Cloud-native environments and applications deliver unprecedented agility and scalability in a business climate that demands speed. However, they also introduce extraordinary security challenges that require more rapid event detection and response than the traditional on-premises world. Data often travels through multiple services and storage solutions, leaving security analysts to sift through an extensive data trail of logs from multiple cloud services.

Automation is one of the key benefits of cloud environments, but cybercriminals can use the same tools to accelerate the velocity of their attacks. Dwell time – the period between initial access and an attack – is measured in days in on-premises infrastructure but mere minutes in the cloud. Effective detection and response require granular visibility across multiple environments, connected SaaS applications, and third-party data sources.

The bespoke nature of traditional data centers makes them more difficult to compromise, notes Crystal Morin, a cybersecurity strategist at Sysdig. “Knowledge of on-premises environments must be developed on a case-by-case basis,” she said. “Cloud environments, though, are more consistent, even across providers. That makes the cloud easier to understand and secure, but it also means attackers know what to look for and how to get what they want.”

Attackers can also exploit the automation, scripting, and APIs inherent in cloud-native architectures to discover information about the cloud environment more rapidly than is possible in unfamiliar on-premises infrastructure. “What works in one cloud is likely to work in another with only slight modifications,” Morin said.

That makes it possible for attackers to move much faster. A recent Sysdig Threat Research Team report found that attackers with stolen credentials can inflict damage in as little as 10 minutes.
Traditional detection and response mechanisms can’t match that speed. “If we are manually responding to automated adversarial behaviors, we’ve already lost,” Morin said.

“An effective cloud security defense requires deep observability and proactive speed. Log analysis is an essential defense strategy. Cloud providers collect massive amounts of data about activity in their systems in their network, database and transaction logs. That’s a source of valuable intelligence, but harmonizing log data across multiple providers and tools is a challenge.” Real-time monitoring, deep observability, and automation are needed to detect threat actors as they enter an environment so they can be isolated and shut down.

One factor favoring defenders is that cloud cyberattacks follow a predictable path. Threat actors use API calls to scan a victim’s infrastructure to identify opportunities for lateral movement and misconfigurations, which are the leading vulnerabilities in cloud attacks. This activity shows up in security logs. Real-time log monitoring can trigger alerts that an attack is underway. Log analytics can detect behavioral anomalies consistent with an attack, such as multiple authentication attempts or repeated API scans. “The more they move, the more noise they make, and the more likely they are to be found,” Morin said. “That means we need to move faster, too.”

Sysdig created the 5/5/5 Benchmark – five seconds to detect, five minutes to triage, and five minutes to respond – as a goal for organizations committed to evolving their cybersecurity practices to beat attackers at their own game. The strategy stresses the use of automation and the proliferating number of third-party cloud detection technologies to connect the dots from data points across multiple environments and applications into an integrated view.
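To make the "noise" argument concrete, here is an added example (not Sysdig's code, and not taken from the 5/5/5 Benchmark) of the two anomaly patterns the article names, implemented as sliding-window rules over CloudTrail-shaped events: repeated authentication failures from one source address, and a burst of read-only enumeration calls by one principal across several services. The events, account id, IP addresses, identity names, window sizes and thresholds are all constructed assumptions for illustration; a real deployment would tune them against its own baseline.

```python
"""Sliding-window anomaly detection over CloudTrail-style audit events.

Two rules, matching the behaviours the article describes as attacker noise:
  * repeated_auth_failures  - N failed console logins from one IP within W seconds
  * api_enumeration_burst   - N read-only (Describe*/List*/Get*) calls by one
                              principal spanning M distinct services within W seconds
All sample data below is constructed; thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions, not vendor-recommended values).
AUTH_WINDOW = timedelta(seconds=60)
AUTH_FAILURE_THRESHOLD = 5
ENUM_WINDOW = timedelta(seconds=120)
ENUM_CALL_THRESHOLD = 5
ENUM_SERVICE_THRESHOLD = 3
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _ev(time, source, name, ip, arn, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    event = {"eventTime": time, "eventSource": source, "eventName": name,
             "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    if error:
        event["errorMessage"] = error
    return event


# Constructed events: a benign call, five login failures in 40 s from one IP,
# one stray failure from another IP, a successful login, then an assumed role
# enumerating five different services in 20 s.
ACCT = "111122223333"  # placeholder account id
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:03:00Z", "s3.amazonaws.com", "ListBuckets", "192.0.2.10",
        f"arn:aws:iam::{ACCT}:user/bob"),
    *[_ev(f"2024-01-01T10:00:{s:02d}Z", "signin.amazonaws.com", "ConsoleLogin",
          "203.0.113.7", f"arn:aws:iam::{ACCT}:user/alice", "Failed authentication")
      for s in (0, 10, 20, 30, 40)],
    _ev("2024-01-01T10:00:05Z", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.9",
        f"arn:aws:iam::{ACCT}:user/carol", "Failed authentication"),
    _ev("2024-01-01T10:01:00Z", "signin.amazonaws.com", "ConsoleLogin", "203.0.113.7",
        f"arn:aws:iam::{ACCT}:user/alice"),
    *[_ev(f"2024-01-01T10:02:{s:02d}Z", src, name, "203.0.113.7",
          f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/session")
      for s, src, name in ((0, "sts.amazonaws.com", "GetCallerIdentity"),
                           (5, "s3.amazonaws.com", "ListBuckets"),
                           (10, "ec2.amazonaws.com", "DescribeInstances"),
                           (15, "iam.amazonaws.com", "ListUsers"),
                           (20, "secretsmanager.amazonaws.com", "ListSecrets"))],
]


def parse_time(ts):
    """CloudTrail timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return a list of alert dicts, one per rule firing (window resets after firing)."""
    alerts = []
    auth_failures = defaultdict(deque)  # sourceIP -> deque[timestamp]
    enum_calls = defaultdict(deque)     # principal -> deque[(timestamp, service)]

    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        t = parse_time(ev["eventTime"])
        name = ev["eventName"]

        if name == "ConsoleLogin" and "errorMessage" in ev:
            ip = ev["sourceIPAddress"]
            q = auth_failures[ip]
            q.append(t)
            while q and t - q[0] > AUTH_WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= AUTH_FAILURE_THRESHOLD:
                alerts.append({"rule": "repeated_auth_failures", "key": ip,
                               "count": len(q), "detected_at": ev["eventTime"]})
                q.clear()

        elif name.startswith(READ_ONLY_PREFIXES):
            who = ev.get("userIdentity", {}).get("arn", "unknown")
            q = enum_calls[who]
            q.append((t, ev["eventSource"]))
            while q and t - q[0][0] > ENUM_WINDOW:
                q.popleft()
            services = {svc for _, svc in q}
            if len(q) >= ENUM_CALL_THRESHOLD and len(services) >= ENUM_SERVICE_THRESHOLD:
                alerts.append({"rule": "api_enumeration_burst", "key": who,
                               "count": len(q), "services": len(services),
                               "detected_at": ev["eventTime"]})
                q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the detector produces exactly two alerts: the five failures from 203.0.113.7 and the cross-service enumeration by the `ci-deploy` role; bob's single `ListBuckets` and carol's single failure stay below threshold. The `detected_at` field is the event time that tipped the window, so comparing it with the pipeline's ingestion clock gives the detection latency the 5/5/5 Benchmark asks you to measure.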
Technologies like the Extended Berkeley Packet Filter (eBPF), a lightweight, sandboxed virtual machine within the Linux kernel, provide enhanced visibility into system calls and networking operations to enable faster detection and response.

Automation, APIs and infrastructure-as-code mechanisms can then be deployed to enable rapid response and remediation. These cloud-native functions are organizations’ most valuable assets for responding quickly and effectively.

The 5/5/5 Benchmark “is an operational benchmark that indicates cybersecurity maturity,” Morin said. “Mistakes will happen, but we can prepare for the inevitable attack and be ready to detect and respond as soon as it happens.”

Download the 5/5/5 Benchmark for Cloud Detection and Response.