Sysdig Identifies a Cloud-Native Security Crossroads: Best Practices vs. Convenience and Speed

Dig into the Sysdig 2024 Cloud-Native Security and Usage Report trends
By Crystal Morin - JANUARY 31, 2024


Sysdig’s seventh annual Cloud-Native Security and Usage Report identifies how customers are developing, using, and securing cloud-native applications and environments. We analyze data from millions of containers and thousands of accounts and publish the most pertinent information for you. Security practitioners and leaders look forward to this report to identify trends and make adjustments to their cloud security strategy. This year’s trends will help you understand the current strengths of cloud users, greatest opportunities for security posture improvement, rate of AI adoption, and much more. Download the full report to learn more.

Do you follow security best practices, or chase speed and convenience? Keep reading to see where your cloud priorities fall.

Identity neglect: A call to action

“Though I am unsurprised by the apprehension around the security of new technologies like AI, I am disheartened by the massive number of excessive permissions being administered, especially for machine identities. It feels a bit like obsessing over a plane crash while regularly running stop signs with no seatbelt on”

 Anna Belak, Director, Office of Cybersecurity Strategy at Sysdig

Identity management has become the most overlooked cloud attack risk. Only 2% of granted permissions are being used, a reduction year-over-year. Nonhuman applications, tools, and services are being granted thousands of permissions upon initial implementation that are never disabled or deprovisioned. These excessive permissions create an undue risk that is simply unnecessary. A majority of well-known security incidents with material impacts have been linked to poor management of identities and privileges, and yet only 20% of cloud-native application protection platform (CNAPP) users are prioritizing cloud infrastructure entitlements management (CIEM) functions weekly.  

Sysdig Identifies a Cloud-Native Security Crossroads: Best Practices vs. Convenience and Speed

Keep shifting left, we aren’t there yet

After a year of prioritizing the remediation of critical or high vulnerabilities in use at runtime, the existence of these vulnerabilities has been reduced by nearly 50%. However, the goal of the shift-left approach is to scan for, identify, and remediate vulnerabilities in the pre-delivery pipeline before runtime — this is not happening. We found a higher policy failure rate in runtime scans than continuous integration and continuous delivery (CI/CD) build pipeline scans. If organizations were following the concept of shift-left with fidelity, we would expect the inverse of the results since policy failures are meant to be caught prior to delivery and before they become exploitable conditions for attackers.

Threat detection advancing toward maturity

The vast majority of Sysdig customers are leveraging threat detection and response (TDR) insights weekly. With this, we see indications of comprehension and maturity with the development and testing of custom behavioral threat detections. This year’s report shows that only 35% of attacks were identified using indicators of compromise (IoCs), while the remaining 65% of attacks were identified with behavior-based detections. The most commonly triggered detections this year fell under the initial access and execution MITRE ATT&CK tactics, which often present themselves earlier in an attack lifecycle than those we saw last year, defense evasion and privilege escalation.

Ephemerality won’t save you from an attack

We’ve seen container lifespan shrink over the last several years, to the extent that 70% of containers live less than five minutes. There is some comfort knowing that a vulnerable container is short-lived, however, Sysdig’s Threat Research Team (TRT) stated in the 2023 Global Cloud Threat Report that a cloud attack only takes 10 minutes. With the use of automation, an attacker can enter through a vulnerable container and move laterally before the end of its lifespan. Running vulnerable workloads, no matter how short-lived, leaves you at risk for an attack.

AI adoption paradox

While most of our findings this year indicate that organizations choose convenience and speed over more secure practices, we could not attribute this to enterprise AI use. 31% of companies have implemented AI frameworks and packages, but only 15% of these are generative AI. Put simply, most of the AI packages we see right now are used for data correlation and analysis.

Sysdig Identifies a Cloud-Native Security Crossroads: Best Practices vs. Convenience and Speed


From the real-world customer data we gathered and analyzed, we see an evolving cloud security landscape ripe with successes and struggles. Skirting some security best practices might allow organizations to work with fewer barriers, but it also puts them at far greater risk for attacks. For instance, a lack of identity management has gone too far and resulted in many high-profile material attacks. Runtime security and TDR prioritization, however, are reducing vulnerabilities and advancing detection efforts. Short-lived workloads are no match for attackers using automation and, finally, enterprises aren’t quite ready to implement AI in cloud environments.
Want to learn more? Download the full Sysdig 2024 Cloud-Native Security and Usage Report now for additional data and analysis. You can also find our past reports here.

Want to learn more? Download the full Sysdig 2024 Cloud-Native Security and Usage Report now for additional data and analysis. You can also find our past reports here.

Heading to KubeCon Europe?

Swing by booth J23 to elevate your knowledge on cloud and container security and discover how to stop attacks in real time. Don’t miss out on live demos, book signings, and exciting prizes.

Subscribe and get the latest updates