Complimentary Cloud Identity Threat Briefings

GET THE THREAT BRIEFING
Illustration Cloud

Cloud Detection and Response Survey Report 2023

In the first few years of Permiso’s journey as a cloud security startup, before raising venture capital and coming out of stealth mode in early 2022, the team spoke to 150-200 security and engineering leaders and practitioners to understand how they tackled security in the cloud. This helped gain insight into where Cloud Security Posture Management (CSPM) and Security Information and Event Management (SIEM) tools were helping organizations address security challenges, and where there were still blind spots across their stack of other monitoring and detection software.

As Permiso developed a cloud security detection and response product and captured our first several customers, we learned even more about some of the most pressing cloud security issues looked like for those companies. We also learned how those challenges sometimes differed to the anecdotal responses that were compiled during the the 150-200 interviews. Of the the incidents Permiso responded to in 2022, nearly all of them were the result of a compromised API key. While compromised API secrets have become more problematic over the years, this wasn’t a prominent concern or priority for many of the company interviews conducted in between those two years prior. Of the incidents Permiso responded to in 2022, the vast majority had a CSPM and/or SIEM in place that didn’t prevent the breach from happening nor were they able to detect the threat actor one they gained access to their environment.

in April of this year we surveyed more than 500 cloud engineering and security professionals to understand more about the scale and security practices of the respondents’ cloud environments. We wanted to understand the number of secrets they managed, how users (both human and machine) access their environment, whether they allow console access via local IAM users, how broadly MFA is enforced, and a host of other components of their practices in the cloud. The goal was to understand, at a larger scale, some of the more critical elements of their enterprise security policies and broader security programs in the cloud. We wanted to benchmark these results against other industry surveys that extrapolated similar data in an effort to validate our own survey data. After coupling our survey results with that of other industry data from similar assessments, we then wanted to compare that ‘anecdotal’ data to what actually happens in cloud environments. We analyzed the research of security giants like Palo Alto Networks and Google/Mandiant who are observing the activity of tens of thousands of customers and millions of accounts and identities in the cloud at any given time. Rather than asking someone to describe their security practices, response time to a breach, or whether they’ve been compromised based on their own memory or knowledge, we wanted to look what the actual data from their cloud production environments is showing.

Ostrich

By analyzing data across multiple sources, including our own survey, we uncovered a significant cognitive dissonance in the industry around the inherent feeling that enterprises are adequately protected in the cloud and the reality, or actual current state of cloud security in their environment. Even though many respondents reported having experienced a breach in their cloud environment, continue to use insecure cloud management practices, and are concerned their teams don’t have the tools or expertise needed to detect and respond to a breach - an astonishing 80% believe their existing people, processes, and technology would prevent them from suffering a breach in the the first place.

One of the most compelling examples of this Dunning–Kruger effect in cloud security is dwell time. Permiso’s survey asked respondents to identify what best describes their ability to detect and replay the attack sequence if a threat actor were to gain access to your cloud environment. Almost 70% of the respondents claimed they would be able to detect and respond to an event within 12-24 hours. However, according to Google’s Cybersecurity Action Team, global median dwell time, which is calculated as the median number of days an attacker is present in a target’s environment before being detected, was 16 days in 2022. This means that the average actual response time to threats in their cloud environment is 16 to 32 times what they estimated it to be when asked in the survey.

Some other key findings from our report include:

  • 95% of respondents expressed concern that their current tools and teams may not be able to detect and respond to a security event in their cloud environment

    • More than 55% of the respondents describe their level of concern as ‘extremely concerned’ or ‘very concerned’

  • Half of the respondents experienced a breach as a result of unauthorized access into their cloud environment

  • 46% of those surveyed have local iam users with console access into their environment

  • 37% of respondents leverage long-lived access keys

  • More than 80% of respondents feel that their existing tooling and configuration would sufficiently cover their organization from a well-orchestrated attack

To get the full report on our analysis and the data we benchmarked against, please download the full report at hero.permiso.io/cloud-detect-and-response-survey

Illustration Cloud

Related Articles

Azure Logs: Breaking Through the Cloud Cover

Permiso consistently observes that engineers and analysts often struggle with interpreting Azure Monitor Activity Logs, facing confusion and achieving only a partial understanding even after gaining experience. To address this, Permiso aims to level

Privileged Identity Management (PIM): For Many, a False Sense of Security

Privileged Identity Management (PIM): PIM is described as a service within Microsoft Entra ID, designed to manage, control, and monitor access to crucial organizational resources, encompassing Microsoft Entra ID, Azure, and other Microsoft Online

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Summary LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing

View more posts