Cloud security as has reached a tipping point by virtue of the fact that both SaaS and internally developed cloud-native applications now perform business-critical functions. In turn, cloud security can no longer be a siloed discipline in which separate teams employ separate controls to secure separate environments. Fortunately, cloud security is starting to be mainstreamed – security teams are getting more involved in scrums and sprints, and many CIO’s are creating and funding cross-functional cloud centers of excellence (CCoE). The maturation of cloud security programs, however, needs to include bringing cloud observability into the security operations center. It’s time to put the C in XDR.
ESG views XDR as an enhanced approach to endpoint detection and response (EDR) in which the “X” serves as a wildcard operator to connote extending threat detection and response measures across endpoints, networks, SaaS applications, and cloud infrastructure. I’ve been riffing with my colleagues Jon Oltsik and Dave Gruber, ESG’s co-lead analysts on XDR, on what it means to bring cloud telemetry into the threat detection and response mix.
Cloud sensors will provide telemetry from the following sources:
- The Server Workloads and APIs of Cloud-native Apps. Because cloud-resident workloads are a heterogenous mix, the instrumentation of VMs, containers, and, increasingly, serverless functions and APIs is required. Telemetry a la what would be provided by an EDR sensor includes process information, file system changes, and netflow data including east-west inter-workload traffic and communication with remote IPs. And as Linux continues to grow as the predominant OS of cloud-native apps, Linux-native support for a range of distros is required.
But straight-up EDR sensors won’t cover all the requirements for capturing event telemetry off of cloud-resident workloads. For starters, since workloads in an auto-scaling group should exhibit the same runtime behavior, cloud EDR sensors will also detect and alert on anomalous application activity including that of APIs and serverless functions. Such workloads, especially containers, are often ephemeral, making capturing and retaining full stack activity essential for both reactive and proactive detection, response, and threat hunting use cases. And, finally, a critical aspect of cloud workload detection and response is extending observability to the automation platforms that manage their lifecycle, which in a container-centric context means, of course, Kubernetes.
- Network Traffic Flows. In addition to netflow specific to a workload server instance, SOC teams will need to decide on the appropriate scope of cloud-specific network telemetry (to, from, and in the cloud) based on how their use of cloud services impacts their threat model. This could include analyzing flow data for all the traffic in one or more virtual private clouds (VPCs), and traffic in a specific private or public subnet. In today’s hybrid, multi-cloud data center, netflow monitoring will include east-west traffic between application tiers across north-south boundaries. A good starting point to gain visibility into such traffic patterns is a logical topological rendering that depicts the relationship between application tiers to both guide segmentation policies and for context-based monitoring.
- Cloud Identities. There are multiple dimensions to how human and non-human identities access cloud services, representing an essential aspect of extending XDR to cloud properties. Identity telemetry includes access to cloud consoles, service accounts, ACLs on object stores, over-privileged SaaS accounts, and more. And because cloud adoption is often decentralized, cybersecurity teams, and certainly the SOC, all too often lack of visibility into who has access to what. While telemetry based on cloud service access activity is important for all types of cloud services, it is especially critical for SaaS applications as the primary event type, especially when correlated to data classifications. And special attention should be paid to privileged cloud credentials since stolen privileged cloud credentials are a central element of the attack chain.
- Cloud-resident Logs. Major cloud service providers offer services that audit activity, a native capability any organization whose cloud usage is business-critical should employ. The constant state of change in the cloud, however, populates these logs with a volume of events that makes stitching events into actionable alerts challenging at best. As such, cloud detection and response solutions must help improve the signal to noise ratio by applying algorithms to these audit trails to surface high fidelity alerts. And because most businesses consume services from multiple cloud service provides, multi-cloud support is important.
XDR is an expansive topic that makes such blogs borderline white papers. The set of vendors offering solutions to bring cloud telemetry into the XDR purview is equally large. Extending XDR measures to the growing cloud footprint is being tackled by a range of cloud workload protection, cloud security posture management, and micro-segmentation vendors, as well as a newer crop of startups focused on how cloud privileges and data are the nexus of the identity perimeter. Stay tuned for more from ESG on the evolution of XDR initiatives.