Cloud-native environments and applications deliver unprecedented agility and scalability in a business climate that demands speed. However, they also introduce extraordinary security challenges that require more rapid event detection and response than the traditional on-premises world. Data often travels through multiple services and storage solutions, leaving security analysts to sift through an extensive data trail of logs from multiple cloud services.
Automation is one of the key benefits of cloud environments, but cybercriminals can use the same tools to accelerate the velocity of their attacks. Dwell time – or the period between initial access and an attack – is measured in days in on-premises infrastructure but mere minutes in the cloud. Effective detection and response require granular visibility across multiple environments, connected SaaS applications, and third-party data sources.
The bespoke nature of traditional data centers makes them more difficult to compromise, notes Crystal Morin, a cybersecurity strategist at Sysdig. “Knowledge of on-premises environments must be developed on a case-by-case basis,” she said. “Cloud environments, though, are more consistent, even across providers. That makes the cloud easier to understand and secure, but it also means attackers know what to look for and how to get what they want.”
Attackers can also exploit the automation, scripting, and APIs inherent in cloud-native architectures to discover information about the cloud environment more rapidly than is possible in unfamiliar on-premises infrastructure. “What works in one cloud is likely to work in another with only slight modifications,” Morin said.
That makes it possible for attackers to move much faster. A recent Sysdig Threat Research Team report found that attackers with stolen credentials can inflict damage in as little as 10 minutes. Traditional detection and response mechanisms can’t match that speed. “If we are manually responding to automated adversarial behaviors, we’ve already lost,” Morin said.
“An effective cloud security defense requires deep observability and proactive speed. Log analysis is an essential defense strategy. Cloud providers collect massive amounts of data about activity in their systems in their network, database and transaction logs. That’s a source of valuable intelligence, but harmonizing log data across multiple providers and tools is a challenge.” Real-time monitoring, deep observability, and automation are needed to detect threat actors as they enter an environment so they can be isolated and shut down.
One factor favoring defenders is that cloud cyberattacks follow a predictable path. Threat actors use API calls to scan a victim’s infrastructure to identify opportunities for lateral movement and misconfigurations, which are the leading vulnerabilities in cloud attacks. This activity shows up in security logs. Real-time log monitoring can trigger alerts that an attack is underway. Log analytics can detect behavioral anomalies consistent with an attack, such as multiple authentication attempts or repeated API scans. “The more they move, the more noise they make, and the more likely they are to be found,” Morin said. “That means we need to move faster, too.”
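As an added illustration of the log analytics described above (example code written for this page, not Sysdig's code or the article's own), the following Python flags two of the behaviours the paragraph names: a burst of distinct discovery API calls from one principal, and repeated failed console logins from one source address. It runs over constructed, flattened CloudTrail-style events; the field names, thresholds and time windows are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, flattened CloudTrail-style events (invented values, not real data).
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","principal":"user/ci","eventName":"ListBuckets","sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:00:04Z","principal":"user/ci","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:00:09Z","principal":"user/ci","eventName":"ListUsers","sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:00:15Z","principal":"user/ci","eventName":"ListRoles","sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:00:22Z","principal":"user/ci","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.5"}
{"eventTime":"2024-05-01T10:30:00Z","principal":"user/dev","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T11:00:00Z","principal":"user/ops","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"192.0.2.9"}
{"eventTime":"2024-05-01T11:00:40Z","principal":"user/ops","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"192.0.2.9"}
{"eventTime":"2024-05-01T11:01:30Z","principal":"user/ops","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"192.0.2.9"}
{"eventTime":"2024-05-01T11:05:00Z","principal":"user/ops","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7"}
"""
DISCOVERY_PREFIXES = ("List", "Describe", "Get")  # read-only enumeration calls (assumed set)

def parse_events(text):
    """Parse one JSON event per line and sort chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def _sliding_window_alerts(events, key, keep, window, threshold, distinct_by=None):
    """Per key, count matching events inside a sliding window; record the first eventTime at which the count reaches threshold."""
    alerts, recent = {}, defaultdict(list)
    for e in events:
        if not keep(e):
            continue
        buf = recent[e[key]]
        buf.append(e)
        buf[:] = [x for x in buf if e["ts"] - x["ts"] <= window]  # drop events older than the window
        count = len({x[distinct_by] for x in buf}) if distinct_by else len(buf)
        if count >= threshold:
            alerts.setdefault(e[key], e["eventTime"])  # keep the earliest alert time
    return alerts

def detect_api_scan(events, window=timedelta(seconds=60), min_distinct=5):
    """Principals issuing >= min_distinct distinct discovery calls within window: rapid API enumeration."""
    return _sliding_window_alerts(
        events, "principal", lambda e: e["eventName"].startswith(DISCOVERY_PREFIXES),
        window, min_distinct, distinct_by="eventName")

def detect_failed_auth(events, window=timedelta(minutes=5), min_failures=3):
    """Source IPs with >= min_failures failed ConsoleLogin attempts within window."""
    return _sliding_window_alerts(
        events, "sourceIPAddress", lambda e: e["eventName"] == "ConsoleLogin" and "errorMessage" in e,
        window, min_failures)
EVENTS = parse_events(SAMPLE_LOG)
```

The returned eventTime is the point at which the alert could have fired, so comparing it with the first matching event gives the detection lag to measure against a target like the five-second detection goal.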
Sysdig created the 5/5/5 Benchmark – five seconds to detect, five minutes to triage, and five minutes to respond – as a goal for organizations committed to evolving their cybersecurity practices to beat attackers at their own game. The strategy stresses the use of automation and the proliferating number of third-party cloud detection technologies to connect the dots from data points across multiple environments and applications into an integrated view. Technologies like Extended Berkeley Packet Filter (eBPF), a lightweight, sandboxed virtual machine within the Linux kernel, provide enhanced visibility into system calls and networking operations to enable faster detection and response.
Automation, APIs and infrastructure-as-code mechanisms can then be deployed to enable rapid response and remediation. These cloud-native functions are an organization’s most valuable assets for responding quickly and effectively.
The 5/5/5 Benchmark “is an operational benchmark that indicates cybersecurity maturity,” Morin said. “Mistakes will happen, but we can prepare for the inevitable attack and be ready to detect and respond as soon as it happens.”