
In recent years, Cloud Security Posture Management (CSPM) tools have become increasingly popular, and with good reason. The posture management capabilities a CSPM provides help an organization understand its cloud configuration and correct weaknesses before they lead to security incidents. The basic idea is that a CSPM continuously monitors how securely your cloud environment is configured so that breaches are prevented.

Enterprises just starting out with a CSPM or Cloud Native Application Protection Platform (CNAPP) may look to the tool as a silver bullet for anything related to cloud security. However, organizations that have deployed CSPM or CNAPP technologies still suffer attacks and breaches of their cloud and SaaS environments. The situation is somewhat reminiscent of the earliest era of internet security, when everyone had antivirus technology, yet systems still got infected with malware and were breached. No preventative system, no matter how robust, can fully eliminate cloud breaches.

CSPM Strengths and Limitations

CSPM platforms are designed to highlight problems, errors, and security risks related to an enterprise’s current cloud configurations or workloads. They sound the alarm on misconfigurations through alerts and remediate the insecure configurations that they find. These are vital capabilities for companies using the cloud. However, they’re not the only cloud security capabilities modern enterprises require. That’s because when something happens, a CSPM can't investigate the whole cloud attack lifecycle or help you determine the blast radius.

Imagine you have a house, with different doors and windows. A CSPM can tell you the material the doors and windows are made of, what condition they’re in, and point out areas that need to be repaired. It can tell you if a faulty lock has left a window open. A CSPM can’t tell you if anyone entered that window—or piece together what happened once they were inside.

In today’s escalating cloud threat landscape, it’s not enough to fix the “faulty lock.” You have to be able to fully investigate the threat and quickly get answers. Did an incident take place? If so, how did the attacker get in? Where did they go while they were inside? And what did they take?

Bridging the Gap with Context-Informed Threat Analysis

Where CSPMs leave off (at check-the-box cloud detection and response), new solutions are needed that give teams deep cloud investigation capabilities without requiring deep cloud incident response (IR) expertise. Mitiga's solution steps in where the capabilities of CSPM and CNAPP technologies stop.

So, let’s go back to our house metaphor: When a break-in happens, CSPM and CNAPP solutions aren’t able to investigate. With Mitiga, if your “house” is broken into, we can quickly tell you that the attacker entered through a crack in the window, that they took keys from the nightstand, ate all the food in your refrigerator, took your car and drove off.

That's the sort of clarity and context organizations operating in the cloud need. It's simply not enough to only know the state of cloud posture.

Mitiga addresses the gap left by CSPM and CNAPP tools by proactively and continually gathering, retaining, and analyzing the cloud application log data an investigation requires. That data provides critical context, including the full scope of the compromise.

But what if the attacker is already inside your house, hiding in the basement or the attic, waiting for the right moment to strike? How would you know if they are there, and what they are planning to do? This is where threat hunting comes in. Threat hunting is the proactive search for signs of malicious activity within your cloud environment, before they cause damage or data loss.

By using advanced techniques such as anomaly detection, behavioral analysis, and threat intelligence, Mitiga helps identify and eliminate any threats that have evaded your security controls and gone unnoticed. By empowering teams with knowledge of the tactics, techniques and procedures used by attackers, this context-informed threat analysis enables and dramatically accelerates incident response, lowering breach impact.
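To make the distinction concrete, here is an added illustration (not Mitiga's code or product logic) in Python: a CSPM-style check evaluates the configuration snapshot of a storage bucket, while an investigation step replays constructed CloudTrail-style events to answer how the attacker got in, which identities they moved through, and what they read. The bucket name, account ID, IP addresses, principals and event shapes are all constructed for the example.

```python
# Added example, not from the original post: posture check vs. log-based investigation.
# All values below are constructed; the event layout only loosely mirrors CloudTrail.

# Constructed configuration snapshot, the kind of state a CSPM evaluates.
BUCKET_CONFIG = {"name": "example-reports", "public_read": True, "logging": True}

# Constructed, chronologically ordered activity events.
EVENTS = [
    {"time": "T1", "event": "ConsoleLogin", "user": "dev-user", "ip": "203.0.113.9", "resource": "-"},
    {"time": "T2", "event": "AssumeRole", "user": "dev-user", "ip": "203.0.113.9",
     "resource": "arn:aws:iam::111122223333:role/DataReader"},
    {"time": "T3", "event": "ListObjects", "user": "DataReader", "ip": "203.0.113.9", "resource": "example-reports"},
    {"time": "T4", "event": "GetObject", "user": "DataReader", "ip": "203.0.113.9", "resource": "example-reports/q1.csv"},
    {"time": "T5", "event": "GetObject", "user": "DataReader", "ip": "203.0.113.9", "resource": "example-reports/q2.csv"},
    {"time": "T6", "event": "GetObject", "user": "ci-bot", "ip": "198.51.100.4", "resource": "example-reports/index.json"},
]
KNOWN_IPS = {"198.51.100.4"}  # constructed allow-list of expected corporate egress addresses


def posture_findings(cfg):
    """CSPM-style check: describes the state of the 'lock', not whether anyone used it."""
    findings = []
    if cfg["public_read"]:
        findings.append(f"{cfg['name']}: public read enabled")
    if not cfg["logging"]:
        findings.append(f"{cfg['name']}: access logging disabled")
    return findings


def investigate(events, known_ips):
    """Investigation step: start from logins outside the allow-list, follow every event
    from those source IPs through role assumption, and collect the objects actually read."""
    entry_ips = {e["ip"] for e in events if e["event"] == "ConsoleLogin" and e["ip"] not in known_ips}
    chain = [e for e in events if e["ip"] in entry_ips]
    identities = []  # identities used along the chain, in order of first appearance
    for e in chain:
        if e["user"] not in identities:
            identities.append(e["user"])
    return {
        "entry_ips": sorted(entry_ips),
        "identities": identities,
        "objects_read": [e["resource"] for e in chain if e["event"] == "GetObject"],
        "timeline": [f"{e['time']} {e['event']} {e['resource']}" for e in chain],
    }


if __name__ == "__main__":
    print("posture:", posture_findings(BUCKET_CONFIG))
    print("investigation:", investigate(EVENTS, KNOWN_IPS))
```

The posture check only reports that the bucket is publicly readable; the investigation shows the window was actually used, the identity chain that was walked, and which objects were taken, which is the blast radius question the text says a CSPM cannot answer.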

Users of CSPM tools understand well the importance of finding and fixing vulnerabilities. Now it’s time for enterprises to close the gap in their cloud investigation capabilities. Mitiga can help.

LAST UPDATED:

April 17, 2024

