Why DevSecOps is critical to defending against cloud-based attacks

However, moving quickly through the development cycle means that security can be left as an afterthought. Despite cloud security being a top priority for chief information security officers (CISOs), some digital transformation projects such as migrating workflows, applications and processes to the cloud still don’t consider security at an early enough stage in the project. This can lead to vulnerabilities or misconfigurations that are able to be exploited.

This is concerning, with the CrowdStrike 2022 Falcon OverWatch Threat Hunting Report revealing that targeted intrusions from state-sponsored adversaries in the APJ region rose to 35 per cent in 2022 — up from 27 per cent in 2021. These adversaries are highly sophisticated and proactively look for these types of vulnerabilities to exploit.

Due to the agile nature of cloud technologies — and the increased opportunistic nature of adversaries — security must be integrated at every stage of the DevOps lifecycle. This is known as DevSecOps, and this mindset is an absolute necessity for any organisation that is leveraging the cloud, and requires new security guidelines, policies, practices, and tools.

The cloud is vulnerable

Data breaches are among the most urgent concerns of any organisation today. A 2022 report revealed that the average cost of a data breach rose to US$4.35 million ($6.46 million) in 2022 and showed that 45 per cent of breaches were cloud-based.

What might not be so obvious is that the techniques adversaries use to infiltrate the cloud differ from on-premises environments. Malware attacks are less prevalent; instead, attackers exploit misconfigurations and other vulnerabilities. So much so that malware-free activity accounted for 71 per cent of all detections indexed by the CrowdStrike Threat Graph in 2022. These threats have grown significantly in the APJ region in particular, with CrowdStrike OverWatch observing a 60 per cent increase in interactive, hands-on intrusions year-on-year — far higher than the global average of 50 per cent.

Another major concern is that organisations are usually using multi-cloud, which can cause a visibility issue. It can result in cloud workloads and traffic that are not properly monitored, leaving security gaps to be exploited by attackers. DevOps teams also tend to provide employees with far more privileges and permissions than needed to perform their job, which increases identity-based threats. What’s concerning about this is that, according to the CrowdStrike 2022 Global Threat Report, nearly 80 per cent of cyber attacks in the last year leveraged identity-based attacks to compromise legitimate credentials.

Threat actors will also deploy a variety of attack methods to compromise an organisation’s cloud environment. Lateral movement is a common technique that involves threat actors going from the point of entry to the rest of the network (for example, infiltrating an end user or system hosted on-premises and then shifting their access to the cloud). CrowdStrike OverWatch observed that adversaries move quickly. In just 84 minutes they can move laterally from a compromised instance to another instance within the victim environment — and 30 per cent have been observed to move laterally in under 30 minutes.

VIEW ALL

Alternatively, another way for attackers to profit from cloud vulnerabilities is by installing cryptominers onto a company’s system. Cryptocurrency mining is an activity that requires large amounts of computing power. Threat actors will use compromised cloud accounts to carry out this process and extract as much profit as possible, while simultaneously using up the company’s resources.

Shifting security left

Protecting the cloud means securing an increasingly large attack surface that ranges from cloud workloads to virtual servers and other technologies that underpin the cloud environment. Attackers are always looking for soft spots they can exploit, particularly vulnerable cloud applications. With organisations moving to the cloud now more than ever to meet the needs of a remote workforce, opportunities to exploit cloud apps have increased.

Traditionally, code is subjected to security as the last phase before release. When vulnerabilities are exposed, either the release is delayed or the development team has to scramble to correct each security issue while the security team has to scramble to check the revisions. For DevOps teams, shifting security left ensures vulnerable code is identified as it is developed rather than in the testing phase, which reduces costs and results in secure cloud apps.

The concept of shift left security is an essential part of the software development lifecycle and getting it right must be a top priority. By embedding security into the earliest phases of the development process, organisations can achieve DevSecOps and significantly reduce the security concerns around cloud-native software and application development.

Threat intelligence enables better DevSecOps

Organisations that use DevSecOps tools and practices can build a powerful and secure cloud foundation. Unifying the visibility of multi-cloud environments and continuous intelligent monitoring of all cloud resources are essential in cloud security. That unified visibility must be able to detect misconfigurations, vulnerabilities and security threats while providing actionable insights and automated remediation for developers and DevOps teams.

Additionally, it’s essential to have the right security policies in place that enforce cloud security standards to meet (or exceed) industry and government regulations across the entire infrastructure. This includes everything from multi-factor authentication to general security best practices for all employees and robust incident response that ensures the company is prepared for an attack.

But for DevSecOps to be truly effective, organisations must place threat intelligence at the heart of their cloud security strategy. Adversaries are constantly finding new ways to target the cloud and are always identifying novel weaknesses to exploit. So, without proactively hunting for the latest criminal behaviours and tactics, security teams are ill-equipped to keep pace with the changing threat landscape.

Effective threat intelligence enables security teams to anticipate threats and prioritise defence, mitigation and remediation effectively to pre-empt them. Delivering all this functionality from the cloud and for the cloud through DevSecOps provides organisations with the prevention, detection, visibility, and response capabilities they need to stay ahead of evolving threats.

Fabio Fratucello is the chief technology officer, APJ at CrowdStrike.