8 cloud detection and response use cases
Unsure whether cloud detection and response is useful for your organization? These eight use cases could make CDR indispensable.
Traditional detection and response models from the on-premises world need to evolve and change to protect cloud environments. Adapting endpoint detection and response, network detection and response, and extended detection and response to the cloud, however, has proven difficult. This is where cloud detection and response (CDR) comes in.
CDR products and services provide tooling and workflow capabilities that assist organizations in monitoring and remediating cloud security issues. CDR tools feature the following threat detection and response capabilities:
- Automated threat detection.
- Real-time threat monitoring.
- Increased cloud visibility.
- Integrated threat intelligence.
As an emerging technology, it's helpful for security teams to consider use cases that may highlight where CDR offers the most value and can fill gaps in a cloud-centric detection and response model.
The following use cases show where CDR can accelerate efforts to secure cloud environments, as well as traditional ones. Read on to learn about four use cases highlighted in a presentation at a Cloud Security Alliance (CSA) conference, as well as additional use cases to consider.
1. Unusual creation of numerous EC2 instances
CDR tools can detect and respond to attacks where a questionable number of Amazon Elastic Compute Cloud (EC2) instances are created. The CSA presentation detailed a cloud workload attack where a cloud identity role created a larger number of EC2 instances than normal. Additional indicators of compromise detected within the EC2 workload showed a cryptomining bot had been installed.
2. API call activity that indicates enumeration process
A growing CDR use case involves API calls and interactions with APIs, which constitute most cloud service and object interactions. In the presenter's example, the CDR tool detected unusual agents interacting with a cloud API. The specific types of requests made matched known reconnaissance and cloud enumeration attacks, and the specific identity and access management (IAM) role assigned to the API calls was found to be too permissive.
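Use cases 1 and 2 are both detections over the cloud audit trail. The following Python is an added example (not the CSA presenter's tooling or any vendor's CDR product) showing how each reduces to a sliding-window rule over CloudTrail-style events: a burst of RunInstances calls by one identity, and one source walking through many distinct read-only APIs. The ARNs, IPs, timestamps and thresholds are constructed placeholders; a real deployment would derive thresholds from each identity's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-role/runner"      # constructed
REPORT_USER = "arn:aws:iam::111122223333:user/svc-reporting"           # constructed

# Constructed CloudTrail-style records (field names follow CloudTrail; values are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "arn": CI_ROLE, "sourceIPAddress": "10.0.0.5"},
    # the same role then launches eight instances in 35 seconds (use case 1)
    *({"eventTime": f"2024-05-01T10:02:{s:02d}Z", "eventName": "RunInstances",
       "arn": CI_ROLE, "sourceIPAddress": "198.51.100.7"} for s in range(0, 40, 5)),
    # an unfamiliar source walks through read-only APIs with one user (use case 2)
    *({"eventTime": f"2024-05-01T11:00:{s:02d}Z", "eventName": api,
       "arn": REPORT_USER, "sourceIPAddress": "203.0.113.9"}
      for s, api in enumerate(["ListBuckets", "ListUsers", "ListRoles", "DescribeInstances",
                               "ListFunctions", "GetAccountAuthorizationDetails"])),
]
ENUM_PREFIXES = ("List", "Describe", "Get")   # read-only API families typical of enumeration

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _sliding(events, key_fn, window, score, threshold):
    """Group by key_fn, slide a time window over each group, return {key: best score >= threshold}."""
    groups = defaultdict(list)
    for e in sorted(events, key=_ts):
        groups[key_fn(e)].append(e)
    hits = {}
    for key, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:   # drop events older than the window
                start += 1
            s = score(evs[start:end + 1])
            if s >= threshold:
                hits[key] = max(hits.get(key, 0), s)
    return hits

def instance_launch_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Use case 1: identities that launched >= threshold EC2 instances within one window."""
    launches = [e for e in events if e["eventName"] == "RunInstances"]
    return _sliding(launches, lambda e: e["arn"], window, len, threshold)

def enumeration_activity(events, window=timedelta(minutes=5), min_distinct=5):
    """Use case 2: (source IP, identity) pairs calling >= min_distinct distinct read-only APIs."""
    reads = [e for e in events if e["eventName"].startswith(ENUM_PREFIXES)]
    distinct = lambda evs: len({e["eventName"] for e in evs})
    return _sliding(reads, lambda e: (e["sourceIPAddress"], e["arn"]), window, distinct, min_distinct)
```

On the sample data the first detector reports the CI role with nine launches in one window and the second reports the reporting user's source IP with six distinct read-only APIs; in a real pipeline the second hit would also prompt the IAM policy review the presenter describes.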
3. Unusual network traffic
In this use case, the CDR tool detected an event where a known malicious or suspicious IP address successfully initiated a connection to the cloud infrastructure. Left unchecked, the connecting host attempted to enumerate the Lambda function source code, which contained a variety of AWS secrets.
4. Unusual access to storage nodes
Cloud misconfigurations can lead to exposure, attacks and breaches. Nowhere has this been more true than with Amazon Simple Storage Service (S3) buckets in AWS. The last use case in the CSA presentation detailed unusual role behavior interacting with an S3 bucket that contained personally identifiable information. Because the API call to the S3 object was unusual, the CDR tool evaluated the configuration of the bucket and found it was open to the public without authentication and the data stored in it was accessible to the attacker.
5. Third-party cloud activity monitoring
Monitoring requests coming in from unknown or known malicious sources, as well as heightened detection and automated response for activity from known third parties, such as business partners and consultants, could easily be a top CDR use case.
6. Detection of unauthorized changes
Unauthorized changes to cloud configurations could lead to exposure or compromise. This CDR use case applies broadly to a variety of resource and service types.
7. Identification of excessive privileges
One of the biggest challenges in building and maintaining a secure cloud environment is managing cloud identities and permissions policies. Many cloud IAM roles are granted more privileges than needed, which could lead to abuse and malicious actions. CDR can help identify overprivileged accounts.
8. Automated response and remediation
While the concept of cloud guardrails is well known and understood, many teams find building end-to-end guardrail automation challenging. CDR platforms could streamline and simplify common detection and response playbooks that take advantage of the cloud fabric for automation.
Great starting CDR use cases for many teams include automated alerting, quarantining, configuration changes and rollbacks, and investigations and evidence collection.
Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.