Digesting vast amounts of data stored on modern data platforms such as a graph database is a primary benefit of true cloud attack path analysis. This is called contextual cloud security at scale, and it is the key to noise reduction, improvement in Mean Time To Resolve (MTTR) and other cloud security benefits.
The most efficient way to secure your cloud environment is by looking at it through the eyes of an attacker. Attackers focus either on an entry point specific to their victim's cloud environment or on achieving a successful attack through a third party or other supply chain risk. Often what is publicly facing and what is vulnerable are the juiciest targets:
- If it’s insecure and public, it can and will be hacked. Attackers are constantly scanning your environment if you’re a target of choice, and they can sometimes get to know your infrastructure better than you do.
- Attackers will look for the lowest hanging fruit. New assets can mean less hardened, newest code that might have been launched by accident, or rushed to market without a detailed security review. In short, “new” is the arbitrage opportunity an attacker is looking for. After all, they only have to be right once.
NOTE: Speed of attack surface discovery matters. Staying ahead of attackers means being one step ahead not just in finding your assets but in securing them to avoid a breach. Lightspin offers an EASM solution called Attack Surface Discovery that can provide security findings with zero integrations and zero cost.
Why Black Box Attack Path Analysis?
If Gartner’s right and 99% of breaches are going to be the result of human error in cloud misconfiguration, then the most toxic combination of security findings, CVEs, and publicly exposed assets is the number one thing all cloud security engineers should focus on first. But how do you find those toxic combos?
Enter attack path analysis.
At Lightspin, attack path analysis and security findings can be defined as “black box”. Why? Four simple reasons:
- Custom policies take a long time to build and extend the MTTR of security products.
</gra_replace>
<gr_replace lines="13" cat="clarify" orig="- Hybrid cloud">
- Hybrid cloud and Kubernetes security research and expertise are a rare resource that few can hire for.
- Most security teams do not have the adversarial mindset allowing them to think of the most critical paths or cloud security issues.
- Additive queries and customization can be costly and dramatically increase your cloud service provider bill or quote from a CNAPP provider.
- Hybrid cloud and Kubernetes security research and expertise is a rare resource that few can hire.
What is the Main Difference Between an Attack Path and a Security Graph?
Former US Secretary of Defense Donald Rumsfeld has a famous quote:
There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know. - Donald Rumsfeld, 13th and 21st US Secretary of Defense
If you are using a CNAPP vendor to customize queries on a graph, you’re relying on your team to find the known unknowns. They will look for known security issues to find that previously unknown asset where the risk lies. After all, they know their environment well and operate in a white box testing environment with full production access and internal keys to the kingdom.
But they can never fully think like an attacker. They cannot give you the unknown unknowns.
When you match the precious resource of offensive-minded cloud security researchers with graph engineers, you get a platform that provides out-of-the-box value via graph algorithms which prioritize, and even help dynamically remediate, the most pressing breach risk to your company.
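To make the “toxic combination” idea and the graph prioritization concrete, here is an added example (not Lightspin’s code or data): a constructed cloud asset graph where nodes carry security findings, a depth-first walk enumerates every simple path from the internet to a sensitive asset, and a filter keeps only the paths whose first hop is both publicly exposed and carrying a critical CVE. Asset names, findings and edges are all hypothetical.

```python
from collections import defaultdict

# Constructed sample asset graph (hypothetical, not from any real account).
# Each asset carries the security findings a scanner attached to it.
ASSETS = {
    "internet":    {"findings": []},
    "web-vm":      {"findings": ["public-ip", "critical-cve"]},
    "api-vm":      {"findings": ["public-ip"]},
    "batch-vm":    {"findings": ["critical-cve"]},
    "web-role":    {"findings": []},
    "admin-role":  {"findings": ["wildcard-policy"]},
    "logs-bucket": {"findings": []},
    "pii-bucket":  {"findings": [], "sensitive": True},  # crown jewel
}
# Directed relationships: (source, target, what lets an attacker move along it)
EDGES = [
    ("internet",   "web-vm",      "security group allows 0.0.0.0/0"),
    ("internet",   "api-vm",      "security group allows 0.0.0.0/0"),
    ("web-vm",     "web-role",    "instance profile"),
    ("api-vm",     "web-role",    "instance profile"),
    ("batch-vm",   "admin-role",  "instance profile"),
    ("web-role",   "logs-bucket", "s3:GetObject"),
    ("web-role",   "admin-role",  "sts:AssumeRole"),
    ("admin-role", "pii-bucket",  "s3:*"),
]

def find_attack_paths(entry="internet", assets=ASSETS, edges=EDGES):
    """Enumerate all simple paths from `entry` to any sensitive asset (DFS)."""
    adj = defaultdict(list)
    for src, dst, _how in edges:
        adj[src].append(dst)
    paths = []
    def walk(node, path):
        if assets[node].get("sensitive"):
            paths.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:          # simple paths only: never revisit a node
                walk(nxt, path + [nxt])
    walk(entry, [entry])
    return paths

def toxic_paths(paths, assets=ASSETS):
    """Keep paths whose first hop is both internet-exposed and has a critical CVE,
    shortest first, since fewer steps to the crown jewel means higher priority."""
    toxic = []
    for path in paths:
        if len(path) < 2:                # entry node itself is the sensitive asset
            continue
        if {"public-ip", "critical-cve"} <= set(assets[path[1]]["findings"]):
            toxic.append(path)
    return sorted(toxic, key=len)
```

Running `toxic_paths(find_attack_paths())` on this graph returns only the path through `web-vm`; `api-vm` is public but has no CVE, and `batch-vm` has a CVE but is not reachable from the internet, so neither is a toxic combination even though each shows up as an isolated finding.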