This post was originally published on The New Stack.

Gartner predicted a 20.4% increase in worldwide spending on public cloud services in 2022. This was due to the advent of cloud native application architectures like containers, Kubernetes, and serverless that made it easier for organizations to deploy their applications in the cloud, which led to an increase in the adoption of public cloud infrastructure. 

Meanwhile, an IDC survey revealed that 98% of companies experienced a cloud data breach in 2021, up from 79% in 2020. Unfortunately, organizations cannot simply reuse their on-premises security solutions in the cloud.

Many cloud security tools focus on identifying and alerting on potential risks, such as control plane misconfigurations, workload and application vulnerabilities, and insecure secrets management. Given the clear increase in data breaches, companies need to embrace cloud detection and response (CDR) in modern cloud security.

What is Cloud Detection and Response (CDR)?

Cloud detection and response is a new approach to cloud security that focuses on detecting and responding to attacks in the cloud.

Cloud detection and response tools are used in both large-scale and small-scale organizations. Large organizations use security operations centers (SOCs) or incident response (IR) teams to prevent attacks. SOCs and IR teams use MITRE ATT&CK (MITRE Adversarial Tactics, Techniques, and Common Knowledge) and NIST CSF (Cybersecurity Framework) as their team frameworks. Small organizations, on the other hand, use their IT team or outsource services such as managed detection and response (MDR).

How Does CDR Work?

There are two types of CDR solutions: agent-based solutions and agentless solutions.

  • Agent-based solutions use an agent installed on the workload. They combine information from endpoints, traffic analysis, cloud traffic and audit logs, and data available from cloud service providers.
  • Agentless solutions take a snapshot scanning approach that collects data externally from the workload’s runtime block storage and retrieves cloud configuration metadata via APIs.

CDR tools bring value to customers in the following stages:

  1. Detection – They provide continuous monitoring for attacks across cloud services and offer alerting capabilities.
  2. Investigation – They review attack steps, techniques, timelines and analyses of available data to determine the necessary response to a threat. 
  3. Response – Their capabilities focus on ensuring that cloud threats are contained before they can do damage, such as auto-remediation or automatic forwarding to ticketing systems.
  4. Resilience – They help with investigations and offer potential remedies based on available data.  

How CDR Helps with Alert Prioritization

Cloud detection and response solutions apply alert prioritization to help teams solve the most critical risks first and eliminate false positives. CDR tools provide full visibility into cloud assets and workload data, which serves as context data for cloud security.

CDR tools can analyze the severity of alerts based on their impact on the business, the accessibility of cloud assets to attackers and the potential for lateral movement upon exploitation using context-aware security intelligence. As a result, security teams are guided to the most critical attack paths, the exploitation of which could be detrimental to the business.

5 Steps to Getting Started with CDR 

To effectively reap the benefits of cloud detection and response, follow the steps below.

1. Attain Complete Asset Coverage

Complete asset coverage is required for effective cloud detection and response. In this case, you must choose a reliable CDR solution with agentless capabilities that can not only automatically cover all cloud assets but also detect and monitor idle, paused and stopped workloads, orphaned systems and devices that are incapable of supporting agents.

Because it is difficult to install an agent on every asset, agent-based solutions cannot provide complete asset coverage.

2. Achieve Deep Visibility into Cloud Environments

To have a good understanding of what goes on inside the entire cloud environment, you must be aware of existing risks and threats across the following layers:

  • Cloud Infrastructure Level – You need visibility into which assets are running on which networks and who has access to them.
  • Operating System Level – Aside from checking for proper OS configurations, CDR tools should check for user privileges compliance and whether all required patches have been applied.
  • Application Level – Organizations need visibility into all installed apps and their configurations, and they should scan for vulnerabilities and insecure patching.
  • Identity Level – You need visibility into identity and access management system permissions and accounts so that you can detect anomalies in user and role behaviors.
  • API Level – You must achieve visibility in order to detect potentially malicious behavior and comprehend how an attacker might exploit existing API vulnerabilities and risks in the environment.
  • Data Level – Visibility into the data inventory is critical to protecting an organization’s crown jewels and servers containing sensitive data.

3. Obtain Comprehensive Cloud Telemetry

An effective CDR solution should be able to collect telemetry from across the cloud environment. Cloud service providers (CSPs) offer their own built-in cloud threat detection capabilities, and CDR solutions access many of these services. Most CSPs use a combination of telemetry sources to identify attacks, including network flow logs that leverage analytics and supplemental sources of threat intelligence. When evaluating CDR options, look for a single, centralized platform that ingests, aggregates, analyzes and presents data and telemetry with context.

4. Implement Contextual Intelligence

An effective CDR security platform should use a central data model to collect and correlate contextual information about each asset, such as details about cloud workloads and configurations as well as potential risks in external and internal cloud communication. This context-aware data is key for ensuring that security teams swiftly identify and fix the most critical issues by focusing their efforts on the most exploitable attack paths based on their severity scoring.
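The context-aware scoring described here and under "How CDR Helps with Alert Prioritization", as an added sketch that is not from the original post or any vendor's product: it ranks alerts by exposure, lateral-movement distance to sensitive data, and business impact rather than raw severity alone. The asset inventory, reachability graph, alerts, weights and function names are all constructed assumptions.

```python
from collections import deque

# Constructed asset context, as a central data model might hold it (business_impact: 1-5).
ASSETS = {
    "web-1":   {"internet_facing": True,  "business_impact": 2, "sensitive_data": False},
    "app-1":   {"internet_facing": False, "business_impact": 3, "sensitive_data": False},
    "db-1":    {"internet_facing": False, "business_impact": 5, "sensitive_data": True},
    "batch-1": {"internet_facing": False, "business_impact": 1, "sensitive_data": False},
    "dev-1":   {"internet_facing": True,  "business_impact": 1, "sensitive_data": False},
}
# Constructed reachability (network path or assumable role): source -> reachable assets.
REACHES = {"web-1": ["app-1"], "app-1": ["db-1"]}
# Constructed alerts; severity is a raw 0-10 score from the detecting tool.
ALERTS = [
    {"id": "A1", "asset": "batch-1", "severity": 9.8},
    {"id": "A2", "asset": "web-1",   "severity": 6.5},
    {"id": "A3", "asset": "db-1",    "severity": 7.0},
    {"id": "A4", "asset": "dev-1",   "severity": 8.0},
]

def hops_to_sensitive(start):
    """BFS: fewest lateral-movement hops from start to sensitive data, None if unreachable."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if ASSETS[node]["sensitive_data"]:
            return dist
        for nxt in REACHES.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def score(alert):
    """Scale raw severity by asset context; the weights are illustrative assumptions."""
    ctx = ASSETS[alert["asset"]]
    hops = hops_to_sensitive(alert["asset"])
    exposure = 1.0 if ctx["internet_facing"] else 0.4
    lateral = 0.0 if hops is None else 1.0 / (1 + hops)
    impact = ctx["business_impact"] / 5
    return round(alert["severity"] * (0.4 * exposure + 0.3 * lateral + 0.3 * impact), 2)

def prioritize(alerts):
    """Return alert ids ordered from most to least urgent."""
    return [a["id"] for a in sorted(alerts, key=score, reverse=True)]

if __name__ == "__main__":
    print(prioritize(ALERTS))
```

On the sample data, the alert with the highest raw severity (A1, on an isolated low-impact batch host) ranks last, while the alerts on the database and on the internet-facing host with a path to it move to the top.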

5. Develop Workflow Integrations

To quickly assess and resolve issues, security teams must incorporate CDR solutions into their workflows. It’s typical to use remediation orchestration, alerting services, SIEMs, SOARs, and ticketing systems, and to incorporate CDR solutions into these process and technology integrations. These integrations will allow the SOC and IR teams to increase automation and productivity as well as improve remediation time. They should also enable security teams to organize, modify and incorporate automated alerts into ongoing operations.

Conclusion: Integrating CDR into Your Cloud Security Strategy

Cyberattackers target applications and information stored in the cloud at an increasing rate. Therefore, it is important for organizations to ensure that cloud detection and response capabilities represent an integral part of their cloud security operations. Moreover, CDR platforms must provide clear and actionable information about active threats as well as enable rapid investigation and response without creating extra noise. 

To learn more, read our comprehensive e-book, “The Essential Guide to Cloud Detection and Response.” 
