SANS. Watch now

Request free access to our Cloud Workload Protection Platform (CWPP) which defends in runtime against unauthorized and malicious code: intezer.com/intezer-protect/

Intezer

Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.