The need for scalable cloud-native security
The cybersecurity landscape is undergoing a rapid transformation driven by the accelerated adoption of cloud computing, compelling organizations to reevaluate their security strategies. According to Forrester’s Infrastructure Cloud Survey, 2023, cloud decision-makers who are moving to a cloud computing infrastructure estimated they have already moved 39% of their application portfolio to the cloud and intend to move another 53% in the next two years [1].
This explosive growth underscores not only the increased dependency on cloud services, but also the evolving sophistication of cyber threats targeting these platforms, and the critical need for dedicated security measures tailored to cloud infrastructures — thereby making cloud security a pivotal focus for Security Operations Center (SOC) teams.
As organizations increasingly migrate to cloud environments and their reliance on cloud infrastructures deepens, they encounter new security challenges that require reevaluating their security strategies. Traditional measures like Network Detection and Response (NDR) are being reassessed in favor of more dynamic, scalable cloud-native solutions.
However, can we truly say that cloud detection and response (CDR) is fundamentally different? Or is it simply an evolution of NDR tailored for the cloud?
Cloud Detection and Response (CDR) vs Network Detection and Response (NDR)
Cloud Detection and Response (CDR) has emerged as a pivotal technology in the race against threat actors targeting cloud assets. CDR is typically centered around the same foundational principles as NDR. As such, NDR providers are well placed to provide these capabilities within dynamic cloud environments – particularly those providers that are built upon the foundation of understanding your business, its digital footprint, and leveraging that understanding to detect subtle deviations and highlighting anomalies as opposed to pre training or relying on rules and signatures.
However, there are unique challenges within cloud environments that require a wider, richer, context-aware approach.
Why SOC Teams Care
Widespread UseThe shift towards cloud services is no longer a trend but a standard practice across industries. Organizations increasingly rely on cloud infrastructures for essential operations across IaaS, PaaS, and SaaS platforms. According to Gartner, worldwide end-user spending on public cloud services is forecast to grow 20.4% to total $678.8 billion in 2024, up from $563.6 billion in 2023 [2]. This widespread adoption necessitates a security approach that can operate seamlessly across varied cloud environments, addressing both the scalability and the agility that these platforms offer.
Sophisticated AttacksCyber threats have evolved in sophistication, specifically targeting cloud platforms due to their growing prevalence. Attackers exploit the dynamic nature of cloud services, where traditional security measures often fall short. The cloud has emerged as a major target for threat actors who want to control access to, manipulate, and steal that data. This makes cloud resources a bigger target than ever for attackers. According to the IBM Cost of a Data Breach 2023 report, 82% of breaches involved data stored in the cloud [3]. Examples include data breaches initiated through misconfigured storage instances or through the exploitation of incomplete data deletion processes, highlighting the need for cloud-specific security responses.
Dynamic EnvironmentsCloud environments are inherently dynamic, characterized by the rapid provisioning and de-provisioning of resources, this fluidity presents a significant challenge for maintaining continuous security oversight, organizations need to be able to see what individual assets in the cloud look like at any given moment, who or what can access those, but also to be able to detect and respond to changes in real time. Unlike traditional infrastructure, detection and response in the cloud is challenging because of the ephemeral nature of some cloud assets and the velocity and volume of new app deployment – traditional signature-based detections will often struggle to work with such data.
What SOC Teams Need
Centralized VisibilityEffective security management requires a comprehensive, unified view spanning all operational environments including multi-cloud platforms and on-premises datacenters. Furthermore, in today's complex IT landscape, where organizations operate across both on-premises and various cloud environments, the need for centralized visibility becomes paramount. This comprehensive oversight is crucial for detecting anomalies and potential threats in real time, allowing SOC teams to manage security from a single source of truth, despite the dispersed nature of cloud assets and the heterogeneity of on-premises resources. By integrating these views, organizations can ensure a seamless security posture that encompasses all operational environments, enhancing their ability to respond swiftly to incidents and reduce security gaps.
AutomationGiven the vast scale and complexity of cloud operations, automation in detection and response processes is indispensable. Automated security solutions can instantly respond to threats, or adjust permissions across the cloud, enhancing both the efficiency and effectiveness of security measures.
Containment and RemediationThe capability for swift containment and remediation of security incidents is vital to minimize their impact on business operations. Automated response mechanisms that can isolate affected systems, revoke access, or reroute traffic until the threat is neutralized are essential components of modern CDR solutions.
Unpacking the Essentials: What Sets CDR Apart from NDR
While CDR and NDR share similar goals of threat mitigation, the context within cloud environments brings additional complexities:
Who: The identification of user roles and access patterns in cloud environments is crucial for detecting insider threats or compromised accounts. For example, an account behaving irregularly or accessing unusual data points may indicate a security breach.
What: Understanding what resources are deployed in the cloud (such as VMs, containers, and serverless functions) and the types of data they handle helps prioritize security efforts. Protecting data with varying sensitivity levels requires different security protocols.
Where: The geographic distribution of cloud datacenters affects regulatory compliance and data sovereignty. Security measures must consider these factors to ensure that data storage and processing comply with local laws and regulations.
How: Monitoring the configuration and usage of cloud services helps in identifying misconfigurations and anomalous usage patterns, which are common vectors for attacks. Tools that can automatically scan and rectify configurations in real time are particularly valuable in maintaining cloud security.
Key takeaways and benefits of CDR
As cloud adoption continues to surge, the strategic importance of CDR becomes increasingly evident. However, NDR vendors are well-positioned to provide these capabilities, especially those who deeply understand customer environments by learning the pattern of life of resources rather than relying on static rules and signatures.
Cloud environments, at their core, are still comprised of networks for communication. Interactions between cloud resources need to be monitored in real time, and access to these resources needs to be tracked and managed. As the cloud changes dynamically, the understanding and visualization of what is deployed and where needs to be updated quickly. Above all effective and proportional cloud-native response needs to be provided to mitigate threats and avoid business disruption.
Moreover, the ideal solutions will not only monitor network interactions but also bring in cloud contextual awareness. By combining these insights, SOC teams can gain a deeper understanding of permissions, assess risk vulnerabilities, and integrate all these elements into a single, cohesive platform. Importantly, SOC teams need to go beyond detection and response to actively mitigate potential misconfigurations and stay preventative. After all, proactive security is much better than reactive. By leveraging such comprehensive solutions, SOC teams can better equip themselves to tackle the modern cybersecurity landscape, ensuring robust, responsive, and adaptable defenses.
Learn more about Darktrace / CLOUD
Darktrace / CLOUD is intelligent cloud security powered by Self-Learning AI that delivers continuous, context-aware visibility and monitoring of cloud assets to unlock real-time detection and response, and proactive cloud risk management. Read more about our cloud security solution here.
References
[1] Gartner Forecasts Worldwide Public Cloud End-User Spending to Surpass $675 Billion in 2024
![External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df74_670d956f4dda5eb6ac9e650f_Screenshot%25202024-10-14%2520at%25203.04.22%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7d_670d959854eb594420fdc971_Screenshot%25202024-10-14%2520at%25203.05.03%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df80_670d95c562c6e392c7dc3ba8_Screenshot%25202024-10-14%2520at%25203.05.49%25E2%2580%25AFPM.png)
![Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/670d96b065612663d098df7a_670d95e4b1dbad771717553c_Screenshot%25202024-10-14%2520at%25203.06.20%25E2%2580%25AFPM.png)
