The use of SaaS and public cloud services has seen massive growth in the past decade. Organizations have moved, or are moving, their business systems including email, collaboration, HR, sales, marketing and operations to the cloud. In a 2019 ESG research survey, two-thirds (67%) of participants reported that more than 20% of their applications are now SaaS-based, while over 58% of organizations reported using IaaS in 2019.
Cybersecurity is learning to adapt to a radically different threat landscape in the cloud. Your security team has less control over the networks and infrastructure on which critical business systems run, and attackers are increasingly using credential stuffing, social engineering and spear phishing against users and services to gain legitimate access to resources in the cloud.
Regardless of whether your organization is using SaaS, PaaS or IaaS, you are still responsible for protecting the information in the cloud.
So, how can you do this? You could try employing a prevention strategy by using a solution like Cloud Access Security Brokers (CASBs). CASBs are architecturally like firewalls for the cloud. They act as mediators between an organization’s infrastructure and its cloud services, examining all traffic going to and from the cloud; CASBs focus on preventing data loss and exfiltration, and malware exposure by blocking access when it occurs.
But preventive controls are not enough to secure cloud environments. Even with the best preventive security solutions in place, attackers can still penetrate defenses and gain access to cloud assets. In the cloud, security teams need to quickly detect, investigate,and respond to threats and breaches. This means having visibility and enriched user context to observe and respond to suspicious activity at all times. This is missing in the world of SaaS and cloud services today. As an incident response team lead recently asked, “How do you run detection and response in systems you don’t own?”
How do you run detection and response in systems you don’t own? This is a challenge.
IR Lead at a Tech Company
We Have Seen This Before with Endpoint Detection and Response
A few years ago, an increasingly mobile workforce stretched the secure network perimeter beyond the datacenter and office to thousands of mobile devices and laptops on WiFi networks at coffee shops, airports, and hotels. Security teams could not see what users were accessing and running on their personal devices – the same devices that they also used to access business email and services. Even in organizations that had antivirus and other preventative tech in place, attackers were using innovative techniques to compromise user endpoints without triggering warnings. The solution to this growing problem was Endpoint Detection and Response (EDR). EDRs gave security teams core capabilities that they lacked before: telemetry, contextual visibility, and automated detection. These capabilities empowered security teams to investigate and respond to incidents quickly, giving them a leg up in the fight against the new wave of threats.
Visibility Challenges in the Cloud
The visibility problem in cloud environments is different and more complex than with endpoint devices. SaaS applications like Salesforce and G Suite maintain authorization management inside their platforms, so entitlements are buried across different applications. If a security admin wants to see what a user has access to in Salesforce or what he is doing in G Suite, the admin has to pull the permissions and activity logs and understand the authorization model and activity log format for each service before determining if anything suspicious is happening.
The fragmented view of access and activity makes investigating incidents and proactive threat hunting a non-starter. Another common problem is the sheer volume of uncontextualized data streaming from these applications. With terabytes of data to sift through, threats are inevitably drowned in a sea of irrelevance.
Introducing Cloud Detection and Response (CDR)
Cloud Detection and Response (CDR) solutions give security professionals the comprehensive visibility they need to detect, investigate, and mitigate threats in the cloud by continuously collecting, normalizing and analyzing large volumes of state and activity data from SaaS and cloud services.
Just as EDR and network monitoring / network traffic analysis solutions address the need for ongoing visibility in the network and endpoints, CDR solutions provide single-pane visibility into what’s happening in cloud environments with full relevant context around access and privileges.
| Prevention | Detection & Response | |
| Network | Firewall | Network traffic analysis |
| Endpoints | Antivirus | EDR |
| Cloud | CASB | Cloud Detection & Response |
To do this, CDRs start with a consolidated, normalized view of your environment that is continuously updated. This view is then enriched with information from threat intel feeds and IP lookups that tell you about known bad actors, malware, and risky users. CDRs then layer on information about the users themselves such as their roles and expected behavior. The combination of visibility and enriched user context enables teams to detect and hunt for threats and conduct incident response.
Core CDR Capabilities
In order for a CDR solution to be useful for securing cloud environments, they need to offer these core capabilities:
- Consolidated Visibility: CDRs provide continuous and consolidated visibility into user access and activity across your different cloud services. In the world of multiple SaaS applications and cloud services, this entails aggregating state and activity data, normalizing the data, and enriching the data with threat intelligence and context (locations, devices, browsers, etc.) Visibility empowers security teams to detect risks and threats of all stages, and to investigate and respond to incidents quickly.
- Automated Detections Built on Rules and Analytics: CDRs analyze vast amounts of data across different cloud services to identify patterns that signal risk and threats. The problem with modern cloud environments is that threats are drowned in a sea of irrelevance. By alerting on policy violations and risky behavior informed by machine learning analytics and rules, CDRs help SOCs distill the signal from the noise so they can prioritize their efforts.
- Detection Extended to Risk Monitoring: Best-in-class CDRs go beyond detection capabilities to anticipate concerns such as unused and stale privileges and poorly configured services. This empowers security administrators to continuously enforce a robust security posture, and preemptively mitigate attack vectors.
Security professionals, threat hunters, and security operations center (SOC) teams can use the consolidated activity stream to uncover access patterns that reveal new threats or indicate compromise. CDRs also have machine learning-powered analytics to automate detection of anomalous or dangerous activity and to uncover misconfigurations and identity risk. Going beyond prevention, these CDR capabilities help security teams of all sizes identify threats and investigate incidents preemptively.
Conclusion
Continuous and comprehensive visibility (more accurately called observability) lie at the heart of good security. Organizations need single-pane visibility into what’s happening in their environments. The more this data gets enriched with intelligence around known threats and risks, the more valuable it will be for detecting, investigating and responding to threats.
Cloud Detection and Response (CDR) is the missing element of the cloud security stack. CDR solutions give security teams 360-degree visibility in the form of access and privilege inventories, consolidated activity data, and actionable alerts.
We will talk about ways in which organizations use CDR to secure their cloud environments in a series of follow-up posts. In the meantime, check out what we’re building, and drop us a note if you’d like a demo of what Obsidian is building.