Taj El-khayat, Area VP, South EMEA, Vectra AI reveals GCC’s $7.45M ransomware impact overshadows global averages, fueling demand for AI-powered Cloud Detection and Response (CDR). Cloud breaches escalate by 45%, prompting a shift towards Attack Signal Intelligence for comprehensive defense.
According to IBM’s most recent “Cost of a Breach” report, GCC enterprises face an average $7.45 (USD) million headache when hit by ransomware and other malicious payloads. This is around 70% higher than the global average of $4.35 (USD) million — yet another indication that the region is a priority target for threat actors. What also emerged from the data was that 45% of data breaches around the world in 2022 occurred in the cloud. This is unsurprising. Everyone everywhere migrated to the cloud to survive lockdowns. But it is also alarming. Cyber gangs have found a new favorite playground.
SOC teams are up against it. Just as they started to make headway on a security suite that could optimize their time metrics — detection, investigation, and response — their infrastructure was whisked away to a new home. They lost visibility; they lost control. And as work pressures mounted from threat campaigns taking advantage of all the confusion, they lost colleagues to frustration and burnout.
What is the answer? It is not endpoint detection and response (EDR), and it is not network detection and response (NDR). Neither go far enough. We need integrated AI-driven cloud detection and response (CDR) to deliver a high-fidelity attack signal — or as we call it — Attack Signal Intelligence. EDR and NDR simply cannot cope with the new setup. They cannot fish for cloud vulnerabilities at third parties such as identity-management companies. What chance does an enterprise stand against the threat landscape when running tools that only probe its own assets while multiple third parties cling to its superstructure and share its data?
The obligatory cautionary tale
There are multiple real-world examples of this. One of the latest is LastPass, which offers a “zero-knowledge” encryption model for data vaults. According to multiple industry and media reports, adversaries got control of a LastPass corporate laptop by exploiting a software vulnerability for which a patch was readily available. This led to the compromise of 30 million customers’ sensitive data. Those customers could have had internal security that was entirely up to code, but a third party that was integral to their infrastructure had suboptimal hygiene and a risk resulted.
Once something like this occurs, the trust, as they say, is gone. Not just for LastPass. And not just for the many others that have been probed, prodded, and phished by threat actors to steal golden-goose credentials. The entire multi-cloud, hybrid model is called into question. According to IBM’s research, if stolen credentials are used in a breach, the mean time to identify shoots up to 243 days and the mean time to contain hits 84 days. No other initial vector reaches these heights.
CDR tools are designed to identify these kinds of tactics. They are able to pinpoint malicious behaviors dotted along the kill chain and trace them back to a compromised account. CDR then compiles a log of all actions taken by the account from the time of compromise, giving security professionals time to shut down the attack before impact can occur.
No way back
Microsoft, Google, and AWS all have big plans for their clouds in the region. They are here to stay as are GCC enterprises — in the infrastructures of these hyperscale providers. Why would they not? The business benefits speak for themselves — greater scalability and agility, more use-case options and lower costs. But if the cloud is to be our future, we must ensure that the future does not include persistent, out-of-control risk.
The ballooning attack surface is therefore something we must face head on. Given the complexity of modern IT suites, it is inadvisable to run a tool for every little thing. It is this point-solutions approach more than anything that is confusing security teams and making them less effective. Too many vendors with too many solutions and a lack of understanding (on the customer side) of what each does — and more importantly, does not do — means rectifying the status quo is also complicated.
If we want to get rid of our blind spots and deliver Attack Signal Intelligence that moves at the speed and scale of hybrid cloud attacks, we must step away from such an emphasis on preventative tools (which admittedly shine a much-needed light on cloud resources and misconfigurations) and move towards a solution that can detect novel attack vectors. We have already seen the proliferation of stolen credentials compared to other attack methods (more than a third of all attacks, according to IBM) and we have the figures on dwell time too. Cloud misconfigurations, by comparison, are involved in around 15% of breaches. Therefore, prevention alone leads to more vulnerability.
Sleep soundly
CDR oversees all actions in a cloud environment and can spot suspicious behavior in real time. Artificial Intelligence (AI) plays a central role in its design, allowing the technology to go beyond event-based or baseline anomalies to focus on tactics, techniques, and procedures (TTPs). This delivers the sort of Attack Signal Intelligence that empowers security teams to unearth the most sophisticated attacks and prioritize their investigations.
With less time wasted on false positives, response times increase, and dwell times are significantly reduced. Is an authorized user behaving strangely? Is an external entity operating with compromised credentials? Attack Signal Intelligence, delivered through CDR, can separate the suspicious from the legitimate. AI-driven attribution allows observed behaviors to be linked to identities, even if the suspicious action was undertaken using temporarily granted permissions. This means investigations will always be more effective.
We live in the cloud. It is not only our new home. It is, for all intents and purposes, our forever home. The location is sublime. And while there may be problems with the plumbing, these problems are fixable. CDR, and by association, Attack Signal Intelligence, must necessarily become our home’s protector. And like any good protector, brawn alone is not enough. A watchful eye and a context-sensitive brain are deployed on our behalf, allowing us to sleep soundly through the night.