Enhancing visibility for better security in multi-cloud and hybrid environments
In this Help Net Security interview, Brooke Motta, CEO of RAD Security, talks about how cloud-specific threats have evolved and what companies should be watching out for. She discusses the growing complexity of cloud environments and the importance of real-time detection to protect against increasingly sophisticated attacks.
Motta also shares practical advice for SMBs and organizations navigating compliance and cloud security challenges.
How have cloud-specific threats evolved over the past few years, and what new trends should companies be aware of?
Cloud-specific threats have evolved significantly as cloud adoption reaches an all-time high and continues to grow. Cyber attackers now have a larger, more complex attack surface, with increasingly sophisticated tactics. According to the 2024 Thales Cloud Security Study, attacks targeting cloud management infrastructure saw a 72% rise in 2024.
The attack surface now spans a combination of cloud environments using various technologies for applications, alongside legacy data centers that host cloud-native applications, containers, and Kubernetes. That’s a lot to be aware of and keep secure, as more organizations are pushing ownership of environments more and more to developers and security teams are seen as advisors vs. blockers.
On top of a complex environment, security teams should also be aware of how simple misconfigurations in any of those pieces can leave them vulnerable to attacks and are easily missed by legacy security tooling. When it comes to cloud security, new zero-days like the XZ Backdoor continue to appear, putting detection and response front and center.
Cloud detection and response (CDR) is an emerging category that focuses on real-time monitoring, detecting, and responding to threats within cloud environments as they happen. There are a few big trends that all products in this emerging category must have:
- Real-time posture management
- Can be applied against software supply chain attacks
- Effective with Kubernetes and containers
- Combination of workload, cloud infrastructure and cloud identity context
- Behavioral baselines versus legacy static detections
Cloud security often presents unique challenges for SMBs due to limited resources. What basic yet effective cloud security measures can smaller companies implement?
Cloud security can be especially challenging for smaller companies with limited resources. However, by focusing on a few key strategies, SMBs can greatly enhance their cloud security posture without overwhelming their budgets.
First and foremost, it’s crucial to review and fix pressing misconfigurations. Misconfigurations are one of the most common vulnerabilities in cloud environments and can often be corrected quickly with a careful audit. Regular reviews will help ensure security settings are up-to-date and align with best practices.
Additionally, real-time monitoring of cloud workloads is essential. By monitoring for unusual or suspicious activity in real-time, businesses can detect and address potential threats before they become full-scale security incidents. Fast response times are crucial for limiting the impact of any security issue.
Next, we encourage SMBs to prioritize identity management. This is especially important in environments like Kubernetes, containerized applications, and other cloud-native infrastructure, where managing identities and access controls can be more complex. Ensuring that only authorized users have access to sensitive data and resources helps minimize risks.
Finally, investing in the right security tools is a foundational step for effective cloud security. The right tools don’t necessarily have to be the most expensive—they just need to be well-suited to your company’s specific environment and risk profile. Solutions tailored to cloud security needs can significantly boost security without straining resources.
Given the increasing regulatory landscape (GDPR, HIPAA, PCI, etc.), how can organizations ensure their cloud threat detection strategies meet compliance standards?
To meet the growing demands of compliance standards like GDPR, HIPAA, and PCI, organizations need to build cloud threat detection strategies that prioritize key security and privacy controls.
First, access controls are essential. By following zero trust principles, such as role-based access, multi-factor authentication, and identity management, organizations can ensure only authorized users can access sensitive data, keeping in line with regulatory expectations.
Logging and audit trails are also critical. Detailed logs of cloud activities help with transparency and support auditing requirements, which are a core part of most regulations, like GDPR and HIPAA.
Organizations should also implement continuous monitoring to detect threats in real-time. This proactive approach not only helps mitigate risks quickly but also aligns with compliance needs for maintaining secure systems.
Data loss prevention (DLP) helps ensure sensitive data isn’t leaked, and having a solid incident response plan allows organizations to respond quickly to breaches, as required by regulations like GDPR.
Last, encryption is a must. Ensuring data is encrypted both in transit and at rest is crucial for protecting sensitive information. Regulations often require it, especially in healthcare and finance sectors.
By integrating these controls into their cloud strategy, organizations can stay ahead of compliance requirements and strengthen their overall security posture.
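The misconfiguration audit recommended for SMBs and the compliance controls listed just above (access control, logging and audit trails, encryption in transit and at rest) can be expressed as a small rule set run over an inventory export. The following is an added example, not code from the interview or from RAD Security; the inventory shape, resource names and field names such as "encrypted_at_rest" are assumptions made for the illustration, and the check is point-in-time, which is exactly the limitation the later answers contrast with real-time detection.

```python
"""Rule-based review of a constructed cloud inventory for common misconfigurations,
grouped by the control families an auditor asks about.  Added example code; the
inventory format and all resource names are invented for this illustration."""
from dataclasses import dataclass

# Constructed sample inventory.  Field names are assumptions; map them from
# whatever your provider's export actually produces.
INVENTORY = [
    {"kind": "bucket", "name": "customer-exports", "public": True,
     "encrypted_at_rest": False, "tls_only": False},
    {"kind": "bucket", "name": "build-artifacts", "public": False,
     "encrypted_at_rest": True, "tls_only": True},
    {"kind": "volume", "name": "patient-db-data", "encrypted_at_rest": False,
     "tags": {"data_class": "phi"}},
    {"kind": "user", "name": "alice", "mfa": True, "roles": ["developer"]},
    {"kind": "user", "name": "ci-bot", "mfa": False, "roles": ["admin"]},
    {"kind": "rolebinding", "name": "legacy-ops", "subjects": ["group:everyone"],
     "verbs": ["*"], "resources": ["*"]},
    {"kind": "audit_log", "name": "control-plane", "enabled": False, "retention_days": 0},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    resource: str
    control: str   # access-control | logging | encryption
    severity: str
    detail: str

CHECKS = {}  # resource kind -> list of check functions

def check(*kinds):
    """Register a check for one or more resource kinds."""
    def wrap(fn):
        for k in kinds:
            CHECKS.setdefault(k, []).append(fn)
        return fn
    return wrap

def _sensitive(r):
    # Data classes that regulations such as HIPAA or PCI care about.
    return r.get("tags", {}).get("data_class") in {"phi", "pci", "pii"}

@check("bucket")
def public_exposure(r):
    if r.get("public"):
        yield Finding(r["name"], "access-control", "high", "bucket is publicly readable")

@check("bucket", "volume")
def encryption_at_rest(r):
    if not r.get("encrypted_at_rest"):
        sev = "critical" if _sensitive(r) else "high"
        yield Finding(r["name"], "encryption", sev, "not encrypted at rest")

@check("bucket")
def encryption_in_transit(r):
    if not r.get("tls_only"):
        yield Finding(r["name"], "encryption", "medium", "plaintext transport allowed")

@check("user")
def mfa_enforced(r):
    if not r.get("mfa"):
        sev = "high" if "admin" in r.get("roles", []) else "medium"
        yield Finding(r["name"], "access-control", sev, "MFA not enabled")

@check("rolebinding")
def least_privilege(r):
    wildcard = "*" in r.get("verbs", []) or "*" in r.get("resources", [])
    everyone = any(s == "group:everyone" for s in r.get("subjects", []))
    if wildcard or everyone:
        yield Finding(r["name"], "access-control", "high",
                      "wildcard grant or binding to all principals")

@check("audit_log")
def audit_logging(r):
    if not r.get("enabled"):
        yield Finding(r["name"], "logging", "high", "audit logging disabled")
    elif r.get("retention_days", 0) < 365:
        yield Finding(r["name"], "logging", "medium", "audit retention shorter than one year")

def audit(inventory):
    """Run every registered check and return findings, most severe first."""
    findings = []
    for r in inventory:
        for fn in CHECKS.get(r["kind"], []):
            findings.extend(fn(r))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.resource))

def summarize(findings):
    """Count findings per control family, the shape an auditor will ask for."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts

if __name__ == "__main__":
    found = audit(INVENTORY)
    for f in found:
        print(f"[{f.severity:8}] {f.control:15} {f.resource}: {f.detail}")
    print(summarize(found))
```

Each check is registered against the resource kinds it applies to, so adding a new provider resource means writing one generator and decorating it; the severity bump for tagged sensitive data is what turns a generic "unencrypted volume" into the regulated-data finding a compliance reviewer will prioritise.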
One key cloud challenge mentioned frequently is the lack of visibility. What practices or technologies can organizations use to achieve comprehensive visibility across their cloud infrastructure?
The number one challenge for infrastructure and cloud security teams is visibility into their overall risk, especially in complex environments like cloud, hybrid cloud, containers, and Kubernetes.
Kubernetes is now the tool of choice for orchestrating and running microservices in containers, but it has also been one of the last areas to catch speed from a security perspective, leaving many security teams feeling caught on their heels. This is true even if they have deployed admission control or have other container security measures in place. Teams need a security tool in place that can show them who is accessing their workloads and what is happening in them at any given moment, as these environments have an ephemeral nature to them. A lot of legacy tooling just has not kept up with this demand.
The best visibility is achieved with tooling that allows for real-time visibility and real-time detection, not point-in-time snapshotting, which does not keep up with the ever-changing nature of modern cloud environments.
To achieve better visibility in the cloud, automate security monitoring and alerting to reduce manual effort and ensure comprehensive coverage. Centralize security data using dashboards or log aggregation tools to consolidate insights from across your cloud platforms. Be clear on your responsibilities in the cloud security model and ensure your provider offers visibility into their security posture. Finally, implement zero trust by enforcing strict access controls and monitoring for unusual access patterns to protect cloud resources.
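Centralising security data from more than one platform and then watching for unusual access patterns, as the answer above describes, comes down to normalising events into one schema and comparing each principal's current activity against what it did before. The block below is an added example, not code from the interview or from RAD Security: the Kubernetes lines use audit.k8s.io field names but are constructed, the cloud-provider log format is invented, and the cutoff that separates the learning window from the detection window is an assumption.

```python
"""Centralising two audit sources into one event schema and flagging access that
departs from a per-principal behavioural baseline.  Added example; the cloud log
format is invented and every event below is constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timezone

def _ts(s):
    # Accept RFC 3339 "Z" timestamps on Python versions older than 3.11.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed Kubernetes audit events, trimmed to the audit.k8s.io fields used here.
K8S_AUDIT = [
  '{"user":{"username":"system:serviceaccount:shop:checkout"},"verb":"get","objectRef":{"resource":"configmaps","namespace":"shop"},"stageTimestamp":"2024-09-01T09:00:00Z"}',
  '{"user":{"username":"system:serviceaccount:shop:checkout"},"verb":"list","objectRef":{"resource":"pods","namespace":"shop"},"stageTimestamp":"2024-09-01T09:05:00Z"}',
  '{"user":{"username":"alice"},"verb":"get","objectRef":{"resource":"pods","namespace":"shop"},"stageTimestamp":"2024-09-01T09:10:00Z"}',
  '{"user":{"username":"system:serviceaccount:shop:checkout"},"verb":"get","objectRef":{"resource":"configmaps","namespace":"payments"},"stageTimestamp":"2024-09-02T03:11:00Z"}',
  '{"user":{"username":"system:serviceaccount:shop:checkout"},"verb":"list","objectRef":{"resource":"secrets","namespace":"kube-system"},"stageTimestamp":"2024-09-02T03:12:00Z"}',
  '{"user":{"username":"system:serviceaccount:shop:debug-shell"},"verb":"create","objectRef":{"resource":"pods","namespace":"shop"},"stageTimestamp":"2024-09-02T03:15:00Z"}',
  '{"user":{"username":"alice"},"verb":"get","objectRef":{"resource":"pods","namespace":"shop"},"stageTimestamp":"2024-09-02T09:00:00Z"}',
]
# Constructed cloud-provider API log in an invented format.
CLOUD_API = [
  '{"principal":"svc-checkout","action":"storage.objects.get","target":"bucket/orders","time":"2024-09-01T09:02:00Z"}',
  '{"principal":"svc-checkout","action":"storage.objects.get","target":"bucket/orders","time":"2024-09-02T03:13:00Z"}',
  '{"principal":"svc-checkout","action":"iam.serviceAccountKeys.create","target":"svc-checkout","time":"2024-09-02T03:14:00Z"}',
]

def normalize_k8s(line):
    """Map one Kubernetes audit event onto the shared schema."""
    e = json.loads(line)
    ref = e.get("objectRef", {})
    return {"time": _ts(e["stageTimestamp"]), "source": "k8s",
            "principal": e["user"]["username"],
            "action": f'{e["verb"]}:{ref.get("resource", "?")}',
            "target": ref.get("namespace", "cluster-scoped")}

def normalize_cloud(line):
    """Map one (invented-format) cloud API log line onto the shared schema."""
    e = json.loads(line)
    return {"time": _ts(e["time"]), "source": "cloud", "principal": e["principal"],
            "action": e["action"], "target": e["target"]}

def collect(k8s_lines=K8S_AUDIT, cloud_lines=CLOUD_API):
    """Centralise both sources into one time-ordered stream."""
    events = [normalize_k8s(l) for l in k8s_lines] + [normalize_cloud(l) for l in cloud_lines]
    return sorted(events, key=lambda e: e["time"])

def build_baseline(events, cutoff):
    """Per principal, the set of (action, target) pairs seen before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            baseline[e["principal"]].add((e["action"], e["target"]))
    return baseline

def detect(events, baseline, cutoff):
    """Flag post-cutoff events that do not match the principal's own history."""
    alerts = []
    for e in events:
        if e["time"] < cutoff:
            continue
        seen = baseline.get(e["principal"])
        if seen is None:
            reason = "unknown principal"
        elif (e["action"], e["target"]) in seen:
            continue
        elif any(a == e["action"] for a, _ in seen):
            reason = "known action against a new target"
        else:
            reason = "never-before-seen action"
        alerts.append({**e, "reason": reason})
    return alerts

def run(cutoff=datetime(2024, 9, 2, tzinfo=timezone.utc)):
    events = collect()
    return detect(events, build_baseline(events, cutoff), cutoff)

if __name__ == "__main__":
    for a in run():
        print(f'{a["time"].isoformat()} {a["source"]:5} {a["principal"]:40} '
              f'{a["action"]:32} {a["target"]:15} {a["reason"]}')
```

Because the baseline is keyed on the principal rather than on a signature, the same code flags a workload identity touching a namespace it never touched before, a cloud credential creating keys for the first time, and a service account that has no history at all; a production version would keep the baseline in a store and refresh the learning window continuously instead of using a fixed cutoff.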
What are some recommended best practices for integrating cloud detection tools with incident response workflows?
To best respond to incidents in the cloud, you need a tool that will detect attacks as they happen; this will help reduce MTTR (mean time to respond), which is a significant metric in incident response. Your tooling also needs to be able to detect both known and novel attacks.
Last year, exploitation of known vulnerabilities caused 28% of cloud breaches, and exploitation of previously unknown vulnerabilities, a.k.a. zero-days, accounted for 24% of breaches. If teams are still relying on purely signature-based detection, they will only be catching known attacks right away, leaving them vulnerable. A behavioral detection model can identify both known and unknown attacks in real time.
Security teams should also define automated responses that they would allow tooling to take, and human-in-the-middle responses based on an investigation. Solutions should allow teams to quarantine a workload and create copies for later forensic analysis. Alerts on suspicious activity should be easily integrated into their existing workflows, through webhooks, APIs, or other native tooling integrations.
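The response side of the answer above, with pre-approved automated actions, a human-in-the-loop path, workload quarantine, a copy preserved for forensics and alerts pushed through a webhook, can be laid out as a small playbook. This is an added example and not code from the interview or from RAD Security; the alert shape, the playbook table, the shared webhook secret and the sample workload state are all constructed assumptions. The NetworkPolicy it emits uses the real Kubernetes `networking.k8s.io/v1` schema, where listing both policy types with no rules denies all traffic to the selected pod.

```python
"""Turning a detection into an incident-response action: a playbook that decides
what tooling may do on its own and what waits for a person, produces the isolation
policy and a hashed forensic snapshot, and builds a signed webhook payload.
Added example; alert shape, playbook, secret and workload state are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Actions the security team has agreed tooling may execute without a person.
AUTOMATED = {"snapshot_for_forensics", "isolate_workload", "notify"}

# (detection kind, severity) -> ordered actions.  Behavioural hits below
# critical keep a human in the loop before isolation: more false-positive risk.
PLAYBOOK = {
    ("signature", "critical"):  ["snapshot_for_forensics", "isolate_workload", "notify"],
    ("signature", "high"):      ["snapshot_for_forensics", "isolate_workload", "notify"],
    ("behavioral", "critical"): ["snapshot_for_forensics", "isolate_workload", "notify"],
    ("behavioral", "high"):     ["snapshot_for_forensics", "notify", "human_review"],
    ("behavioral", "medium"):   ["notify", "human_review"],
}

WEBHOOK_SECRET = b"constructed-shared-secret"  # assumption: shared with the receiving tool

def isolation_policy(alert):
    """NetworkPolicy selecting the quarantined pod (labelled by the responder)
    with no ingress or egress rules, which Kubernetes treats as deny-all."""
    wl = alert["workload"]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"quarantine-{wl['pod']}", "namespace": wl["namespace"]},
        "spec": {"podSelector": {"matchLabels": {"quarantine": alert["id"]}},
                 "policyTypes": ["Ingress", "Egress"]},
    }

def forensic_snapshot(alert, workload_state, recent_events, taken_at):
    """Copy of the workload state and surrounding events, hashed so later
    analysis can show the record was not altered after capture."""
    body = json.dumps({"alert": alert["id"], "workload": workload_state,
                       "events": recent_events, "taken_at": taken_at.isoformat()},
                      sort_keys=True)
    return {"sha256": hashlib.sha256(body.encode()).hexdigest(), "body": body}

def webhook_payload(alert, actions_taken, pending):
    """Alert plus response status, signed so the receiving workflow can check origin."""
    body = json.dumps({"alert": alert, "automated": actions_taken, "pending": pending},
                      sort_keys=True)
    sig = hmac.new(WEBHOOK_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "headers": {"X-Signature-SHA256": sig}}

def verify_webhook(payload):
    """What the receiving side runs before trusting the payload."""
    expected = hmac.new(WEBHOOK_SECRET, payload["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, payload["headers"]["X-Signature-SHA256"])

def respond(alert, workload_state, recent_events, now):
    """Apply the playbook; return what ran, what awaits a person, and the artifacts."""
    plan = PLAYBOOK.get((alert["detection"], alert["severity"]), ["notify", "human_review"])
    taken, pending, artifacts = [], [], {}
    for action in plan:
        if action not in AUTOMATED:
            pending.append(action)
            continue
        if action == "snapshot_for_forensics":
            artifacts["snapshot"] = forensic_snapshot(alert, workload_state, recent_events, now)
        elif action == "isolate_workload":
            artifacts["network_policy"] = isolation_policy(alert)
        taken.append(action)
    artifacts["webhook"] = webhook_payload(alert, taken, pending)
    detected = datetime.fromisoformat(alert["detected_at"])
    return {"automated": taken, "pending": pending, "artifacts": artifacts,
            "response_seconds": (now - detected).total_seconds()}  # feeds MTTR

# Constructed sample input.
SAMPLE_ALERT = {
    "id": "alert-0042", "detection": "behavioral", "severity": "high",
    "summary": "service account listed secrets outside its namespace",
    "workload": {"namespace": "shop", "pod": "checkout-7d9f"},
    "detected_at": "2024-09-02T03:12:00+00:00",
}
SAMPLE_STATE = {"image": "registry.example/shop/checkout:1.4.2", "node": "node-3"}
SAMPLE_EVENTS = ["03:11 get configmaps payments", "03:12 list secrets kube-system"]
SAMPLE_NOW = datetime(2024, 9, 2, 3, 12, 45, tzinfo=timezone.utc)

if __name__ == "__main__":
    result = respond(SAMPLE_ALERT, SAMPLE_STATE, SAMPLE_EVENTS, SAMPLE_NOW)
    print(json.dumps({k: v for k, v in result.items() if k != "artifacts"}, indent=2))
```

The snapshot is taken before isolation in every playbook row so that evidence is captured from the workload in the state the attacker left it; the per-alert `response_seconds` is what gets averaged into the MTTR figure the answer above calls out.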