Vectra AI and multicloud threat mitigation

In the game of hunting out threats in the multicloud attack surface, you have to ask the right questions.
5 October 2022

Multicloud threat mitigation is a detection game for both humans and high-tech in harmony.

More and more businesses are moving to a multicloud environment to take advantage of the significant benefits such environments can bring in terms of using the best packages and products for each critical function of the business. But with a multicloud environment comes multiple data security threats – a fact too many businesses as yet don’t appreciate. We sat down with Mark Wojtasiak, VP Product Strategy at Vectra AI, to talk through the dangers, the solutions, and the need for a leveling up of general business understanding. In this first part of our discussions, we focused on the key questions raised by the new attack surfaces of the multicloud environment.

THQ:

Do we think enough companies fully appreciate the way in which multicloud or hybrid cloud ecosystems can change the cyber threat landscape that they face?

MW:

No. No, I don’t think they do. I think that there are two fundamental questions that need to be answered – and they’re not the ones we’ve traditionally asked. Usually, we’ve asked: do we have visibility? And do we have control?

I don’t think companies in general fully appreciate what using a hybrid cloud or multicloud setup means from an attack surface perspective, or a cyberthreat perspective, because the questions that security teams need to ask themselves change in those environments.

With the shift of attack surface to hybrid and multicloud, the questions are now: 1 – where are we exposed right now? And 2 – where are we compromised right now? I don’t think a lot of companies can effectively answer those questions.

The new realities of exposure and compromise

THQ:

So that’s the important shift in the attack surface? From visibility and control to exposure and compromise?

MW:

Yes. There’s a lot of momentum behind cloud posture management and SaaS posture management and things like that. And that’s all about understanding your exposure. Where does the cloud exposure exist? Where can we close those vulnerabilities? And that’s a continuous effort, because the answer can change by the hour, if not by the minute. You’re never one and done with this. Just because you understand where your vulnerabilities and exposure are, that’s one thing, but attackers are super clever. They’re always going to find ways in, so you’ve got to follow up that question of exposure with the second question – where are we compromised right now? So if you understand exposure, and you understand compromise, those two things feed each other.

So the more you’re shoring up, the more you know about your exposure, and the more you know about your compromise. You’re constantly improving your posture. So continually asking yourself those questions and answering those questions is going to definitely help.

And with the expansion of the attack surface, what we’re seeing is that one of the biggest areas of concern is identity – attacks on identity systems and leveraging identity systems to not only compromise credentials and get access, but then also get access to privileged accounts. And once you have access to privileged accounts, admin level, then you’ve got the keys to the kingdom and you’re progressing largely undetected.

We can talk about the promise of all of those technology categories, but at the end of the day, it comes back to where are we compromised? We fundamentally need to answer that question. And I don’t think we can answer it quickly enough. And we’ve got to figure out ways to do it better.

THQ:

What’s the one-line difference between exposure and compromise?

MW:

Exposure is “where is there a door open?” Compromise is “Where has there been a door open, through which the attacker has already come in?”

Getting ahead of the threat

THQ:

So how do you get in front of that? If someone’s already come in, how do you get ahead of them?

MW:

Attackers have tendencies. You can map to their attack and defend, but they all have tendencies and, if you understand their tendencies and their behaviors, and you have detection models that can see those things happening, you can get out in front of them. That’s what we do in Vectra detection models – I can see those things happening, you can actually see an attack as it’s unfolding, versus seeing it after the damage has already been started, whether it’s a ransomware attack, or whether it’s data exfil, or whatever it might be. So, you can get ahead by understanding how an attacker behaves across that cyber kill chain, how they’ve gotten in, how they are doing their reconnaissance, how they’re doing their discovery work. Piece all those things together and you can say “Yes, this is an attack in progress.”

If they have gained access to privileged credentials, you can put controls in place. You can have a human take action, or you can automate them. But earlier, visibility, earlier detection and understanding how an attacker behaves, can show you what the attacker sees. And I don’t think a lot of companies do that yet.

The need for change

We can educate companies that are in this environment that they need to see what the attacker sees. But we have to stop doing things the way we used to do them, because the multicloud and hybrid cloud environments are a whole new ballpark of threat. If we always assume compromise, which is only wise in this environment, we have to look at how we deal with that – and we have to do it in new ways.

We use AI to see what an attacker sees. In fact, we use AI to lift all the mundane tasks off the shoulders of human analysts. That way, you stop the analysts having to triage all the tiny events that right now they’re having to deal with, so they can focus on the high-level, confirmed threats and do the thing that humans are best at – lateral thinking. We use AI to automate the mundane, and free the analysts to be as clever as we know they are, in order to deal with the threats of the clever human attackers.


In Part 2 of this article, we’ll explore exactly how AI and human analysts can work in harmony to defeat the real-time attack threats of the massively more complex multicloud environment.
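The idea in the “Getting ahead of the threat” answers (piecing together an attacker’s behaviours across the kill chain, from how they got in through reconnaissance, discovery and privileged access, and calling it an attack in progress before the damage lands) can be shown with a small correlation script. This is an added example written for this page, not Vectra’s code or any of its detection models; the event shape, action names, stage labels, thresholds and the sample audit events are all constructed assumptions, chosen to look like a generic cloud audit trail.

```python
"""Behaviour-chain correlation over constructed cloud audit events.

Added illustration, not Vectra's code. Event shape, action names and
thresholds are assumptions; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # how long one attacker "session" may span
FAIL_THRESHOLD = 3            # logon failures before a later success looks like a break-in
DOWNLOAD_THRESHOLD = 20       # object reads inside the window before we call it collection

# Kill-chain stages in the order an intrusion usually progresses (assumed labels).
STAGE_ORDER = ["credential_access", "initial_access", "discovery",
               "privilege_escalation", "collection"]
DISCOVERY_ACTIONS = {"ListUsers", "ListRoles", "ListBuckets", "DescribeInstances"}
PRIV_ESC_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
DOWNLOAD_ACTIONS = {"GetObject"}


def _ev(time, principal, action, outcome="Success"):
    """Build one constructed audit event (CloudTrail-like shape, assumed)."""
    return {"time": time, "principal": principal, "action": action, "outcome": outcome}


# Constructed sample: a service account is password-guessed, then used for
# enumeration, self-promotion to admin and a bulk download; an admin doing
# routine work only ever touches the discovery stage.
EVENTS = (
    [_ev(f"2022-10-05T09:00:{s:02d}", "svc-backup", "ConsoleLogin", "Failure")
     for s in (0, 20, 40, 59)]
    + [_ev("2022-10-05T09:02:10", "svc-backup", "ConsoleLogin"),
       _ev("2022-10-05T09:05:00", "svc-backup", "ListUsers"),
       _ev("2022-10-05T09:06:00", "svc-backup", "ListRoles"),
       _ev("2022-10-05T09:10:00", "svc-backup", "AttachUserPolicy"),
       _ev("2022-10-05T09:12:00", "svc-backup", "ListBuckets")]
    + [_ev(f"2022-10-05T09:15:{s:02d}", "svc-backup", "GetObject") for s in range(25)]
    + [_ev("2022-10-05T10:00:00", "alice", "ConsoleLogin"),
       _ev("2022-10-05T10:05:00", "alice", "ListUsers"),
       _ev("2022-10-05T10:06:00", "alice", "DescribeInstances")]
)


def stage_timeline(events):
    """Map each principal's events to kill-chain stages.

    Returns {principal: [(datetime, stage), ...]} in time order. Where volume
    matters (logon failures, object reads) a single event is not a stage: it
    only counts once it crosses a threshold inside WINDOW, which is what
    separates a mistyped password or a normal download from credential
    guessing and collection.
    """
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_principal[e["principal"]].append(e)

    timeline = {}
    for principal, evs in by_principal.items():
        stages, failures, downloads = [], [], []
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            ok = e["outcome"] == "Success"
            action = e["action"]
            # Forget failures and downloads that fell out of the window.
            failures = [f for f in failures if t - f <= WINDOW]
            downloads = [d for d in downloads if t - d <= WINDOW]
            if action == "ConsoleLogin":
                if not ok:
                    failures.append(t)
                    if len(failures) >= FAIL_THRESHOLD:
                        stages.append((t, "credential_access"))
                elif len(failures) >= FAIL_THRESHOLD:
                    # A success right after a run of failures: the door was opened.
                    stages.append((t, "initial_access"))
            elif action in DISCOVERY_ACTIONS and ok:
                stages.append((t, "discovery"))
            elif action in PRIV_ESC_ACTIONS and ok:
                stages.append((t, "privilege_escalation"))
            elif action in DOWNLOAD_ACTIONS and ok:
                downloads.append(t)
                if len(downloads) >= DOWNLOAD_THRESHOLD:
                    stages.append((t, "collection"))
        timeline[principal] = stages
    return timeline


def attacks_in_progress(events, min_stages=3):
    """Return {principal: [stages]} for principals showing at least min_stages
    distinct stages inside one WINDOW. One stage alone (an admin listing users)
    is noise; a chain of stages is the story the analyst needs to see."""
    flagged = {}
    for principal, stages in stage_timeline(events).items():
        for i, (start, _) in enumerate(stages):
            seen = {s for t, s in stages[i:] if t - start <= WINDOW}
            if len(seen) >= min_stages:
                flagged[principal] = sorted(seen, key=STAGE_ORDER.index)
                break
    return flagged


if __name__ == "__main__":
    for principal, chain in attacks_in_progress(EVENTS).items():
        print(f"attack in progress: {principal}: {' -> '.join(chain)}")
```

Run as a script it reports the service account with the full chain and stays silent about the admin, even though both listed users: the chain, not any single event, is what carries the signal. The `min_stages` knob is the trade-off the interview describes between surfacing confirmed, multi-stage activity for a human and drowning them in single-event triage.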