Now that we’ve outlined the potential benefits of CDR, let’s take a look at a few use cases from leading CDR providers and highlight some examples of what CDR can do. While these specific examples document each product’s process for handling the illustrated situation, similar functionality can be expected from all major players in the CDR space, although each product should be verified individually if this is critical to a product evaluation.
First up, detection and response to the unusual creation of EC2 (AWS) instances from Orca Security.
Orca detects an anomaly in a role’s behavior – normally this role creates 1 or 2 EC2 instances per week, but today it has created 12, and workload scanning also detects suspicious commands indicating that one or more of these instances might have a crypto miner running on them. Orca determines that malicious activity is highly likely and generates a high priority alert with the recommendation to investigate further and determine whether the EC2 instances should be shut down and/or the role’s credentials should be rotated.
This example from Wiz displays the ability to prioritize targets of a brute force attack.
Consider a brute force attack detected by AWS’s GuardDuty, which could be very common and create hundreds of alerts. Integrating GuardDuty with Wiz Control makes it possible to detect an externally exposed VM with a weak SSH password and lateral movement to the Admin user, so that defenders can prioritize by risk, impact, and blast radius.
One final example from Vectra is a real-world incident that occurred in 2022 in which an attacker exploited stolen credentials to extract cryptographic secrets.
An attacker gained access to a set of user credentials, allowing them to access a customer-facing application. The compromised user was able to interrogate AWS Secrets Manager and pull all of the secrets for this account. Vectra’s Detect for AWS flagged the suspicious user because Secrets Manager interactions were detected from a new IP space, rather than from inside AWS as was typical. Analysts reacted within minutes of detection by rotating the secrets and resetting the user credentials, shutting down the compromise before any impact to the organization.
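As an added illustration of the detection logic behind the Orca example (a role launching far more EC2 instances in a day than its weekly baseline) and the Vectra example (Secrets Manager reads from an unfamiliar IP space), the following is example code written for this page, not code from either vendor. It runs over constructed CloudTrail-style events; the account id, principal ARNs, addresses, timestamps and thresholds are all invented, and the flat `arn` field is a simplification of CloudTrail’s `userIdentity.arn`.

```python
# Added example (not Orca's or Vectra's code): two CDR-style detections over
# constructed CloudTrail-like events. eventName, sourceIPAddress and eventTime
# mirror CloudTrail fields; every value below is made up for illustration.
import ipaddress
from collections import Counter

ROLE = "arn:aws:sts::123456789012:assumed-role/build-role/ci"   # constructed
USER = "arn:aws:iam::123456789012:user/app-user"                # constructed

# Constructed sample events: the role launches one instance on 2024-05-06
# (normal), then twelve on 2024-05-07; the user then reads a secret from
# inside the VPC range and again from an external address.
EVENTS = [
    {"eventName": "RunInstances", "arn": ROLE,
     "sourceIPAddress": "10.0.1.15", "eventTime": "2024-05-06T09:00:00Z"},
] + [
    {"eventName": "RunInstances", "arn": ROLE,
     "sourceIPAddress": "10.0.1.15", "eventTime": f"2024-05-07T09:{m:02d}:00Z"}
    for m in range(12)
] + [
    {"eventName": "GetSecretValue", "arn": USER,
     "sourceIPAddress": "10.0.2.7", "eventTime": "2024-05-07T10:00:00Z"},
    {"eventName": "GetSecretValue", "arn": USER,
     "sourceIPAddress": "203.0.113.42", "eventTime": "2024-05-07T10:05:00Z"},
]

def ec2_launch_burst(events, principal_arn, day, weekly_baseline):
    """Count RunInstances by one principal on `day` (YYYY-MM-DD) and flag it
    when that single day exceeds what the principal normally does in a week.
    Returns (count_for_day, is_anomalous)."""
    per_day = Counter(e["eventTime"][:10] for e in events
                      if e["eventName"] == "RunInstances" and e["arn"] == principal_arn)
    count = per_day[day]
    return count, count > weekly_baseline

def secrets_from_unknown_ip(events, known_networks):
    """Return GetSecretValue events whose source address falls outside the
    networks this account normally calls Secrets Manager from."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    return [e for e in events if e["eventName"] == "GetSecretValue"
            and not any(ipaddress.ip_address(e["sourceIPAddress"]) in n for n in nets)]

if __name__ == "__main__":
    print(ec2_launch_burst(EVENTS, ROLE, "2024-05-07", weekly_baseline=2))
    for hit in secrets_from_unknown_ip(EVENTS, ["10.0.0.0/8"]):
        print("secret read from unexpected address:", hit["sourceIPAddress"])
```

In practice the baseline would be learned per principal from historical CloudTrail data and the known networks would come from the account’s VPC ranges and endpoint addresses; the thresholds here are fixed only to keep the example self-contained.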
These examples are merely a few of the countless automated detection and response activities that this new generation of cloud security tools – CDR – can provide to organizations to deliver improved security, increased efficiency, enhanced visibility, flexibility, and accuracy. And Synopsys, a leader in application and cloud security consulting, can provide the technical expertise and industry best practices to help any organization implement a CDR solution, either on its own or as part of a comprehensive managed cloud security service that also includes compliance tracking against specified industry standards and/or frameworks, vulnerability management, incident response, identity and configuration monitoring, and more.