A Detection and Response Benchmark Designed for the Cloud

Does your security operation center's performance meet the 5/5/5 benchmark for cloud threat detection and incident response?

November 20, 2023


By Ryan Davis, Senior Director of Product Marketing, Sysdig

The speed and sophistication of cloud attacks have rapidly narrowed the time security teams have to detect and respond before suffering a breach. According to the "Mandiant M-Trends 2023" report, the dwell time for an on-prem environment is 16 days. By contrast, it only takes 10 minutes to execute an attack in the cloud after discovering an exploitable target. Add the pressure of having four business days to disclose a material cyber incident to the SEC, and it becomes clear that everything moves faster in the cloud. Security teams need help.

Legacy detection and response frameworks cannot adequately protect organizations. Most existing benchmarks are designed for endpoint-centric environments and are simply too slow for security teams protecting modern cloud environments.

The industry needs a modern detection and response benchmark, one designed for the cloud. Outpacing attackers in the cloud requires security teams to meet the 5/5/5 Benchmark, which specifies five seconds to detect, five minutes to triage, and five minutes to respond to threats.

When the cost of a cloud breach is $4.45 million, according to IBM's "Cost of a Data Breach Report 2023," security teams need to be able to detect and respond to attacks at cloud speed. If they don't, the blast radius will quickly expand and the financial impact will quickly compound. Meeting the 5/5/5 Benchmark will help organizations operate confidently and securely in the cloud.

The 5/5/5 Cloud Detection and Response Benchmark

Operating in the cloud securely requires a new mindset. Cloud-native development and release processes pose unique challenges for threat detection and response. DevOps workflows — including code committed, built, and delivered for applications — involve new teams and roles as key players in the security program. Rather than the exploitation of traditional remote code execution vulnerabilities, cloud attacks focus more heavily on software supply chain compromise and identity abuse, both human and machine. Ephemeral workloads require augmented approaches to incident response and forensics.

While identity and access management, vulnerability management, and other preventive controls are necessary in cloud environments, you cannot stay safe without a threat detection and response program to address zero-day exploits, insider threats, and other malicious behavior. It's impossible to prevent everything.

The 5/5/5 benchmark challenges organizations to acknowledge the realities of modern attacks and to push their cloud security programs forward. The benchmark is described in the context of challenges and opportunities that cloud environments present to defenders. Achieving 5/5/5 requires the ability to detect and respond to cloud attacks faster than the attackers can complete them.

5 Seconds to Detect Threats

Challenge: The initial stages of cloud attacks are heavily automated due to the uniformity of a cloud provider's APIs and architectures. Detection at this speed requires telemetry from compute instances, orchestrators, and other workloads, which is often unavailable or incomplete. Effective detection requires granular visibility across many environments, including multicloud deployments, connected SaaS applications, and other data sources.

Opportunity: The uniformity of the cloud provider infrastructure and known schemas of API endpoints also make it easier to get data from the cloud. The proliferation of third-party cloud-detection technologies like eBPF has made it possible to gain deep and timely visibility into IaaS instances, containers, clusters, and serverless functions.

5 Minutes to Correlate and Triage

Challenge: Even within the context of a single cloud service provider, correlation across components and services is challenging. The overwhelming amount of data available in the cloud often lacks security context, leaving users with the responsibility for analysis. In isolation, it is impossible to fully understand the security implications of any given signal. The cloud control plane, orchestration systems, and deployed workloads are tightly intertwined, making it easy for attackers to pivot between them.

Opportunity: Combining data points from within and across your environments provides actionable insights to your threat detection team. Identity is a key control in the cloud that enables the attribution of activity across environment boundaries. The difference between "alert on a signal" and "detection of a real attack" lies in the ability to quickly connect the dots, requiring as little manual effort by security operations teams as possible.

5 Minutes to Initiate Response

Challenge: Cloud applications are often designed using serverless functions and containers, which live less than 5 minutes on average. Traditional security tools expect long-lived and readily available systems for forensic investigation. The complexity of modern environments makes it difficult to identify the full scope of affected systems and data and to determine appropriate response actions across cloud service providers, SaaS providers, and partners and suppliers.

Opportunity: Cloud architecture allows us to embrace automation. API- and infrastructure-as-code-based mechanisms for the definition and deployment of assets enable rapid response and remediation actions. It is possible to quickly destroy and replace compromised assets with clean versions, minimizing business disruption. Organizations typically require additional security tools to automate response and perform forensic investigations.
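One way to measure a SOC against the three limits above is to score incident timelines stage by stage. This is an added example, not code from Sysdig or the original article. The record field names and the stage boundaries (detect = event to alert, triage = alert to verdict, respond = verdict to first response action) are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Limits stated by the 5/5/5 Benchmark.
LIMITS = {"detect": timedelta(seconds=5), "triage": timedelta(minutes=5),
          "respond": timedelta(minutes=5)}
# Assumption: where each stage starts and ends; field names are hypothetical.
STAGES = {"detect": ("event_time", "alert_time"),
          "triage": ("alert_time", "triage_done"),
          "respond": ("triage_done", "response_started")}

def _ts(value):
    """Parse an ISO 8601 timestamp; None means the stage never happened."""
    return datetime.fromisoformat(value) if value else None

def score_incident(incident):
    """Return {stage: (elapsed_seconds or None, 'pass' | 'fail' | 'missing')}."""
    result = {}
    for stage, (start_key, end_key) in STAGES.items():
        start, end = _ts(incident.get(start_key)), _ts(incident.get(end_key))
        if start is None or end is None:
            # A stage that never completed is recorded as a miss, not skipped.
            result[stage] = (None, "missing")
            continue
        elapsed = end - start
        if elapsed < timedelta(0):
            raise ValueError(f"{incident['id']}: {end_key} precedes {start_key}")
        verdict = "pass" if elapsed <= LIMITS[stage] else "fail"
        result[stage] = (elapsed.total_seconds(), verdict)
    return result

def pass_rates(incidents):
    """Fraction of incidents meeting each limit; 'missing' counts as not met."""
    scores = [score_incident(i) for i in incidents]
    return {s: sum(sc[s][1] == "pass" for sc in scores) / len(scores) for s in STAGES}

# Constructed sample records, not real incident data.
D = "2023-11-20T"
SAMPLE = [
    {"id": "INC-1", "event_time": D + "10:00:00+00:00", "alert_time": D + "10:00:03+00:00",
     "triage_done": D + "10:04:03+00:00", "response_started": D + "10:08:00+00:00"},
    {"id": "INC-2", "event_time": D + "11:00:00+00:00", "alert_time": D + "11:00:09+00:00",
     "triage_done": D + "11:03:00+00:00", "response_started": D + "11:10:30+00:00"},
    # Alert fired, but no triage verdict was ever recorded.
    {"id": "INC-3", "event_time": D + "12:00:00+00:00", "alert_time": D + "12:00:02+00:00",
     "triage_done": None, "response_started": None},
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc["id"], score_incident(inc))
    print(pass_rates(SAMPLE))
```

Counting a missing stage as a failure keeps incidents that were never triaged from inflating the pass rate.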

Next Steps

To dive deeper into the world of cloud attacks, we invite you to play the role of attacker and defender and try out our Kraken Discovery Lab. The Kraken Lab highlights SCARLETEEL, a renowned cyber-attack operation aimed at cloud environments. Participants will uncover the intricacies of credential harvesting and privilege escalation, all within a comprehensive cloud framework. Join the next Kraken Discovery Lab.

About the Author

Ryan Davis

Ryan Davis is Sysdig's Senior Director of Product Marketing. Ryan is focused on driving go-to-market strategy for core cloud security initiatives and use cases.
