Are you looking to validate if your cloud services are resilient and adequately secured? Consider the following five cloud security benchmarks to assess your organization’s cloud deployments. CISOs know that their security programs should be data-driven and that metrics are integral to communicating the status of security capabilities to organizational stakeholders, including the executive leadership team and the board of directors. Key risk indicators (KRIs) should be used as the measurable metrics to assess cybersecurity risks within your organization. KRIs align cybersecurity efforts with business objectives, and low or high KRI scores, depending on the context, indicate effective risk management.
For organizations operating in the cloud, whether they are cloud-native or just beginning, here are five benchmarks and associated KRIs that the CISO should review with their team.
Vulnerabilities at runtime
We know that not all vulnerabilities are created equal; in fact, most are just noise. CISOs need to add important context to their vulnerability management programs to ensure that security and development teams actively prioritize and remediate high-risk vulnerabilities. Three KRIs that CISOs should benchmark are:
- Percentage of vulnerabilities identified at runtime
- Percentage of vulnerabilities with known exploits
- Percentage of vulnerabilities that are being actively targeted by threat actors
These KRIs provide critical insights into high-impact risks facing applications and services deployed in your cloud. By focusing on in-use vulnerabilities, security teams can ensure that material risks are addressed proactively instead of being lost in a sea of less impactful vulnerabilities.
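As an added illustration (not code from the original post), the script below computes the three runtime-vulnerability KRIs from a constructed inventory of findings and then orders those findings into a remediation queue in which runtime context outranks raw severity. The record fields, the four tiers and the placeholder vulnerability identifiers are assumptions made for this example.

```python
# Added example, not code from the original post. It computes the three
# runtime-vulnerability KRIs from a constructed inventory of findings and
# orders the findings into a remediation queue that puts in-use, exploited
# vulnerabilities first. Field names, tiers and the placeholder identifiers
# are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder id, not a real advisory reference
    workload: str
    severity: str            # "critical" | "high" | "medium" | "low"
    in_use: bool             # affected package is loaded/executed at runtime
    known_exploit: bool      # a public exploit exists
    actively_targeted: bool  # threat intel reports active exploitation


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample inventory (eight findings across three workloads).
FINDINGS = [
    Finding("PLACEHOLDER-VULN-1", "api-gateway", "critical", True, True, True),
    Finding("PLACEHOLDER-VULN-2", "api-gateway", "high", True, True, False),
    Finding("PLACEHOLDER-VULN-3", "batch-worker", "critical", False, True, False),
    Finding("PLACEHOLDER-VULN-4", "batch-worker", "medium", True, False, False),
    Finding("PLACEHOLDER-VULN-5", "frontend", "high", False, False, False),
    Finding("PLACEHOLDER-VULN-6", "frontend", "low", False, False, False),
    Finding("PLACEHOLDER-VULN-7", "batch-worker", "critical", False, False, True),
    Finding("PLACEHOLDER-VULN-8", "api-gateway", "low", True, True, True),
]


def pct(part, whole):
    """Percentage rounded to one decimal; an empty denominator yields 0.0."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def runtime_kris(findings):
    """The three KRIs from the post, each as a share of all findings."""
    total = len(findings)
    return {
        "in_use_pct": pct(sum(f.in_use for f in findings), total),
        "known_exploit_pct": pct(sum(f.known_exploit for f in findings), total),
        "actively_targeted_pct": pct(sum(f.actively_targeted for f in findings), total),
    }


def tier(f):
    """Lower tier number means fix first. Runtime context outranks severity."""
    if f.in_use and f.actively_targeted:
        return 1
    if f.in_use and f.known_exploit:
        return 2
    if f.in_use:
        return 3
    return 4  # not loaded at runtime: track it, but it is mostly noise today


def remediation_queue(findings):
    """Findings ordered by tier, then severity, then id for a stable order."""
    return sorted(findings, key=lambda f: (tier(f), SEVERITY_RANK[f.severity], f.vuln_id))


if __name__ == "__main__":
    print(runtime_kris(FINDINGS))
    for f in remediation_queue(FINDINGS):
        print(f"tier {tier(f)}  {f.severity:<8} {f.workload:<13} {f.vuln_id}")
```

Note how the two "critical" findings that are not loaded at runtime drop to the bottom of the queue while a "low" finding that is in use, exploitable and actively targeted sits near the top; that reordering is the signal-to-noise improvement the KRIs are meant to measure.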
Time to investigate
Alert fatigue is real. Far too often, organizations don’t spend the time necessary to evaluate and remediate the causes of the tsunami of alerts their teams confront because there is simply no time to do so! Like vulnerabilities, not all alerts are created equal. There is a risk that alerts which warrant real-time responses are overlooked.
Ensuring that critical alerts are triaged in real time requires a disciplined approach. Many security teams are still confronting too much noise and not enough signal. As Sysdig’s 555 Benchmark has shown, cloud security practices should be geared to detect threats in 5 seconds, correlate (or investigate) in 5 minutes, and initiate a response in 5 minutes. This is a paradigm shift for most security teams, where too many critical alerts are orphaned or not addressed at timescales that reduce the likelihood of the threat actor being able to exploit an environment. Therefore, three KRIs that CISOs should benchmark are:
- Percentage of threats detected within 5 seconds
- Percentage of alerts discovered at runtime investigated within 5 minutes
- Percentage of investigated alerts responded to within 5 minutes
The 555 Benchmark requires our cloud detection and response capabilities to be fast and efficient enough to keep pace with adversarial tactics, techniques, and procedures (TTPs). CISOs should benchmark how quickly alerts to material systems are investigated and responded to by their teams. As part of this process, ensure that investigations are contextualized to the organization’s operating environment. Systems and applications that are a source of enterprise value should be the top priority for this benchmark. The lower your detection and response times are, the better chance your organization has to avoid a breach.
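To make the three 555 KRIs concrete, here is an added example (not code from the original post or from Sysdig) that scores a constructed set of alert records against the 5-second, 5-minute and 5-minute thresholds. The record layout, the timestamps and the choice of denominators (all alerts for detection, runtime alerts for investigation, investigated alerts for response) are assumptions made for this illustration; an alert whose next stage has not happened yet counts as a miss rather than being ignored.

```python
# Added example, not code from the original post. It scores a constructed
# set of alert records against the 5/5/5 thresholds: detection within 5 s
# of the event, investigation within 5 min of detection, and response within
# 5 min of the investigation. Record layout and timestamps are assumptions.
from datetime import datetime, timedelta

DETECT_SLA = timedelta(seconds=5)
INVESTIGATE_SLA = timedelta(minutes=5)
RESPOND_SLA = timedelta(minutes=5)

# Constructed alert timeline; None means the stage has not happened yet.
ALERTS = [
    {"id": "alert-1", "runtime": True, "event": "2024-03-01T12:00:00+00:00",
     "detected": "2024-03-01T12:00:02+00:00", "investigated": "2024-03-01T12:03:30+00:00",
     "responded": "2024-03-01T12:06:00+00:00"},
    {"id": "alert-2", "runtime": True, "event": "2024-03-01T12:10:00+00:00",
     "detected": "2024-03-01T12:10:09+00:00", "investigated": "2024-03-01T12:13:00+00:00",
     "responded": "2024-03-01T12:25:00+00:00"},
    {"id": "alert-3", "runtime": False, "event": "2024-03-01T12:20:00+00:00",
     "detected": "2024-03-01T12:20:04+00:00", "investigated": "2024-03-01T12:40:00+00:00",
     "responded": None},
    {"id": "alert-4", "runtime": True, "event": "2024-03-01T12:30:00+00:00",
     "detected": "2024-03-01T12:30:05+00:00", "investigated": None,
     "responded": None},
    {"id": "alert-5", "runtime": True, "event": "2024-03-01T12:40:00+00:00",
     "detected": "2024-03-01T12:40:01+00:00", "investigated": "2024-03-01T12:44:59+00:00",
     "responded": "2024-03-01T12:49:00+00:00"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp; a missing stage stays None."""
    return datetime.fromisoformat(value) if value else None


def _within(start, end, limit):
    """True only when both timestamps exist and end - start <= limit."""
    return start is not None and end is not None and (end - start) <= limit


def pct(part, whole):
    """Percentage rounded to one decimal; an empty denominator yields 0.0."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def five_five_five(alerts):
    """The three time-to-investigate KRIs from the post."""
    detected_ok = 0
    runtime_total = runtime_ok = 0
    investigated_total = responded_ok = 0
    for a in alerts:
        event, det, inv, resp = (_ts(a[k]) for k in ("event", "detected", "investigated", "responded"))
        if _within(event, det, DETECT_SLA):
            detected_ok += 1
        if a["runtime"]:
            runtime_total += 1
            if _within(det, inv, INVESTIGATE_SLA):
                runtime_ok += 1
        if inv is not None:
            investigated_total += 1
            if _within(inv, resp, RESPOND_SLA):
                responded_ok += 1
    return {
        "detected_within_5s_pct": pct(detected_ok, len(alerts)),
        "runtime_investigated_within_5m_pct": pct(runtime_ok, runtime_total),
        "responded_within_5m_pct": pct(responded_ok, investigated_total),
    }


def orphaned(alerts):
    """Alerts that were detected but never investigated, the ones the post warns about."""
    return [a["id"] for a in alerts if a["detected"] and not a["investigated"]]


if __name__ == "__main__":
    print(five_five_five(ALERTS))
    print("orphaned:", orphaned(ALERTS))
```

In production the timestamps would come from the detection platform and the ticketing system rather than a literal list, but the measurement logic is the same: each KRI is a ratio whose denominator has to be chosen deliberately, and an open alert must count against the team, not disappear from the metric.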
Identity governance
Overprovisioning is poor practice for human users as well as service accounts (also called machine identities or nonhuman identities). Identity governance should be founded on the principle of least privilege for all accounts. It wasn’t until recently that security leaders became aware of excessive permissions. They rarely saw how overly provisioned most identities were in their operating environments, exposing their organizations to challenging risks. Nearly all security incidents involve some form of an account takeover (ATO) or identity exploitation. Like vulnerability management, where focusing on vulnerabilities exploited at runtime can improve the signal-to-noise ratio, identity-focused benchmarks should be front and center for elevated privilege accounts. Three KRIs that CISOs should benchmark are:
- Percentage of accounts without activity in the last 30 days
- Percentage of granted permissions unused by accounts over the last 30 days
- Percentage of admin-privileged or high-risk accounts without strong authentication
- The definition of risk and an appropriate level of authentication is to be determined by the organization and may vary based on business sector regulations or personal preferences
Too frequently, organizations fail to disable or delete inactive accounts. Trust me, I’ve seen it firsthand far too many times. This also holds true for service accounts. CISOs need to establish organizational identity governance benchmarks prioritizing overly provisioned accounts to reduce attacker opportunity. If accounts are not active, they should be disabled promptly, and in any case within that 30-day threshold. If permissions are not being used, they should also be revoked within a specified window. Similarly, authentication practices for cloud accounts should be well-governed, with particularly strong authentication employed for accounts with elevated privileges.
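The following added example (not code from the original post) derives the three identity-governance KRIs and a list of clean-up actions from a constructed account inventory of the kind an IAM credential report or access-advisor export would give you. Account names, permission strings, the 30-day window and the `strong_auth` flag are assumptions made for this illustration; as the post says, what counts as strong authentication is for the organization to define, so the flag is left as a per-account input.

```python
# Added example, not code from the original post. It derives the three
# identity-governance KRIs and a list of follow-up actions from a constructed
# account inventory. Account names, permission strings, the 30-day window and
# the "strong_auth" flag are assumptions for this illustration.
from datetime import date, timedelta

INACTIVITY_WINDOW = timedelta(days=30)

# Constructed inventory. "used" holds the permissions exercised in the window.
ACCOUNTS = [
    {"name": "alice", "kind": "human", "privileged": True, "strong_auth": True,
     "last_activity": date(2024, 3, 29),
     "granted": {"s3:GetObject", "s3:PutObject", "iam:CreateUser"},
     "used": {"s3:GetObject"}},
    {"name": "bob", "kind": "human", "privileged": False, "strong_auth": False,
     "last_activity": date(2024, 1, 15),
     "granted": {"s3:GetObject"}, "used": set()},
    {"name": "ci-deployer", "kind": "service", "privileged": True, "strong_auth": False,
     "last_activity": date(2024, 3, 30),
     "granted": {"ecr:PutImage", "ecs:UpdateService", "iam:PassRole", "s3:*"},
     "used": {"ecr:PutImage", "ecs:UpdateService"}},
    {"name": "legacy-backup", "kind": "service", "privileged": False, "strong_auth": False,
     "last_activity": None,  # never used since creation
     "granted": {"s3:GetObject", "s3:ListBucket"}, "used": set()},
    {"name": "carol", "kind": "human", "privileged": True, "strong_auth": True,
     "last_activity": date(2024, 3, 31),
     "granted": {"iam:*"}, "used": {"iam:*"}},
]


def pct(part, whole):
    """Percentage rounded to one decimal; an empty denominator yields 0.0."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def is_inactive(acct, as_of):
    """No activity in the window, or never any activity at all."""
    last = acct["last_activity"]
    return last is None or (as_of - last) > INACTIVITY_WINDOW


def identity_kris(accounts, as_of):
    """The three identity-governance KRIs from the post, as of a given date."""
    inactive = sum(is_inactive(a, as_of) for a in accounts)
    granted = sum(len(a["granted"]) for a in accounts)
    unused = sum(len(a["granted"] - a["used"]) for a in accounts)
    privileged = [a for a in accounts if a["privileged"]]
    weak_priv = sum(not a["strong_auth"] for a in privileged)
    return {
        "inactive_30d_pct": pct(inactive, len(accounts)),
        "unused_permissions_30d_pct": pct(unused, granted),
        "privileged_without_strong_auth_pct": pct(weak_priv, len(privileged)),
    }


def governance_actions(accounts, as_of):
    """Concrete follow-ups: disable idle accounts, revoke idle permissions,
    and flag privileged accounts that lack strong authentication."""
    actions = []
    for a in accounts:
        if is_inactive(a, as_of):
            actions.append((a["name"], "disable"))
            continue  # revoking individual permissions is moot once disabled
        for perm in sorted(a["granted"] - a["used"]):
            actions.append((a["name"], f"revoke {perm}"))
        if a["privileged"] and not a["strong_auth"]:
            actions.append((a["name"], "enforce strong authentication"))
    return actions


if __name__ == "__main__":
    today = date(2024, 3, 31)  # constructed reference date
    print(identity_kris(ACCOUNTS, today))
    for name, action in governance_actions(ACCOUNTS, today):
        print(f"{name:<14} {action}")
```

The unused-permission KRI is computed over individual permissions rather than accounts, which is what makes a broadly scoped service account like the constructed `ci-deployer` show up even though it is active every day.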
Infrastructure misconfigurations
We’re all aware of data breaches resulting from inadvertently exposing S3 buckets with sensitive data, for example. The innate complexity of cloud operations and microservices highlights the critical role of secure configurations and the need for continuous assessments. Configuration policies, golden images, and reference architectures are foundational to minimizing cloud security risks. Three KRIs that CISOs should benchmark are:
- Percentage of cloud assets that are assessed against a configuration policy, like the Center for Internet Security (CIS) benchmarks, for your specific cloud service provider (CSP)
- Percentage of configurations consistent with the policies
- Percentage of misconfigurations remediated within a specified timeframe
- Ideally, misconfiguration remediation should be automated
Misconfigurations and vulnerabilities are two sides of the same coin. CISOs should develop benchmarks to assess the state of secure and resilient configurations within their operating environments. Security teams should use policies that include CIS benchmarks across their asset classes to ensure that secure configurations are the rule, not the exception, in their cloud deployments. And similar to the time to investigate, the timelines for addressing misconfigurations for critical systems should be governed proactively; leave little-to-no time for an attacker to take advantage of a misconfiguration.
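As an added example (not code from the original post), the script below checks a constructed asset inventory against a small configuration policy and computes the three misconfiguration KRIs: the share of assets that have a policy applied to them, the share of checks that pass, and the share of findings remediated within a service-level target. The rules are illustrative stand-ins for the kind of control a CIS benchmark describes, not items taken from any benchmark; the asset layout, rule ids, ticket format and the 24-hour remediation SLA are assumptions made for this illustration.

```python
# Added example, not code from the original post. It evaluates a constructed
# asset inventory against a small configuration policy and computes the three
# misconfiguration KRIs. The rules are illustrative stand-ins, not items from
# any CIS benchmark; asset layout, rule ids and the 24-hour SLA are assumptions.
from datetime import datetime, timedelta

REMEDIATION_SLA = timedelta(hours=24)

# Constructed inventory; an asset type with no rule in the policy is "not assessed".
ASSETS = [
    {"id": "bucket-logs", "type": "storage_bucket",
     "public_access_blocked": True, "encryption_at_rest": True, "access_logging": True},
    {"id": "bucket-uploads", "type": "storage_bucket",
     "public_access_blocked": False, "encryption_at_rest": True, "access_logging": False},
    {"id": "vm-web-1", "type": "compute_instance",
     "metadata_v2_only": True, "serial_console": False},
    {"id": "vm-batch-2", "type": "compute_instance",
     "metadata_v2_only": False, "serial_console": True},
    {"id": "queue-main", "type": "message_queue", "encryption_at_rest": True},
]

# (rule id, asset type it applies to, description, predicate on the asset)
POLICY = [
    ("SB-1", "storage_bucket", "public access blocked", lambda a: a["public_access_blocked"]),
    ("SB-2", "storage_bucket", "encryption at rest", lambda a: a["encryption_at_rest"]),
    ("SB-3", "storage_bucket", "access logging enabled", lambda a: a["access_logging"]),
    ("CI-1", "compute_instance", "metadata service v2 only", lambda a: a["metadata_v2_only"]),
    ("CI-2", "compute_instance", "serial console disabled", lambda a: not a["serial_console"]),
]

# Constructed remediation tickets; None means the finding is still open.
TICKETS = [
    {"asset": "bucket-uploads", "rule": "SB-1",
     "detected": "2024-03-01T08:00:00", "remediated": "2024-03-01T10:00:00"},
    {"asset": "bucket-uploads", "rule": "SB-3",
     "detected": "2024-03-01T08:00:00", "remediated": "2024-03-03T08:00:00"},
    {"asset": "vm-batch-2", "rule": "CI-1",
     "detected": "2024-03-02T09:00:00", "remediated": "2024-03-02T20:00:00"},
    {"asset": "vm-batch-2", "rule": "CI-2",
     "detected": "2024-03-02T09:00:00", "remediated": None},
]


def pct(part, whole):
    """Percentage rounded to one decimal; an empty denominator yields 0.0."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def evaluate(assets, policy):
    """One result per (asset, applicable rule): True means consistent with policy."""
    results = []
    for asset in assets:
        for rule_id, asset_type, _desc, check in policy:
            if asset["type"] == asset_type:
                results.append((asset["id"], rule_id, bool(check(asset))))
    return results


def failing(assets, policy):
    """The (asset, rule) pairs that need a remediation ticket."""
    return [(a, r) for a, r, ok in evaluate(assets, policy) if not ok]


def _remediated_within_sla(ticket):
    if ticket["remediated"] is None:
        return False  # still open counts as a miss, not as "pending"
    opened = datetime.fromisoformat(ticket["detected"])
    closed = datetime.fromisoformat(ticket["remediated"])
    return closed - opened <= REMEDIATION_SLA


def misconfiguration_kris(assets, policy, tickets):
    """The three misconfiguration KRIs from the post."""
    results = evaluate(assets, policy)
    assessed = {asset_id for asset_id, _, _ in results}
    return {
        "assets_assessed_pct": pct(len(assessed), len(assets)),
        "checks_consistent_pct": pct(sum(ok for _, _, ok in results), len(results)),
        "remediated_within_sla_pct": pct(sum(_remediated_within_sla(t) for t in tickets), len(tickets)),
    }


if __name__ == "__main__":
    print(misconfiguration_kris(ASSETS, POLICY, TICKETS))
    print("failing:", failing(ASSETS, POLICY))
```

The first KRI is the one most often skipped: an asset class with no policy at all (the constructed `queue-main` here) is invisible to the compliance percentage, so coverage has to be reported alongside pass rate or a 100% "consistent" figure can hide entirely unassessed infrastructure.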
Security coverage
Our security applications and tools are only effective when implemented correctly and deployed across the entirety of our cloud infrastructure. Purpose-built cloud-native tools are designed to operate at cloud speed, providing the telemetry to detect and respond to cloud threats in real time. CISOs and security architects should collaborate with developer teams to deploy security tools that operate at the speed of business (business operations can change quickly with modern tech and innovation) while providing verifiable and comprehensive security coverage. Three KRIs that CISOs should benchmark are:
- Percentage of cloud assets with properly configured security logging and monitoring telemetry
- Percentage of security applications and tools that are consistent with the 555 benchmark
- Number of material incidents on critical applications and systems
CISOs should continuously assess whether their security applications and tools provide adequate and timely telemetry. Absent these inputs, investigating and responding to cloud-based threats becomes challenging and returns your security posture to a reactive state. With appropriate security tooling operating at cloud speed, CISOs will have the assurance needed to ensure that enterprise applications and systems are resilient, governed, and secured, consistent with the organization’s priorities.
Conclusion
A data-driven approach is the best and most effective method for validating and communicating your cloud security and resiliency posture. KRIs are tangible, and by benchmarking key security areas, CISOs can ensure that their cloud environments are both secure and properly aligned with business objectives.
At the end of the day, a secure cloud comes down to visibility, speed, and resiliency. With the rapid pace of cloud innovation and threats, security teams must drive real-time response capabilities and prioritize high-impact risks. By consistently tracking and refining KRIs such as vulnerabilities at runtime, time to investigate, identity governance, infrastructure misconfigurations, and security coverage, organizations can confidently demonstrate their security effectiveness to leadership and stakeholders.