Why Context Matters In A Successful (And Scalable) Cloud Remediation Strategy

Ran Nahmias, CBO, Tamnoon.


It’s Monday morning. You feel great after making progress on your backlog of tasks the week before.

Then, you see 346 new critical alerts, of which 40 are publicly accessible S3 buckets.

It’s going to be a long day. Eh, week. Maybe two.

So, what should you do next?

The answer depends on what contextual information is available.

You can’t begin remediation if you cannot validate and understand the risk associated with each alert. Unfortunately, this is a problem for many organizations, with 69% saying their security tools don’t provide enough context to understand risk.

The problem doesn’t stop there. This leads security teams to ignore 23% to 30% of security alerts due to a lack of context or frequent false positives.

That’s why context is critical to prioritize and remediate threats strategically. Context allows you to determine your next steps in scenarios where the biggest risk is what you don’t know.

How To Approach This Hypothetical Scenario

We’ve established 346 new critical alerts and 40 publicly accessible S3 buckets.

So, where do you start?

1. Start by determining why the 40 S3 buckets are publicly accessible, then set priority using the context of your environment, architecture and business priorities. A bucket may be public by design (a static website or a public download host, for example), or the alert may be a false positive, such as an old public ACL that the account's Public Access Block settings already neutralize. Either way, you need to identify where each bucket lives and what it holds.

2. Look at where the buckets sit in your environment. A bucket in a staging environment is normally far less critical than one in production or one holding sensitive data, though a staging bucket seeded with a copy of production data deserves production treatment.

Tying these things together tells a story, helping you determine the best path forward.
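The two steps above, validating whether each "public bucket" alert is real and then weighting it by where the bucket lives and what it holds, can be scripted. The following is an added example, not code from the original article or from the author's company. The bucket records are constructed by hand to mirror the shape of the `boto3` responses for `get_public_access_block`, `get_bucket_policy`, `get_bucket_acl` and `get_bucket_tagging`, so it runs offline; the bucket names, tag keys (`Environment`, `DataClassification`) and the scoring weights are assumptions of the example, not a standard.

```python
"""Contextual triage of "public S3 bucket" alerts. Added example, not from the
article; bucket records are constructed to mirror boto3's get_public_access_block,
get_bucket_policy, get_bucket_acl and get_bucket_tagging responses (runs offline)."""
import json

PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# Illustrative weights: an assumption of this example, not a standard.
ENV_WEIGHT = {"prod": 3, "staging": 2, "dev": 1}
DATA_WEIGHT = {"restricted": 4, "confidential": 3, "internal": 2, "public": 0}
WRITE_BONUS = 10  # anonymous write/delete is worse than anonymous read


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)


def public_policy_actions(policy_json):
    """Actions granted to anonymous principals by unconditioned Allow statements.
    Statements with a Condition (e.g. aws:SourceVpce) are left for a human."""
    if not policy_json:
        return set()
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    actions = set()
    for st in statements:
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and _principal_is_anyone(st.get("Principal"))):
            act = st.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def effective_exposure(bucket):
    """Validate the alert: is the bucket anonymously reachable once Public Access
    Block settings are layered on top of its policy and ACL?"""
    pab = bucket.get("public_access_block", {})
    actions = public_policy_actions(bucket.get("policy"))
    # RestrictPublicBuckets confines a public policy to the owner and AWS services;
    # BlockPublicPolicy only rejects *new* public policies, so an existing one
    # still applies and must not be counted as a mitigation.
    policy_public = bool(actions) and not pab.get("RestrictPublicBuckets", False)
    acl_public = (any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS
                      for g in bucket.get("acl_grants", []))
                  and not pab.get("IgnorePublicAcls", False))
    reasons = ([f"policy:{','.join(sorted(actions))}"] if policy_public else []) \
        + (["acl:public-grant"] if acl_public else [])
    return reasons, (actions if policy_public else set())


def triage(bucket):
    """Score one alert using Environment and DataClassification tags as context."""
    reasons, actions = effective_exposure(bucket)
    tags = {k.lower(): v.lower() for k, v in bucket.get("tags", {}).items()}
    env, data = tags.get("environment", "unknown"), tags.get("dataclassification", "unknown")
    result = {"name": bucket["name"], "env": env, "data": data, "reasons": reasons}
    if not reasons:
        return {**result, "score": 0, "verdict": "false positive: blocked by Public Access Block"}
    write = any(a == "s3:*" or a.split(":")[-1].startswith(("Put", "Delete")) for a in actions)
    env_w = ENV_WEIGHT.get(env, 2)     # unknown environment: assume worse than dev
    data_w = DATA_WEIGHT.get(data, 3)  # unlabeled data: treat as confidential
    score = env_w * (data_w * 5 + (WRITE_BONUS if write else 0))
    if score == 0:
        verdict = "expected public (read-only, classified public): confirm with owner"
    else:
        verdict = "remediate" + (" and fix missing tags" if "unknown" in (env, data) else "")
    return {**result, "score": score, "verdict": verdict}


def rank(buckets):
    """Order alerts by contextual score, highest first."""
    return sorted((triage(b) for b in buckets), key=lambda r: r["score"], reverse=True)


# Constructed sample alerts (not real buckets).
SAMPLE_BUCKETS = [
    {"name": "acme-www-assets",  # public website assets, read-only: by design
     "public_access_block": {"IgnorePublicAcls": True},
     "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-www-assets/*"}]}),
     "acl_grants": [], "tags": {"Environment": "prod", "DataClassification": "public"}},
    {"name": "acme-customer-exports",  # genuinely exposed customer data
     "public_access_block": {},
     "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                           "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}),
     "acl_grants": [], "tags": {"Environment": "prod", "DataClassification": "confidential"}},
    {"name": "acme-staging-logs",  # legacy public ACL neutralised by IgnorePublicAcls
     "public_access_block": {"IgnorePublicAcls": True}, "policy": None,
     "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}],
     "tags": {"Environment": "staging", "DataClassification": "internal"}},
    {"name": "acme-ml-scratch",  # untagged and world-writable
     "public_access_block": {},
     "policy": json.dumps({"Statement": {"Effect": "Allow", "Principal": "*",
                                         "Action": "s3:*", "Resource": "*"}}),
     "acl_grants": [], "tags": {}},
]

if __name__ == "__main__":
    for r in rank(SAMPLE_BUCKETS):
        print(f'{r["score"]:>3}  {r["name"]:<22} {r["verdict"]}  {r["reasons"]}')
```

Run as-is, the script ranks the world-writable, untagged scratch bucket first, the confidential customer export second, and drops the two remaining alerts to zero: one because it is public by design, the other because the public ACL is already neutralized at the bucket level. The important design choice is that an unknown tag is scored as "probably bad", not ignored, so missing labels surface as work to do instead of silently lowering priority.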

The Real Question: Why Are These Alerts The Priority?

Still, there’s a more important question to answer.

Why are the 346 criticals and 40 S3 buckets the priority?

346 critical alerts scattered across an organization may pose no immediate risk at all, while three medium-severity findings on connected resources in a single environment can chain into an exploitable path. That chain is what is often called a toxic combination.

Instead, ask yourself: what is the most dangerous attack path in those 346 critical alerts?

Can you identify which of the critical alerts matters most? A critical can be genuinely dangerous, but it can also be a simple misconfiguration on an isolated resource, or an asset flagged only because it was never labeled correctly.
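To make "attack path" and "toxic combination" concrete, here is an added example (not code from the article or its author) that models a handful of resources, the findings a scanner reported on them, and the hops an attacker could make between them. The inventory, finding IDs and titles are constructed for illustration; in practice the graph would be built from the cloud inventory and the scanner's alert export. It shows why three medium findings that line up from the internet to customer data outrank two critical findings that nothing reaches.

```python
"""Toxic combinations: medium findings on connected resources that chain into a
path from the internet to sensitive data. Added example, not from the article;
the inventory, edges and findings are constructed by hand (a real run would build
them from the cloud inventory and the scanner's alert export)."""

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed inventory: which resources hold data worth protecting.
RESOURCES = {
    "internet": {"sensitive": False},
    "web-01": {"sensitive": False},           # EC2 instance with a public IP
    "role-web": {"sensitive": False},         # instance profile role of web-01
    "bucket-customers": {"sensitive": True},  # S3 bucket with customer records
    "jump-dev": {"sensitive": False},         # private bastion host
    "db-analytics": {"sensitive": True},      # RDS instance in a private subnet
}

# Constructed findings as a scanner would emit them (ids and titles are made up).
FINDINGS = {
    "F-101": ("web-01", "medium", "Security group allows 0.0.0.0/0 to port 8080"),
    "F-102": ("web-01", "medium", "IMDSv1 still enabled (HttpTokens=optional)"),
    "F-103": ("role-web", "medium", "Role policy grants s3:* on Resource *"),
    "F-201": ("db-analytics", "critical", "Storage not encrypted at rest"),
    "F-202": ("jump-dev", "critical", "Unpatched OS packages"),
}

# Hops an attacker could take, each gated on the findings that make it possible;
# an empty list means the hop is structural (always available).
EDGES = [
    ("internet", "web-01", ["F-101"]),           # reach the app from the internet
    ("web-01", "role-web", ["F-102"]),           # SSRF/RCE on the app steals role creds
    ("role-web", "bucket-customers", ["F-103"]), # role can read every bucket
    ("jump-dev", "db-analytics", []),            # bastion reaches the database
]


def attack_paths(open_findings, start="internet"):
    """Depth-first search for every path from `start` to a sensitive resource
    whose hops are all enabled by currently open findings."""
    open_ids, paths = set(open_findings), []

    def walk(node, trail, used):
        if RESOURCES[node]["sensitive"]:
            paths.append({"nodes": trail, "findings": used})
            return
        for src, dst, reqs in EDGES:
            if src == node and dst not in trail and all(r in open_ids for r in reqs):
                walk(dst, trail + [dst], used + reqs)

    walk(start, [start], [])
    return paths


def prioritize(open_findings):
    """Findings that sit on an attack path come first, regardless of standalone
    severity; the rest are ordered by severity, then id."""
    chained = {f for p in attack_paths(open_findings) for f in p["findings"]}
    return sorted(open_findings,
                  key=lambda f: (f not in chained, -SEVERITY[FINDINGS[f][1]], f))


if __name__ == "__main__":
    for f in prioritize(list(FINDINGS)):
        resource, sev, title = FINDINGS[f]
        print(f"{f} [{sev:>8}] {resource:<18} {title}")
    # Closing one medium (IMDSv1) breaks the chain; the two criticals never had one.
    print("paths after fixing F-102:", attack_paths([f for f in FINDINGS if f != "F-102"]))
```

The second print line is the practical payoff: fixing a single medium finding in the middle of the chain removes the only path to customer data, which is a far better use of the afternoon than working through the two criticals first. The criticals still need fixing, but the order is now driven by reachability rather than by the severity label alone.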

Today's cybersecurity tools are good at categorizing findings and ranking them by generic severity, but they fall short because they cannot contextualize the customer's environment; they are not tuned to the systems they protect. As a result, most tools (and security teams) focus on remediating the low-hanging fruit among the critical alerts.

This often devolves remediation into these simplified approaches:

• Tackling alerts based on established priority

• Addressing alerts using a first in, first out (FIFO) or last in, first out (LIFO) approach

But if you step back and examine the available context, you will understand the broader relationship between alerts and your environment, giving you a clear picture of where to start.

Why Most Companies Get Context Wrong

Cybersecurity is a numbers game, and many companies lack the time and breadth for contextualization. This makes it nearly impossible to manage your risk at scale.

Context is what turns raw data points into the actionable intelligence your remediation efforts need in order to succeed.

Returning to the original problem of 346 critical alerts and 40 publicly accessible S3 buckets, there are a few takeaways to consider:

• Scanners often compare surface characteristics of buckets and classify two of them as equivalent. Reading each bucket's metadata (tags, policy, access settings) verifies whether that is true, but doing so by hand is very time-consuming.

• Solving this problem by hiring more people isn’t sustainable, especially as your organization grows and matures.

• Investigating ownership to learn more about the problem works in smaller organizations but isn’t scalable in enterprise environments with thousands of stakeholders.

Effective cloud remediation takes time. On average, our research shows that a single cloud misconfiguration can take 198 days to remediate. Now multiply that by 346 issues. You can see how this quickly becomes overwhelming.

In truth, the goal should never be to get to zero alerts. The goal should be to create a more secure environment, and doing that requires prioritization.

Why A Successful Cloud Remediation Strategy Requires Context

How can your teams protect your cloud environments if they don’t know where to start?

With context, improving your cloud security posture management (CSPM), mapping risk and employing prioritization in your remediation efforts becomes far more manageable at scale. This enables you to:

• Understand the paths a threat can take

• Apply business context and compliance requirements to prioritization

• Make informed decisions when it comes to remediation

So, give your security teams the context they need. I promise they’ll love you for it.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


February 7, 2025 at 01:45PM
https://ift.tt/2JuU7MD
Ran Nahmias, CommunityVoice
