It should come as little surprise that when enterprise and IT leaders turned their attention to the cloud, so did attackers. Today’s cloud-first approach to building dynamic work environments blurs the boundaries of where the corporate network begins and ends, and of which apps belong to the company. This, combined with the growing adoption of multi-cloud and hybrid work environments, means these boundaries are no longer fixed.
Unfortunately, the security capabilities of enterprises have not always kept up with the threat landscape. Poor visibility, management challenges and misconfigurations combine with other security and compliance issues to make protecting cloud environments a complex endeavour.
The price of failure is high. According to IBM’s Cost of a Data Breach Report 2021, it took organisations at a “mature stage of cloud modernisation” an average of 252 days to identify and contain a cloud-based data breach. Public cloud breaches were the most costly, at an estimated average price tag of $4.8 million USD. The costs for organisations with a high level of cloud migration were also significantly higher than for those with low levels of cloud migration.
Why Traditional Approaches Fail
As the risk has grown, so too has the need for organisations to rethink their approach to security. Silos are the death of security in the cloud. Yet, silos are common for organisations using multiple tools to manage user access to their cloud assets. If security is not implemented in a unified, integrated way, blind spots and security issues are inevitable.
Many organisations have responded by implementing cloud-native tools from cloud security platforms. However, many of these tools are focused on pre-runtime vulnerabilities and compliance and only offer a snapshot of the organisation’s security posture at a moment in time. The movement to “shift security left” and bake it deeper into the development process has allowed organisations to catch security vulnerabilities earlier, but insecure APIs, misconfigurations and other issues can slip through the cracks due to the dynamic nature of cloud environments and the desire to avoid any slowdown in application delivery.
Adversaries know this. They know today’s continuous integration, continuous delivery (CI/CD) development lifecycle has DevOps teams spinning cloud resources up and down in minutes, paying little attention to potential misconfigurations. Adversaries know that it only takes a second for an intrusion to latch on to a vulnerability and turn into a fast-moving lateral breach.
This is why security teams need an adversary-focused approach that automates security controls regardless of the cloud provider or deployment model.
So Why Take an Adversary-focused Approach?
Finding the right defensive strategy is contingent on understanding how attackers are targeting cloud environments. To be successful you need the ability to correlate security events with indicators of attack, based on real-time threat intelligence and telemetry from across your cloud estate and on-prem environment. Only then can you put this data into action, identifying the shifts in adversarial tactics to better understand how an adversary will target an organisation and to prevent threats in real time.
Taking an adversary-focused approach arms security and incident response (IR) teams with a higher level of context about the situation they are facing. By leveraging threat intelligence and mixing it with continuous visibility, organisations can better defend their assets. Pre-runtime and compliance data alone will not provide IR teams with the type of comprehensive data they need — they require as much data as possible to support their investigations and get a complete picture of what is happening.
Elements of an Adversary-Focused Approach:
Integrated Threat Intelligence is key. A proactive security strategy for today’s cloud begins with studying the tactics, techniques and procedures (TTPs) that threat actors are executing in hybrid environments. Only then can security teams turn their attention to preventing cloud breaches.
Visibility is critical. Organisations need to know how many cloud assets exist and where they reside. When all the dark corners have been lit, threat intelligence can lay the foundation for relevant insights. If an attacker is taking advantage of a lack of outbound communication restrictions to exfiltrate data, organisations have to be able to detect that and enforce policies to block it. The principle of least privilege should be a governing idea of any security strategy, particularly one being applied to a cloud environment where the concept of the traditional perimeter is essentially non-existent. Knowing how threat actors are trying to access cloud resources better positions organisations to lock down cloud applications and resources and reduce risk.
Cloud hygiene is a simple step that can go a long way in defending against modern attackers. Businesses operating in the cloud should clarify security responsibility so both the vendor and security teams know how to apportion monitoring tasks. Access management is a key part of this as well; not everyone needs access to all cloud environments at all times. IT and security teams must also understand the need to protect applications both during coding and at runtime, and need to do so at the speed of DevOps.
Automation is another key pillar of an adversary-focused approach to today’s security solutions. Given the thousands of attack surfaces that cloud environments expose, automation is necessary to monitor and remediate issues at scale. Security teams need to ensure that the secure thing to do is the easy thing to do by allowing DevOps to actively participate without friction, and automation is a critical component of making that happen.
Make The Secure Thing To Do, The Easy Thing To Do
Thinking like an attacker and knowing their tactics, techniques and procedures (TTPs) is a fundamental part of protecting IT infrastructure. The attack surface of the cloud — with its dynamic mix of containers, virtual machines, microservices and more — is complex and growing. With attackers circling, it would be a mistake for organisations to focus on the cloud less than attackers do. Attacks are not always direct — sometimes, adversaries strike the on-premises environment first and then go after cloud resources. In a hybrid IT world, organisations need to be able to extend the security controls protecting their on-premises environment to the cloud as well, to maintain consistency and compliance.