Key takeaways
Cloud migrations often create blind spots, making real-time visibility essential for cyber defense
Network-layer telemetry can overcome cloud log inconsistencies
Concrete steps for collecting, normalizing, and operationalizing network telemetry strengthen cloud defense
This article was inspired by a Corelight DefeNDRs podcast. Listen here.
The illusion of cloud simplicity
“Don’t worry about security, the cloud has you covered!”
Cloud migration was often promised with security that would “take care of itself.”
In practice, dynamic infrastructure, overlapping APIs, container sprawl, and multi‑cloud architectures have created new blind spots and attack surfaces for security teams to protect.
As common attacks increasingly evade EDR tools, defenders are revisiting a familiar lesson: cloud defense, like network defense, requires traffic visibility.
The analyst advantage and the data normalization challenge
Standardizing cloud-native logs can be complicated because each provider uses different fields and structures.
“Our cloud research team understands how the sheer volume of API calls and the constant addition of new services across cloud providers make log standardization and analysis a real challenge,” says Vince Stoffer, field CTO at Corelight.
This fragmentation underscores the importance of network telemetry—the common denominator that remains consistent across providers and environments.
Fortunately, most cybersecurity analysts are already familiar with network data, so when cloud telemetry is expressed in the same terms they can quickly spot odd or suspicious patterns. Add cloud inventory context (e.g., accounts, projects, VPC/VNet, and cluster/pod labels), and together this creates a common, provider-agnostic signal for detection and investigation.
This is where network detection and response (NDR) shines. It delivers consistent, real-time visibility across multi-cloud and hybrid-cloud environments and normalizes telemetry between them.
Trusted to defend the world’s most sensitive networks, Corelight’s Network Detection & Response (NDR) platform combines deep visibility with advanced behavioral and anomaly detections to help your SOC protect your cloud environments.
Detecting adversary patterns in dynamic cloud environments
As cloud deployments grow more dynamic and complex, security fundamentals don’t change. Even short-lived workloads still talk in steady patterns and use predictable ports. Dependable signals defenders can watch out for include:
Adversaries communicating externally to exfiltrate data or maintain C2 over unusual ports or network protocols
Deviations in production containers and managed services, which are typically immutable and consistent after deployment
Adversaries with admin access disabling host-based sensors and container runtime monitoring sensors
Unusual signs of enumeration or discovery activity between systems or services that may indicate adversaries mapping resources
Because it is collected through traffic mirroring and virtual taps, network-level telemetry is largely tamper-resistant and does not depend on host integrity: an adversary who disables an EDR agent or runtime sensor on a host cannot erase what that host has already put on the wire. It is not immune to an attacker with control-plane permissions to modify or delete the mirroring configuration itself, so those API calls should be audited as well. Combining network data with endpoint data and container runtime data for process-level context fills the gaps in cloud-native security and improves detection accuracy in dynamic cloud environments. So, what types of threats are visible in monitored cloud network traffic?
Supply‑chain compromises: Malicious container images and packages that drop cryptominers beaconing to pools
Infostealer‑led intrusions: Stolen credentials or session tokens enabling console/API access
Interactive admin tooling in containers: SSH, RDP, or VNC in immutable production environments is often suspicious, especially between containers
Misuse of managed services and data egress: Connections to new regions, unfamiliar APIs, or sudden spikes in outbound volume can signal an attack
Coinminers communicating with mining pools: Compromised compute is used to mine cryptocurrency, and the miner's pool connections (commonly the Stratum protocol on non-standard ports) remain visible on the network regardless of how the miner was delivered
If you accept that network monitoring is key to cloud security, the next question is “What should you monitor?”
East-west and north-south traffic: intra-cloud communications (service-to-service, node-to-node) and internet ingress/egress
Container traffic (Kubernetes) identifying deviations after application deployment
TLS metadata (SNI, certificate subjects) to reveal managed service endpoints and support service‑aware baselines
DNS data to identify communications with malicious domains and DNS tunneling
Flow logs for breadth and traffic mirroring/pcap for depth
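One way the DNS item above becomes detection logic, as an added example that is not from Corelight or the original article: a Python script that profiles Zeek-style dns.log rows per registrable domain and flags candidates for DNS tunneling by subdomain cardinality, label length, and character entropy. The rows are constructed, the column subset is reduced from Zeek's full dns.log schema, and the "registrable domain = last two labels" rule and the thresholds are assumptions.

```python
"""DNS tunneling heuristics over Zeek-style dns.log rows (added example).
Constructed data; the registrable-domain rule and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed rows: a reduced subset of Zeek dns.log columns
# (ts, id.orig_h, query, qtype_name). Real rows carry many more fields.
ROWS = [
    ("1700000001.1", "10.0.1.10", "api.example.com", "A"),
    ("1700000002.2", "10.0.1.10", "cdn.example.com", "A"),
    ("1700000003.3", "10.0.1.11", "www.example.com", "A"),
    ("1700000004.4", "10.0.1.10", "api.example.com", "A"),
    ("1700000010.0", "10.0.1.12", "n7k2w9x4q1z8b6v3m5c0p2r4.evil-tunnel.test", "TXT"),
    ("1700000010.5", "10.0.1.12", "j3h8g1f6d9s4a7l2e5t0y8u3.evil-tunnel.test", "TXT"),
    ("1700000011.0", "10.0.1.12", "q6w2e9r4t1y7u3i8o5p0a2s4.evil-tunnel.test", "TXT"),
    ("1700000011.5", "10.0.1.12", "z1x4c7v2b9n6m3l8k5j0h2g4.evil-tunnel.test", "TXT"),
    ("1700000012.0", "10.0.1.12", "d5f8g2h7j4k1l9z6x3c0v2b4.evil-tunnel.test", "TXT"),
    ("1700000012.5", "10.0.1.12", "m0n3b6v9c2x5z8a1s4d7f2g4.evil-tunnel.test", "TXT"),
]
DNS_LOG = "\n".join("\t".join(r) for r in ROWS)  # tab-separated like Zeek's ASCII writer


def registrable(domain):
    """Assumption: the last two labels form the registrable domain.
    A production version should consult a public-suffix list instead."""
    return ".".join(domain.rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    """Bits per character over the string; high values suggest encoded payload."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(log_text):
    """Per registrable domain: unique subdomain count, mean subdomain length,
    and entropy of all subdomain characters seen."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        _ts, _src, query, _qtype = line.split("\t")
        base = registrable(query)
        sub = query[: -len(base)].rstrip(".")
        if sub:
            subs[base].add(sub)
    stats = {}
    for base, names in subs.items():
        stats[base] = {
            "unique": len(names),
            "avg_len": sum(map(len, names)) / len(names),
            "entropy": round(shannon_entropy("".join(names)), 2),
        }
    return stats


def tunnel_candidates(stats, min_unique=5, min_entropy=3.5, min_avg_len=20):
    """Flag domains with many distinct subdomains that look encoded.
    Thresholds are assumptions; tune against your own baseline."""
    return sorted(
        base for base, s in stats.items()
        if s["unique"] >= min_unique
        and (s["entropy"] >= min_entropy or s["avg_len"] >= min_avg_len)
    )


if __name__ == "__main__":
    stats = profile(DNS_LOG)
    for base, s in stats.items():
        print(base, s)
    print("tunnel candidates:", tunnel_candidates(stats))
```

Legitimate high-cardinality domains (CDNs, telemetry services, DNS-based blocklists) will also show many unique subdomains, so in practice the candidate list is scored against an allow-list built from the baseline period rather than alerted on directly.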
The next step is to build an effective workflow:
Start by turning on flow logs and traffic mirroring, and note their latency and fidelity so you know what each source can and can’t tell you.
Pull cloud network telemetry into a single platform, standardize it, and enrich it with cloud inventory and tags so context travels with the data.
Establish and tune baselines by role, service, port, and known external peers. Begin with your most critical services, then iterate to cut noise without losing true drift signals. Alert on new destinations, ports, or protocols.
Monitor egress tightly. Cover your choke points by instrumenting VPC/VNet egress. Add node-level viewpoints in your container platforms to look for newly observed domains or IPs and atypical destinations, periodic beaconing and low-and-slow transfers, and time-of-day or volume spikes.
Profile managed‑service access via TLS metadata; alert on first‑seen APIs, endpoints, or regions per workload.
Hunt for miner footprints: connections to known pools and characteristic protocols.
Flag interactive protocols in containers (SSH/RDP/VNC) and lateral movement patterns within clusters.
Correlate endpoint compromises: if a user device is breached, pivot to cloud egress for matching infrastructure and behaviors.
And keep yourself honest with continuous validation—emulate adversaries to confirm you can detect infostealers, cryptomining, C2, and suspicious admin behavior.
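The workflow above, from flow-log ingestion through inventory enrichment, baselining, egress drift, beaconing, and in-cluster interactive protocols, as one added example that is not Corelight's code or a product feature: a Python script over constructed AWS VPC Flow Log records in the default v2 field order. The interface ids, inventory tags, addresses, and timestamps are constructed; the cluster address prefix, the interactive port set, and the beaconing thresholds are assumptions to tune per environment.

```python
"""Baseline-and-drift detection over VPC flow-log records enriched with
cloud inventory (added example). All data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: interface id -> workload role and cluster tag.
# A real pipeline would pull this from the provider's inventory API.
INVENTORY = {
    "eni-web01": {"role": "web", "cluster": "prod-eks"},
    "eni-web02": {"role": "web", "cluster": "prod-eks"},
    "eni-db01": {"role": "db", "cluster": "prod-eks"},
}
CLUSTER_CIDR_PREFIX = "10.0."  # assumption: pod/node address space
INTERACTIVE_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Constructed records, AWS VPC Flow Logs default (v2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
BASELINE_LOG = """\
2 123456789012 eni-web01 10.0.1.10 10.0.2.20 41000 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-web02 10.0.1.11 10.0.2.20 41001 5432 6 20 4000 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-web01 10.0.1.10 203.0.113.9 41002 443 6 30 9000 1700000020 1700000080 ACCEPT OK
"""
WINDOW_LOG = """\
2 123456789012 eni-web01 10.0.1.10 10.0.2.20 41100 5432 6 20 4000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-web02 10.0.1.11 198.51.100.7 41101 4444 6 3 300 1700003600 1700003601 ACCEPT OK
2 123456789012 eni-web02 10.0.1.11 198.51.100.7 41102 4444 6 3 300 1700003660 1700003661 ACCEPT OK
2 123456789012 eni-web02 10.0.1.11 198.51.100.7 41103 4444 6 3 300 1700003720 1700003721 ACCEPT OK
2 123456789012 eni-web02 10.0.1.11 198.51.100.7 41104 4444 6 3 300 1700003780 1700003781 ACCEPT OK
2 123456789012 eni-web01 10.0.1.10 10.0.2.20 41105 22 6 40 8000 1700003700 1700003900 ACCEPT OK
2 123456789012 eni-web01 10.0.1.10 203.0.113.9 41106 443 6 30 9000 1700003800 1700003860 ACCEPT OK
"""


def parse_flow_logs(text):
    """Yield one dict per ACCEPTed record, enriched with inventory tags."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        yield {
            "eni": f[2], "src": f[3], "dst": f[4],
            "dport": int(f[6]), "proto": int(f[7]),
            "bytes": int(f[9]), "start": int(f[10]),
            **INVENTORY.get(f[2], {"role": "unknown", "cluster": "unknown"}),
        }


def build_baseline(records):
    """Known (dst, dport, proto) tuples per workload role, learned from a quiet window."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["role"]].add((r["dst"], r["dport"], r["proto"]))
    return baseline


def detect(records, baseline, min_beacons=4, max_cv=0.2):
    """Return (type, detail) alerts: new destinations per role, interactive
    protocols between cluster addresses, and periodic beaconing to one peer."""
    alerts, seen_new, by_peer = [], set(), defaultdict(list)
    for r in records:
        key = (r["dst"], r["dport"], r["proto"])
        if key not in baseline[r["role"]] and (r["role"], key) not in seen_new:
            seen_new.add((r["role"], key))
            alerts.append(("new-destination",
                           f"{r['role']}/{r['cluster']} -> {r['dst']}:{r['dport']}/{r['proto']}"))
        if (r["dport"] in INTERACTIVE_PORTS and r["src"].startswith(CLUSTER_CIDR_PREFIX)
                and r["dst"].startswith(CLUSTER_CIDR_PREFIX)):
            alerts.append(("interactive-in-cluster",
                           f"{INTERACTIVE_PORTS[r['dport']]} {r['src']} -> {r['dst']}"))
        by_peer[(r["src"], r["dst"], r["dport"])].append(r["start"])
    # Beaconing: several connections to one peer with near-constant spacing
    # (coefficient of variation of the inter-arrival gaps below max_cv).
    for (src, dst, dport), starts in by_peer.items():
        if len(starts) < min_beacons:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            alerts.append(("beacon", f"{src} -> {dst}:{dport} every ~{mean(gaps):.0f}s x{len(starts)}"))
    return alerts


def run():
    baseline = build_baseline(parse_flow_logs(BASELINE_LOG))
    return detect(list(parse_flow_logs(WINDOW_LOG)), baseline)


if __name__ == "__main__":
    for kind, detail in run():
        print(f"[{kind}] {detail}")
```

Flow logs give the breadth for this kind of baselining but are aggregated and delayed; the same peer keys can be fed from mirrored traffic or Zeek conn logs for finer timing, and TLS SNI from mirrored sessions would extend the baseline key from IP:port to the managed-service endpoint name.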
Multi-cloud security is more than achievable when you apply timeless network principles to modern architectures.
As attackers lean on AI and slip past trusted controls, network visibility isn't optional: it's the foundation for understanding your environment and catching threats before anomalies become incidents, on the ground or in the cloud.
This article was inspired by a conversation between Richard Bejtlich, Corelight’s strategist and author in residence, and David Burkett, Corelight’s cloud security researcher, on Corelight’s DefeNDR podcast series. Subscribe or listen to the episode here.
To learn how Corelight’s Open NDR Platform unifies cloud and network evidence for fast, effective detection and response, explore more at Corelight.com/elitedefense
Sponsored and written by Corelight.
