Enterprises of all types and sizes are shifting to the cloud. Cloud-related services (IaaS, PaaS, and SaaS) are presenting new digital IT business opportunities with both short-term and long-term benefits. In fact, according to a recent Gartner blog (endnote #1), overall IT spending on cloud system infrastructure services is expected to grow from $63 billion in 2020 to $81 billion by 2022.
But all these benefits are accompanied by an expanding cyberattack surface that presents new threat coverage gaps across this vast cloud infrastructure. Cybercriminals are exploiting these weak spots with activities that include data theft, cryptomining, and ransomware, to name just a few. A report by the UC Berkeley Center for Long-Term Cybersecurity (endnote #2) states that 81% of organizations experienced adversary techniques found in the cloud-based portion of the MITRE ATT&CK® Matrix for Enterprise.
Countless articles, websites, and blogs discuss this burgeoning challenge. Millions of dollars are invested in specialized cloud security detection technologies to cover this attack surface, and even more is spent by both cloud service providers and enterprises to harden against and mitigate these risks. Nevertheless, almost all cloud security failures can be attributed to customer misconfigurations. According to a recent report from IBM’s Institute for Business Value (endnote #3), threat actors took advantage of misconfigured cloud servers to siphon over 1 billion records from compromised cloud environments in 2019. And, according to an analysis by Aqua Security, 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
The newest challenges for cloud security engineering
Enterprise security engineers are charged with using their technical and security knowledge to research and defend against cyber threat use cases across platforms and technologies. They are responsible for maintaining tools such as SIEM and SOAR platforms, recommending new tools, and updating systems. However, beyond the major issue of cloud service misconfigurations, cloud security engineering faces fresh and unique challenges that must be overcome to correctly manage the related risks:
- Fully understanding the cloud shared responsibility model. According to recent cloud security posture research by Palo Alto Networks (endnote #4), 73% of companies struggle to clearly delineate between their cloud service provider’s security responsibilities and their own. As a result, substantial ambiguity remains about the tasks and priorities of enterprise engineers.
- Knowledge gap and continuous learning curve. According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. Given this number of services and the security technologies layered on top of them, it is an overwhelming task for an individual to gain expertise in each and every technology and service.
- Handling the massive scale of events. Given the multitude of services, tools, and technologies in the cloud, engineers must take into account logs and events from hundreds of sources across the cloud. It is critical to parse and monitor each source individually and then correlate them into a single picture. This task is far more challenging than what traditional log management and SIEM platforms required.
Using the MITRE ATT&CK cloud matrix guardrails
To provide smart guardrails for security engineers grappling with cloud security, MITRE devised the ATT&CK cloud matrix framework to be used in the same way as MITRE’s matrix for traditional enterprise networks. The framework offers guidance on potential attack and threat-actor methods and techniques specific to Microsoft 365, Azure, AWS, Google Cloud Platform (GCP), and other cloud providers.
The ATT&CK framework does a good job of increasing confidence in cloud security and adoption. Of the survey respondents in UC Berkeley’s research, 86% found that it comprehensively represents the adversary tactics and techniques they face. In the same report, 87% agree that adopting the framework will improve cloud security in their organizations, and 79% said it would also make them more comfortable with cloud adoption. However, security engineers still face challenges when they consider actually using this framework for the cloud. The lack of automation significantly inhibits ongoing analysis and correlation across the vast number of cloud sources.
Why cloud security-engineering automation can help
Many of UC Berkeley’s research interviewees highlighted the critical need for security engineering automation that would enable better adoption of the MITRE ATT&CK cloud matrix framework. According to the research, less than half of the respondents have implemented automation for any policy changes. Another 43% cited difficulty in mapping event data to tactics and techniques, and 36% said they receive too many false positives.
With businesses rapidly shifting to the cloud, security engineers need to act fast. It is essential that they build a proper security architecture to accommodate the cloud attack surface. The MITRE ATT&CK cloud matrix is a superb framework and guardrail to adopt for this purpose. That said, like any other practice within the SOC and especially with the scale and multitude of cloud services, the automation of security engineering is a vital step for threat coverage optimization.
Introducing CardinalOps security-engineering automation
The CardinalOps Threat Coverage Optimization (TCO) Platform delivers AI-based analytics and automation to this critical security engineering function, thereby ensuring comprehensive threat coverage by SIEM and SOC tools. The TCO Platform quantifies and enumerates the gap that exists between theoretical optimum threat coverage, represented by the MITRE ATT&CK framework, and actual threat coverage, measured by SIEM and SOC tool configurations.
The TCO Platform was built to minimize security threats to businesses shifting to the cloud. Its goal is to prevent service disruptions, liabilities, and damages while at the same time eliminating the need to overspend on new tools and third-party maintenance services. This is done by automatically mapping your actual cloud threat coverage based on the MITRE ATT&CK cloud matrix framework and offering rule recommendations based on common industry best practices. The platform also offers priority-based remediation for missing and broken rules, missing log sources, and broken log mappings alongside a safe deployment process based on continuous rule-change impact analysis before, during, and after deployment.
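The coverage-gap idea described above can be made concrete with a small script. This is an added illustration, not CardinalOps code: the technique list is a constructed subset of real ATT&CK cloud technique IDs, while the rule format, rule names and log source names are hypothetical. A rule only counts toward coverage if it is enabled and its log source is actually being ingested; otherwise it is reported as broken.

```python
"""Gap between ATT&CK cloud techniques and the SIEM rules that detect them.

Added illustration, not CardinalOps code. CLOUD_TECHNIQUES is a constructed
subset of real ATT&CK IDs; rules, log source names and the format are hypothetical.
"""
from dataclasses import dataclass

# Constructed subset of real ATT&CK Enterprise techniques relevant to cloud.
CLOUD_TECHNIQUES = {
    "T1078.004": "Valid Accounts: Cloud Accounts",
    "T1098.001": "Account Manipulation: Additional Cloud Credentials",
    "T1526": "Cloud Service Discovery",
    "T1530": "Data from Cloud Storage",
    "T1496": "Resource Hijacking",
    "T1562.008": "Impair Defenses: Disable Cloud Logs",
}

@dataclass
class Rule:            # hypothetical minimal SIEM rule record
    name: str
    techniques: set
    log_source: str
    enabled: bool = True

def coverage_report(rules, ingested_sources, techniques=CLOUD_TECHNIQUES):
    """Return covered/uncovered technique IDs, coverage %, and broken rules.

    A disabled rule, or one whose log source is not ingested, cannot fire,
    so it is excluded from coverage and listed under 'broken' for remediation.
    """
    covered, broken = set(), []
    for rule in rules:
        if not rule.enabled:
            broken.append((rule.name, "disabled"))
        elif rule.log_source not in ingested_sources:
            broken.append((rule.name, f"missing log source {rule.log_source}"))
        else:
            covered |= rule.techniques & set(techniques)
    pct = round(100 * len(covered) / len(techniques), 1)
    return {"covered": sorted(covered), "uncovered": sorted(set(techniques) - covered),
            "coverage_pct": pct, "broken": broken}

# Constructed sample: four rules, one mapped to a log source that is not ingested.
SAMPLE_RULES = [
    Rule("console-login-new-geo", {"T1078.004"}, "aws.cloudtrail"),
    Rule("iam-access-key-created", {"T1098.001"}, "aws.cloudtrail"),
    Rule("cloudtrail-logging-stopped", {"T1562.008"}, "aws.cloudtrail"),
    Rule("gcp-bucket-mass-download", {"T1530"}, "gcp.audit"),
]
SAMPLE_SOURCES = {"aws.cloudtrail", "azure.activity"}   # gcp.audit not ingested

if __name__ == "__main__":
    print(coverage_report(SAMPLE_RULES, SAMPLE_SOURCES))
```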
The CardinalOps TCO Platform allows you to correctly manage your cloud-facing SOC, overcome the overwhelming complexity of your business’ shift to the cloud, and gives your security engineers the vital automation tools they need to get their job done.
Endnotes
1. https://www.gartner.com/smarterwithgartner/cloud-shift-impacts-all-it-markets/
2. https://cltc.berkeley.edu/wp-content/uploads/2020/10/MITRE_ATTCK_Framework_Report.pdf
3. https://newsroom.ibm.com/2020-06-10-IBM-Security-in-the-Cloud-Remains-Challenged-by-Complexity-and-Shadow-IT
4. The State of Cloud Native Security Report 2020, Palo Alto Networks