Cloud computing is big. We refer to the major cloud service providers (CSPs) as hyperscalers for a reason. But sections, subsections and service streams within the cloud can also be brittle, which is why we trace attack chain paths through increasingly sophisticated technology services today. With platform engineering teams taking on more responsibility for cloud estates, how can infrastructure and DevOps teams gain a higher-level view of security topographies today?
As we know, when an attacker gets access to a cloud environment, they typically use a software vulnerability or a stolen credential to get access. Once they are inside, they will try to get outside of that first environment and into other (typically more valuable) cloud systems by looking for other cloud user identities or for other misconfigurations.
The act of searching (aka performing investigations) for those issues will create data that can alert the IT team to the attacker’s presence if they know what to look for. But because most enterprise systems have been built by separate teams (often across different) hyperscalers, they throw off different log data or other information. Collating it all requires knowledge of how the different parts of the cloud all connect, so we can investigate what is wrong and how to fix it. To compound these complexities, investigations take a lot of time. Cloud security company Sysdig thinks we need to embrace cloud-native investigation tools designed to cut incident analysis time to just five minutes.
Automating Collection & Correlation
Now extending its real-time cloud security toolset to deliver at this cadence, Sysdig says that this acceleration is possible by automating the collection and correlation of events, posture and vulnerabilities to identities for even the most complex cloud attacks. The company claims legacy endpoint detection and response (EDR)/extended detection and response (XDR) solutions alongside security information and event management (SIEM) platforms lack crucial cloud context, slowing down investigations and limiting their scope.
“Traditionally, security organizations operating in on-premises environments were able to handle all aspects of threats from end-to-end. The complexities of the cloud mean that this responsibility is often shared between disparate teams,” said Shantanu Gattani, VP of product management, Sysdig.
Keys to The Castle
In real-world operations, SIEM queries may not even yield results before an attacker has the keys to the castle. To effectively detect, investigate and respond in the cloud, teams must be able to monitor and analyze cloud and log events in real-time – capabilities only afforded to them by a truly cloud-native solution. Historically, security teams have been tasked with correlating, contextualizing and evaluating threats across fragmented data feeds from disparate and complex domains. With DevOps teams needing that insight into their cloud applications, Sysdig thinks automation is the right response.
“EDR/XDR approaches lack the cloud context needed to understand the who, what, where and how of an attack before a breach can occur. Without this context, teams struggle to understand and communicate the key information they need to work together meaningfully. Also, without a shared platform, teams often operate with different information and terminology — they don’t speak the same language, making it difficult to share collaborative steps, prescriptive context and response actions across teams,” explained Gattani.
He suggests that by centralizing all data, security and platform teams can break silos and share findings to expedite investigations.
“Rapid investigation findings enable response teams to initiate a response within five minutes, adhering to the standard outlined by the 555 benchmark. The enhanced incident debrief findings that these investigations provide (such as what misconfigurations, permissions and vulnerabilities were abused to perpetuate the attack) can then be shared to tune and harden preventive controls. This focus on perpetual improvement to preventative controls helps ensure incidents are non-recurring, reducing organizational cloud risk,” added Gattani.
Sysdig Cloud Attack Graph
By visualizing a given incident in the Sysdig Cloud Attack Graph, security analysts gain a dynamic view of the relationships between resources for a better understanding of the kill chain and potential lateral movement across a cloud environment. Overlays of detections, vulnerabilities and misconfigurations help responders discern where a threat may have originated and how a threat actor was able to perpetuate an attack.
By automatically correlating cloud and workload events to identities, Sysdig asserts that it has unlocked a more powerful way to enhance real-time monitoring for complete incident context. Automatic correlation between cloud events and location-aware identities highlights unusual logins, impossible travel scenarios and malicious internet protocol (IP) addresses. Users gain a clearer understanding of what threat actors are doing in their infrastructure, as well as how they have and can leverage associated policies, permissions and roles to advance an attack.
By centralizing, enriching and correlating identities to events, the suggestion is that security and platform teams can break silos and readily share findings to expedite investigations, improve preventive controls and give prescriptive guidance for response actions.
Recent Articles By Author
GIPHY App Key not set. Please check settings