Threat Detection on a Cloud-Native Attack Surface

Originally published by Sysdig.

Written by Anna Belak.

Public cloud infrastructure is, by now, the default approach to both spinning up a new venture from scratch and rapidly scaling your business. From a security perspective, this is a brand new (well, by now more than a decade old) attack surface. “Attack surface” is a commonly used term that denotes the aggregate of your exploitable IT estate, or all of the different pathways a hacker might be able to use to gain access to your systems, steal your data, or otherwise harm your business.

The cloud attack surface is different. I will delve into the nuances of understanding and securing cloud-native environments at the speed of innovation with our guest, Forrester’s brilliant Allie Mellen, in an upcoming webinar on January 31.

As always, there are pros and cons to doing things the “cloud way” instead of the old way. For example, you get some amount of default visibility from the cloud provider’s built-in controls, like on-by-default logging. You also get an easier way to inventory your assets since everything is API-defined and API-accessible; there are no more secret servers in forgotten closets.

On the other hand, one of the greatest joys of the cloud is the boundless freedom to create new resources, new applications, and new security gaps at the stunning pace of 21st-century innovation. The great creators of this era are software developers, and arguably, a huge driver for the evolution of cloud, DevOps, and many other modern IT patterns is to enable developers to create more software, faster. To say that we’ve been quite successful in pushing this frontier would be an understatement.

Developers are expanding the cloud attack surface faster than ever.

The expansion of the cloud attack surface is a direct result of the faster, more innovative development that the cloud enables — it’s a risk that most organizations have been willing to take due to the positive impact on their bottom line. We’ve claimed that we will mitigate this risk with strategies like shift-left and zero-trust, but most real-world data indicates that’s not really working, at least nowhere near well enough for any security leader to feel good about it.

Well, if prevention is failing (as it does from time to time), we have no choice but to hope that threat detection and incident response make up for it. In this Forrester blog, Allie Mellen describes the “detection surface,” which, according to Forrester, is “the IT asset type upon which detection of attacker activity occurs.” She specifically differentiates detection surfaces associated with different asset scopes and security tools. Allie gives examples of potential vendor survey responses to the question, “What detection surfaces do you have coverage for?” Vendor responses when discussing cloud detection might be, “containers, IaaS instances, SaaS applications [etc.]” while the detection surface for endpoints for vendors in contention for EDR adoption might be “Windows, Mac, iOS, Android [etc.].”

As developers increase the cloud attack surface, they also expand the cloud detection surface.

Everything that’s deployed into the public cloud is in some way accounted for. Likewise, almost everything has some kind of telemetry associated with it. Cloud logs will report on new assets created by various teams and will log activities associated with them without anyone explicitly defining data sources or configuring anything. The question is, does your SOC have any idea what to do with that data? If it’s flowing into your SIEM, is there content to actually detect modern threats on this detection surface?

Most security operations teams are just beginning to develop expertise in the cloud and are in the very early stages of building threat detection programs for these modern environments. Does your organization have coverage for the cloud detection surface? Do you have a strategy for maturing your SOC to provide coverage for the cloud-native software development activity that’s generating your revenue? If you have more questions and feelings than answers, join us for a January 31st webinar featuring guest speaker Allie Mellen where we chat about cloud detection and response and the future of the SOC.