“While the cloud offers substantial benefits to organisations, it also presents a new threat surface for malicious attackers to probe and exploit. Traditional detection and response tools are not able to keep up with the threats of a cloud-based world where many applications are being built with cloud-native services, are often containerised, and may be ephemeral in nature.”
Anthony Leverington, the Regional Director for ANZ at Sysdig, says approaches that worked in the past must be modernised to mitigate the risks of cloud-based environments.
“Historically, the approach taken by SecOps or SOC teams has been to secure the endpoint, collect logs from multiple sources and then send these logs for analysis by a central team.”
Leverington and his team recently discovered a case where a threat actor exploited a cloud misconfiguration. The organisation had a monthly cloud spend of around $30,000, which rose ten-fold because the attacker deployed thousands of containers inside their environment to mine cryptocurrency.
“Real-time detection capabilities would have detected the presence of this crypto-miner in milliseconds, allowing the organisation to detect and remediate before there were any significant impacts,” says Leverington.
With an expanding threat surface created by cloud services and applications, and the ephemeral nature of many of those services, organisations need real-time detection and response to protect their cloud environments. That means developing a modernised cloud security strategy that can protect their data and resources.
“The 2024 Sysdig Cloud Native Security and Usage Report found that 70% of containers have a lifespan of less than five minutes and the average time taken for a cloud attack is only 10 minutes. One attack we discovered recently, named Scarleteel, was executed in under four minutes,” Leverington says.
Creating a cloud security strategy is a three-step process, says Leverington. The first step is to adopt a comprehensive unified platform that offers multi-domain correlation; the second is to focus not only on static risks but also on active risks, such as real-time configuration changes; and the third is to use a benchmark, like Sysdig’s 555 benchmark, to measure and monitor performance.
“The 555 is five seconds to detect, five minutes to correlate and triage, and five minutes to respond to an attack. This benchmark is designed to help organisations transition their security practices to address today’s challenges,” he explains.
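The crypto-mining case above (thousands of containers launched in a short time) and the five-second detection target of the 555 benchmark can be tied together with a simple rate-based detection. The following is an added example, not code from the article or from Sysdig: it runs a sliding-window rule over constructed container-launch audit events, flags an identity that exceeds a launch threshold, and reports how long after the burst began the rule fired. The event field names (`time`, `principal`, `action`, `image`), the principal names and the threshold values are all assumptions chosen for illustration.

```python
"""Sliding-window burst detection for container launches.

Added example (not from the article or Sysdig). A principal that launches
far more containers than normal within a short window is flagged, and the
time between the first launch in the window and the alert is reported so
it can be compared with a detection budget such as the 555 benchmark's
five seconds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def constructed_events():
    """Constructed sample audit events (not real logs).

    Six routine deploys from a CI identity, then a burst of 40 launches in
    20 seconds from a single service identity, the shape of the mining case.
    """
    events = []
    for i in range(6):
        events.append({"time": BASE + timedelta(minutes=5 * i),
                       "principal": "ci-deployer",           # assumed name
                       "action": "RunContainer",             # assumed action
                       "image": "registry.example/app:1.4"})
    burst_start = BASE + timedelta(minutes=12)
    for i in range(40):
        events.append({"time": burst_start + timedelta(milliseconds=500 * i),
                       "principal": "svc-backup",            # assumed name
                       "action": "RunContainer",
                       "image": "registry.example/unknown:latest"})
    events.sort(key=lambda e: e["time"])
    return events


def detect_launch_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return one alert per principal whose launches in `window` reach `threshold`.

    Each alert records when the burst was first seen, when the rule fired,
    and the latency between the two. That latency is the dwell time the
    threshold itself allows; the analysis engine's own processing delay is
    separate and would add to it.
    """
    recent = defaultdict(deque)   # principal -> timestamps inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "RunContainer":
            continue
        q = recent[ev["principal"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop launches outside the window
            q.popleft()
        if len(q) >= threshold and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({
                "principal": ev["principal"],
                "first_seen": q[0],
                "alert_time": ev["time"],
                "launches_in_window": len(q),
                "image": ev["image"],
                "latency_seconds": (ev["time"] - q[0]).total_seconds(),
            })
    return alerts


def within_detection_budget(alert, budget_seconds=5.0):
    """True if the rule fired within the budget (5 s mirrors the 555 target)."""
    return alert["latency_seconds"] <= budget_seconds


if __name__ == "__main__":
    for thr in (20, 10):
        for a in detect_launch_bursts(constructed_events(), threshold=thr):
            print(f"threshold={thr}: {a['principal']} launched "
                  f"{a['launches_in_window']} containers ({a['image']}) "
                  f"in {a['latency_seconds']:.1f}s; "
                  f"within 5s budget: {within_detection_budget(a)}")
```

With the threshold at 20 launches the rule fires 9.5 seconds into the constructed burst, outside a five-second budget; lowering it to 10 brings the alert to 4.5 seconds. The point for a defender is that time-to-detect is partly a property of the rule, not only of the tooling: a threshold tuned for low false positives buys that quiet at the cost of detection latency, and the 555 target has to be measured against the whole pipeline, rule plus engine.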
Effective risk and vulnerability management in the cloud demands a real-time approach. The days of being able to collate, correlate and analyse log data over hours are behind us. Detection and response must be executed in minutes or seconds, or organisations will be caught out by savvy threat actors.