By: Scott Fanning, senior director of product management for the Cloud Security Product Group, CrowdStrike
Cloud environments have become essential to today’s organizations, with cloud native applications reducing time to market and bringing limitless scalability. However, organizations are not the only groups that have realized the value of the cloud. Adversaries have also realized the importance of the cloud, and they’re focusing their efforts on infiltrating cloud environments.
To defend against this, organizations need to understand what adversaries want. It’s also critical that developers understand the need for security: they are focused on app delivery, and adding security to their already crowded plate will require buy-in. Only then can organizations devise a comprehensive cloud security approach rooted in visibility, threat intelligence and threat detection.
As adversaries evolve and increase their attempts to target cloud infrastructure, DevSecOps teams must gain an understanding of, and visibility into, what’s running in the cloud. From there, an organization can put into place a cloud native application protection platform (CNAPP), which brings an automated, real-time approach to monitoring and threat detection for scalable cloud environments.
First, we need to understand what’s in the adversary’s mind.
Thinking Like an Adversary
The importance of thinking like an adversary cannot be overstated. Without understanding the adversary’s goals and objectives, your efforts to safeguard and defend your cloud infrastructure from adversaries will be misdirected and ineffective.
To learn to think like an adversary, you must first know who they are and what they are after.
Adversaries are not simply individual hackers or small groups. Increasingly, adversaries are affiliated with or sponsored by governments with an interest in either disrupting an organization or acquiring confidential information, which can be used later. They are increasingly attacking targets that give direct access to high-value data.
Because of this, cloud environments are a prime target. DevSecOps teams that understand the critical nature of the workloads they are developing (business and security perspectives) will have the mindset needed to be introspective while executing the development pipelines.
The Increasing Threat to Cloud Environments
With the increased focus on fast time to market, cloud native applications are growing in popularity. However, the proliferation of applications in a cloud environment makes them susceptible to misconfigurations and other oversights.
Adversaries are exploiting these oversights, and several common attack vectors are in use. One type of attack is cloud vulnerability exploitation – the scanning of servers for known vulnerabilities. Vulnerabilities that were patched in the latest version of a piece of software become targets when software updates are not installed and maintained. Adversaries are increasingly weaponizing published vulnerabilities, requiring organizations to respond quickly.
Credential theft is another common avenue for adversaries. These credentials can be obtained through the use of fake authentication pages or other scams. Then the credentials are used in attacks, as the use of legitimate credentials can circumvent many threat-detection schemes.
Cloud service providers are also under attack. If an adversary could gain access to either the cloud service provider itself or the assets of a managed service provider, then it’s possible they could access the assets of that provider’s clients. This attack on a cloud service provider’s infrastructure can occur regardless of an organization’s own security measures. Cloud service providers do take their part of the shared responsibility model seriously, but as with any determined adversary, vigilance is always required.
Finally, the increased usage of containers for application hosting significantly increases the security risk. Misconfigured or vulnerable container images mean that any containers based on those images will also contain those issues. This leads to the potential for a single error to propagate across hundreds or thousands of applications. Cloud sprawl and programmable infrastructure exacerbate the risks here.
Safeguarding Cloud Environments
In a shared responsibility model, anything outside of the provided infrastructure of the cloud provider rests on the shoulders of the organization. To safeguard cloud environments, there are three key actions that your DevSecOps team can and should take.
Asset Discovery and Visibility
The first step is to implement an asset discovery and visibility policy. To protect cloud environments, organizations must know what is in them. You can’t protect what you can’t see, and with the cloud, that can be hundreds of thousands of instances.
The traditional security approach doesn’t work in the cloud, and manual tracking can leave blind spots. With programmable infrastructure, a vulnerability in a code repository, a configuration or elsewhere can be propagated across thousands of instances at once. Additionally, any manual solution to tracking will slow down an organization’s time to market, removing one of the main benefits of cloud infrastructure.
In addition, it is crucial to protect every asset. Any vulnerable asset can lead to a breach, and adversaries typically use vulnerable systems to move laterally to other systems within the network. A single vulnerable system can compromise the entire network.
Audit and Remediate Configuration Issues
Once your DevSecOps team knows what cloud assets are in play, they must be monitored for configuration issues. The most common cause of cloud intrusions is human error, such as misconfigurations. Configuration in cloud environments is not something that can be set once and then left alone. Software and platforms update constantly, new security vulnerabilities are discovered and applications evolve. Because of this, configuration and compliance must be monitored in real time and continuously validated. Additionally, with the proliferation of exploits and vulnerabilities, remediation must be applied quickly and consistently.
Naturally, the first step is to establish policies and patterns, which make it easy to set up infrastructure securely. From there, a CNAPP that includes cloud security posture management (CSPM) can provide continuous monitoring, scanning your infrastructure in real time to prevent misconfigurations and maintain compliance in cloud environments. In addition, DevSecOps teams should leverage cloud infrastructure entitlement management (CIEM) to manage permissions and access configurations across all of your assets in the cloud.
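The continuous configuration audit and the entitlement review described in this section, and the inventory produced by the asset discovery step before it, can be sketched as a small rule engine. The following is an added example, not CrowdStrike's or any CNAPP product's code: it runs CSPM-style checks (public storage, missing encryption, management ports open to the internet) and one CIEM-style check (wildcard entitlements) over a constructed inventory snapshot. The resource shapes, names and settings are simplified assumptions, not any provider's real API format.

```python
"""Added example (not CrowdStrike's or any CNAPP product's code): policy checks
in the style of CSPM/CIEM, run over a constructed inventory snapshot such as the
asset discovery step would produce. Resource shapes and names are simplified
assumptions, not any provider's real API format."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class Finding:
    resource: str
    rule: str
    severity: str  # "high" | "medium"
    detail: str


# Constructed inventory (hypothetical names and settings).
INVENTORY = {
    "storage_buckets": [
        {"name": "billing-exports", "public_read": True, "encryption": None},
        {"name": "app-assets", "public_read": False, "encryption": "aes256"},
    ],
    "security_groups": [
        {"name": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
        {"name": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    ],
    "iam_policies": [
        {"name": "ci-runner", "statements": [{"action": "*", "resource": "*"}]},
        {"name": "log-reader",
         "statements": [{"action": "logs:Get*", "resource": "example:log-group/app/*"}]},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: management ports that should not face the internet


# --- CSPM-style checks: one generator per rule, each yielding Findings ------------
def bucket_public_read(inv) -> Iterable[Finding]:
    for b in inv["storage_buckets"]:
        if b["public_read"]:
            yield Finding(b["name"], "bucket-public-read", "high", "anonymous read enabled")


def bucket_unencrypted(inv) -> Iterable[Finding]:
    for b in inv["storage_buckets"]:
        if not b["encryption"]:
            yield Finding(b["name"], "bucket-unencrypted", "medium", "no encryption at rest")


def admin_port_world_open(inv) -> Iterable[Finding]:
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                yield Finding(sg["name"], "admin-port-world-open", "high",
                              f"port {rule['port']} open to 0.0.0.0/0")


# --- CIEM-style check: over-broad entitlements ------------------------------------
def iam_wildcard_admin(inv) -> Iterable[Finding]:
    for p in inv["iam_policies"]:
        for st in p["statements"]:
            if st["action"] == "*" and st["resource"] == "*":
                yield Finding(p["name"], "iam-wildcard-admin", "high", "grants * on *")


RULES: List[Callable] = [bucket_public_read, bucket_unencrypted,
                         admin_port_world_open, iam_wildcard_admin]


def evaluate(inventory, rules=RULES) -> List[Finding]:
    """Run every rule and collect findings; re-run on each inventory refresh."""
    return [f for rule in rules for f in rule(inventory)]


def pipeline_gate(inventory, block_on=("high",)) -> bool:
    """True when the snapshot has no blocking findings (usable as a deploy gate)."""
    return not any(f.severity in block_on for f in evaluate(inventory))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.rule} ({f.detail})")
    print("gate passed:", pipeline_gate(INVENTORY))
```

Each rule is a plain function over the snapshot, so new policies are added by appending to `RULES`, and `pipeline_gate` is the shape of the check a deployment pipeline would run on every refresh rather than once at setup.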
Real-Time Threat Detection
While configuration prevents issues, ultimately threat detection is still essential. When responding to attacks, time is of the essence. According to CrowdStrike threat data, the average breakout time (the time it takes an adversary to move laterally from the initial compromise to other hosts within the victim environment) has fallen to one hour and 24 minutes in 2022. This gives organizations a short window of time to respond. And if an organization is to respond to a threat, then the threat must first be detected.
Automated, real-time threat detection can filter out noise, fight alert fatigue and reduce threat investigation times. Your DevSecOps team can look to a CNAPP with cloud workload protection (CWP) for continuous monitoring and threat detection for cloud workloads and containers. With threat detection, you can leverage known threat databases and machine learning to reduce false positives, send actionable alerts and reduce the time to remediation.
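To make the detection side concrete, here is an added example that is not CrowdStrike's or any CNAPP product's code. It runs over constructed cloud audit events in a simplified JSON shape (not a real provider's log format) and addresses two points from this article: legitimate credentials being used from an unexpected source, and the breakout window between that first anomaly and a lateral-movement-style action. It also suppresses repeat alerts for the same principal, source and rule, which is the simplest form of the noise reduction mentioned above. The baseline of known source addresses and the set of actions treated as lateral movement are assumptions.

```python
"""Added example (not CrowdStrike's or any CNAPP product's code): a small
detection over constructed cloud audit events. It flags a credential used from
a source address outside its baseline, then flags lateral-movement-style actions
that follow from that same source and measures the elapsed time, while
suppressing repeat alerts for the same principal/source/rule."""
import json
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

# Actions treated as lateral movement / expansion of access (assumed set).
LATERAL_ACTIONS = {"AssumeRole", "RunInstances", "CreateAccessKey"}

# Constructed baseline: source addresses each principal is normally seen from.
BASELINE: Dict[str, Set[str]] = {"deploy-bot": {"10.0.0.5"}}

# Constructed audit events in a simplified JSON shape (not a real provider's format).
RAW_EVENTS = [
    '{"ts":"2022-06-01T09:00:00Z","principal":"deploy-bot","src_ip":"10.0.0.5","action":"ListBuckets","target":"account"}',
    '{"ts":"2022-06-01T09:05:00Z","principal":"deploy-bot","src_ip":"10.0.0.5","action":"AssumeRole","target":"role/deploy"}',
    '{"ts":"2022-06-01T13:00:00Z","principal":"deploy-bot","src_ip":"203.0.113.77","action":"ListBuckets","target":"account"}',
    '{"ts":"2022-06-01T13:02:00Z","principal":"deploy-bot","src_ip":"203.0.113.77","action":"GetObject","target":"bucket/billing-exports"}',
    '{"ts":"2022-06-01T13:30:00Z","principal":"deploy-bot","src_ip":"203.0.113.77","action":"AssumeRole","target":"role/prod-admin"}',
    '{"ts":"2022-06-01T13:31:00Z","principal":"deploy-bot","src_ip":"203.0.113.77","action":"RunInstances","target":"region/eu-west-1"}',
]


def parse_event(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines: Iterable[str], baseline=BASELINE) -> List[dict]:
    alerts: List[dict] = []
    alerted: Set[Tuple[str, str, str]] = set()           # (principal, src_ip, rule) already raised
    first_anomaly: Dict[Tuple[str, str], datetime] = {}  # first unknown-source use per key

    def raise_once(rule: str, ev: dict, **extra) -> None:
        key = (ev["principal"], ev["src_ip"], rule)
        if key in alerted:  # same principal, source and rule: suppress the repeat
            return
        alerted.add(key)
        alerts.append({"rule": rule, "principal": ev["principal"],
                       "src_ip": ev["src_ip"], "ts": ev["ts"].isoformat(), **extra})

    for ev in map(parse_event, lines):
        key = (ev["principal"], ev["src_ip"])
        if ev["src_ip"] not in baseline.get(ev["principal"], set()):
            # Valid credential, unexpected origin: remember when this started.
            first_anomaly.setdefault(key, ev["ts"])
            raise_once("credential-new-source", ev, action=ev["action"])
        # A lateral action is only escalated here if this source already looked anomalous;
        # the same action from a baseline source (e.g. the deploy role) stays quiet.
        if key in first_anomaly and ev["action"] in LATERAL_ACTIONS:
            elapsed = (ev["ts"] - first_anomaly[key]).total_seconds() / 60
            raise_once("lateral-after-new-source", ev,
                       action=ev["action"], target=ev["target"], elapsed_min=elapsed)
    return alerts


if __name__ == "__main__":
    for a in detect(RAW_EVENTS):
        print(a)
```

On the constructed events this yields two alerts rather than one per event: the first use of `deploy-bot` from the unknown address, and then the `AssumeRole` to a production role 30 minutes later, with the elapsed time attached so a responder can see how far into the breakout window the activity already is.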
Ultimately, a CNAPP that simplifies monitoring, detecting and acting on potential cloud security threats and vulnerabilities – within a centralized dashboard – will ensure that organizations can stay a step ahead of adversaries. To participate in shared responsibility, you need to have shared insight. CNAPP can drive that shared view and provide that shared outcome of stopping breaches.