Three hard truths hindering cloud-native detection and response
According to Gartner, the market for cloud computing services is expected to reach $675 billion in 2024. Companies are shifting from testing the waters of cloud computing to making substantive investments in cloud-native IT, and attackers are shifting with them. As security teams level up to support the transition, we’re seeing three specific issues that impede cloud detection and response.
1) Cloud-native IT blurs the lines between layers of the cloud stack – it’s a true paradigm shift
Cloud applications, workloads and infrastructure have become increasingly connected and communicate with each other via trusted connections across assets, developers and identities. Within these trusted connections reside permissions to databases, S3 buckets, and many other resources, all of which are granted open or loose permissions so they can interact, unimpeded, with essential cloud services.
The implicit trust that cloud workloads have between pod-to-pod and node-to-node communication may be essential to smooth operations, but it comes at a cost. Not only does it leave the organization open to compromise, but if an attacker gets access to anything, they usually get access to everything. Locking down these permissions is a non-starter. Even though security teams are implementing the least privilege principle to ensure that every asset has only the connections it needs, there will always be connections left open. That means there will always be something connected to the internet, or something connected to something connected to the internet – exposures subject to compromise.
Furthermore, since virtually all public cloud users are on AWS, GCP, Azure, and Oracle, it becomes easy for an attacker to know how an environment will be built. Defenders, on the other hand, face long learning curves as they adapt to protecting exponentially larger and more complex environments. Security teams need to adjust their mindset beyond shift-left and get adept at shifting up and down the stack. And it’s on the vendor community to help them.
2) Security teams are still adjusting to the realities of complex cloud environments
One of the most challenging elements of cloud security is that cloud environments generate so much noise and are so complex that it’s easy for questionable actions to occur unnoticed. All too often, attacks go undetected because their actions look like legitimate behavior. And in this sea of noise and complexity, there are myriad risk vectors that make things easier for attackers. The key is knowing which ones matter the most.
This year, non-human identities (NHIs) – machine identities such as access tokens, service accounts and third-party integrations – have emerged as a key attack surface. NHIs possess high access privileges and usually have long-lived or non-expiring tokens or keys. And because they typically can’t be protected by multi-factor authentication (MFA), they are inherently exposed, making them very low-hanging fruit for attackers. The number of NHIs that reside in cloud environments, coupled with the fact that cloud providers employ different NHI authentication mechanisms and lifecycle management practices, has caused the risk they pose to skyrocket. To protect the massive investment being made in cloud-native IT, containing NHI risk MUST be a priority.
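As an added illustration, not part of the original article, the following audit routine applies the NHI criteria just described to a constructed sample in the column layout of an AWS IAM credential report: identities with no console password (so MFA cannot apply to them) whose active access keys have not been rotated within a threshold or have never been used. The column names are assumed to match that report; every row value is made up.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (subset of columns; every value below is made up for illustration).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T00:00:00+00:00,2024-06-01T00:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2021-03-15T00:00:00+00:00,2024-06-10T00:00:00+00:00
legacy-etl,arn:aws:iam::123456789012:user/legacy-etl,false,false,true,2020-07-01T00:00:00+00:00,N/A
monitor,arn:aws:iam::123456789012:user/monitor,false,false,true,2024-05-20T00:00:00+00:00,2024-06-11T00:00:00+00:00
"""

NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_KEY_AGE_DAYS = 90  # rotation threshold; an assumed policy value

def _age_days(stamp, now):
    """Whole days between an ISO-8601 timestamp and now; None when the report has no date."""
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days

def audit_nhis(report_csv, now=NOW, max_age=MAX_KEY_AGE_DAYS):
    """Return {user: [findings]} for non-human identities holding risky keys.

    An identity is treated as non-human when it has no console password:
    such principals cannot be covered by MFA, so a long-lived or never-used
    key is exactly the exposure the article describes.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            continue  # human user with a console login; out of scope here
        if row["access_key_1_active"] != "true":
            continue  # no live key to worry about
        issues = []
        rotated = _age_days(row["access_key_1_last_rotated"], now)
        used = _age_days(row["access_key_1_last_used_date"], now)
        if rotated is not None and rotated > max_age:
            issues.append(f"key not rotated for {rotated} days")
        if used is None:
            issues.append("active key has never been used")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_nhis(SAMPLE_REPORT).items():
        print(f"{user}: {'; '.join(issues)}")
```

On the sample, the human user is skipped, the freshly rotated monitor key passes, and the two stale CI and ETL keys are reported.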
3) Cloud security tooling is too siloed
This is, at heart, a technology maturity issue. Most SOC teams either lack the proper tooling or have so many cloud security point tools that the management burden is untenable. Cloud attacks happen way too fast for SOC teams to flip from one dashboard to another to determine if an application anomaly has implications at the infrastructure level.
Given the interconnectedness of cloud environments and the accelerated pace at which cloud attacks unfold, if SOC teams can’t see everything in one place, they’ll never be able to connect the dots in time to respond. More importantly, because everything in the cloud happens at warp speed, we humans need to act faster, which can be nerve-wracking and increase the chance of accidentally breaking something. While the latter is a legitimate concern, if we want to stay ahead of our adversaries, we need to get comfortable with the accelerated pace of the cloud.
While there are no quick fixes to these problems, the situation is far from hopeless. Cloud security teams are getting smarter and more experienced, and cloud security toolsets are maturing in lockstep with cloud adoption. And I, like many in the security community, am optimistic that AI can help deal with some of these challenges.
But, as always, time will tell.