5 Reasons Why CSPM Tools are not Enough

Cloud Security

This post was written by Jennifer Gill, VP Product Marketing at Skyhawk.

Cloud Security Posture Management (CSPM) tools are an important part of any security strategy. However, they fall woefully short in terms of being the end game to secure your public cloud. Why? They only look at the static configuration of your environment, and only for the assets you know you have. Developers and IT teams are spinning up resources all the time – is the security operations center (SOC) aware of those? Have any assets been exploited? How were they exploited? These important questions cannot be answered by CSPM tools alone.

Here are the top 5 reasons why CPSM tools are not enough:

  1. Not all misconfigurations can be fixed.

Most CSPM tools are pretty good at detecting issues – so you find the misconfiguration which is great – but, can you fix it? According to a Gartner® report, “Through 2026, non-patchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices.” .[1] If you can fix it – it is going to take a while. There are reports that this can be anywhere from 60 to 256 days[2][3]. You need a threat monitoring platform to protect your cloud and enable you to live with these known vulnerabilities.

  1. 15% of breaches are due to misconfigurations[4], what about the other 85%?

Monitoring the configuration will help you find open ports, non-compliance with specific initiatives, and other misconfigurations which account for 15% of breaches – but what about the other 85%?  Advanced threat detection tools look beyond the static environment and look at the activities and behaviors in the environment. All breaches are going to have an element of bad behavior even where a misconfiguration is used! The open port will be used by a bad actor to gain access to your company’s financial data. The open port is interesting, the fact that it was used is evidence of the breach.

  1. Even if you are 100% compliant, you are not 100% secure.

Prevention is needed but will not guarantee you are not breached. Prevention and compliance are not enough. Developers, administrators, and others are constantly in the cloud and doing work. This means that your cloud configuration is always changing, so you are always chasing compliance. You will never close the gap. This is why you need to focus on the runtime along with eliminating misconfigurations – prevention and detection. You need to implement and follow best practices, but even with 100% compliance you can still be breached – and CSPM tools will not alert you on this.

  1. An attack is not a single event. They are a series of events that make up stories that evolve over time.

Once you analyze an attack, it is not a single event. An attack is not just a single anomaly – like someone started their day at 6 AM versus their usual 9 AM, or network activity suddenly spiked. Breaches are a sequence of events of suspicious and malicious behavior that are executed over time to cause damage to your company. Monitoring of the runtime by a threat detection solution makes it easy for the SOC to see these malicious behaviors and to understand how the attack unfolded. A CSPM tool will not show you each and every step in the attack. The security team needs to understand how the attacker got into the environment and moved throughout the organization.

  1. It isn’t dynamic or static – it’s dynamic AND static, over time.

Looking at the configuration is helpful and looking at the activities in the environment is also helpful – but looking at both the configuration and activities over time is how you are actually able to detect an incident or realert. Many solutions do a point in time analysis of the configuration and behavior – so if you don’t see an interesting issue in the configuration or behavior at that time, some security tools will simply dismiss that data and move on and that data will not be available for analysis again. Today’s advanced threat detection tool leverages artificial intelligence and machine learning to build models of what is normal for your environment. This personalized context will look for changes from the normal behavior, over time, to identify the risky behaviors that need to be investigated.

[1] Gartner, Predicts 2023: Enterprises Must Expand from Threat to Exposure Management, Jeremy D’Hoinne, Pete Shoard, et al.., 1 December 2022 . GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved

[2] https://www.securitymagazine.com/articles/95929-average-time-to-fix-severe-vulnerabilities-is-256-days

[3] https://www.prnewswire.com/news-releases/organizations-take-an-average-of-60-days-to-patch-critical-risk-vulnerabilities-301496256.html#:~:text=Organizations%20Take%20an%20Average%20of%2060%20Days%20to%20Patch%20Critical%20Risk%20Vulnerabilities

[4] Verizon, Data Breach Investigation Report, 2022.

 

Blog

Stop by Skyhawk Security’s booth at re: Invent!

AWS re:Invent is less than a month away – stop by booth #2152 to learn about Skyhawk Security and our award-winning AI-based Autonomous Purple Team. With Skyhawk’s Continuous Proactive Protection, our customers have realized: Significant Time Gains: Our customer has

AICloud BreachCloud SecurityThreat Detection
multi cloud
Blog

Cybersecurity Awareness Month: What about the cloud?

October is Cybersecurity Awareness Month, and on this last day, let’s talk about cloud security. What started as a United States government initiative some 23 years ago, continues to this day under the leadership of CISA. The agency, which routinely

AICloud BreachCloud SecurityThreat Detection
Blog

What can we learn from recent cloud security breaches?

Over the past year there have been several prominent cyber incidents involving the cloud. These incidents have illustrated the dependency of organizations on the cloud, the vulnerability of the cloud and the motivation of attackers to utilize this to their

AICloud BreachCloud SecurityThreat Detection
Blog

Cloud Hacking, From Russia with Love

Russian hackers are shifting their interest to the cloud, and have successfully breached cloud infrastructure. This is what a joint advisory issued by the U.K.’s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia,

AICloud BreachCloud SecurityThreat Detection
Blog

What does the new NIST password guidelines mean for cloud security?

The common joke around security folks is that everyone knows what a password is, but not many remember their own passwords. But even so- passwords are an essential security mechanism and now, NIST is updating its recommendations regarding passwords policy,

AICloud BreachCloud SecurityThreat Detection
Blog

Real Customer Scenarios: See how Skyhawk Security Stopped the Breach

When evaluating a cloud security solution, it is imperative to know how well it will detect threats in time to prevent a breach. Here are three examples out of many in which our customers were able to detect an incident

AICloud BreachCloud SecurityThreat Detection

Thanks For Reaching Out!

One of our expert will get back to you
promptly at asafshachar@gmail.com

Continue
See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.