New detection capabilities bring deeper insight and broader context for enhanced threat identification
How did the cloud attacker escape? They ransomware.
Cloud threat detection is often overlooked when considering the full spectrum of capabilities in cloud infrastructure and security tools. IT and security teams see a problem like an over-provisioned user, or access to a web server from an unauthorized IP address, and immediately want to address it; how the attacker got there and when the risk first surfaced can feel far less important in the day-to-day of business operations.
Despite its role out of the spotlight, the process of identifying cloud risk and the corresponding threats to that risk is a critical foundation to any robust security posture. The Identify stage happens to be the first component of the National Institute of Standards and Technology’s (NIST’s) five-part cybersecurity framework, introduced back in 2014 and surprisingly still applicable in today’s cloud security landscape. Without proper tools and visibility in place, alerts on malicious activity are often surfaced too late, giving attackers more leeway and time to fully entrench themselves in a cloud environment.
Figure 1: NIST’s Cybersecurity Framework
Given the foundational importance of identifying risk and the ever-changing cloud threat landscape, security providers like Lacework need to continuously invest in new processes to link risk with actual in-the-wild attacks. This threat linkage helps end users understand the most effective ways to remediate and reduce the potential effects of attacks.
This month, Lacework has upgraded and launched a constellation of threat-based security improvements to incorporate more effective detections, provide enhanced threat intelligence, and augment alerts with environmental context to help organizations with their security investigations and response.
Collectively, the family of updates creates a more holistic platform that treats every aspect of cloud security — from prevention to response — as a data problem. Through alignment of risk, anomaly, and behavioral detection with threat context, Lacework helps end users protect assets, investigate, and respond to attacks in the cloud as quickly as possible.
Several improvements have been made to Lacework’s detection capabilities that enable earlier identification of activities in the attack lifecycle and better visibility into what assets or accounts may need remediation.
Lacework provides deeper and broader detections through a variety of upgraded capabilities. With the launch of dozens of new detections, including cloud storage enumeration, service account deletion, and changes in network communication, the findings on data analyzed through Lacework’s enhanced visibility have grown significantly. The expanded capture of system calls, or “syscalls,” provides comprehensive insight into behaviors occurring on hosts and containers. This additional data enables Lacework to create deeper behavioral baselines through the Polygraph® Data Platform, and provides opportunities for activity analysis beyond surface-level static indicators.
Additionally, Lacework upgraded its threat identification pipeline to perform at faster speeds. The detection engine now runs continuously, giving security operators and incident response teams access to critical security events in minutes instead of hours. Lacework will alert on suspicious activity earlier in the attack, reducing the potential business impact of security incidents, and allowing security teams an opportunity to remediate compromises sooner.
Together, the broadened visibility, larger data surface, and earlier detection will help security teams using Lacework identify and mitigate risk quickly. Ultimately this reduces the overall dwell time of undetected malicious actors that may be present in cloud environments.
Enhanced threat intelligence
Lacework now enriches alerts with a host of new feeds. Historically, much of the alert context has been based on known-bad Indicators of Compromise (IoCs), which allow security teams to address known threats. As businesses grow to leverage more cloud assets and data storage, the frequency of IoC appearances is accelerating, which makes it harder to separate the signal from the noise.
To bring more focus to the right alerts, Lacework now places a heavier bias on threat enrichment. Alert severity is now dynamically updated based on the type and commonality of each indicator associated with detected activity. The detection engine automatically calculates the severity of each IoC-generated alert using the total number of threat intelligence providers that marked the indicator as malicious, as well as prevalence across all Lacework-analyzed cloud signals.
As a result of treating security as a data problem, the impact assessment is more accurate, adaptable, and ultimately reduces the time security teams need to spend on investigating less relevant threats.
Launched in February, composite alerts are a new, comprehensive tool from Lacework that groups individual signals into a higher level investigation for users. Through Lacework’s machine learning and incident tagging capabilities, the platform has since learned more about the threat landscape as rolling composite alerts were triggered.
Thanks to more data in the system, Lacework has now used this new behavioral evidence to improve the correlation engine that drives composite alerts. Correlation accuracy, incident detection confidence, and alert actionability have all improved as a result of these upgrades. Lacework’s incident builder, the system that manages this process, continues to learn as more alerts are triggered.
Figure 2: Lacework detects and analyzes collected data to gain deep insights into host and container behaviors
The new “Compromised Google Cloud identity” alert is an example of Lacework harnessing these detection signals specifically for Google Cloud. Improper cloud credential use can be difficult to detect with individual signals, but with composite alerts, Lacework is able to correlate weaker signals in Google Cloud environments. This correlation enables identification of anomalous usage and suspicious activity from cloud identities as soon as they are compromised.
To make these findings more actionable, Lacework provides additional attribution context and the underlying evidence used to construct the composite alert. User experience improvements enable more advanced users to investigate faster with a detailed timeline view of events and supporting evidence summaries. When an incident does occur, the additional visibility also assists with incident scoping and remediation.
One of the biggest recent updates to the enhanced threat detection capabilities at Lacework is improved mapping to industry-standard frameworks. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Thanks to improved visibility and detections on the Lacework platform, it’s now easier to match and react to attack scenarios based on industry standards.
Zooming out on those industry frameworks, the collected threat detection updates complete the Lacework approach of security from code to cloud. Lacework has unparalleled visibility into multi-cloud environments, workloads, containers, and more. This enhanced visibility into build-time and run-time enables Lacework to provide unique detection value and insights to reduce the business impact of real and potential incidents.
Lacework has taken a broad approach to embrace prevention, detection, and response in the cloud — investing heavily in each of the five areas identified by NIST. By building robust threat identification tools, Lacework has cast the widest net possible to capture the right threats at the right depth. After that, the use of composite alerts, anomaly detection through Polygraph®, and intelligent threat mapping help ensure that only the right, meaningful threat activities are presented as alerts.
Expanding the industry context further, enhanced threat detection capabilities fit snugly into several categories covered by CNAPP, or Cloud-Native Application Protection Platforms. The ability to better understand, detect, and surface threats greatly improves a company’s cloud and Kubernetes security posture management (CSPM/KSPM) while also protecting assets within the cloud workload protection platform (CWPP) family of capabilities.