Why You Need an Adversary-focused Approach to Stop Cloud Breaches

It should come as little surprise that when enterprise and IT leaders turned their attention to the cloud, so did attackers.

Unfortunately, the security capabilities of enterprises have not always kept up with the threat landscape. Poor visibility, management challenges and misconfigurations combine with other security and compliance issues to make protecting cloud environments a complex endeavor.

The price of failure is high. According to IBM’s Cost of a Data Breach Report 2021, it took organizations at a “mature stage of cloud modernization” an average of 252 days to identify and contain a cloud-based data breach. Public cloud breaches were the most costly, at an estimated average price tag of $4.8 million USD. The costs for organizations with a high level of cloud migration were also significantly higher than for those with low levels of cloud migration.

Silos, Silos and More Silos

As the risk has grown, so too has the need for organizations to rethink their approach to security. Silos are the death of security in the cloud. Yet, silos are common for organizations using multiple tools to manage user access to their cloud assets. If security is not implemented in a unified, integrated way, blind spots and security issues are inevitable. 

Many organizations have responded by implementing cloud-native tools from cloud security platforms. However, many of these tools are focused on pre-runtime vulnerabilities and compliance and only offer a snapshot of the organization’s security posture at a moment in time. The movement to “shift security left” and bake it deeper into the development process has allowed organizations to catch security vulnerabilities earlier, but insecure APIs, misconfigurations and other issues can slip through the cracks due to the dynamic nature of cloud environments and the desire to avoid any slowdown in application delivery. 

In the recent CrowdStrike Services Cyber Front Lines Report, our researchers found that adversaries were targeting neglected cloud infrastructure that was scheduled for retirement but still contained sensitive data. These attacks serve as a reminder that threat actors will take advantage of any security hole caused by missteps or inattention.

Why Take an Adversary-focused Approach

Finding the right defensive strategy is contingent on understanding how attackers are targeting cloud environments. At CrowdStrike, we call this taking an adversary-focused approach. Our strategy is powered by the CrowdStrike Security Cloud, one of the largest threat-centric data fabrics in the world.

The Security Cloud correlates trillions of security events per day with indicators of attack, CrowdStrike’s industry-leading threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities, DevOps, IT assets and configurations. Using our AI and ML models, the Security Cloud turns this data into action, identifying shifts in adversary tactics to better understand how an adversary will target an organization and to prevent threats in real time. The CrowdStrike Falcon® platform transforms this intelligence into high-fidelity detections, automated protection and remediation, threat hunting, and prioritized visibility into vulnerabilities so that security teams can respond effectively.

Taking an adversary-focused approach arms security and incident response (IR) teams with a higher level of context about the situation they are facing. By leveraging threat intelligence and mixing it with continuous visibility, organizations can better defend their assets. Pre-runtime and compliance data alone will not provide IR teams with the type of comprehensive data they need — they require as much data as possible to support their investigations and get a complete picture of what is happening.  

Visibility is critical. If an attacker is taking advantage of a lack of outbound communication restrictions to exfiltrate data, organizations have to be able to detect that and enforce policies to block it. The principle of least privilege should be a governing idea of any security strategy, particularly one being applied to a cloud environment where the concept of the traditional perimeter is essentially nonexistent. Knowing how threat actors are trying to access cloud resources better positions organizations to lock down cloud applications and resources and reduce risk. Locking the doors to your home to keep out intruders is fine, but what do you do when the burglar comes in through the window? 

Seeing the Bigger Picture

Thinking like an attacker and knowing their tactics, techniques and procedures (TTPs) is a fundamental part of protecting IT infrastructure. The attack surface of the cloud — with its dynamic mix of containers, virtual machines, microservices and more — is complex and growing. With attackers circling, it would be a mistake for organizations to focus on the cloud less than attackers do. Attacks are not always direct — sometimes, adversaries compromise the on-premises environment first and then pivot to cloud resources. In a hybrid IT world, organizations need to be able to extend the security controls protecting their on-premises environment into the cloud to maintain consistency and compliance.

True security requires the ability to collect, correlate and properly leverage information about users, endpoints and assets regardless of where they reside. Cloud workload protection platforms and agentless cloud security posture management solutions each provide only part of the picture. For hybrid environments, security must be approached in a holistic and integrated fashion that is informed by real-time threat intelligence and visibility. CrowdStrike advocates that organizations think like an attacker, examining adversary activity, tactics and techniques to better understand how they will target your organization, so that you can detect and remediate malicious activity.
