The trend in cloud solutions is progressing unabated and does not stop with cybersecurity. Time for the team of Tabidus Technology to take a critical look at the pros and cons of this approach.
For years, companies have increasingly relied on clouds to provide their data and parts of their IT infrastructure more flexibly and cost-effectively. Many cybersecurity vendors have also discovered this trend and are moving their security mechanisms and other services to their own data centres rather than running them on-premises at their customers’ locations.
The use of clouds over local networks is generally a controversial topic. Though there are many benefits, there is also a dark side. How does this work in the case of antivirus vendors? What should be considered when using security mechanisms from the cloud? The IT security association Tabidus Technology (www.tabidus.com) has dealt with the most important aspects around this topic and provides insight behind the scenes:
Smaller updates and faster response
The first use of clouds by antivirus vendors resulted from the steady increase of malware in the cyberworld. This increase meant vendors required an ever-growing body of knowledge, which had to be delivered in the form of virus signature updates. At some point the update packages reached a size that was difficult to deliver.
The use of a cloud solves this problem and at the same time represents another advantage. Instead of the entire knowledge of a security vendor, only the most important information is provided by download. The remainder is available on demand in the cloud and is queried by the local security technology only when required. This not only reduces the size of the update packages to be downloaded, but also provides new information faster. While the delivery of a new package can take several hours, the data in the cloud can be immediately updated and made available. This is particularly important for zero-day threats.
Advanced examination techniques
Identifying current malware requires advanced security technologies such as sandboxing or machine learning. However, these technological approaches require appropriate equipment and know-how that is not available to every customer.
Antivirus vendors therefore operate a range of extended examination options in their data centres that go beyond classic virus signatures. These are supplemented by a team of virus analysts who take care of the current threat landscape around the clock. By using a cloud, these additional techniques and the know-how of the experts are made available to customers automatically.
Security through the community
In addition to using advanced approaches for malware detection, community thinking also plays a vital role in a cloud. Typically, a security vendor uses a whole range of data centres in different areas. With these, the vendor receives a broad range of feedback from its customers which it can then bundle.
The advantage of this is that global patterns can be detected. Depending on which hash values appear in which regions, and how they spread over time, conclusions can be drawn and new threats identified. The community approach also has the great advantage that one customer can benefit from the damage sustained by another. When new malware circulates in one part of the world, that information immediately becomes available to all other customers worldwide, and they are prepared before the threat reaches them.
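To make the "global pattern" idea concrete, here is an added example (not Tabidus code and not any vendor's real pipeline) of the cloud-side aggregation step: sensors report the first sighting of a file hash together with a timestamp and region, and the cloud flags hashes that show up in several regions within a short window of their first appearance. Region names, timestamps and file hashes are all constructed for the example; the thresholds are assumptions.

```python
"""Cloud-side telemetry aggregation, illustrative only (added example, not
Tabidus code).  Each sensor reports (timestamp, region, sha256) when it first
sees a file; the cloud bundles the reports and flags hashes spreading across
regions.  All events, regions and hashes below are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample hashes (real SHA-256 digests of constructed bytes).
H1 = hashlib.sha256(b"constructed sample 1").hexdigest()
H2 = hashlib.sha256(b"constructed sample 2").hexdigest()
H3 = hashlib.sha256(b"constructed sample 3").hexdigest()

# Constructed telemetry feed: (UTC timestamp, reporting region, SHA-256).
TELEMETRY = [
    ("2024-03-01T08:00:00", "eu-central", H1),
    ("2024-03-01T09:30:00", "us-east",    H1),
    ("2024-03-01T11:00:00", "ap-south",   H1),   # H1: 3 regions within 3 h
    ("2024-03-01T08:15:00", "eu-central", H2),
    ("2024-03-01T10:00:00", "eu-central", H2),   # H2: one region only
    ("2024-03-01T07:00:00", "us-east",    H3),
    ("2024-03-01T20:00:00", "ap-south",   H3),
    ("2024-03-01T21:00:00", "eu-west",    H3),   # H3: spreads, but slowly
]


def parse(events):
    """Convert ISO timestamps to datetime objects."""
    return [(datetime.fromisoformat(ts), region, h) for ts, region, h in events]


def spreading_hashes(events, min_regions=3, window_hours=6.0):
    """Return {sha256: (first_seen_iso, sorted regions)} for every hash seen in
    at least `min_regions` distinct regions within `window_hours` of its first
    sighting.  Thresholds are constructed policy values, not vendor settings."""
    window = timedelta(hours=window_hours)
    by_hash = defaultdict(list)
    for ts, region, h in sorted(parse(events)):
        by_hash[h].append((ts, region))

    flagged = {}
    for h, sightings in by_hash.items():
        first_seen = sightings[0][0]            # sorted, so earliest is first
        regions = {r for ts, r in sightings if ts - first_seen <= window}
        if len(regions) >= min_regions:
            flagged[h] = (first_seen.isoformat(), sorted(regions))
    return flagged


def community_blocklist(events, **policy):
    """The set of hashes every customer would receive as a new indicator."""
    return set(spreading_hashes(events, **policy))


if __name__ == "__main__":
    for h, (first_seen, regions) in spreading_hashes(TELEMETRY).items():
        print(f"{h[:12]}... first seen {first_seen} in {', '.join(regions)}")
```

The same feed evaluated with a looser policy (fewer regions, longer window) also catches the slowly spreading hash, which is the trade-off a vendor tunes: a tighter window reacts faster to fast-moving campaigns, a wider one catches slow ones at the cost of more false positives.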
Clearly, there are significant advantages to the use of cloud technology in cybersecurity. Nonetheless, there are also downsides which must be considered.
The Connection is Broken: What Now?
Cloud solutions operate within the data centres of the respective provider. As a result, the cloud needs to be reached over network connections to use it. But what happens if this is not possible?
There can be many reasons for this: not only a complete failure of the Internet connection, but also individual routing problems at the Internet provider. Cutting the connection to the cloud can also be a specific target for malware and hackers. By blocking an entire network protocol or specific addresses and ports, the flow of information from the cloud is quickly disrupted.
How much protection remains available locally in the event of a cloud failure depends on the respective vendor. For cloud-only solutions, however, this quickly becomes a big problem, as the broken connection also removes all protection.
Speed is the Key
A variety of examination methods are used to monitor and detect threats. These can range from scheduled on-demand scans to on-access real-time monitoring. When using security techniques from the cloud, questions must be raised as to which is suitable for the respective field of application.
The essential aspect is the speed at which a cloud query takes place. In most cases, a local component must trigger the process, transfer data to the cloud, and receive a result from there. This can take just a few seconds. In those application areas where the processing time can be neglected, such as scheduled scans or checking emails, this may be sufficient. In the case of real-time monitoring, where every millisecond is important, cloud-based techniques have clear disadvantages. A local technology situated within the computer’s high-performance memory is far superior to network transmission.
Which Data Stays?
An important aspect when using cloud solutions is the data transfer. Which network protocol is used to upload which information from my local network to the provider’s data centre?
In this context, there are various possibilities that are handled differently from provider to provider and depending on the requirements of the security technology. In one case, only a hash value is transmitted and a result is queried. In another, the complete file is uploaded for analysis. The transfer may also include additional information such as a customer ID, the operating system used, installed software, or specific events required to assess security status.
It is therefore necessary to clarify what the respective provider transmits. Do I agree that my own development work or a sensitive document may be copied to the vendor’s data centre without my immediate consent? In which country is my data stored, and is this lawful for me?
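The three practical questions raised in the last sections (what happens when the cloud connection is gone, how much delay each scan type can tolerate, and what actually leaves the machine) come together in one added example, written for this page and not taken from Tabidus or any vendor. It models a local component that checks a compact local signature set first, then queries a cloud reputation service with nothing but the file's SHA-256, applies a deadline that differs between on-access and scheduled scanning, and falls back to the local verdict rather than to no protection when the cloud is unreachable or too slow. The cloud service is simulated in-process; signature contents, deadline values and sample files are all constructed.

```python
"""Hybrid local/cloud verdict lookup, illustrative only (added example, not
Tabidus code).  The cloud service, signatures, deadlines and sample files are
constructed; the structure is what the example is about."""
import hashlib


class CloudReputation:
    """Stand-in for a vendor's cloud lookup service; all behaviour is simulated."""

    def __init__(self, verdicts, latency_s=0.01, reachable=True):
        self.verdicts = verdicts        # {sha256: "malicious" | "clean"}
        self.latency_s = latency_s      # simulated round-trip time
        self.reachable = reachable      # False models a cut or blocked connection
        self.requests = []              # everything that crossed the "network"

    def lookup(self, sha256, deadline_s):
        """Return a verdict, or None when the query cannot complete in time."""
        self.requests.append(sha256)    # the hash is the only thing transmitted
        if not self.reachable or self.latency_s > deadline_s:
            return None                 # unreachable, or too slow for the caller
        return self.verdicts.get(sha256, "unknown")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Compact local signature set: the "most important information" delivered by
# download.  Contents constructed for the example.
LOCAL_SIGNATURES = {
    sha256_hex(b"constructed sample: well-known worm"): "malicious",
}

# Maximum time a cloud query may take, per field of application.  Constructed
# values; the point is that on-access checks tolerate far less delay than
# scheduled scans do.
DEADLINES_S = {"on-access": 0.05, "scheduled": 5.0}


def scan(data, cloud, mode="on-access"):
    """Classify `data` with local knowledge first, then the cloud; if the cloud
    cannot answer in time, fall back to the local verdict, never to nothing."""
    sha = sha256_hex(data)
    local = LOCAL_SIGNATURES.get(sha)
    if local == "malicious":
        # Local hit: answer at memory speed, no network traffic at all.
        return {"sha256": sha, "verdict": "malicious", "source": "local"}
    cloud_verdict = cloud.lookup(sha, DEADLINES_S[mode])
    if cloud_verdict is None:
        return {"sha256": sha, "verdict": local or "unknown",
                "source": "local-fallback"}
    return {"sha256": sha, "verdict": cloud_verdict, "source": "cloud"}


def only_hashes_transmitted(cloud):
    """Audit helper: True if every request the cloud saw was a bare SHA-256."""
    return all(isinstance(r, str) and len(r) == 64
               and all(c in "0123456789abcdef" for c in r)
               for r in cloud.requests)


if __name__ == "__main__":
    zero_day = sha256_hex(b"constructed sample: fresh zero-day")
    cloud = CloudReputation({zero_day: "malicious"})
    for payload in (b"constructed sample: well-known worm",
                    b"constructed sample: fresh zero-day",
                    b"constructed sample: harmless document"):
        print(scan(payload, cloud, mode="scheduled"))
    print("only hashes left the machine:", only_hashes_transmitted(cloud))
```

Two things to check when evaluating a real product against this model: whether the fallback branch exists at all (a cloud-only product has no `LOCAL_SIGNATURES` to fall back on), and whether `requests` would really contain only hashes, or also file contents and inventory data, which is the question the "Which Data Stays?" section asks.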
The use of cloud-based security mechanisms has many security benefits and can have a positive impact on threat detection. However, be careful and check which data transfer is required for it. Do not use cloud-only approaches and choose the cloud service that best suits the application area. Detailed information about the cloud usage of the respective provider should be considered and ideally several independent vendors should be used in order to achieve the maximum detection rate and reliability.
If you want to know more about modern threat detection and the benefits of the agile method of malware protection, we recommend our whitepaper “Keeping Your Data Safe: Threat Detection Optimisation For Enterprises”. Simply click below for your free copy:
Keeping Your Data Safe: Threat Detection Optimisation For Enterprises