"Fundamentally, if somebody wants to get in, they're getting in. Alright, good. Accept that." - Gen. Michael Hayden, Former Director, NSA (2012)
The Assume Breach approach is not a new idea. As long as there have been networks, attackers have been able to breach them. Although the quote from Michael Hayden above sounds like it could’ve been issued yesterday, it’s actually from 2012 - the security community has faced this reality for a very long time.
If this is such an old concept, why are we still talking about it? In April 2023, CISA issued the latest version of its Zero Trust Maturity Model, which provides a framework for government entities and businesses to secure their environments.
"Zero Trust assumes that a breach has already occurred or will occur." - CISA Zero Trust Maturity Model (2023)
Sounds familiar. CISA goes so far as to recommend that “all organizations should review and consider adoption of the approaches outlined in this document.” So Assume Breach has been around for quite some time, and shows no signs of going away. But how can we bring the assume breach approach into the cloud?
Let’s zoom out a bit. The NIST Cybersecurity Framework (CSF) defines five core functions that any cybersecurity program needs: Identify (know your assets, risks and vulnerabilities), Protect the environment, Detect threats, Respond to attacks, and Recover from damage.
In the cloud, most security vendors focus on the first two functions: Identify and Protect. These vendors make up what Gartner has termed the Cloud-Native Application Protection Platform (CNAPP) category of tooling. Core CNAPP capabilities include, among others:
Cloud Security Posture Management (CSPM), which finds and helps eliminate misconfigurations in cloud service settings (public storage buckets, overly permissive network rules, disabled logging, and the like)
Cloud Infrastructure Entitlement Management (CIEM), which analyzes cloud identities and the permissions granted to them, and helps organizations implement the principle of least privilege
Infrastructure as Code (IaC) scanning, which finds insecure settings in deployment templates (Terraform, CloudFormation and similar) inside the automated pipeline, before they reach a live environment
CNAPPs help organizations build security guardrails into the development process, so that applications and environments are designed securely and are better protected against threats. But for security teams, the unfortunate reality is that no matter how strong the guardrails around development are, attackers will always find cracks: a leaked credential, a zero-day in a dependency, or a misconfiguration that slipped through.
This is where the back half of the NIST framework comes in: detection and response are vital to ensuring that when threats inevitably arise, they can be addressed in real-time and attacks can be stopped before they impact the business.
Detection and response (D&R) is the realm of the security operations (SecOps or SOC) team. In the traditional world, SOC teams use tools like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) to monitor real-time activity, triage alerts, and isolate threats before impact is achieved.
In the cloud, Cloud Detection and Response (CDR) provides this functionality. Core capabilities of CDR include:
Telemetry monitoring and visibility analysis, which ensures that the organization has visibility over its entire environment (every account, region and service) and closes blind spots.
Cloud monitoring is complicated and expensive: CDR helps organizations achieve maximum telemetry coverage at an acceptable cost, rather than paying to ingest everything.
Cloud-native threat detection, which analyzes cloud telemetry (audit logs such as AWS CloudTrail, flow logs, data-access logs) in real time and raises alerts when suspicious activity is observed.
Cloud attacks are different: CDR enables organizations to detect threats across cloud identity, data, network and compute at the control plane layer, which endpoint and network tools do not see.
Automated triage and investigation, which fuses context from all cloud data sources into human-readable timelines that let analysts understand what an attacker did, as which identity, from where, in seconds.
The cloud requires context: CDR enables organizations to automatically correlate activity across different log sources and cloud service providers, significantly reducing mean time to respond (MTTR).
Cloud-native containment, which enables organizations to respond to threats immediately from within the platform, for example by quarantining a compromised identity or isolating a workload.
The cloud needs “quarantine”: organizations need a “band-aid” to stop an attack before impact is achieved, without waiting for a full root-cause investigation.
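The three capabilities above (detection over control-plane telemetry, correlation into a per-actor timeline, and a quarantine action) can be shown end to end on a handful of log records. The following is an added example written for this page, not code from the original post or from any CDR product. The events are constructed inline in a simplified AWS CloudTrail shape; the detection rules, the rule that a role session name maps back to the user who assumed it, and the escalation threshold are all illustrative assumptions. The quarantine policy document is a standard IAM deny-all statement; nothing here calls a cloud API.

```python
"""Toy cloud detection-and-response pipeline over constructed CloudTrail-style events.

Added example for illustration only. Events, rules and thresholds are assumptions,
not real logs or any vendor's detection content.
"""
import json
from collections import defaultdict

# Constructed sample events (simplified CloudTrail fields). Not real traffic.
EVENTS = [
    {"eventTime": "2023-06-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/AdminRole"}},
    {"eventTime": "2023-06-01T10:00:07Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/dev-ci"}, "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2023-06-01T10:00:30Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/dev-ci"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-06-01T10:01:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/dev-ci"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2023-06-01T10:02:15Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/dev-ci"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2023-06-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"bucketName": "app-assets"}},
]


def actor_of(event):
    """Map the principal ARN back to the actor behind it.
    user/alice -> alice; assumed-role/AdminRole/dev-ci -> dev-ci.
    Assumption: the role session name is the assuming user's name (true here by construction)."""
    arn = event["userIdentity"]["arn"]
    return arn.split(":")[-1].split("/")[-1]


# Control-plane detections: (finding title, predicate over a single event). Illustrative only.
RULES = [
    ("CloudTrail logging tampered with",
     lambda e: e["eventSource"] == "cloudtrail.amazonaws.com"
     and e["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("Access key created for a different principal",
     lambda e: e["eventName"] == "CreateAccessKey"
     and e.get("requestParameters", {}).get("userName") not in (None, actor_of(e))),
    ("Security group opened to 0.0.0.0/0",
     lambda e: e["eventName"] == "AuthorizeSecurityGroupIngress"
     and e.get("requestParameters", {}).get("cidrIp") == "0.0.0.0/0"),
]


def detect(events):
    """Run every rule over every event; return findings in time order."""
    findings = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        for title, pred in RULES:
            if pred(e):
                findings.append({"time": e["eventTime"], "actor": actor_of(e),
                                 "event": e["eventName"], "title": title})
    return findings


def timeline(events, actor):
    """Fuse all activity for one actor, across services, into readable lines."""
    rows = [e for e in sorted(events, key=lambda x: x["eventTime"]) if actor_of(e) == actor]
    return [f'{e["eventTime"]} {e["sourceIPAddress"]} {e["eventSource"].split(".")[0]}:{e["eventName"]}'
            for e in rows]


def triage(events):
    """Group findings by actor and attach that actor's full timeline.
    Escalation threshold (assumption): two or more findings for one actor."""
    by_actor = defaultdict(list)
    for f in detect(events):
        by_actor[f["actor"]].append(f)
    return {a: {"findings": fs, "timeline": timeline(events, a), "escalate": len(fs) >= 2}
            for a, fs in by_actor.items()}


def quarantine_policy():
    """Containment 'band-aid': an IAM policy document that denies every action.
    Attaching it to the compromised user or role stops further damage while the
    investigation continues; it is reversible once the root cause is understood."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    for actor, r in triage(EVENTS).items():
        print(f"== {actor} (escalate={r['escalate']})")
        for line in r["timeline"]:
            print("   ", line)
        for f in r["findings"]:
            print("  !", f["time"], f["title"])
        if r["escalate"]:
            print(json.dumps(quarantine_policy(), indent=2))
```

Run as a script, it prints one timeline per actor with findings interleaved and a deny-all policy for the escalated one. Note what the correlation step adds beyond the individual alerts: the AssumeRole and GetCallerIdentity calls trigger no rule on their own, yet the timeline shows the whole sequence (assume an admin role, check who you are, switch off logging, create a persistent key, open SSH to the internet) from a single IP within three minutes, which is what an analyst needs to decide quickly. For a role rather than a user, the same deny statement with a `DateLessThan` condition on `aws:TokenIssueTime` also invalidates sessions already issued, which is the mechanism behind IAM's "revoke active sessions" action.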
Identifying and protecting against threats are undeniably important functions, but detection and response are necessary to implement an assume-breach approach. CDR gives organizations the tools they need to bring the assume-breach approach into the cloud.