Attackers are targeting cloud environments, as evidenced by a 75% increase in cloud intrusions in 2023. Organizations are under pressure to ensure they have measures in place to effectively detect, investigate, and respond to cloud-focused attacks.
Cloud detection and response (CDR) presents a unique challenge for SOC teams because of their limited visibility into the cloud control plane, resource configuration, and application deployment. Gaining this visibility and critical context typically requires centralized knowledge and collaboration with engineering and DevSecOps teams.
To address these challenges, CrowdStrike Falcon® Cloud Security includes CDR capabilities that leverage pre-execution insights and runtime threat monitoring. These help teams protect against active cloud attacks and respond in ways that improve their overall cloud security posture.
Deep visibility into your cloud assets
Cloud infrastructure and resources are owned and operated by a cloud, platform, or DevOps team, so much of the knowledge about the relationships between cloud resources, application services, and data flows resides with those teams. As the cloud becomes a popular target for attackers, a SOC team’s lack of knowledge of and visibility into the cloud environment becomes a critical blind spot, giving attackers the advantage of obscurity.
Figure 1. Cloud workload protection built into Falcon Cloud Security provides real-time threat visibility through CrowdStrike Threat Graph®, the industry’s most comprehensive set of endpoint and workload telemetry, threat intelligence, and AI-powered analytics.
SOC teams need continuous access to security posture and metadata details related to cloud-native assets across cloud service providers (CSPs) to track the evolving cloud attack surface and activity. For example, cloud security posture tools provide insight into high-risk cloud resources, such as storage buckets with public permissions. This helps security teams understand potential entry points for attackers, especially against sensitive or critical resources.
Figure 2. Falcon Cloud Security provides continuous insight into the overall cloud security posture that SOC teams can leverage to gain visibility into the cloud attack surface.
Accelerate investigations with cloud context
The window for responding to an attack keeps shrinking. The CrowdStrike 2024 Global Threat Report reveals that the average eCrime breakout time (the time it takes for an adversary to gain access and move laterally within a victim’s network) is just 62 minutes.
Cloud environments are vast. Compared to endpoint logs, the scale and variety of logs that must be captured and sifted across the layers of the cloud stack are much greater, which slows investigations. Furthermore, in these dynamic environments it is difficult to distinguish legitimate from malicious activity: actions such as provisioning new resources or changing IAM roles may look suspicious to the SOC team, yet they could be legitimate engineering or DevOps activity.
Timely detection of advanced attacks on cloud environments requires correlating runtime workload anomalies with pre-execution cloud state insights so that investigations have context. Cloud environments are interconnected: your workloads interact with various cloud resources such as databases and IAM roles. Workload-only tools do not see these relationships, so they generate alerts that lack context about how the compromised resource affects the broader environment.
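An added illustration of the correlation described above (example code, not part of the original post and not Falcon Cloud Security code): it joins a constructed runtime alert with a constructed posture inventory of IAM roles and public buckets to show the blast radius, and lowers the priority of a control-plane change made by an approved CI/CD principal, which covers the legitimate-DevOps-activity point from the previous paragraph. All resource names, roles, and the scoring thresholds are assumptions.

```python
# Added example (not CrowdStrike code): enrich a runtime workload alert with
# pre-execution posture context so an analyst sees the blast radius, not just
# the event. All inventories and events below are constructed sample data.
from dataclasses import dataclass

# Constructed posture snapshot: workload -> attached IAM role and resources it can reach.
POSTURE = {
    "i-web-01": {"iam_role": "web-app-role",
                 "reachable": ["s3://customer-uploads", "rds://orders-db"]},
    "i-batch-07": {"iam_role": "batch-role", "reachable": ["s3://tmp-scratch"]},
}
# Constructed posture findings per resource (e.g. a bucket with public permissions).
RESOURCE_RISK = {
    "s3://customer-uploads": {"public": True, "sensitive": True},
    "rds://orders-db": {"public": False, "sensitive": True},
    "s3://tmp-scratch": {"public": False, "sensitive": False},
}
# Constructed set of principals whose control-plane changes are expected (CI/CD pipeline).
APPROVED_AUTOMATION = {"ci-deploy-role"}

@dataclass
class RuntimeAlert:
    workload: str      # instance id where the anomaly was observed
    event: str         # what was seen, e.g. "credential_access" or "iam_role_change"
    principal: str     # IAM principal acting on the control plane, if any

def enrich(alert: RuntimeAlert) -> dict:
    """Join the runtime event with posture data and rank it for triage."""
    ctx = POSTURE.get(alert.workload, {"iam_role": None, "reachable": []})
    reach = ctx["reachable"]
    exposed = [r for r in reach if RESOURCE_RISK.get(r, {}).get("public")]
    sensitive = [r for r in reach if RESOURCE_RISK.get(r, {}).get("sensitive")]
    score = 1
    score += 2 if sensitive else 0      # compromised workload can touch sensitive data
    score += 1 if exposed else 0        # a public bucket is also an entry point for others
    if alert.principal in APPROVED_AUTOMATION and alert.event == "iam_role_change":
        score -= 1                      # expected DevOps change; still recorded, lower priority
    return {"workload": alert.workload, "iam_role": ctx["iam_role"],
            "blast_radius": reach, "public_exposure": exposed,
            "priority": "high" if score >= 3 else "medium" if score == 2 else "low"}

if __name__ == "__main__":
    print(enrich(RuntimeAlert("i-web-01", "credential_access", "web-app-role")))
```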
Cloud context is essential. Today’s attackers target not only isolated systems but also connected domains across endpoints, identities, and cloud environments. These cross-domain attacks exploit fragmented security measures, using compromised credentials, enabled tools, and the gaps between siloed systems to penetrate, escalate, and execute quickly and precisely.
CrowdStrike often sees attackers moving between the endpoint and the identity plane, or from the cloud to the endpoint. One of the most skilled and prolific adversaries carrying out cross-domain attacks is SCATTERED SPIDER (see the CrowdStrike 2024 Threat Hunting Report for a detailed case study).
Quickly identifying such attacks depends on combining knowledge of SCATTERED SPIDER’s tactics, techniques, and procedures (TTPs) with telemetry from the control plane and correlating it with detections from inside the virtual machine. CrowdStrike Falcon® Adversary OverWatch™ plays a critical role in stopping cross-domain attacks through 24/7 proactive threat hunting that leverages AI, human expertise, and CrowdStrike’s industry-leading adversary intelligence, providing unparalleled protection against emerging and evasive threats.
Figure 3. SCATTERED SPIDER cross-domain attack (Source: CrowdStrike 2024 Threat Hunting Report)
Improve your security posture with coordinated response actions
SOC, engineering, and DevSecOps teams must work together to effectively remediate cloud threats without disrupting operations. Response actions must scale to the vast nature of cloud environments, using automated workflows to isolate compromised resources, revoke privileges, and apply patches across large deployments. Because patching and infrastructure changes in cloud environments occur during the build phase, post-containment response actions should feed back into shift-left practices and inform new security checks and guardrails that improve security posture across the cloud.
Figure 4. No-code playbooks are delivered through CrowdStrike Falcon® Fusion SOAR to enable automated remediation actions with or without approval.
CrowdStrike Cloud Detection and Response
Many organizations are strategically shifting their security approach to integrate CDR in conjunction with expert incident response and breach recovery services to address the unique challenges posed by cloud environments.
As part of Falcon Cloud Security’s comprehensive cloud-native application protection platform (CNAPP), CrowdStrike integrates cloud security posture insights, real-time workload events, and award-winning threat and adversary intelligence to deliver the only CDR solution that helps customers detect and respond to active cloud-based attacks. Teams can also rely on CrowdStrike’s professional services, including Falcon Adversary OverWatch 24/7 threat hunting and incident response, to stop cloud breaches.
To learn more about cloud detection and response with CrowdStrike, please visit our website.