4 min read

Why You Need An Adversary-First Approach to Threats in the Cloud

Security teams need an adversary-focused approach that automates security controls and compliance and provides visibility into the cloud environment.

Today’s security tools need to factor in today’s work environments.

Work — the network, applications, and types of data used — used to have clearly defined boundaries. It was obvious where the corporate network began and ended, and which applications belonged to the company. It was clear what was considered work, and what was not. The growing adoption of multi-cloud environments, coupled with increased acceptance of hybrid work arrangements, means these boundaries are no longer fixed or constant.

Adversaries know this. They know today’s continuous integration, continuous delivery (CI/CD) software operations have developers spinning clouds up and down in minutes without paying much heed to potential misconfigurations. Sometimes public cloud instances are made available for quick work, without multi-factor authentication or other security measures. But all it takes is a second for an intrusion to latch on to a vulnerability and convert into a fast-moving lateral breach.

This is why security teams need an adversary-focused approach that automates security controls regardless of the cloud provider or deployment model.

Why Traditional Security Tools Fail
Traditional security tools have not kept up with new ways of work, the exponential increase in vulnerable endpoints and workloads, and lack of understanding around cloud-based threats.

The elastic multi-cloud environments of today’s organizations can deliver leading-edge products that enable business operations to focus on agility. Unfortunately, this focus complicates the work of security teams. The speed with which DevOps builds and deploys applications, and an ever-growing number of attack vectors, are among the challenges security pros currently face.

Securing on-premises systems was an easier proposition because there was a distinct trail of breadcrumbs to follow for requisitioning of servers, and endpoints were visible and easy to monitor. Unfortunately, the tools used to protect on-premises systems cannot be scaled to monitor thousands of attack surfaces in multi-cloud environments in real time. As a result, patchwork security solutions have proliferated, creating silos on-prem or in the cloud. Such a lack of centralization makes it difficult to see the bigger security and potential threat picture.

This lack of visibility could allow potential threats to fly under the radar and create opportunities for attackers. Common entry points for modern attackers include exposed Docker/Kubernetes environments, phishing, web application and network service attacks, and keys committed to GitHub, GitLab, and BitBucket. Misconfigured cloud workspaces and shadow IT, both of which can go undetected for a long time, can also provide entry into organizations.

In order to defend their environments against today’s evolving threats, businesses must think like the attackers targeting them. An adversary-focused approach can help safeguard their cloud environments before an attacker finds their way in.

Components of an Adversary-Focused Approach
A proactive security strategy for today’s cloud begins with studying the tactics, techniques and procedures (TTPs) that threat actors are executing in hybrid environments. With a stronger understanding of TTPs, organizations can turn their focus to visibility, cloud hygiene, and automation.

Visibility is critical. Organizations need to know how many cloud assets exist and where they reside. When all the dark corners have been lit, threat intelligence can lay the foundation for relevant insights. Security teams can scan new environments and deliver assessments of vulnerabilities based on ever-changing context. In the event of an attack, visibility can help security teams conduct forensics quickly and effectively, applying countermeasures to stanch the bleeding.

Basic cloud hygiene is a simple step that can go a long way in defending against modern attackers. Businesses operating in the cloud should clarify security responsibility so both the vendor and security teams know how to apportion monitoring tasks. Access management is a key part of this as well; not everyone needs access to all cloud environments at all times. IT and security teams must also understand the need to protect applications during coding and run time.

Automation is another key pillar of an adversary-focused approach to today’s security solutions. Given the thousands of attack surfaces that cloud environments work with, automation is necessary to monitor and remediate solutions at scale.

As companies find themselves accelerating their move to the cloud, many have quickly realized the use of traditional security tools simply doesn’t work. Between a lack of integration of security tools, and confusion about shared responsibility, security teams are often playing from behind when it comes to defending their cloud environments. Meeting the needs of DevOps, as well as the multiple clouds that companies now need to protect, requires an adversary-focused approach that automates security tasks and stays ahead of dynamic threat situations.