Let’s say you work for a reputable company that takes data security seriously. Perhaps you even have security tools in place, and a staffed security operation center (SOC) handling Tier 1 and Tier 2 incidents. Although you may think you are prepared for solving challenges that arise from the cloud, are you really? Some of the largest companies, financial institutions and hospitals have made national news due to massive breaches, outages and data exposures related to cloud infrastructure. According to IBM and the Ponemon Institute, from 2020 to 2021, the average cost of a data breach increased from $3.86 million to $4.24 million, which is the highest average cost increase seen in the past 17 years. Now, keep reading.
What security teams have come to know is that the longer a security breach remains undetected, the more sensitive data can be retrieved by cybercriminals. So, it should come as no surprise that time was found to be the most significant contributor to the cost of security incidents. It’s shocking that even in this day and age, with investments made in security tools, the average time to identify a breach in 2021 was 212 days, with an additional 75 days to contain it! That's an average of 287 total days, so how do you shorten that window of time? That’s where cloud threat hunting comes into play.
Cloud threat hunting is a proactive approach for finding and remediating undetected attacks in the cloud. It involves advanced security intelligence and enables security teams to detect and remediate potential threats in multi-cloud environments and workloads. The process involves searching for indicators of compromise (IoCs), then investigating, classifying, and remediating threats in public, private, and hybrid clouds.
Challenges and Benefits of Cloud Threat Hunting
Let’s walk through a brief example. Let’s assume you have your basic security protections in place acting as a first line of defense for your cloud estate. Still, your security teams face major challenges, such as:
- Lack of unified visibility across multi-cloud environments
- Limited or no context of traffic logs
- Alert fatigue due to thousands of alerts, including false positives
- Lack of bandwidth and skills to address hidden threats in the cloud
- Increase in attacks focused specifically on cloud services
So why does cloud threat hunting matter? Simply put, you are able to detect and remediate hidden threats before a breach can occur. With cloud threat hunting, you’re able to proactively identify adversary activity, understand their TTPs, anticipate the attack and take the necessary actions. Benefits of cloud threat hunting include:
- Faster and more efficient incident response: Cloud threat hunting enables you to stay one step ahead of cyber threats. Rather than waiting to respond to an incident, threat hunting offers a more proactive approach to uncovering and minimizing the impact of hidden threats. Additionally, real-time threat detection generates relevant alerts, enabling security teams to respond appropriately. Cloud threat hunting also helps in remediating anomalies, minimizing alert fatigue, and reducing false positives.
- Measurable improvement of your security posture: You can only improve what you can measure. Measurable security metrics permit your organization to make more informed and better security decisions. For example, you can start by tracking metrics like mean time to detect (MTTD) and mean time to respond (MTTR), which are vital indicators of your organization’s cybersecurity program effectiveness.
- Reduced risk and exposure to threats: As cloud adoption grows, so does the attack surface, and cloud threat hunting is extremely useful in reducing your attack surface and attack vectors. Timely detection of threats within your endpoints, networks, and cloud environments enables your organization to address them immediately, significantly reducing risk exposure. More importantly, cloud threat hunting informs the mitigation solutions you should implement in order to reduce exposure to external threats across the cloud estate.
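The MTTD and MTTR metrics mentioned above are straightforward to compute from incident records once the three timestamps (intrusion start, detection, containment) are tracked consistently. The script below is an added example, not part of the original post or of any CrowdStrike tooling; the incident records are constructed and the field names are assumptions. It reports both metrics in hours and handles the one edge case that routinely skews these numbers: incidents that are detected but not yet contained, which must count toward MTTD but not MTTR.

```python
"""Compute MTTD and MTTR from incident records.

Added example, not from the original post. INCIDENTS is constructed sample
data; the field names (occurred, detected, contained) are assumptions.
"""
from datetime import datetime
from statistics import mean

# Constructed sample. 'contained' is None for an incident that is still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2021-01-10T08:00:00",
     "detected": "2021-01-12T08:00:00", "contained": "2021-01-13T08:00:00"},
    {"id": "INC-2", "occurred": "2021-02-01T00:00:00",
     "detected": "2021-02-05T00:00:00", "contained": "2021-02-06T12:00:00"},
    {"id": "INC-3", "occurred": "2021-03-15T12:00:00",
     "detected": "2021-03-15T18:00:00", "contained": None},  # still open
]


def _hours(later: str, earlier: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def mean_time_to_detect(incidents):
    """MTTD in hours: intrusion start -> detection, over every incident."""
    deltas = [_hours(i["detected"], i["occurred"]) for i in incidents]
    return mean(deltas) if deltas else None


def mean_time_to_respond(incidents):
    """MTTR in hours: detection -> containment, closed incidents only.

    Open incidents are excluded rather than counted as zero, which would
    make the metric look better than it is.
    """
    deltas = [_hours(i["contained"], i["detected"]) for i in incidents if i["contained"]]
    return mean(deltas) if deltas else None


def posture_report(incidents):
    """Summary a SOC lead could track month over month."""
    open_ids = [i["id"] for i in incidents if not i["contained"]]
    return {
        "incidents": len(incidents),
        "open": open_ids,
        "mttd_hours": mean_time_to_detect(incidents),
        "mttr_hours": mean_time_to_respond(incidents),
    }


if __name__ == "__main__":
    for key, value in posture_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking the report over successive periods is what turns the numbers into evidence that a threat hunting program is shortening dwell time; a single snapshot says little on its own.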
So Why Do You Need Cloud Threat Hunting?
Cloud threat hunting is necessary because technology alone is not enough to address the security challenges in the cloud. Today’s sophisticated threats require a combination of technology with human expertise to engage and perform threat hunting.
Suppose your business relies on “set it and forget it” security tools that promise to eliminate the need for humans, or on traditional solutions to detect and respond to cloud incidents. This implies that you must first wait for your security team to detect signs of an attack before reacting. Such an approach cannot protect against advanced, data-focused, targeted attacks that are designed to evade detection. By adopting a cloud threat hunting approach combined with the right security tools, you’re better able to arm security teams with the following benefits:
- Faster and more efficient incident response
- Measurable improvement of your security posture
- Reduced attack surface and exposure to external cloud threats
- Protection of your credibility and sensitive data
- Reduced costs related to breaches and data leakage
After gaining access to a network, an adversary or attacker may attempt to perform reconnaissance on cloud services running on a host or enabled in the environment. This can take several different forms due to the range of services across various cloud providers. The CrowdStrike 2021 Threat Hunting Report shows a considerable increase in discovery actions focused specifically on cloud services, and hunting for this type of behavior can be a valuable hunting lead for networks integrated with cloud services.
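A concrete hunting lead for the discovery behavior described above is a single principal issuing many read-only enumeration calls across several cloud services in a short window, which is unusual for most workload identities. The script below is an added example, not from the original post or the CrowdStrike report; the audit records are constructed, use simplified CloudTrail-style field names (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress), and the window and thresholds are assumptions to be tuned against your own baseline.

```python
"""Hunt for bursts of cloud-service discovery in audit logs.

Added example, not from the original post. SAMPLE_LOG is constructed
(documentation account id, TEST-NET address); the field layout is a
simplified CloudTrail-style record. WINDOW and thresholds are assumptions.
"""
import json
from datetime import datetime, timedelta

DISCOVERY_PREFIXES = ("List", "Describe", "Get")  # read-only enumeration APIs
WINDOW = timedelta(minutes=10)  # assumed hunting window
MIN_SERVICES = 3  # assumed: enumeration spanning >= 3 services ...
MIN_ACTIONS = 6   # ... with >= 6 distinct read-only calls in one window

SAMPLE_LOG = """\
{"eventTime":"2021-06-01T10:00:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:00:20Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:00:41Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:01:02Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:01:30Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:02:11Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSecurityGroups","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:02:45Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T10:03:10Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/web-app/i-0abc"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-06-01T09:15:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/deploy"},"sourceIPAddress":"10.0.4.12"}
{"eventTime":"2021-06-01T11:40:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/deploy"},"sourceIPAddress":"10.0.4.12"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit records into sorted, flat events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "service": rec["eventSource"].split(".")[0],  # e.g. "iam"
            "action": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "ip": rec.get("sourceIPAddress"),
        })
    return sorted(events, key=lambda e: e["time"])


def is_discovery(event):
    """Read-only enumeration call (deliberately broad; tune per service)."""
    return event["action"].startswith(DISCOVERY_PREFIXES)


def hunt_discovery_bursts(events, window=WINDOW, min_services=MIN_SERVICES,
                          min_actions=MIN_ACTIONS):
    """Return one finding per principal burst that crosses both thresholds."""
    by_principal = {}
    for e in events:
        if is_discovery(e):
            by_principal.setdefault(e["principal"], []).append(e)

    findings = []
    for principal, evs in by_principal.items():
        i = 0
        while i < len(evs):
            # Grow the window from event i while it stays inside WINDOW.
            j = i
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            burst = evs[i:j]
            services = {e["service"] for e in burst}
            actions = {(e["service"], e["action"]) for e in burst}
            if len(services) >= min_services and len(actions) >= min_actions:
                findings.append({
                    "principal": principal,
                    "start": burst[0]["time"].isoformat(),
                    "end": burst[-1]["time"].isoformat(),
                    "services": sorted(services),
                    "actions": sorted(a for _, a in actions),
                    "source_ips": sorted({e["ip"] for e in burst if e["ip"]}),
                })
                i = j  # report each burst once, then move past it
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in hunt_discovery_bursts(parse_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

The workload role that enumerates identities, storage, compute and secrets within three minutes is surfaced as a single lead; the deploy role that describes instances twice, hours apart, is not. The value of the hunt comes from pairing the lead with context the raw alert lacks: whether that source address and that set of services are normal for the principal's baseline.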
The CrowdStrike Approach
Are you familiar with the Shared Responsibility Model? It states that your cloud provider is responsible for the security of the cloud, whereas it is your responsibility to secure things in the cloud.
As both a cloud customer and a security company, CrowdStrike has a deep understanding of the complexities and risks of protecting corporate data and the cloud infrastructure that holds it. Embracing the cloud is critical to digital transformation initiatives, but for them to be successful, security must transform alongside the business. Quite simply, it is time for enterprises to rethink security to keep pace with an evolving landscape of risks.
CrowdStrike cloud security goes beyond ad hoc approaches by unifying cloud security posture management (CSPM) with breach protection for cloud workloads and containers, and with our human threat detection engine that operates as an extension of your team, hunting relentlessly to identify and stop the most sophisticated hidden threats, all in a single platform for any cloud.
To learn more about CrowdStrike cloud security and threat hunting solutions, visit https://www.crowdstrike.com/cloud-security/ and let’s discuss how we can take your cloud security to the next level. We are cloud security, we are CrowdStrike.
Guilherme (Gui) Alvarenga, Sr. Product Marketing Manager, Cloud Security at CrowdStrike