Active Cloud Risk: Why Static Checks Are Not Enough

By Ryan Davis - APRIL 16, 2024


How would you feel about your home security system if it only checked periodically to see whether your doors and windows were locked? Such a system could provide great visualizations of your house and how a criminal could get from one room to another, ultimately reaching one of your prized possessions, like a safe. However, it has no cameras on your doorbell or windows to alert you in real time when someone suspicious is approaching, or worse, trying to break into your house. Would you be satisfied with it?

For the same reason, you should not be content with static checks of your cloud security posture while active risks exist in your cloud environment.

Static vs. active risk

Static risk

To understand active cloud risk, you need to understand static risk first. Static risks are the direct result of static checks: point-in-time snapshots of your cloud environment, usually taken every few hours, that are used to assess your security posture. Traditional Cloud Security Posture Management (CSPM) tools use static checks and can surface static risks such as:

  • Critical vulnerabilities 
  • Misconfigurations 
  • Policy/control failure 
  • Network exposure 
  • Data exposure 

Static risk assessment is still important. For example, misconfigured cloud storage buckets are commonly associated with data breaches. But relying only on static risk and believing your cloud is therefore secure lulls you into a false sense of comfort. These risks remain static in traditional CSPM, don’t change very often, and most are never exploited. The problem with static risk is that you miss real-time activities and changes, like the proverbial thief trying to break down your door. And frankly, most cloud environments have hundreds, if not thousands, of static risks that pop up again scan after scan, generating a lot of noise and alerts that are hard to prioritize.

Active cloud risk

This is why you need visibility into active risk, and why you need to prioritize it. Active cloud risk includes real-time activities and dynamic changes in your environment, such as:

  • Risky identity behavior (e.g., a user actively logging in without MFA)
  • Real-time configuration changes (e.g., a connection to a known malicious network)
  • In-use permissions (e.g., high-privilege access activated with no prior use)
  • In-use packages with critical vulnerabilities (e.g., an actively running software package with high-CVSS vulnerabilities)
  • Workload threats (e.g., a public encryption key uploaded)

Active cloud risks are potentially serious events that are happening in real time in your environment. These are the risks you want to focus on and prioritize NOW. In doing so, you reduce noise and alert fatigue by prioritizing the most critical risks and by responding in a timely manner when it matters most.

Combat active cloud risk with runtime insights

A better solution is to uncover and combat active cloud risk using runtime insights. Such a solution should go beyond static checks and be able to detect active cloud risk – real-time configuration changes, suspicious user activity, in-use permissions, in-use packages with vulnerabilities, and workload threats – to deliver real-time insight into the most urgent threats in your cloud environment. But surfacing active risks on their own is not enough.

More importantly, runtime insights should be used to enrich static risk findings, overlaying active risk information to help you prioritize, investigate, and remediate complex issues and interconnected risks. The riskiest combinations of static and active risk are stack-ranked to the top. From there, you can drill down and visualize the interconnected risks (both static and active) using attack path analysis to speed your investigation. And within the same workflow, guided remediation helps you fix the issue fast.
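To make the two lists above concrete, here is an added example (written for this page, not code from the post or from Sysdig's product) that derives two of the active signals listed earlier, a console login without MFA and the first use of a high-privilege action, from a constructed, simplified CloudTrail-like event stream, then overlays them on constructed static posture scores so that a medium static finding under active use outranks a critical finding nobody is touching. Event shape, scores, the high-privilege action set and the boost weight are all assumptions.

```python
from collections import defaultdict

# Constructed sample events in a simplified CloudTrail-like shape (not real telemetry).
EVENTS = [
    {"principal": "alice", "event": "ConsoleLogin", "mfa": False, "resource": "acct-main"},
    {"principal": "build-bot", "event": "iam:AttachUserPolicy", "mfa": True, "resource": "acct-main"},
    {"principal": "alice", "event": "s3:GetObject", "mfa": False, "resource": "bucket-finance"},
    {"principal": "ops", "event": "ec2:AuthorizeSecurityGroupIngress", "mfa": True, "resource": "sg-web"},
]
# Constructed baseline: high-privilege actions each principal has used before.
BASELINE = {"ops": {"ec2:AuthorizeSecurityGroupIngress"}}
# Assumed set of actions treated as high-privilege for the "first use" signal.
HIGH_PRIV = {"iam:AttachUserPolicy", "iam:CreateAccessKey", "sts:AssumeRole"}
# Constructed static findings from a posture scan: resource -> severity score 0..10.
STATIC = {"bucket-finance": 7, "acct-main": 3, "sg-web": 5, "db-legacy": 9}
BOOST_PER_SIGNAL = 4  # assumed weight an active signal adds to a resource's static score

def active_signals(events, baseline=BASELINE):
    """Map each resource to the active-risk signals observed in the event stream."""
    seen = defaultdict(set)      # actions already observed per principal in this stream
    signals = defaultdict(list)  # resource -> [(signal_name, principal), ...]
    for e in events:
        if e["event"] == "ConsoleLogin" and not e["mfa"]:
            signals[e["resource"]].append(("login_without_mfa", e["principal"]))
        prior = baseline.get(e["principal"], set()) | seen[e["principal"]]
        if e["event"] in HIGH_PRIV and e["event"] not in prior:
            signals[e["resource"]].append(("first_use_high_priv", e["principal"]))
        seen[e["principal"]].add(e["event"])
    return signals

def prioritize(static, signals):
    """Stack-rank resources: static score plus a boost for each active signal on the same resource.
    Returns (score, resource, [signal names]) tuples, highest risk first."""
    ranked = []
    for res, score in static.items():
        sigs = [name for name, _ in signals.get(res, [])]
        ranked.append((min(10, score + BOOST_PER_SIGNAL * len(sigs)), res, sigs))
    ranked.sort(key=lambda r: (-r[0], -len(r[2]), r[1]))
    return ranked

if __name__ == "__main__":
    for score, res, sigs in prioritize(STATIC, active_signals(EVENTS)):
        print(f"{score:>2}  {res:<16} {', '.join(sigs) or '(no active signals)'}")
```

In the constructed data, acct-main has only a score-3 static finding but carries two active signals and ranks first, while db-legacy keeps its score of 9 and ranks second because nothing is happening on it.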

Is active cloud risk just EDR?

If you have gotten to this point, you might be asking yourself, “Is active cloud risk detection just another version of Endpoint Detection and Response (EDR)?” The short answer is both yes and no.

Let’s start with why not. Traditional EDR solutions have relied on agents to detect intrusions and threats on your endpoints. In the cloud, you have not only endpoints but also hundreds of different services that are impossible to instrument completely with agents, leaving you with huge blind spots.

On the other hand, yes, runtime insights help with cloud-based detection and response. That is why at Sysdig we believe in a platform approach to cloud security with a comprehensive CNAPP solution. You can start with posture and prevention using our CSPM capabilities and leverage runtime insights for active risk prioritization and mitigation, then expand the platform’s capabilities to deliver detection and response. An integrated platform approach not only consolidates tools but streamlines workflows from prevention and detection to investigation and response, saving you time when every second counts.

Agentless vs. agent approaches 

Now you might be getting down into the nitty-gritty and asking, “What’s the underlying technology approach to address active cloud risk?” Traditional EDR solutions all use agents to detect intrusions and threats, limited to endpoints, while traditional CSPM solutions have been steadfast in promoting agentless scanning to reduce friction and to simplify setup and maintenance.

At Sysdig, we give you the option to use either or both, delivering breadth and depth of visibility and protection. For posture and prevention use cases, we can scan your environment agentlessly, using APIs, for misconfigurations, vulnerabilities, and other risks. But we don’t stop there. Our detection engine, based on open source Falco, can stream cloud and SaaS log data, adding agentless detection to our arsenal. That’s right: you get runtime insights and active risk detection without needing to deploy agents. This gives great breadth of coverage and full visibility across your cloud estate.

When you want additional workload visibility and real-time detection and prioritization of workload risks, you can choose to deploy our agent to complement our agentless scanning and detections. This gives you depth of analysis and deep visibility into key workloads. Of course, if you are looking for a complete CNAPP solution or Cloud Detection and Response (CDR), this is also where you’ll use our agent to get the most advanced workload detections.

It’s time to change your cloud security approach 

So, are you still satisfied with static checks of your critical cloud environments?

Hopefully by now we’ve convinced you that the static checks used by traditional CSPM tools are not enough, and are frankly inadequate in today’s ever-evolving, fast-moving threat landscape. The better approach is a unified platform that not only scans for risk but helps you prioritize, investigate, and remediate real-time active cloud risk.

Here at Sysdig, our unified platform delivers breadth of visibility and depth of defense, using runtime insights to highlight and combat active cloud risk, all while giving you the option to do so with or without an agent. The choice is yours – make the right one.
