Traditional endpoint concepts were eroding as a result of mobile device adoption, and cloud sealed the deal. Data is an organization’s most valuable asset. When an organization fully embraces the cloud, traditional endpoints become disposable. Modern applications are consumed from any device, anywhere, not just controlled workstations from the confines of a sanctioned data center. Endpoints are more likely to refer to APIs or services, not desktops, laptops, or servers. Organizations must adapt their security strategy for this reality, or they’re exposing themselves to risk of incident, breach, or reputational damage.
Cloud Attack Patterns Are Different
Attack patterns evolved with cloud adoption and mobilization. Attack patterns that compromise endpoints for persistence are more likely to trigger security monitoring mechanisms and alert security teams. Attackers need not resort to the blunt hammer approach of ransomware infection. They can rely on numerous other methods to compromise credentials, abuse services, and exfiltrate sensitive data that are just as successful and profitable. Examples of attack patterns that never touch an endpoint include:
- Abusing access credentials for privilege escalation or account takeover (ATO)
- Cryptojacking, or maliciously mining cryptocurrency at the organization’s expense
- Exploiting access to liberally permissioned cloud storage services
- Targeting machine identities rather than user identities
- Siphoning infrastructure data from cloud provider metadata APIs
Collection and analysis of cloud environment interactions provides context to security teams to enable threat detection and response (TDR) and support digital forensics and incident response (DFIR). Continuous analysis informs baselines for secure configurations and workload behaviors. Deviations from those baselines are environmental drift or potential indicators of compromise. When a series of seemingly interconnected events are part of a complex attack chain, that event must be quickly surfaced so security teams can prioritize an appropriate response. It’s a difficult problem to solve in practice because it requires data collection and correlation across heterogeneous environments and technology stacks. Attacks may also traverse on-premises and cloud environments, depending on where targeted data exists or services run.
Organizations Have Low Success With Traditional Tools
Organizations implement a number of security technologies to enable SecOps in modern architectures, but they all result in security gaps. Common approaches include:
- Endpoint detection and response (EDR): Endpoints may not exist at all and workloads only persist for short intervals. Agents, particularly those that are perceived to be heavyweight, aren’t technically feasible or create availability concerns. You can’t treat a container workload or cloud service like a laptop or Windows workstation.
- Extended detection and response (XDR): A proverbial kitchen sink approach to TDR, XDR was intended to correlate all types of event data. In reality, the XDR tooling shares traditional endpoint roots with focuses on laptops or desktops. It’s best to think of EDR as next-generation EDR (NG-EDR).
- Security information and event management (SIEM): The backbone of SecOps, SIEMs unfortunately become a dumping ground for too many logs and event streams. Organizations rely on their SIEM to alert on security events like ransomware or phishing attacks. Storage costs often present an issue, not to mention time wasted by analysts parsing data that may not even be actionable. SOC modernization efforts often emphasize reduction on the number of feeds into SIEM instances to improve signal-to-noise ratio for security events.
Cloud Detection and Response Addresses Gaps
Modern application designs, threat evolution, and weaknesses of traditional security approaches have spotlighted the need for different capabilities to support TDR and DFIR. Organizations need augmenting capabilities to succeed in their security strategy. Some in industry have started labeling this new grouping of capabilities cloud detection and response (CDR). Traits of CDR include:
- Unify visibility across traditional, cloud, and cloud-native environments by ingesting and analyzing host telemetry, workload telemetry, and cloud event sources.
- Improve mean-time-to-detect (MTTD) security events with automation based on service profiling, flexible and customizable rules, and ML-based detections.
- Improve mean-time-to-respond (MTTR) with contextualized guidance for the organization’s unique environments.
- Accelerate remediation and repair time with auto-generated “as code” formats like AWS CloudFormation, Terraform, or Kubernetes YAML.
- Bridge work streams of development, operations, and security teams via API integrations with nonsecurity and SecOps systems.
The current state of SecOps sometimes reminds me of earlier days of application security and infrastructure security, when practitioners first wrestled with digital transformation. DevOps practices put heavy emphasis on automation. We’re able to quickly tear down and redeploy secure applications, but SecOps approaches also need to evolve for this reality. CDR capabilities are a path forward for organizations that must maintain security operations in modern architectures.
About the Author
Michael Isbitski, the Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for more than five years. He’s versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He has guided countless organizations globally in their security initiatives and supporting their business. Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with more than 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.