The Urgent Need for Real-time Cloud Detection & Response

By Loris Degioanni - MARCH 14, 2024


It is impressive how explosively the cloud security market has embraced detection and response in recent months.

The industry, including both users and vendors, is rapidly acknowledging the complexity of modern cloud attacks. Facilitated by automation and APIs, attacks cannot be effectively countered with traditional solutions that lack context of cloud environments or focus solely on posture.

Sysdig has been aware of this for quite some time. Sysdig began this journey by creating Falco, the open source standard for cloud-native threat detection and response. More recently, our Threat Research Team uncovered key cloud attacks (SCARLETEEL, AMBERSQUID, SSH-Snake) and determined that it takes less than 10 minutes for bad actors to inflict damage. This work led us to develop a benchmark that security teams must achieve to keep pace with cloud attacks. We call it the 5/5/5 Benchmark for Cloud Security.

Recent events indicate that a growing number of people share our perspective:

  • Falco has achieved graduation status within the Cloud Native Computing Foundation (CNCF). This milestone underscores the cloud native community’s recognition of the critical role of detection and response.
  • During the most recent earnings call, CrowdStrike’s leadership highlighted that the speed of cloud attacks is dramatically accelerating.
  • Finally, Wiz announced the acquisition of Gem Security, an attempt to add detection and response to a posture-centric product.

The cloud demands a comprehensive strategy

The reason for this urgency is clear: traditional, posture-based approaches, while important, are inadequate for addressing modern cloud attacks. Similarly, threat detection and response solutions built for endpoints and on-premises networks lack the rich cloud and DevOps context needed to thwart cloud attacks and “zero days.”

The solution is becoming evident and requires a comprehensive strategy:

  • Integrating posture management with detection and response is crucial. Only a holistic view of risk that correlates misconfigurations and supply chain vulnerabilities with actual attack behaviors can eliminate blind spots and prevent the overwhelming flood of irrelevant findings.
  • Operating on a multitude of data sources is essential. This includes configuration information from agentless scans, workload signals from agents, trails from cloud services, and logs from applications like Okta and GitHub. All this data, rich in detail, must be not only collected but also accurately correlated.
  • Being truly real time is non-negotiable. If logs must be sent to a SIEM or a legacy detection and response platform, by the time the data is ingested and indexed, it’s already too late.
  • A combination of agentless and agent-based telemetry is required to truly understand cloud attacks.

Simply put: cloud security requires runtime insights. Preventative measures will never help detect, contain and manage zero-day attacks.

Sysdig’s vision for the past several years has been a runtime-powered CNAPP. We’ve been committed to creating the best integrated platform, where the utilization of runtime insights is a fundamental design principle, not an afterthought. Our platform aims to deliver the best insights in the shortest time possible.

Our users are embracing this vision aggressively: just a few weeks after releasing our Okta and GitHub integrations, dozens of customers have deployed them, leveraging them to detect and respond to advanced threats.

The Sysdig vision is to create a world where enterprises can safely innovate in the cloud. To do that, they must have a CNAPP solution that has real-time detection and response at the center. If you’re a security leader looking for a rich, powerfully integrated solution that leverages detection and response to protect against the most sophisticated cloud threats, you have two options:

  • Wait for other vendors to define their strategies and complete their acquisitions. Then pause to give them time to successfully integrate their new product into their existing platform so it is a seamless experience.
  • Choose Sysdig now.

As we all know, your adversaries won’t wait.

Learn more about the Sysdig 5/5/5 benchmark here.