Proactively Map Imminent Threats With Holistic CNAPP

Cloud environments are notoriously difficult to secure. Learn how a CNAPP can drive more proactive cloud security with end-to-end visibility and threat mapping.

Ram Pliskin, Principal Security Research Manager, Microsoft Defender for Cloud

April 29, 2024


With 90% of enterprise businesses operating in multi-cloud environments, many security professionals are intimately familiar with the challenge of securing cloud platforms.  

The sheer scale of cloud computing generates thousands of security alerts a day -- 4,484 on average, to be exact -- and it can be difficult to know which alerts need to be addressed first. Identity is also more nuanced in the cloud, expanding beyond user accounts to encompass non-human identities such as applications and managed identities. And because cloud environments are so interconnected, it is easier for attackers to move laterally across your estate after a successful breach.

For example, Microsoft security researchers recently published a report on a novel attack vector in which adversaries attempted to move laterally from a SQL Server instance into the surrounding cloud environment. While we have seen this approach used against other cloud services, such as virtual machines (VMs) and Kubernetes clusters, it had not previously been observed against SQL Server.

The attackers initially exploited a SQL injection vulnerability in a cloud-based application to gain access to the customer's environment. They then acquired elevated permissions on a Microsoft SQL Server instance and attempted to abuse the server's cloud identity to move laterally and access additional cloud resources. Cloud identities are commonly attached to cloud services such as SQL Server and often hold elevated permissions so that the service can act in the cloud. Over 50% of cloud permissions were considered high-risk in 2023, meaning that, if abused, they could cause data leakage, service disruption, or service degradation. This attack highlights the need to properly secure cloud identities to defend SQL Server instances and other cloud resources from unauthorized access.
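The injection step in that chain, as an added illustration that is not code from the Microsoft report or from the affected application: a lookup that splices user input into the query text, beside the parameterized form that closes the flaw. It runs against an in-memory SQLite table constructed for the demo; the table, column names and payload are assumptions, and SQLite stands in for SQL Server only to show the difference in query shape.

```python
"""Added example, not code from the article or the Microsoft report it cites.
SQLite stands in for SQL Server; the table, columns and payload are constructed."""
import sqlite3


def make_db():
    # Constructed sample rows standing in for the application's data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "eu"), (2, "bob", "us"), (3, "carol", "eu")],
    )
    return conn


def lookup_vulnerable(conn, region):
    # Vulnerable: untrusted input becomes part of the statement text, so the
    # input can change the query's structure, not just the value compared.
    sql = f"SELECT id, name FROM customers WHERE region = '{region}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, region):
    # Hardened: the value travels as a bound parameter; the statement's
    # structure is fixed before the engine ever sees user data.
    sql = "SELECT id, name FROM customers WHERE region = ?"
    return conn.execute(sql, (region,)).fetchall()


# Classic tautology payload, constructed for the demo: the quote closes the
# literal and the OR clause makes the WHERE condition true for every row.
PAYLOAD = "us' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row leaks
    print("hardened:  ", lookup_hardened(db, PAYLOAD))    # no row has that region
```

Running it prints all three rows for the vulnerable lookup and an empty list for the hardened one. Closing the injection is only the first half of the fix the article argues for: the application's database login should hold no more than it needs on the server, and the server's cloud identity no more than it needs in the cloud, so that a foothold on the SQL instance does not become a foothold in the estate.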

All of these factors and more come together to create a complex and nuanced security environment that SOC teams have to defend. Luckily, a holistic cloud-native application protection platform (CNAPP) can help teams become more proactive. Here’s how. 

The Identity Challenge With Cloud Security 

When we think about how cloud computing has changed the security landscape, identity plays a significant role in that story. 

In legacy on-premises environments, identity was largely limited to internal users assigned to specific domains with a clearly defined set of permissions and access parameters. In the cloud, however, you also have external and guest accounts, such as those of managed cloud service providers (MCSPs), that you can invite into your directory. Accounts can originate from different identity providers and be synced with your Active Directory. There are also non-human identities to consider, including application identities and user-assigned managed identities, which exist as standalone resources decoupled from any single workload.

Compared with the options for protecting human identities, there are fewer solutions that adequately protect non-human identities. Non-human identities are also harder to secure because they lack a clearly defined lifecycle, and security practitioners can't simply contact one to ask why it accessed a certain resource or took a specific action. Instead, they must correlate signals across multiple cloud solutions to establish that identity's normal operating pattern, and only then can they flag abnormal or potentially malicious activity.

Furthermore, many cloud identities, human and non-human alike, are vastly over-permissioned. Microsoft found more than 40,000 permissions granted in 2023, but just 1% of them were used. And of the 209 million cloud identities tracked in 2023, 50% were super identities, meaning they had access to all permissions and all resources across the entire cloud estate. This creates a massive risk: if even one super identity is compromised, attackers can use it to operate as a legitimate principal throughout your cloud environment.
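To make the two preceding points concrete, here is an added example (not code from the article or from Microsoft Defender for Cloud) of the kind of analysis a CIEM layer performs over identity signals: it builds a per-identity baseline from an activity log and flags later actions the identity has never taken, and it diffs granted permissions against used ones to surface unused grants and super identities. The grant format, identity names, permission names and log rows are all constructed for the demo.

```python
"""Added example (not code from the article or from Microsoft Defender for
Cloud): two checks a CIEM layer runs over identity signals. All grants,
identity names, permission names and log rows below are constructed."""
from collections import defaultdict

# Constructed grants per identity. "*" models a super identity: every
# permission on every resource, as the article defines the term.
GRANTS = {
    "app-orders":   {"Storage/read", "Storage/write", "KeyVault/getSecret", "VM/delete"},
    "mi-sqlserver": {"Storage/read", "Storage/list"},
    "svc-backup":   {"*"},
}

# Constructed activity log rows: (day, identity, permission, resource).
ACTIVITY = [
    (1, "app-orders",   "Storage/read",  "orders-blob"),
    (1, "app-orders",   "Storage/write", "orders-blob"),
    (2, "app-orders",   "Storage/read",  "orders-blob"),
    (2, "mi-sqlserver", "Storage/read",  "backup-blob"),
    (3, "app-orders",   "Storage/read",  "orders-blob"),
    (3, "mi-sqlserver", "Storage/read",  "backup-blob"),
    # day 4 is the window under review
    (4, "app-orders",   "Storage/read",  "orders-blob"),
    (4, "mi-sqlserver", "Storage/list",  "payroll-blob"),  # new permission and resource
    (4, "mi-sqlserver", "Storage/read",  "payroll-blob"),  # known permission, new resource
]


def build_baseline(activity, through_day):
    """Per identity, the (permission, resource) pairs used up to through_day."""
    baseline = defaultdict(set)
    for day, ident, perm, res in activity:
        if day <= through_day:
            baseline[ident].add((perm, res))
    return baseline


def find_anomalies(activity, through_day):
    """Events after through_day that fall outside the identity's own baseline.
    A non-human identity cannot be asked why it acted, so deviation from its
    own history is the signal a practitioner has to work with."""
    baseline = build_baseline(activity, through_day)
    return [(day, ident, perm, res) for day, ident, perm, res in activity
            if day > through_day and (perm, res) not in baseline[ident]]


def unused_permissions(grants, activity):
    """Granted permissions an identity never exercised anywhere in the log.
    Wildcard grants cannot be diffed; super_identities reports those."""
    used = defaultdict(set)
    for _, ident, perm, _ in activity:
        used[ident].add(perm)
    return {ident: sorted(perms - used[ident])
            for ident, perms in grants.items() if "*" not in perms}


def super_identities(grants):
    """Identities holding a wildcard grant: one compromise reaches everything."""
    return sorted(ident for ident, perms in grants.items() if "*" in perms)


if __name__ == "__main__":
    for event in find_anomalies(ACTIVITY, through_day=3):
        print("anomaly:", event)
    print("unused:", unused_permissions(GRANTS, ACTIVITY))
    print("super identities:", super_identities(GRANTS))
```

On this data the SQL Server's managed identity is flagged twice on day 4 (a permission it never used, then a resource it never touched), the application identity is shown holding two permissions it never exercised, and the backup service account is called out as a super identity. The unused-permission diff is the per-identity version of the 1%-used figure quoted above, and it is the list a right-sizing pass would revoke from.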

Proactively Map Imminent Threats With Holistic CNAPP  

Today, there are many individual point solutions that manage cloud identities and enforce the zero-trust principle of least privilege access. However, because these solutions are siloed and can’t communicate with one another, they fail to provide full visibility into what identities are actually doing.  

A CNAPP, on the other hand, acts as a single command center where multiple cloud security solutions are consolidated under one umbrella. These include cloud security posture management (CSPM), multipipeline DevOps security, cloud workload protection platforms (CWPPs), cloud infrastructure entitlement management (CIEM), and cloud service network security (CSNS). Under this model, a CNAPP integrates insights across the data and control planes with identity signals, threat intelligence, and more to provide a deeper, more contextualized view of activity across your full end-to-end cloud estate, and to provide it faster.

A holistic CNAPP can be broken down into three core components: visibility, pre-breach, and post-breach. 

Visibility is delivered via modeling. Because cloud environments exist on a massive scale, CNAPPs use modeling to drive strong visibility so that security practitioners can see the relationships between all cloud resources and identities.  

Creating an accurate view of these relationships -- or edges -- pre-breach is critical because it allows the CNAPP to build attack paths that end at a critical asset. Security teams can use these attack paths to understand how adversaries could move through their environment and proactively shut down those paths before they are exploited.

A CNAPP can also prioritize these attack paths by their potential impact on the business, so that security teams know which paths to remediate first. Post-breach, a CNAPP adds value by correlating multiple security alerts into dynamic incidents that change and evolve as an attack unfolds.
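The three components above, modeled as an added example that is not code from the article or from any CNAPP product: a toy graph of identities and resources whose edges are attacker-traversable relationships, a search for attack paths from an internet-exposed entry point to critical assets, a ranking by business impact, a count of the nodes that the most paths run through, and a post-breach grouping of alerts that share an entity into one incident. Every node name, edge type, impact score and alert is constructed for the demo; the first chain in the graph mirrors the SQL Server case described earlier so the output is easy to read against it.

```python
"""Added example (not code from the article or any CNAPP product): a toy
version of the graph model the article describes, with attack-path search,
impact ranking and alert-to-incident correlation. Every node, edge type,
impact score and alert below is constructed for the demo."""
from collections import defaultdict

# Constructed edges (source, relationship, target), pointing the way an
# attacker can move. The first chain mirrors the SQL Server case above.
EDGES = [
    ("internet",      "reaches",       "web-app"),
    ("web-app",       "sqli-into",     "sql-server"),
    ("sql-server",    "runs-as",       "mi-sqlserver"),   # the server's cloud identity
    ("mi-sqlserver",  "reads",         "backup-storage"),
    ("mi-sqlserver",  "reads",         "keyvault-prod"),
    ("keyvault-prod", "holds-cred-of", "svc-backup"),
    ("svc-backup",    "admin-of",      "customer-db"),
    ("internet",      "reaches",       "vm-bastion"),
    ("vm-bastion",    "runs-as",       "mi-bastion"),
    ("mi-bastion",    "reads",         "backup-storage"),
]
# Constructed business impact of each critical asset.
CRITICAL = {"customer-db": 100, "keyvault-prod": 80, "backup-storage": 40}
ENTRY = "internet"


def attack_paths(edges, entry, critical):
    """Every simple path from the entry point to a critical asset (pre-breach)."""
    graph = defaultdict(list)
    for src, _, dst in edges:
        graph[src].append(dst)
    found = []

    def walk(node, path):
        if node in critical:          # record, but keep walking: a critical
            found.append(path)        # node may lead on to a more critical one
        for nxt in graph[node]:
            if nxt not in path:       # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return found


def prioritize(paths, critical):
    """Highest-impact asset first, then fewest hops: the path to cut first."""
    return sorted(paths, key=lambda p: (-critical[p[-1]], len(p)))


def choke_points(paths):
    """Intermediate nodes shared by the most paths; fixing one closes several."""
    counts = defaultdict(int)
    for p in paths:
        for node in p[1:-1]:
            counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Post-breach: constructed alerts, each naming the entities it involves.
ALERTS = [
    {"id": "A1", "name": "SQL injection detected",             "entities": {"web-app", "sql-server"}},
    {"id": "A2", "name": "Privilege escalation on SQL Server", "entities": {"sql-server", "mi-sqlserver"}},
    {"id": "A3", "name": "Unusual storage read by identity",   "entities": {"mi-sqlserver", "backup-storage"}},
    {"id": "A4", "name": "Failed sign-in burst on bastion",    "entities": {"vm-bastion"}},
]


def correlate(alerts):
    """Union-find over shared entities: alerts that touch a common entity,
    directly or transitively, land in one incident, and a later alert on an
    existing entity grows that incident instead of opening a new one."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for alert in alerts:
        first, *rest = alert["entities"]
        for e in rest:
            parent[find(e)] = find(first)
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[find(next(iter(alert["entities"])))].append(alert["id"])
    return sorted(sorted(ids) for ids in incidents.values())


if __name__ == "__main__":
    paths = attack_paths(EDGES, ENTRY, CRITICAL)
    for p in prioritize(paths, CRITICAL):
        print(f"impact {CRITICAL[p[-1]]:3d}: " + " -> ".join(p))
    print("choke points:", choke_points(paths)[:3])
    print("incidents:", correlate(ALERTS))
```

The ranking puts the seven-hop path to the customer database first because its impact outweighs its length, and the choke-point count shows that the web app, the SQL Server and its managed identity sit on three of the four paths, so trimming that identity's permissions closes more than one path at once. The alert grouping lands the three SQL Server alerts in a single incident and leaves the unrelated bastion alert on its own; a real platform would also weight alerts by severity and time, which the toy omits.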

Ultimately, cloud security is a nuanced undertaking that requires SOC teams to respond nimbly to ever-changing threats. A holistic CNAPP helps by providing a more complete view of all identities and activity across your cloud estate.

About the Author(s)

Ram Pliskin

Principal Security Research Manager, Microsoft Defender for Cloud, Microsoft

Ram Pliskin is a Principal Security Research Manager at Microsoft Defender for Cloud. Ram gained his expertise from over a decade of service with the IDF Intelligence Corp, where he led teams of security researchers and software developers. 
