Cloud-scale Threats Need Cloud Detection and Response

author_profile
Tim Miller
Thursday, Apr 25th, 2024

A recent survey from Gartner forecasts that worldwide end-user spending on public cloud services will total $679 billion in 2024, and that number is expected to jump to $1 trillion in 2027. Businesses left and right are moving to the cloud. But as they make their move, the old ways of protecting data—like building a virtual wall around your data (“perimeter security”)—are proving inadequate. 

Instead, enterprises are turning to cloud detection and response (CDR), a strategy focused on bringing real-time visibility, understanding, and management of cyber threats. CDR is meant to complement proactive prevention techniques by staying one step ahead, leveraging sophisticated analytics to detect potential threats before they manifest as breaches. Whether attackers are trying to access sensitive data or burrow into other parts of your network, CDR aims to quickly identify and mitigate threats by continuously monitoring your cloud environment. 

In this post, we’ll explore the what and the why of CDR. We’ll look at its importance within the context of cloud computing, and we’ll highlight the benefits that CDR brings to organizations new to navigating the modern cloud. 

What changes with the cloud? 

An enterprise’s transition to the cloud fundamentally alters its cybersecurity landscape, and this presents new challenges for threat detection and response. 

  • Bigger scale, wider attack surface: Cloud environments continuously evolve with new services, configurations, and connections—all of which complicate the potential vectors of attack. 
  • Multiple clouds: Each cloud provider has its own security tools and protocols, which makes it a challenge to maintain a consistent security posture that spans all environments in a multi-cloud setup. 
  • Getting your hands on telemetry: Cloud providers dictate how and what data you can collect, complicating your efforts to integrate, correlate, and analyze data from diverse sources. 

Common threats in the cloud 

When your digital assets are in the cloud, they become prime targets for a wide range of cyber threats. While the spectrum of potential risks is broad, focusing on the most common and impactful threats can help organizations prioritize their defense strategies. In this section, we highlight key threats that businesses face in cloud environments. 

Container escape 

A container escape occurs when an attacker exploits vulnerabilities in a containerized environment to gain unauthorized access to the host system or other containers. A successful exploit can compromise the entire system, allowing attackers to steal data, deploy malware, or execute further attacks. 

In one notable example (CVE-2019-5736), attackers could overwrite a binary on the host machine from within the container, thereby obtaining root access to the host machine. 

Cryptojacking

Cryptojacking attacks involve hijacking cloud resources to gain control of cloud-based computing power in order to mine cryptocurrency. This consumes valuable resources and can continue for an extended time without the organization's knowledge. 

Ransomware 

Ransomware attacks in the cloud encrypt your valuable data and demand payment for its release. In 2022, ransomware attacks made up 68.42% of all cyberattacks detected. The sum total of ransomware payments made in 2023 was $1.1 billion, with an average payment of $1.54 million. Notable ransomware attacks from the past include Ryuk, Maze, and DoppelPaymer. 

Some strains of ransomware specifically target cloud storage services, exploiting misconfigured permissions to encrypt files stored online. 

Data exfiltration or destruction 

Data exfiltration is the unauthorized access and outbound transfer of sensitive data from your cloud. Attackers often use sophisticated methods to bypass security measures. Rather than executing a wholesale exfiltration of a massive volume of data, an attacker might slowly siphon off data over several months to avoid detection. 

Data destruction threats in the cloud aim to deliberately delete or corrupt data. Naturally, this can be catastrophic for businesses that rely on cloud storage. These attacks may be motivated by malice, extortion, or as a cover-up for other malicious activities. 

In some cases, these data attacks are coupled with a ransomware attack, as in the case of DoppelPaymer attacks in 2020. In these attacks, data is first exfiltrated, and then systems are locked down with ransomware. Attackers threaten to leak the exfiltrated data as a means of extortion to get victims to pay the ransom. Several attacks targeted emergency services and medical centers. As the U.S. Department of Health and Human Services analyzed data breaches reported by healthcare organizations, it found a total of 28.5 million records exposed in 2022

Both data exfiltration and data destruction attacks begin with a data breach. Their main difference is in the threatened end result. When it comes to data breaches in general, IBM’s Cost of a Data Breach Report 2023 points out that the average cost of a data breach in 2023 was $4.45 million. Also noteworthy is that 82% of breaches involved data stored in the cloud. 

We’ve covered only a sampling of the many threats that are common in the cloud. This underscores the importance of robust security measures and proactive monitoring in cloud environments. 

Let’s shift our focus to the benefits that an effective cloud threat detection and response system can bring to today’s organizations. 

The advantages of adopting CDR 

As your organization navigates the complexities of cloud security, adopting CDR will bring significant advantages. A CDR solution will enhance your organization’s security posture by leveraging the latest in security technology and analytics to provide better threat detection and response. Let’s highlight some key advantages: 

  • Improved efficiency and effectiveness: A CDR solution brings continuous monitoring and anomaly detection to help your security teams handle threats more swiftly and accurately. Real-time alerts and aggregated forensics enable SOC analysts to make quicker, more informed response decisions. 
  • Better visibility of threats: As CDR monitors and analyzes telemetry from your cloud resources, it gains correlated, contextualized visibility of the entire threat landscape. By being able to see more—in both breadth and depth—a CDR solution will be able to detect more threats with greater speed. In addition, this visibility helps cloud architects assess and mitigate risks across complex cloud environments, ensuring robust architecture resilience. 
  • Centralized telemetry: By aggregating security data from across your cloud environments—including large and complex distributed environments—a CDR solution can provide a centralized view of security events, making it easier to analyze and act upon. 
  • Advanced analysis of security data: Utilizing sophisticated analytics, CDR systems can sift through vast amounts of data to identify patterns indicative of a security threat, significantly improving the accuracy of threat detection. 

Looking ahead 

The shift to cloud computing has broadened the cybersecurity landscape, introducing new challenges that necessitate the adoption of CDR systems. These solutions can detect and mitigate the complex threats faced in cloud environments—from ransomware to data exfiltration and beyond. By adopting CDR, organizations strengthen their security posture through better visibility into threats and improved efficiency in their response. These advantages are not just theoretical but have practical implications across roles—from SOC analysts to cloud architects. 

While CDR is the answer for organizations seeking to secure their clouds, it is not without its challenges. In the next post in this series, we’ll examine some of the scenarios where CDR alone may not be enough, and we’ll look at how additional technologies like the cloud-native application protection platform (CNAPP) can step in to provide a well-rounded, holistic security solution. 

Popup Image