
Cloudy With A Chance of A Security Breach: Why CWS and XDR Solutions Should Be On Your Radar


Security leaders are constantly looking to mature their security organization and to build up their security department and tech stack. Identifying key risk gaps and areas of exposure helps organizations stay proactive so they can better prepare and protect themselves, even against new threats.

For many enterprises, the cloud, and cloud workloads in particular, is a priority area that requires securing. According to a recent Forrester report, “establishing a strategy for public clouds” is one of 3 main priorities for security teams over the next twelve months.

Cloud workloads are the result of many enterprises’ digital transformation and their increased use of cloud-based infrastructure. The recent pandemic forced many of these companies to fast-track their digital transformation projects, especially to support remote workers. This required a major shift into the cloud in order to accommodate an off-prem workforce. Because of the urgency, security was not a priority, resulting in higher risk.

Hackers are increasingly targeting cloud workloads, knowing that they are an underserved area within the scope of most organizations’ security departments. Fortunately, CWS (cloud workload security) solutions exist, and more robust XDR tools can be used to improve an organization’s detection and response capabilities.

Companies need to know how these different solutions fare against these new threats. Here’s your guide on what to know about CWS and how to find the right solution for your organization.

The risk to cloud workloads and why cloud workload attacks are rising

With digital transformation well underway, the use of cloud workloads in enterprises has increased dramatically. Unfortunately, because of this expansion and the fact that many enterprises are using public and open-source cloud workloads, enterprises have exposed themselves to a new kind of risk.

In order to work quickly in the cloud, many enterprises use containers, which package applications in a way that resembles lightweight virtual machines. They’re designed to run in an isolated manner so that an infection or malware in one container cannot spread to an organization’s whole network. Containers are streamlined: they often contain only the specific components an application requires rather than a full operating system.

However, containers still need a host OS. The same is true of serverless environments and other approaches that promise speed and productivity: even a serverless environment has an operating system running underneath it. In the majority of cases, that OS is Linux. It’s so widely used that ninety percent of public workloads run on Linux. It’s also the fastest-growing platform on Azure, largely because it supports open-source work so well.

While open-source solutions allow for quicker work and more collaborative processes, they also mean that vulnerabilities can be discovered, and exploits built for them, quite easily and with pinpoint precision. Hackers have already developed attacks that specifically target Linux cloud workloads and containers, knowing they will apply broadly to many organizations.

The 2021 Verizon Data Breach Investigations Report (DBIR) showed that cloud-based attacks surpassed on-premises attacks for the first time since the report began annual publication. It also found that “miscellaneous errors” breaches most commonly stem from misconfigurations of cloud-based data stores.

Without the right tools providing visibility into multiple cloud environments, particularly Linux ones, organizations inadvertently turn a blind eye to a huge risk gap. An investment in cloud-first security solutions is needed.

Enterprise leaders know cloud security is a priority

Enterprise companies are already moving towards securing the cloud and cloud workloads, and leaders know it's a key security goal. As organizations mobilize to secure their cloud, those who don’t will be at higher risk. In a recent survey, 96% of leaders said that security is top of mind for their multi-cloud strategy, yet 76% said their multi-cloud operations are under-invested.

Automated and targeted attacks are more likely to reach organizations that haven’t invested in cloud security or taken the appropriate steps to improve their security resiliency. The attack surface created by companies’ migration to the cloud is large, so malicious attackers are likely to continue their assault, knowing there is plenty of low-hanging fruit.

Fortunately, new cloud workload and advanced detection and response tools are available to shore up this gap in security.

New solutions like CWS and XDR are key for stronger cloud security

Robust investments are needed to properly secure cloud workloads and an enterprise’s cloud environment. However, choosing the right kind of solution and software can be its own endeavor. Organizations need to know what solutions their environments need, especially as they expand their cloud environment and build up a multi-cloud architecture. As more operating systems come into use (such as macOS, Windows, and Linux), it’s important to find a solution that works across multiple platforms and that has been shown to work against attacks in the wild.

CWS solutions can provide targeted protection and are recommended for directly addressing the risks to cloud workloads and environments. To further protect against sophisticated cloud-based attacks, we also recommend leveraging XDR solutions. XDR tools build on more traditional EDR tools, offering expanded telemetry analysis that includes cloud-based sources and additional threat and source intelligence.

XDR tools should correlate data from multiple sources, both where you can deploy an agent and where you can’t. For example, an AWS sensor should have detection capabilities in places where agents can’t be installed, such as S3 buckets or the AWS console itself. This allows a solution to detect when an attacker performs multiple reconnaissance actions against an S3 bucket. With a more complete set of sources to correlate, the XDR solution not only detects these actions but can add context that improves response. The XDR solution you bring into your environment should offer this type of comprehensive source analysis and be deployable on the various clouds your organization uses.
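To make the agentless S3 example concrete, here is an added illustration (not Bitdefender's code, nor any vendor's detection logic) of the kind of correlation an XDR sensor would run over cloud audit records where no host agent exists. It parses a handful of constructed CloudTrail-style JSON events and raises an alert when one principal issues several distinct bucket-enumeration calls within a short window, attaching the buckets and source IPs involved so a responder has context. The set of API names treated as reconnaissance, the 10-minute window and the threshold of three distinct calls are all assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative set of S3 calls that, taken together, look like an actor
# enumerating a bucket's exposure. This list is an assumption for the example,
# not AWS's or any vendor's definition of "reconnaissance".
RECON_EVENTS = {
    "ListBuckets", "GetBucketAcl", "GetBucketPolicy",
    "GetBucketPolicyStatus", "GetBucketPublicAccessBlock",
    "GetBucketLocation", "ListObjects", "ListObjectsV2",
}

# Constructed sample: newline-delimited CloudTrail-style records. The account
# ID and IP addresses are documentation/test ranges, not real infrastructure.
# "user/ci-deploy" is the constructed suspicious principal; "role/app-server"
# is benign background traffic.
SAMPLE_LOG = """
{"eventTime":"2022-05-01T10:00:05Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":null}
{"eventTime":"2022-05-01T10:01:10Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketAcl","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"example-customer-data"}}
{"eventTime":"2022-05-01T10:01:42Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"example-customer-data"}}
{"eventTime":"2022-05-01T10:02:30Z","eventSource":"s3.amazonaws.com","eventName":"GetBucketPublicAccessBlock","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"example-customer-data"}}
{"eventTime":"2022-05-01T10:03:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-server"},"sourceIPAddress":"10.0.1.25","requestParameters":{"bucketName":"example-app-assets","key":"logo.png"}}
{"eventTime":"2022-05-01T10:30:00Z","eventSource":"s3.amazonaws.com","eventName":"ListObjectsV2","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app-server"},"sourceIPAddress":"10.0.1.25","requestParameters":{"bucketName":"example-app-assets"}}
"""


def parse_events(lines):
    """Parse CloudTrail-style JSON lines into the fields we correlate on:
    timestamp, calling principal, source IP, API name and target bucket."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        params = rec.get("requestParameters") or {}  # may be null in CloudTrail
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress", ""),
            "api": rec["eventName"],
            "bucket": params.get("bucketName", ""),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_s3_recon(events, window=timedelta(minutes=10), min_distinct=3):
    """Alert on any principal that issues at least `min_distinct` different
    reconnaissance-type S3 calls within `window`. Each alert carries the
    buckets and source IPs seen, which is the context a responder needs."""
    by_principal = defaultdict(list)
    for e in events:  # already time-ordered, so per-principal lists are too
        if e["api"] in RECON_EVENTS:
            by_principal[e["principal"]].append(e)

    alerts = []
    for principal, evs in by_principal.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["api"] for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                # report everything this principal did inside the window
                limit = evs[start]["time"] + window
                span = [e for e in evs[start:] if e["time"] <= limit]
                alerts.append({
                    "principal": principal,
                    "first_seen": span[0]["time"].isoformat(),
                    "last_seen": span[-1]["time"].isoformat(),
                    "apis": sorted({e["api"] for e in span}),
                    "buckets": sorted({e["bucket"] for e in span if e["bucket"]}),
                    "source_ips": sorted({e["source_ip"] for e in span}),
                })
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_s3_recon(parse_events(SAMPLE_LOG.splitlines())):
        print(json.dumps(alert, indent=2))
```

Run on the constructed sample, the single enumeration sequence from `user/ci-deploy` is flagged while the application role's ordinary `GetObject` and lone `ListObjectsV2` are not. In a real XDR pipeline this cloud-side signal would then be joined with host-agent telemetry (for example, the workload that last used the flagged credentials), which is exactly the cross-source context the paragraph above describes.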

These solutions ultimately improve overall security visibility and intelligence, particularly across your cloud environment, strengthening detection and response for attacks that target more than just cloud workloads.

Why MITRE evaluations should be considered

For organizations in the market for security solutions that are explicitly attack and defense oriented, third-party evaluations can make the vendor selection process much simpler.

The MITRE ATT&CK® Evaluations series, a form of in-the-wild vendor comparison, is incredibly useful for understanding how these security solutions perform against new threats. The evaluations make an excellent starting point because they cover dozens of vendors and compare how their security solutions fare against real-world, known attacks. The evaluation prioritizes real-world circumstances, testing solutions in common environments and set-ups.

The most recent evaluation looked at how various security solutions fared against the Wizard Spider and Sandworm series of attacks, which are known to target cloud environments including Linux. The evaluation considered how solutions detected attacks across a layered simulation and tested their ability to detect attacks even when the adversary used sophisticated techniques to obscure them.

Leveraging these reports and evaluations is crucial for establishing a baseline for vendor consideration. By knowing how these vendors perform against various attacks (and compared to each other), you can narrow down your solution options.

Bitdefender is proud that the GravityZone XDR solution not only provides 360-degree coverage and protection across multiple operating systems but also detected 97% of all major attack steps against Windows machines and 100% of adversary techniques used against Linux systems. The platform also provided analytic insights for over 97% of all sub-steps tested, and the highest possible level of analytics coverage for 95% of all sub-steps tested.

To learn more about Bitdefender’s GravityZone XDR and its performance, click here.

Learn more about how to manage Linux container security challenges here.