Sysdig’s seventh annual Cloud-Native Security and Usage Report identifies how customers are developing, using, and securing cloud-native applications and environments. We analyze data from millions of containers and thousands of accounts and publish the most pertinent information for you. Security practitioners and leaders look forward to this report to identify trends and make adjustments to their cloud security strategy. This year’s trends will help you understand the current strengths of cloud users, greatest opportunities for security posture improvement, rate of AI adoption, and much more. Download the full report to learn more.
Do you follow security best practices, or chase speed and convenience? Keep reading to see where your cloud priorities fall.
Identity neglect: A call to action
“Though I am unsurprised by the apprehension around the security of new technologies like AI, I am disheartened by the massive number of excessive permissions being administered, especially for machine identities. It feels a bit like obsessing over a plane crash while regularly running stop signs with no seatbelt on.”
Anna Belak, Director, Office of Cybersecurity Strategy at Sysdig
Identity management has become the most overlooked cloud attack risk. Only 2% of granted permissions are being used, a reduction year-over-year. Nonhuman applications, tools, and services are being granted thousands of permissions upon initial implementation that are never disabled or deprovisioned. These excessive permissions create an undue risk that is simply unnecessary. A majority of well-known security incidents with material impacts have been linked to poor management of identities and privileges, and yet only 20% of cloud-native application protection platform (CNAPP) users are prioritizing cloud infrastructure entitlements management (CIEM) functions weekly.
Keep shifting left, we aren’t there yet
After a year of prioritizing the remediation of critical or high vulnerabilities in use at runtime, the existence of these vulnerabilities has been reduced by nearly 50%. However, the goal of the shift-left approach is to scan for, identify, and remediate vulnerabilities in the pre-delivery pipeline before runtime, and this is not happening. We found a higher policy failure rate in runtime scans than in continuous integration and continuous delivery (CI/CD) build pipeline scans. If organizations were following the concept of shift-left with fidelity, we would expect the inverse, since policy failures are meant to be caught prior to delivery and before they become exploitable conditions for attackers.
Threat detection advancing toward maturity
The vast majority of Sysdig customers are leveraging threat detection and response (TDR) insights weekly. With this, we see indications of comprehension and maturity with the development and testing of custom behavioral threat detections. This year’s report shows that only 35% of attacks were identified using indicators of compromise (IoCs), while the remaining 65% of attacks were identified with behavior-based detections. The most commonly triggered detections this year fell under the initial access and execution MITRE ATT&CK tactics, which often present themselves earlier in an attack lifecycle than those we saw last year: defense evasion and privilege escalation.
Ephemerality won’t save you from an attack
We’ve seen container lifespan shrink over the last several years, to the extent that 70% of containers live less than five minutes. There is some comfort in knowing that a vulnerable container is short-lived; however, Sysdig’s Threat Research Team (TRT) stated in the 2023 Global Cloud Threat Report that a cloud attack only takes 10 minutes. With the use of automation, an attacker can enter through a vulnerable container and move laterally before the end of its lifespan. Running vulnerable workloads, no matter how short-lived, leaves you at risk for an attack.
AI adoption paradox
While most of our findings this year indicate that organizations choose convenience and speed over more secure practices, we could not attribute this to enterprise AI use. 31% of companies have implemented AI frameworks and packages, but only 15% of these are generative AI. Put simply, most of the AI packages we see right now are used for data correlation and analysis.
Conclusion
From the real-world customer data we gathered and analyzed, we see an evolving cloud security landscape ripe with successes and struggles. Skirting some security best practices might allow organizations to work with fewer barriers, but it also puts them at far greater risk for attacks. For instance, a lack of identity management has gone too far and resulted in many high-profile material attacks. Runtime security and TDR prioritization, however, are reducing vulnerabilities and advancing detection efforts. Short-lived workloads are no match for attackers using automation and, finally, enterprises aren’t quite ready to implement AI in cloud environments.
Want to learn more? Download the full Sysdig 2024 Cloud-Native Security and Usage Report now for additional data and analysis. You can also find our past reports here.