Traditional endpoint concepts were eroding as a result of mobile device adoption, and cloud sealed the deal. Data is an organization's most valuable asset. When an organization fully embraces the cloud, traditional endpoints become disposable. Modern applications are consumed from any device, anywhere, not just controlled workstations from the confines of a sanctioned data center. Endpoints are more likely to refer to APIs or services, not desktops, laptops, or servers. Organizations must adapt their security strategy for this reality, or they're exposing themselves to risk of incident, breach, or reputational damage.

Cloud Attack Patterns Are Different

Attack patterns evolved with cloud adoption and mobilization. Attack patterns that compromise endpoints for persistence are more likely to trigger security monitoring mechanisms and alert security teams. Attackers need not resort to the blunt hammer approach of ransomware infection. They can rely on numerous other methods to compromise credentials, abuse services, and exfiltrate sensitive data that are just as successful and profitable. Examples of attack patterns that never touch an endpoint include:

Collection and analysis of cloud environment interactions provides context to security teams to enable threat detection and response (TDR) and support digital forensics and incident response (DFIR). Continuous analysis informs baselines for secure configurations and workload behaviors. Deviations from those baselines are environmental drift or potential indicators of compromise. When a series of seemingly interconnected events are part of a complex attack chain, that event must be quickly surfaced so security teams can prioritize an appropriate response. It's a difficult problem to solve in practice because it requires data collection and correlation across heterogeneous environments and technology stacks. Attacks may also traverse on-premises and cloud environments, depending on where targeted data exists or services run.

Organizations Have Low Success With Traditional Tools

Organizations implement a number of security technologies to enable SecOps in modern architectures, but they all result in security gaps. Common approaches include:

Cloud Detection and Response Addresses Gaps

Modern application designs, threat evolution, and weaknesses of traditional security approaches have spotlighted the need for different capabilities to support TDR and DFIR. Organizations need augmenting capabilities to succeed in their security strategy. Some in industry have started labeling this new grouping of capabilities cloud detection and response (CDR). Traits of CDR include:

The current state of SecOps sometimes reminds me of earlier days of application security and infrastructure security, when practitioners first wrestled with digital transformation. DevOps practices put heavy emphasis on automation. We're able to quickly tear down and redeploy secure applications, but SecOps approaches also need to evolve for this reality. CDR capabilities are a path forward for organizations that must maintain security operations in modern architectures.

About the Author

Michael Isbitski, the Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for more than five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He has guided countless organizations globally in their security initiatives and supporting their business. Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with more than 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.