Practical Guide to Cloud Threat Detection, Investigation, and Response

Table of Contents

Introduction ........ 3
What is Cloud Detection and Response? ........ 4
Why do I need a Cloud Detection and Response Solution? ........ 5
How is Cloud Different: The Attacker Perspective ........ 5
How is Cloud Different: The Defender Perspective ........ 6
Evidence from the Front Lines ........ 6
Why Traditional SecOps Tools & Current Cloud Security Solutions Fall Short for Cloud Use Cases ........ 8
How Cloud Detection and Response benefits the business ........ 10
How Cloud Detection and Response fits into the operations workflow ........ 11
Core Capabilities of Cloud Detection & Response Tools ........ 12
About Gem Security ........ 13

Introduction
The cloud presents a blessing and a curse for modern security teams: though abundant telemetry allows for unparalleled
visibility and control, the ability to turn that potential into a robust, operationalized security program has so far been
elusive for most companies today.
The paradox of cloud security is that the very same factors that provide so much promise in theory, like telemetry
availability and development speed, also make security operations a real challenge in practice. Complicating the
issue is that neither existing cloud security products (like CSPM) nor traditional security operations tools (like SIEM) are
capable of handling complex cloud signals and delivering the real-time visibility, complete detection and immediate
response functionality that security teams need today.
Biggest Challenges for Detection & Response in Cloud
• Real-time, centralized visibility is challenging to obtain due to cloud scale and speed
• Detection engineering in the cloud is extremely labor intensive due to a lack of domain-specific knowledge and resources
• MTTR is often too high as organizations sift through massive amounts of telemetry to investigate threats

Biggest Opportunities for Detection & Response in Cloud
• Telemetry is extremely rich and easily available through APIs, eliminating the need for agents and distributed collection
• Automation enables organizations to increase the speed at which they detect threats, and use the power of the cloud against attackers
• Availability of APIs promises programmatic security, where threats can be automatically and efficiently contained
This report by Gem outlines the challenges and opportunities arising in detecting and responding to threats in the cloud.

Read on to learn:
• Why an assume-breach approach is critical in building resilience in cloud security, and why an assume-breach mindset requires new techniques and tooling
• What we’ve learned from talking to over 200 CISOs about why security teams today struggle to respond to active cloud threats in real time
• Why traditional security operations tools and existing cloud security products, including SIEM, CNAPP, and CSP-native tools, are ill-suited for real-time cloud threat detection and response
• What the key capabilities of CDR tools are, and the benefits to the business from adopting a purpose-built cloud threat detection, investigation, and response solution
"In general, when there’s a customer of ours that has a breach in the cloud, it’s at the control plane. Somebody got access to credentials and they’re able to expand the cloud environment and just wreak havoc. To respond, it all comes down to having visibility, collecting information, and analyzing it. And it’s just done differently in the cloud."
Kevin Mandia | CEO
What is Cloud Detection and Response?

Given the unique challenges in Cloud Threat Detection, Investigation, and Response, a new category of security tools is emerging, designed to help security operations teams detect and stop attackers in the cloud. This new set of solutions brings t