With the continued move to the cloud, cloud detection and response helps security teams defend their cloud applications and infrastructure.
In a trend that is only accelerating, companies continue to move more of their workloads to the cloud. According to Gartner, by 2025, enterprises will spend more on public cloud services than traditional IT solutions. And per a report from IT Convergence, rather than supporting just a portion of workloads, 40% of firms will take a cloud-native-first strategy in 2023 as they look to increase agility and efficiency while reducing costs. To put this in perspective, Gartner reports that spending on public cloud services is forecast to grow 20.7% to total $591.8 billion in 2023, up from $490.3 billion in 2022.
This shift to the cloud has brought a wide range of new security challenges with it. The rise of ever-changing and ephemeral environments within the cloud have increased complexity and created unique and unpredictable interactions. Where once all data was protected on-premises with physical barriers and controls, now critical data is stored in the cloud where a single misconfiguration can lead to enormous consequences. Some breaches that were the result of simple security misconfigurations and resulted in cloud leaks include
To combat such vulnerabilities, a new classification of cloud security offering has arisen: cloud detection and response (CDR). CDR provider Obsidian defines the offering as
A new approach to cloud security that enables security teams to defend cloud applications and infrastructure from account compromise, insider threat, and access misuse. CDR delivers consolidated visibility and data-driven analytics to detect, investigate, and mitigate threats in the cloud. CDR solutions continuously aggregate, normalize, and analyze large volumes of data about accounts, privileges, configurations, and activity from SaaS and cloud services to provide insights, situational visibility, and alerts around risks and threats.
There are many CDR and extended detection and response (XDR) providers offering similar capabilities, but what they all have in common is that cloud security automation offers improved security and risk management, increased efficiency and cost savings, enhanced visibility and control, greater scalability and flexibility, and better accuracy.
When making any changes to an existing cloud security system, the first and most important question to ask is, will this make the system more secure? With CDR, the answer is definitively yes.
Once the first question regarding improving the security posture has been answered affirmatively, quite often the next questions are how much does this cost and will the return on investment justify the expense? CDR offerings provide
Now that we’ve outlined the potential benefits of CDR, let’s take a look at a few use cases from leading CDR providers and highlight some examples of what CDR can do. While these specific examples document each product’s process for handling the illustrated situation, it can be assumed that all major players in the CDR space provide similar functionality, although each one should be verified if this is critical to a product evaluation.
First up, detection and response to the unusual creation of EC2 (AWS) instances from Orca Security.
Orca detects an anomaly in a role’s behavior – normally this role creates 1 or 2 EC2 instances per week, but today it has created 12, and workload scanning also detects suspicious commands indicating that one or more of them might have a crypto miner running on it. Orca determines that it is highly likely that malicious activity is occurring and generates a high-priority alert with the recommendation to investigate this more thoroughly and determine whether or not the EC2 instances should be shut down and/or the role’s credentials should be rotated.
This example from Wiz displays the ability to prioritize targets of a brute force attack.
Consider a brute force attack detected by AWS’s GuardDuty, which could be very common and create hundreds of alerts. Integration of GuardDuty with Wiz Control is able to detect an externally exposed VM with a weak SSH password and lateral movement to the Admin user, so that defenders can now prioritize by risk, impact, and blast radius.
One final example from Vectra is a real-world incident that occurred in 2022 in which an attacker exploited stolen credentials to extract cryptographic secrets.
An attacker gained access to a set of user credentials, allowing the user to access a customer-facing application. The compromised user was able to interrogate AWS Secrets Manager and pull all of the secrets for this account. Vectra’s Detect for AWS flagged the suspicious user because Secrets interactions were detected from a new IP space, rather than from inside AWS as was typical. Analysts reacted within minutes of detection by rotating the Secrets and resetting the user credentials, shutting down the compromise before any impact to the organization.
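As an added illustration of the detection logic behind the Orca and Vectra scenarios above (example code written for this article, not any vendor's product), the following Python runs two simple checks over a handful of constructed CloudTrail-style events: a per-role spike in RunInstances calls measured against an assumed weekly baseline, and GetSecretValue calls from a source IP outside the address ranges assumed to be historically seen for that user. The event values, baseline, spike factor, and network ranges are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed CloudTrail-style events (not real log data): a role that normally
# launches 1-2 instances per week launches 12 in one day, and a user that has
# always pulled secrets from inside the assumed AWS range does so from a new IP.
EVENTS = [
    {"eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/build-role/ci"},
     "sourceIPAddress": "10.0.1.15", "eventTime": "2022-06-14T09:%02d:00Z" % i}
    for i in range(12)
] + [
    {"eventName": "GetSecretValue", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-user"},
     "sourceIPAddress": "10.0.2.40", "eventTime": "2022-06-14T10:00:00Z"},
    {"eventName": "GetSecretValue", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-user"},
     "sourceIPAddress": "198.51.100.7", "eventTime": "2022-06-14T10:05:00Z"},
]

# Assumed per-principal baseline: expected RunInstances calls per week.
WEEKLY_BASELINE = {"assumed-role/build-role": 2}
# Assumed "inside AWS" address space the user has historically called from.
KNOWN_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SPIKE_FACTOR = 3  # flag when one day's count exceeds SPIKE_FACTOR x the weekly baseline

def principal(event):
    """Reduce a full ARN to a stable principal name (drop account and session)."""
    return "/".join(event["userIdentity"]["arn"].split(":")[-1].split("/")[:2])

def ec2_creation_spikes(events, day):
    """Return {principal: count} for principals whose RunInstances count on `day` is a spike."""
    counts = Counter(principal(e) for e in events
                     if e["eventName"] == "RunInstances" and e["eventTime"].startswith(day))
    return {p: n for p, n in counts.items()
            if n > SPIKE_FACTOR * WEEKLY_BASELINE.get(p, 1)}

def secrets_from_new_ip(events):
    """Return (principal, ip) pairs for GetSecretValue calls from outside known networks."""
    hits = []
    for e in events:
        if e["eventName"] != "GetSecretValue":
            continue
        try:
            ip = ipaddress.ip_address(e["sourceIPAddress"])
        except ValueError:  # CloudTrail records a service DNS name here for AWS-originated calls
            continue
        if not any(ip in net for net in KNOWN_SOURCE_NETS):
            hits.append((principal(e), str(ip)))
    return hits
```

In practice the baseline and known networks would be learned from historical activity rather than hard-coded, which is the aggregation and normalization work the CDR definition above describes.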
These examples are merely a few of the countless automated detection and response activities that this new generation of cloud security tools – CDR – can provide to organizations to deliver improved security, increased efficiency, enhanced visibility, flexibility, and accuracy. And Synopsys, a leader in application and cloud security consulting, can provide the technical expertise and industry best-practices to help any organization implement a CDR solution, either on its own, or as part of a comprehensive managed cloud security service that also includes compliance tracking to specified industry standards and/or frameworks, vulnerability management, incident response, identity and configuration monitoring, and more.
While automation is a sign of a mature cloud security posture, success won’t happen immediately upon implementing a CDR solution – it takes time, patience, learning, and a step-by-step approach to achieve full coverage. There are also potential challenges to implementing CDR, including integration with existing security systems and processes, dependence on the security and reliability of cloud service providers, and the potential for false positives and other detection errors. However, in the opinion of many security professionals, the benefits far outweigh these challenges. Therefore, after evaluating pros and cons, and potential return versus actual investment, cloud security automation should be a top priority for every organization that has a presence in the cloud.
John Waller is a Cloud Architect and Security Professional experienced with securing cloud environments and web applications by implementing the NIST Cybersecurity Framework, Critical Security Controls, OWASP Top 10 and other industry-leading standards and tools. Additionally, he has 20+ years of experience designing, developing, deploying, and managing web applications, cloud-based solutions and dynamic websites for companies ranging from Fortune 50 corporations to local businesses. Prior to joining Synopsys, he focused primarily on application security, cloud architecture and security, and regulatory/security framework compliance for eight years as Director of Information Security and Cloud Services for an established software company. In addition to his duties at Synopsys, he also is an Information Security educator, leading the University of Connecticut’s Cybersecurity Bootcamp and regularly speaks to business, civic and student groups about the importance and best practices of cybersecurity.