More than 80% of surveyed organizations use Azure and AWS cloud services. 55% use Google.
Most organizations report an increase in the number of buckets and storage containers they use in Azure (89%), AWS (84%), and Google (74%) clouds.
22.4% of surveyed organizations lack the requisite expertise for using AWS and Azure clouds securely.
30% of organizations are actively planning to decommission on-premises Active Directory as cloud legacy support improves.
49% of organizations have less than half their cloud accounts covered by cloud-native application protection (CNAPP) solutions.
| Multicloud Security challenges | Context |
|---|---|
 |
A primary benefit of cloud operations is the speed at which new instances and tools can be spun up or eliminated based on specific business needs. But keeping track of how organizations and their employees are using services and tools is difficult from a security perspective. With ephemerality being the norm rather than the exception, security teams often struggle to maintain oversight of one cloud environment, let alone multicloud deployments. |
 |
As organizations extend their cloud footprint, many assume greater risk of security breaches related to insecure connections, unsecured assets, and code errors that provide attackers with exploit opportunities. A 2024 study found the average organization with multicloud deployments had 351 attack paths that attackers could exploit to reach valuable company assets. |
 |
Each cloud deployment is a hive of data in transit and in storage, running applications and APIs, access points, users, and connected devices. Keeping track of all these assets and processes is a difficult monitoring task; security teams must track and correlate logs from a variety of systems, which can easily create blind spots. |
 |
Each cloud provider works off its own version of the shared responsibility model. Moreover, the providers regularly offer new services and products, which are typically subject to updates and specific conditions. Staying current with each provider’s offerings and conditions places another tax on the time and energy of security teams tasked with monitoring cloud deployments. |
 |
Data breaches are one of the most common, and costly, cyber breaches among organizations of all types. The multicloud environment can amplify the challenge of protecting data through a similar principle: more and varied cloud deployments creates greater potential for misconfigurations, insufficient access controls and security settings, and more complex networks in which data can be lost, captured, or ransomed by malicious actors from the outside or inside of the organization. |
 |
Attackers are well aware of the prevalence of multicloud operations and have shifted their tactics to exploit potential security weaknesses. They may target user credentials and CSP trust relationships to move from one cloud environment to others. They can exploit errors in security access controls, APIs, download malicious files or modules to cloud infrastructure systems, among other attack vectors. Increasingly, attackers have found methods of obscuring their attack patterns and escalations within normal cloud traffic, which is difficult to detect without the ability to analyze multiple sources of data.
What’s more, attackers also are developing methods for evading common security tools, such as endpoint detection and response (EDR) and cloud-native application protection platforms (CNAPP) with PowerShell scripts, windows management instrumentation (WMI) tools, cloud exploitation frameworks like Pacu and other techniques that make their intrusions blend in with normal cloud traffic and workflows. A recent CISA advisory about over-reliance on EDR tools emphasized this reality. |
Tool Consolidation and integration
- Network detection and response can incorporate many monitoring, alerting, and reporting functions within a single framework, and reduce tool sprawl. As a pillar of the SOC Visibility Triad, it often complements EDR, system information and event management (SIEM) and data lakes, extended detection and response (XDR), and other solutions that are common in multicloud and hybrid cloud environments. Cloud-capable NDR will often integrate with CSPM, CWPP, and other cloud-native security solutions.
Scalability
- NDR platforms can support a centralized monitoring and metadata extraction from multiple cloud deployments through strategic sensor placement and without over provisioning of cloud resources. Coupled with an ability to correlate data flows, these features provide NDR with an elastic, scalable design suitable to expanding multicloud deployments.
Compliance Monitoring
- In addition to helping with the documentation necessary to prove compliance around data usage and other regulatory requirements, NDR’s monitoring capabilities can reveal shadow IT and help SOCs determine if the organization is using cloud tools and services in ways that increase cyber-risk.
Expedited detection and incident response
- Enriched network metadata generated and synthesized by NDR platforms can expedite the detection and disruption of cloud-specific threats and malicious tactics such as the use of command and control (C2) channels. It can also highlight behavioral anomalies that may require more investigation or provide a starting point for advanced threat hunting. By providing SOCs with more enriched evidence from cloud network logs, NDR can improve mean time to detect (MTTD) intrusions and increase the likelihood of faster incident resolution.
Complete visibility in multicloud and hybrid cloud environments
-
Corelight’s sensors parse north/south and east-west traffic and enable security teams to identify all services within their cloud environments. Consistent network telemetry coupled with host data enrichment enable comprehensive visibility integrated with cloud control planes. Corelight collects detailed network metadata (e.g., HTTP headers, DNS queries, SSL certificates and ciphersuites, bytes transferred) and tracks network sessions, bridging blind spots between container runtime events. Corelight also enriches cloud traffic observed with additional metadata through our Cloud Enrichment and cloud app ID packages:
Cloud-specific detections
- The Corelight NDR platform leverages the power of the open source community, MITRE ATT&CK mapping, and our own research to provide users with threat detections and intelligence that can detect and disrupt attacks TTPs that target cloud infrastructure, such as lateral movement, data exfiltration, C2 channels, attacks initiated with cloud exploitation frameworks and more. Corelight evidence can help security teams detect cloud hosts that reach out to or access multiple services, and other behavioral anomalies that may indicate stealthy attack patterns.
AI-powered workflows
-
Corelight’s SaaS solution, Investigator, automates workflows and includes customizable dashboards that expedite and simplify alert triage, and make raw network data and packet capture (PCAP), accessible through simple steps. The platform also includes ML-based summaries, interactive visual timelines and triage history to make incident response more comprehensive, targeted, and efficient.
Accelerated incident response
- Corelight’s enriched data helps investigators correlate suspicious or anomalous traffic with specific cloud actions, account movements, and container processes — leading to faster, more accurate threat detection and response.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization mitigate cybersecurity risk.
