There are several reasons why cloud security is so challenging, and the leading issue is roles and responsibilities. In the cloud, three main groups interact when securing the environment: the Cloud Security Team, the Security Operations Center, and DevOps. These teams do not report to or manage one another, so clear communication that enables collaboration is key. Additionally, decision making and direction from the responsible executives, such as the CIO and/or CISO, are essential.
Cloud Security Team
The Cloud Security Team has a cloud-only perspective of the configuration of the cloud and lacks the context of the asset exposed by that configuration. For example, a CNAPP finding might indicate a critical issue with a single asset exposed by a toxic combination, so to the cloud security team it appears extremely vulnerable. The cloud security team may prioritize this as a top issue that the DevOps team must address immediately.
The DevOps team has the asset context. DevOps sees that the toxic combination exists, but in an empty sandbox environment. This leads to a lot of back and forth between the two teams, wasting time and resources while security issues impacting crown jewel assets are ignored.
Security Operations Center
The Security Operations Center (SOC) is another group within the overall cloud security organization; it is responsible for addressing real-time threats and the daily alerts that come in. The SOC is typically overwhelmed with alerts from across the entire business. For the cloud, it is very difficult to determine the relationship between the thousands of daily alerts, so security teams must manually determine whether each threat is real or not, and this takes a tremendous amount of time and effort. At the end of all of this, most of the time there are no significant findings and the SOC team has simply wasted their time, which leads to real burnout.
Development Operations (DevOps)
The DevOps team just wants to do their work. When I was at re:Invent, a developer came to our booth and mentioned that he was unhappy (not his exact words) with a popular CNAPP product.
“We get all these ‘alerts’ which are clearly labeled ‘sandbox’, why doesn’t the cloud security team understand these are not important! I have real deadlines that drive company revenue.”
This again leads to a lot of back and forth with all three teams wasting time explaining to one another why something is or is not important.
Lack of Context and Understanding
There are three teams that each have a role, but there is no single view that shows them how they need to work together. Without that shared context and understanding, no group can see how its work and role impact the others.
Skyhawk’s Continuous Autonomous Purple Team shows, definitively, how the work each team is doing impacts the others, and the CDR gives the team the evidence they need to understand which alerts are real and require attention, along with recommendations on what action to take.
Skyhawk Security contextualizes the information within the platform so each security team has the information they need to achieve their goal, reduce business risk and prevent cloud breaches.
- Cloud Security Team: Understands which posture issues and other findings lead to crown jewel assets.
  - Toxic combinations that put a test environment at risk are not as important as a single issue that exposes your company’s financials. The purple team shows this.
  - Enables simple collaboration with the DevOps team, so together they can prioritize what in the cloud configuration should be updated.
- SOC: Working with the Cloud Security Team, the SOC leverages the attack sequence the CDR provides, and now the team has all the evidence they need to understand what requires attention and what does not.
  - The purple team helps them collaborate with the other teams to secure the cloud attack surface.
  - The rehearsed attacks show the SOC what the typical attack paths are, and they can set up automated responses to stop these threats before they evolve into a breach.
  - Real-time threat detection identifies incidents before they become breaches.
- DevOps: The SOC and Cloud Security Teams can show them which cloud configurations put the organization at risk and how to fix them.
  - If something cannot be fixed, they can collaborate with the SOC to create an automated response and remediation for when a non-patchable vulnerability is compromised.
  - The Cloud Security Team will understand which work the DevOps team will prioritize and which does not need to happen.
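The sandbox-versus-financials dispute described in the Cloud Security Team section, and the prioritization principle in the list above, come down to scoring a finding against the asset it touches rather than on severity alone. The following is an added example, not Skyhawk's code or the behaviour of any particular CNAPP: the asset inventory, tag weights and findings are constructed for illustration, and the point is only that a critical toxic combination on an empty sandbox should rank below a single exposure of production financial data.

```python
# Added example (not Skyhawk's code): context-aware ranking of CNAPP findings.
# A finding's severity is weighted by the asset context the cloud security
# team usually lacks (environment, data class, crown-jewel flag).
from dataclasses import dataclass

# Constructed asset inventory: the context DevOps has and the CNAPP does not show.
ASSETS = {
    "s3://finance-reports": {"env": "prod",    "data": "financial", "crown_jewel": True},
    "ec2://sandbox-web-01": {"env": "sandbox", "data": "none",      "crown_jewel": False},
    "rds://customer-db":    {"env": "prod",    "data": "pii",       "crown_jewel": True},
}

# Constructed weights; a real program would derive these from its own data classification.
ENV_WEIGHT = {"prod": 1.0, "staging": 0.5, "sandbox": 0.1}
DATA_WEIGHT = {"financial": 1.0, "pii": 0.9, "internal": 0.4, "none": 0.1}

@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: int        # CNAPP severity 1..10, as reported without context
    toxic_combo: bool    # e.g. public exposure chained with an over-privileged role
    description: str

def contextual_score(f: Finding, assets=ASSETS) -> float:
    """Combine CNAPP severity with asset context. An asset missing from the
    inventory keeps full weight so an unknown asset is never quietly deprioritized."""
    ctx = assets.get(f.asset, {"env": "prod", "data": "internal", "crown_jewel": False})
    score = f.severity * ENV_WEIGHT.get(ctx["env"], 1.0) * DATA_WEIGHT.get(ctx["data"], 1.0)
    if f.toxic_combo:
        score *= 1.5     # several weaknesses on one asset compound each other
    if ctx["crown_jewel"]:
        score *= 2.0     # exposure of a crown jewel outranks everything else
    return round(score, 2)

def prioritize(findings, assets=ASSETS):
    """Return findings ordered highest contextual score first."""
    return sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)

# Constructed findings mirroring the dispute in the text: the sandbox toxic
# combination is the most "severe" to the CNAPP, yet the least risky to the business.
FINDINGS = [
    Finding("F-1", "ec2://sandbox-web-01", 10, True,  "public IP + admin instance role"),
    Finding("F-2", "s3://finance-reports",  6, False, "bucket policy allows anonymous read"),
    Finding("F-3", "rds://customer-db",     7, True,  "public endpoint + permissive security group"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.finding_id} {contextual_score(f):>6}  {f.asset}  {f.description}")
```

Run as a script it prints F-3, then F-2, then F-1: the severity-10 sandbox finding drops to the bottom once its environment and data class are applied, which is the shared view the three teams are arguing for lack of.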
Skyhawk Synthesis Security Platform
- Enables collaboration and context so all cloud security teams are able to support the common goal of reducing business risk.
- Realizes a preemptive approach to cloud security with the Purple Team.
- Eliminates alert fatigue with verified alerts that show all the evidence of what is happening and how it is truly a threat to the business.
- The AI-based red team leverages a simulation digital twin to identify vulnerabilities and exposures that exist across the cloud attack surface, with no impact on production.
- Reduces MTTR with verified and automated response for instant resolution of threats, so they do not evolve.
Want to learn more? Try Skyhawk for free!