Cloud detection and response, a key asset for cloud security

In a trend that is only accelerating, companies continue to move more of their workloads to the cloud. According to Gartner, by 2025, enterprises will spend more on public cloud services than traditional IT solutions. And per a report from IT Convergence, rather than supporting just a portion of workloads, 40% of firms will take a cloud-native-first strategy in 2023 as they look to increase agility and efficiency while reducing costs. To put this in perspective, Gartner reports that spending on public cloud services is forecast to grow 20.7% to total $591.8 billion in 2023, up from $490.3 billion in 2022.

This shift to the cloud has brought a wide range of new security challenges with it. The rise of ever-changing and ephemeral environments within the cloud have increased complexity and created unique and unpredictable interactions. Where once all data was protected on-premises with physical barriers and controls, now critical data is stored in the cloud where a single misconfiguration can lead to enormous consequences. Some breaches that were the result of simple security misconfigurations and resulted in cloud leaks include

• Verizon partner Nice Systems exposes 6 million customer records
• RNC vendor Data Root Analytics exposes 198 million voter records
• Government contractor Booz Allen Hamilton leaves geospatial data and credentials exposed

To combat such vulnerabilities, a new classification of cloud security offering has arisen: cloud detection and response (CDR). CDR provider Obsidian defines the offering as

A new approach to cloud security that enables security teams to defend cloud applications and infrastructure from account compromise, insider threat, and access misuse. CDR delivers consolidated visibility and data-driven analytics to detect, investigate, and mitigate threats in the cloud. CDR solutions continuously aggregate, normalize, and analyze large volumes of data about accounts, privileges, configurations, and activity from SaaS and cloud services to provide insights, situational visibility, and alerts around risks and threats.

There are many CDR and extended detection and response (XDR) providers offering similar capabilities, but what they all have in common is that cloud security automation offers improved security and risk management, increased efficiency and cost savings, enhanced visibility and control, and more scalability and flexibility, and accuracy.

The Benefits of Cloud Detection and Response

When making any changes to an existing cloud security system, the first and most important question to ask is, will this make the system more secure? With CDR, the answer is definitively yes.

• CDR enhances an organization’s ability to detect and respond to cyberthreats in real time by automating remediation tasks. Because the ability to detect and respond to threats has dramatically improved, this effectively reduces the risk of data breaches and other cyber incidents.
• Enhanced detection and auto remediation ensure vulnerabilities are identified and addressed before they can be exploited, leading to an enhanced cloud security posture.

Once the first question regarding improving the security posture has been answered affirmatively, quite often the next questions are how much does this cost and will the return on investment justify the expense? CDR offerings provide

• Streamlined security operations and incident response processes. Potential incidents detected and remediated earlier in the process reduce the need for additional security services and related expenses. Once automated remediation is in place and has been fine-tuned, personnel spend less time on issues, freeing them to do more productive tasks, a cost savings that is calculable and usually not insignificant.
• Enhanced visibility and control. With an improved ability to monitor and track activity across cloud environments, you gain an increased visibility into all your cloud assets, no matter where they are located, all from a single pane of glass. This gives an organization greater control over cloud resources and the ability to enforce security policies, again, from a single location. With this visibility comes a greater ability to demonstrate compliance with multiple frameworks and standards. Most CDR providers offer compliance reporting for frameworks and standards such as ISO 27001, NIST Cybersecurity Framework, HIPAA, HITRUST, PCI DSS, and more.
• Increased scalability and flexibility. Typically, it is quite easy to begin implementation in one account or business unit, then scale up to the entire cloud infrastructure with a few clicks. The same ease of use is available for turning on or off functionality as needed. With the trend toward multicloud environments, most CDR solutions have virtually the same detection and response competencies across all major cloud platforms—AWS, Azure, Google, and Oracle—without any compromise in capabilities.
• Improved alert management and reduced false positives. Because predetermined conditions are what trigger alerts and preprogrammed actions execute to mitigate a detected risk, organizations don’t have to rely on their staff’s ability to evaluate every single alert and potentially make an inaccurate determination or take an incorrect action. This is especially important in regard to alert fatigue—doing the same thing over and over often leads to mistakes that can result in a missed opportunity to prevent a serious incident. Additionally, all CDR platforms are powered by AI algorithms that are continuously learning from experiences across all their customers’ installations, resulting in protection from threats that an organization might not have yet encountered.

Cloud Detection and Response in Action

Now that we’ve outlined the potential benefits of CDR, let’s take a look at a few use cases from leading CDR providers and highlight some examples of what CDR can do. While these specific examples document each product’s process for handling the illustrated situation, it can be assumed that all major players in the CDR space will provide similar functionality, although one must verify each one if this is critical in a product evaluation.

First up, detection and response to the unusual creation of EC2 (AWS) instances from Orca Security.

Orca detects an anomaly in a role’s behavior – normally this role creates 1 or 2 EC2 instances per week, but today has created 12, and workload scanning also detects suspicious commands indicating that one or more of them might have a crypto miner running on it. Orca determines that it is highly likely that malicious activity is occurring and generates a high priority alert with the recommendation to investigate this more thoroughly and determine whether or not the EC2 instances should be shut down and/or the role’s credentials should be rotated.

This example from Wiz displays the ability to prioritize targets of a brute force attack.

Consider a Brute Force Attack detected by AWS’s GuardDuty, which could be very common and create hundreds of alerts. Integration of GuardDuty with Wiz Control is able to detect an externally exposed VM with a weak SSH password and lateral movement to the Admin user so that defenders can now prioritize by risk, impact, and blast radius

One final example from Vectra is a real-word incident that occurred in 2022 in which an attacker exploited stolen credentials to extract cryptographic secrets.

An attacker gained access to a set of user credentials, allowing the user to access a customer-facing application. The compromised user was able to interrogate AWS Secrets Manager and pull all of the secrets for this account. Vectra’s Detect for AWS flagged the suspicious user because Secrets interactions were detected from a new IP space, rather than from inside AWS as was typical. Analysts reacted within minutes of detection by rotating the Secrets and resetting the user credentials, shutting down the compromise before any impact to the organization.

These examples are merely a few of the countless automated detection and response activities that this new generation of cloud security tools – CDR – can provide to organizations to deliver improved security, increased efficiency, enhanced visibility, flexibility, and accuracy. And Synopsys, a leader in application and cloud security consulting, can provide the technical expertise and industry best-practices to help any organization implement a CDR solution, either on its own, or as part of a comprehensive managed cloud security service that also includes compliance tracking to specified industry standards and/or frameworks, vulnerability management, incident response, identity and configuration monitoring, and more.