Insights: Facing the cyber-unknown in the hybrid cloud labyrinth

The UAE cloud computing market is estimated to grow at a CAGR of 38.2 per cent over the next seven years, mainly because of the rise of the hybrid office. This strongly suggests that much of that growth will occur in the building of hybrid cloud environments. Growth stories are always good news, but many come with caveats. And the dark side of the hybrid cloud craze is cyberattacks.

It is a tale of more. A spiral of more. More attack surface. More sophisticated methods. More cybersecurity tools. More burnout, more turnover, more talent gaps.

More of everything except what the cybersecurity function really needs: more signal efficacy. We call it Attack Signal Intelligence — the culmination of decades of R&D, of analysing attacker behaviours and improving artificial intelligence (AI) and machine learning models to detect said behaviours. It will be critical in the modern enterprise, which has become irreversibly hybrid in its technology mix.

According to IBM Security researchers, 45 per cent of breaches in 2021 happened in the cloud.

Vectra has found that 72 per cent of security leaders fear an attacker has already infiltrated their environment, but they lack the means to verify if or where this has happened. Chief information security officers (CISOs) and their security operation centre (SOC) teams work in a world of unknowns such as this.

As more incidents occur in the cloud, a prevention-first mindset can quickly become a “blindness tolerated” mindset — one that will have attackers hopping with glee. Visibility must be the priority. Our blind defenders cannot do their job unless we heal their eyes. We do this though the implementation of three pillars designed to address three unknowns.

Known unknowns in hybrid cloud

We start with unknown exposure. Governance, risk, and compliance (GRC) leaders may collaborate with cloud security posture management (CSPM) teams on vulnerability detection (misconfigurations, neglected updates, and the like); and they may even think that is enough to prevent attackers from infiltrating the cloud. However, according to a 2021 survey by CheckPoint Software, 75 per cent of successful cyberattacks in the previous year exploited vulnerabilities that were more than two years old, so the current approach may need some tuning.

Once we are done with where an attacker might breach the perimeter, we move on to whether or not they have already breached the perimeter, and if so, where. Unknown compromise is the living nightmare of every CISO, especially given the limitations of today’s point solutions to cover networks, endpoints and everything in between.

Throw in cloud elements like IaaS, PaaS, SaaS, and you start to realise just how complex hybrid cloud cybersecurity is. And yet we still often find siloed tools sending a tapestry of telemetry to SOC personnel. Attackers are quite content to hide in the white noise, masked by a snowstorm of false positives and helped along by the fact that their adversaries are suffering from alert fatigue.

The white noise problem also feeds into our third unknown. We may have found the hole in the wall; now we must search for the infiltrator and their payload. Unknown threats — where do we start looking? How do we discover how they are progressing? Defenders and incident response teams can be slowed by point solutions, dashing from pane to pane trying to piece it all together. This can lead to late discovery. And I’ll let your imagination fill in the rest.

Challenges

It is time for a change. Hybrid cloud resilience is critical, but we often lack the skills and/or talent to provide it. If we are to find our way to signal clarity and shatter the cycle of more, we must address three challenges. First, our people need our support. They are burnt out or on the road to burnout. They are generally too young to have the requisite experience and they may even not have the right skills to tackle the escalation in threat incursions and their sophistication, or to grasp the intricacies of cloud security.

The second challenge lies in our processes. When IBM Security tells us it takes organisations an average of 10 months to identify and contain a breach, we know we have to implement automation, stat. Less manual tasks and better workflow orchestration will follow. And third, we must address our technology shortfalls, where blind SOCs scramble ineffectually to get a handle on their environments and the threats they face. Let’s call it the three Vs: visibility, visibility, visibility.

If it seems to you as if everything is coming in threes (three pillars, three unknowns, three challenges), then here is another for you — three deliverables that will ensure true Attack Signal Intelligence in a hybrid cloud.

The first is attack coverage. SOC teams must consolidate their threat visibility and detection capabilities across their entire hybrid and multi-cloud attack surfaces — IaaS, PaaS, SaaS, identity, and networks.

The second is signal clarity, which calls for SOC teams to know the intrusion point of an attack and where the attacker is moving, so they can prioritise time and resources.  It is this signal clarity that will allows investigators and hunters to get back to doing what they do best — investigating and hunting threats.

Finally, intelligent control means having the right context at your fingertips to speed up investigations, automate workflows, and target the response action to disrupt or contain an attack. Invest in the right tools, processes, and playbooks to boost SOC efficiency and effectiveness.

Turn at the wheel

The spiral of more must end, or our hybrid cloud future will be one of stalemate at best. Extrapolating current attack trends leads us to a scenario where commerce halts because we spend all our time paying ransoms and cleaning house. There is another way. We can clean up our methods and give Attack Signal Intelligence its overdue turn at the wheel.

Taj El-khayat is the area VP – South EMEA at Vectra AI

Read: AppDynamics shares the key to cloud-native success