CDR: How Cloud Has Changed the Game

Some organizations are just beginning their migration to the cloud, while others are already firmly settled there, but almost everyone is in the cloud in some capacity by now. And for good reason: the cloud creates substantial advantages in speed, scalability, and cost. 

But the sobering reality is that modern threat actors have also gained from the move to the cloud. By weaponizing the same cloud automation, they can execute an attack end to end in 10 minutes or less. A prime example is the advanced operation SCARLETEEL, which can breach an organization in just 220 seconds. It’s safe to say that threat actors can now breach targets faster than some SIEM queries can return results.

These rapid cloud attacks are also dynamic: they can chain any number of cloud tactics and techniques to reach their goal. They range from simple ones – like Bitcoin miners draining resources and raising costs – to advanced ones – like data exfiltration and ransomware. The latter can result in substantial downtime, plus financial and reputational losses.

The speed and complexity of these cloud attacks are a logistical nightmare for today’s CISO. EDR and XDR tooling is fundamentally unsuited for the cloud, and security teams that still rely on it find themselves struggling with incomplete and siloed data that lacks cloud context, dramatically slowing investigations.

“CDR is vastly more complex than traditional EDR. With CDR, the security team is working with signals from eight to 10 different sources, not to mention the need to work with three or four teams to understand those signals. I like to compare it to three-dimensional chess vs. checkers.”

Jamie Butler, Sysdig’s Head of Runtime Protection and Response Strategy
Jamie is the creator of an early Windows Host Intrusion Detection platform and the former director of the agent team for EDR and IR at Mandiant.

According to the 555 Benchmark for Cloud Detection and Response – a research-based industry standard – you have just 5 minutes to conduct a cloud investigation. But the complex, multi-stakeholder, and often manual workflows teams are mired in can make 5 minutes for investigating an alert feel like 5 milliseconds. Multiply that by the flood of alerts security teams often face at once, and the task seems impossible.

To accelerate investigations and to meet the 5-minute challenge, security teams need to address these three key friction points: 

  • Investigations take too long.
  • Legacy tools aren’t telling a helpful story.
  • Cloud-native lines of business are fractured. 

Investigations take too long

Too much of the time, incomplete and siloed data grinds the investigation process to a crawl. To connect the dots for a threat investigation, analysts are often forced to manually collect and correlate evidence across multiple tools and domains. 

This disjointed and inefficient approach dramatically hinders security and platform team productivity. Delayed response then ripples outward, escalating organizational risk and cost while weakening security posture. Even when the attack is a known one, teams are simply unable to act in time.

Legacy tooling tells a story – just not a helpful one

Connecting the dots for cloud detection and response use cases quickly – across multidimensional and complex cloud environments – is a tall order. Many vendors promise they can rise to this challenge — and many fail to deliver.

Often, alert feeds and identity data arrive as raw, unfiltered, or incomplete streams. These breadcrumbs lack critical insight into the volume and nature of alerts over time, making it difficult to understand, prioritize, and respond to threats effectively.

Cloud-native lines of business are fractured

Traditionally, security organizations operating in on-prem environments were able to handle all aspects of threats from end to end. The complexities of the cloud mean that this responsibility is often shared between disparate teams. These teams may have different goals and priorities, but still need to collaborate to ensure the organization is secure. 

Unfortunately, legacy EDR and XDR approaches lack the cloud context needed to understand the who, what, where, and how of an attack before a breach can occur. Without this context, teams struggle to understand and communicate the key information they need in order to work together meaningfully. Teams managing preventive controls are unable to harden protections, leaving the same gaps in their armor open for future attacks. And response teams are unable to respond effectively, increasing the potential for missed threats in the cloud estate and potentially leading to a material breach.

Furthermore, without a shared platform, teams are often operating with different information and terminology. They effectively don’t speak the same language, making it difficult to share collaborative steps, prescriptive context, and response actions across teams. 

A light at the end of the tunnel: true CDR

EDR and XDR tools are highly effective for managing workstations, but they are fundamentally not suited for cloud security. To effectively combat cloud threats, security teams need a comprehensive and actionable cloud detection and response solution — one that is purpose-built for the complexities and speed of the cloud.  

A detection and response solution that’s truly built for the cloud should be able to detect known and unknown threats across an organization’s entire cloud estate, all in real or near-real time. The solution should automatically correlate posture and runtime insights for true cloud-native context, accelerating workflows and eliminating skill gaps. It should also unlock feedback loops for key stakeholders, remove friction across fractured business lines, and provide teams with a single source of truth. 

By implementing a true cloud detection and response solution that provides these capabilities, security leaders and practitioners can reap the benefits in analyst efficiency, risk reduction, and cost optimization. 

Understanding cloud threats with the speed and depth they demand may seem impossible, but it doesn’t have to be. To investigate threats at cloud speed, you need security solutions built for the cloud. Once you can meet the 555 Benchmark, you can confidently safeguard your entire cloud estate and unlock its true value.