Cloud Security Insights and Trends


Summary

Cloud security insights and trends highlight evolving risks and defense strategies for protecting data and systems hosted in cloud environments. At its core, cloud security is about safeguarding information and access across distributed platforms, while staying ahead of threats that exploit misconfigurations, identity gaps, and rapid attack patterns.

  • Prioritize visibility: Regularly review your cloud environment to identify blind spots or misconfigurations before attackers can exploit them.
  • Audit identities: Monitor user accounts and authentication flows closely, since most breaches now stem from stolen or misused credentials.
  • Strengthen response plans: Update your incident response and resilience strategies to address modern attack methods, including rapid credential-based compromises and vulnerabilities in both cloud and connected devices.
Summarized by AI based on LinkedIn member posts
  • Dr. Gurpreet Singh

    🚀 Driving Cloud Strategy & Digital Transformation | 🤝 Leading GRC, InfoSec & Compliance | 💡Thought Leader for Future Leaders | 🏆 Award-Winning CTO/CISO | 🌎 Helping Businesses Win in Tech

    Cloud Security Isn’t a Feature—It’s a Muscle. Here’s How to Train It in 2024.

    Last year, an AWS misconfiguration at a Fortune 500 retailer exposed 14M customer records. The culprit? A ‘minor’ S3 bucket oversight their team ‘fixed’ 8 months ago. Spoiler: They hadn’t.

    During a recent CSPM (Cloud Security Posture Management) audit, we found a client’s Azure Blob Storage was publicly accessible by default for 11 months. Their DevOps team swore they’d locked it down—turns out their CI/CD pipeline silently reverted settings during deployments. Cost of discovery? $458k in compliance fines. Cost of prevention? A 15-line Terraform policy.

    Modern cloud breaches aren’t about hackers outsmarting you. They’re about teams failing to enforce consistency across ephemeral environments. Tools like AWS GuardDuty or Azure Defender alone won’t save you. Why?
    • 73% of cloud breaches trace to misconfigurations teams already knew about (Gartner 2024)
    • Serverless/IaC adoption has made drift detection 23x harder than in 2020

    Proactive Steps (2025 Edition):
    1️⃣ Embed Security in IaC Templates: Use Open Policy Agent (OPA) to bake guardrails into Terraform/CloudFormation. Example: Block deployments if S3 buckets lack versioning + encryption
    2️⃣ Automate ‘Drift’ Hunting: Tools like Wiz or Orca Security now map multi-cloud assets in real-time. Pro tip: Schedule weekly “drift reports” showing config changes against your golden baseline
    3️⃣ Shift Left, Then Shift Again: GitHub Advanced Security + GitLab Secret Detection now scan IaC pre-merge. Case study: A fintech client blocked 62% of misconfigs by requiring devs to fix security warnings before code review
    4️⃣ Simulate Cloud Attacks: Run breach scenarios using tools like MITRE ATT&CK® Cloud Matrix. Latest trend: Red teams exploit over-permissive Lambda roles to pivot between AWS accounts

    The Brutal Truth: Your cloud is only as secure as your least disciplined deployment pipeline. When tools like Lacework or Prisma Cloud flag issues, they’re not alerts—they’re invoices for your security debt. When did ‘We’ll fix it in the next sprint’ become an acceptable cloud security strategy?

    Drop👇 your #1 IaC security rule or share your worst ‘drift’ horror story.
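The guardrail from step 1️⃣ above (deny a deployment when an S3 bucket lacks versioning or default encryption), written as an added Python check over Terraform's plan JSON rather than as the author's OPA/Rego policy; the plan excerpt is constructed, and the check assumes bucket names are set explicitly so the versioning and encryption resources can be matched to their bucket at plan time.

```python
import json
from typing import Dict, List

# Constructed `terraform show -json tfplan` excerpt, trimmed to what the check reads.
# Assumption: bucket names are set explicitly in the Terraform, so the `bucket`
# attribute on the versioning/encryption resources is already known at plan time.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-logs"}},
    {"address": "aws_s3_bucket_versioning.logs", "type": "aws_s3_bucket_versioning",
     "values": {"bucket": "acme-logs",
                "versioning_configuration": [{"status": "Enabled"}]}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "values": {"bucket": "acme-logs",
                "rule": [{"apply_server_side_encryption_by_default":
                          [{"sse_algorithm": "aws:kms"}]}]}},
    {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-exports"}},
    {"address": "aws_s3_bucket_versioning.exports", "type": "aws_s3_bucket_versioning",
     "values": {"bucket": "acme-exports",
                "versioning_configuration": [{"status": "Suspended"}]}},
]}}})

SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}  # valid default-encryption algorithms


def _walk(module: dict):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def evaluate_plan(plan_json: str) -> Dict[str, List[str]]:
    """Return {bucket address: [violations]} for every S3 bucket that breaks the rule."""
    resources = list(_walk(json.loads(plan_json)["planned_values"]["root_module"]))
    versioned, encrypted = set(), set()
    for res in resources:
        vals = res.get("values", {})
        if res["type"] == "aws_s3_bucket_versioning":
            cfg = (vals.get("versioning_configuration") or [{}])[0]
            if cfg.get("status") == "Enabled":
                versioned.add(vals.get("bucket"))
        elif res["type"] == "aws_s3_bucket_server_side_encryption_configuration":
            for rule in vals.get("rule", []):
                for dflt in rule.get("apply_server_side_encryption_by_default", []):
                    if dflt.get("sse_algorithm") in SSE_ALGORITHMS:
                        encrypted.add(vals.get("bucket"))

    violations: Dict[str, List[str]] = {}
    for res in resources:
        if res["type"] != "aws_s3_bucket":
            continue
        name = res.get("values", {}).get("bucket")
        problems = []
        if name not in versioned:
            problems.append("versioning not Enabled")
        if name not in encrypted:
            problems.append("no default server-side encryption")
        if problems:
            violations[res["address"]] = problems
    return violations


def plan_is_allowed(plan_json: str) -> bool:
    """Fail closed: a single violating bucket denies the whole deployment."""
    return not evaluate_plan(plan_json)


if __name__ == "__main__":
    for address, problems in evaluate_plan(PLAN_JSON).items():
        print(f"DENY {address}: {', '.join(problems)}")
    raise SystemExit(0 if plan_is_allowed(PLAN_JSON) else 1)
```

Wired into CI after `terraform plan`, a non-zero exit blocks the merge the same way the OPA policy in the post would.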

  • Yasin AĞIRBAŞ

    Information Technology Specialist | Tech Enthusiast | Cyber Security

    ☁️ Most cloud security problems don’t start with a breach. They start with blind spots teams underestimated.

    I just reviewed a cloud security resource that brings together something many teams still struggle to connect in practice: Cloud security is not just about protecting workloads. It’s about understanding the full attack surface behind them.

    What makes this especially useful is that it does not stop at “cloud is important.” It covers the bigger picture:
    ✅ cloud vulnerabilities and security concepts
    ✅ privacy and access control issues
    ✅ threat models and attack taxonomy
    ✅ intrusion detection approaches in cloud
    ✅ security tools, VM introspection, hypervisor introspection, and container security

    That matters because real cloud risk is rarely isolated. It spans:
    • misconfigurations
    • weak access control
    • virtualization layers
    • network exposure
    • monitoring gaps
    • and containerized environments

    🎯 My takeaway: The teams that improve fastest in cloud security are not always the ones with the most tools. They’re the ones that understand: where attacks happen, how they spread, and which layers actually need visibility. That’s where better architecture and better defense start.

    #CloudSecurity #CyberSecurity #CloudComputing #CloudNative #ContainerSecurity #KubernetesSecurity #DevSecOps #ThreatDetection #IncidentResponse #NetworkSecurity #InfrastructureSecurity #CloudArchitecture #SecurityOperations #InfoSec #Virtualization #SOC #CyberDefense #CloudRisk #SecurityEngineering #DetectionEngineering

  • Alexander Leslie

    National Security & Intelligence Leader | Senior Advisor @ Recorded Future | Insikt Group | Cybercrime, Espionage, & Influence Operations

    🚨 ☁️ - New Recorded Future Insikt Group report! This research examines how cloud intrusions are converging on a consistent pattern: adversaries rarely need to deploy traditional malware once they obtain a valid identity.

    The operational pivot is quiet but consequential. Access now precedes tooling. After authentication, attackers increasingly rely on native platform functionality to enumerate environments, manipulate backups, alter encryption states, and move data through sanctioned workflows. From the system’s perspective the activity is compliant. The infrastructure does exactly what it was designed to do, just for the wrong principal.

    What emerges is a different kind of compromise. Historically an intrusion introduced foreign code into a trusted environment. In cloud environments the attacker instead borrows trust from the environment itself. Detection therefore becomes less about identifying artifacts and more about interpreting intent, which is a far less stable signal. Administrative behavior, automation, and malicious action begin to occupy the same telemetry space.

    That shift quietly reshapes response and policy. Attribution frameworks built around infrastructure and tooling struggle when the operational layer is indistinguishable from legitimate enterprise administration. Actions that produce real operational impact can occur through standard consoles, tokens, and APIs. The observable evidence increasingly looks like misused governance rather than external penetration.

    The dependence on shared platforms compounds this effect. A single compromised vendor or federated identity can propagate access across multiple tenants, turning what would once have been an isolated incident into a cross-organizational event with systemic characteristics. The boundary between incident response and resilience planning narrows accordingly.

    Cloud security is therefore drifting away from the traditional model of defending systems toward validating authority. The practical question is less whether an environment was breached and more whether the actor operating inside it had the right to act at all.

  • Dan Nguyen-Huu

    Partner at Decibel Partners | Enterprise Software, AI, Cybersecurity

    Wanted to share 4 takeaways from one of the most data-rich CTI publications I’ve read all year. Elastic just released their annual Global Threat Report and here are the four trends that stood out to me:

    1️⃣ Stealth is dead. Speed is the new attacker playbook. Attackers have stopped hiding and started sprinting. Windows execution tactics doubled year-over-year (16% → 32%), overtaking evasion for the first time ever.
    What this means: Adversaries are betting they can outrun your defenses. Defenders need runtime protection that can act in seconds, not hours.

    2️⃣ Infostealers are the new ransomware. 1 in 8 malware samples target your browser credentials for initial access brokers to supply the marketplace. Those credentials are then used to compromise cloud environments at scale.
    What this means: Browsers are the front door to your entire cloud infrastructure. Credential hygiene is your first line of defense.

    3️⃣ Cloud compromise has a 3-step recipe. Across Azure, AWS, and GCP, 60%+ of incidents come from just three tactics: Initial Access, Persistence, Credential Access.
    What this means: Every breach looks different, but the playbook is the same. Focus telemetry there.

    4️⃣ The OAuth wars have begun. State-backed and criminal actors are now phishing for tokens, not passwords. Elastic and Volexity both observed adversaries using legitimate Microsoft OAuth flows to mint tokens, bypass MFA, and persist via Entra ID.
    What this means: You can't MFA your way out of compromised authorization. Defenders need to audit OAuth applications, monitor for suspicious token activity, and implement session controls that verify device and location context. Authz is the new battleground.

    The threat landscape is consolidating around speed, identity, and cloud attack paths, which means that modern defenses will need to:
    - Detect threats in real-time, not retrospectively
    - Secure the browser-to-cloud attack chain
    - Solve authorization, not just authentication

  • Mandiant (now part of Google Cloud) just released our annual security report - M-Trends 2024. The report summarizes the trends we observed in our breach investigations throughout 2023. There are so many gems throughout the report. Here are a few of the observations that stood out to me:

    1️⃣ Espionage actors are increasingly exploiting 0-day vulnerabilities and deploying custom malware on edge devices (firewalls, VPNs, and security appliances) and other systems like VMware hypervisors that don’t commonly support EDR solutions.
    ☣️ Most of these systems are closed and require significant effort to examine for evidence of compromise. They often require the vendor to acquire forensic data from it (not every vendor will do this).
    ☣️ Some vendors have created file integrity checking solutions to help organizations identify when devices have been compromised.
    ☣️ As a community, we have a *long* way to go to address this problem. We anticipate we will continue to see espionage actors targeting these systems to obtain initial and persistent access to victim environments.

    2️⃣ The median attacker dwell time (the duration between the initial compromise and detection) is 10 days. 6% of the cases we worked had a dwell time between 1-5 years.

    3️⃣ The dwell time for ransomware & multifaceted extortion events was 5 days, usually because the threat actor sent an extortion communication to the victim by day 5.

    4️⃣ 54% of our clients learned about the incident from a third party (law enforcement, security firm, threat actor, or media).

    5️⃣ Exploitation of vulnerabilities continues to be the #1 way in which threat actors gain initial access to victim environments (38% of our cases). Phishing is next (17%).

    6️⃣ 15% of the incidents that we responded to last year were a result of a prior security incident that wasn’t fully remediated, e.g. a backdoor wasn’t found/removed or a service account’s password wasn’t rotated.

    7️⃣ Stolen credentials by infostealers accounted for 10% of the intrusions. This is an issue with both corporate assets and personal computers.
    ☣️ Many people occasionally access their work email from their home computers. People (or their children) sometimes install pirated software on their home computers that is laced with infostealing malware.
    ☣️ Threat actors are increasingly leveraging stolen credentials or cookies from home computers to access corporate environments.

    8️⃣ 17% of the cases we investigated had multiple threat actors in the environment.

    Thanks to the hundreds of Mandiant professionals that contributed to this report and analysis! Special shout out to Kirstie F., Scott Runnels, Nick Richard, Kelli V., Adam Greenberg, Maria Pavlick-Larsen, Melanie Leboeuf, Kerry Matre, Jennifer Guzzetta, Amanda C., Adrian Sanchez Hernandez, Alexander Marvi, Alyssa Glickman, Angelus Llanos, Ashley Pearson, Austin Larsen, Brandon Wilbur, Brendan McKeague, and so many more.

    Link to the report: https://lnkd.in/eSqtxgSJ

  • Darshana Manikkuwadura

    C-Suite | Tech Leader & Founder | Fintech, AI, Web 3 & Payments Expert | Visiting Lecturer | Advisor | Ambassador and Global Speaker | Investor | 4x Startup Founder (2 exits) | Born in 🇱🇰, Made in 🇬🇧

    🔐 Unlocking Cloud Security: Introducing Automated AWS Key Rotation in CipherTrust Cloud Key Management (CCKM) from Darshana Manikkuwadura (Dash) I provide an in-depth exploration of how the latest Amazon Web Services (AWS) Key Rotation capability in Thales CipherTrust Cloud Key Management (CCKM) is transforming cloud-native security for modern enterprises. As organizations face increasingly sophisticated cyber threats and rising regulatory demands, the need for automated, scalable, and auditable key management has never been more urgent. The article explains why cryptographic key rotation is a foundational security practice, reducing exposure windows, strengthening compliance alignment, and ensuring long-term data protection across distributed cloud environments. It highlights how the new Amazon Web Services (AWS) Key Rotation feature in CCKM automates the entire lifecycle of Amazon Web Services (AWS) KMS keys—allowing security teams to define rotation schedules, manage keys across accounts and regions, and generate audit-ready logs with minimal operational overhead. The article also delves into the powerful AWS Key Discovery Tool, which helps organizations uncover key sprawl, identify dormant or orphaned keys, and centralize governance for thousands of cryptographic assets. Through detailed insights, practical examples, and a cloud security expert’s perspective, the article demonstrates how Thales and Amazon Web Services (AWS) together enable stronger data sovereignty, operational efficiency, and zero-trust alignment. It is an essential read for CISOs, cloud architects, security engineers, and compliance leaders shaping their cloud security strategy for the future. 
#CloudSecurity #DataSecurity #CyberSecurity #Encryption #KeyManagement #AWS #AWSCloud #AWSKMS #Thales #ThalesCipherTrust #CCKM #CloudCompliance #DataSovereignty #ZeroTrust #InfoSec #CyberResilience #SecurityAutomation #MultiCloud #HybridCloud #CloudGovernance #DigitalTrust #SecurityArchitecture #CloudStrategy #EnterpriseSecurity #RiskManagement #CISO #CloudInnovation #SecurityEngineers #CloudTransformation #CyberDefense #darshanamanikkuwadura Darshana Manikkuwadura (Dash)

  • Richard Stroupe

    Helping sub $3m tech founders construct their $10m blueprint | 3x Entrepreneur | VC Investor

    I’ve spent years researching cloud security. Australia's $2 billion Top Secret Cloud deal shows where the future of national security is headed:

    Australia's AWS partnership isn't just another IT project. It reflects a fundamental shift in how intelligence agencies operate. They're moving to the cloud - despite its security risks - because they have no choice.
    • Real-time data-sharing is now mission critical
    • Legacy systems can’t handle today’s massive datasets
    • AI-driven threat detection requires cloud-scale computing power.

    But the cloud introduces new vulnerabilities. My dissertation research found 78% of multi-cloud environments have critical security misconfigurations. And even elite security teams struggle with proper configurations.

    This creates the intelligence paradox: Agencies must adopt cloud technology for superiority
    ↳ While simultaneously accepting elevated security risks.

    Australia’s new $2 billion partnership signals:
    1) The intelligence advantages outweigh the risks
    2) While extraordinary security measures are needed
    3) To protect its most sensitive data

    This follows the American playbook. The US has already committed billions through the Pentagon's JWCC, the CIA's C2E, and the NSA's Wild and Stormy contract. Australia's adoption signals more US allies will follow suit, expanding the market for secure cloud solutions globally.

    For security-focused entrepreneurs and investors, massive government spending creates opportunities in:
    1) Multi-cloud security orchestration
    2) "Zero-trust" architecture for intelligence systems
    3) AI-driven threat detection for classified environments

    It's not just about building tomorrow's digital infrastructure, but securing it.

  • Key Trends for 2024

    Dear LinkedIn Community,

    As we look to 2024, the world of cybersecurity is, once again, undergoing a transformation that demands our attention. The threat landscape is more dynamic and complex than ever before, driven by emerging technologies, evolving attack vectors, and a new era of cyber threats. As a Chief Information Security Officer (CISO), I believe it's crucial for us to stay ahead of these changes to protect our organizations effectively. Here are some key trends and insights that I believe will define the cybersecurity landscape in 2024:

    1. Ransomware Evolution: Ransomware attacks have taken center stage in recent years. We will continue to see sophisticated ransomware strains that target critical infrastructure, demand larger ransoms, and employ innovative tactics to evade detection. Our defenses must evolve accordingly, with a focus on proactive threat hunting and robust incident response plans.
    2. Zero Trust Architecture: As perimeter-based security models become less effective, organizations are embracing the idea that trust should not be assumed, even within their networks. Implementing Zero Trust architecture is about verifying every user, device, and transaction, regardless of their location, to minimize the attack surface.
    3. Artificial Intelligence (AI) and Machine Learning (ML) in Cybersecurity: AI and ML are becoming invaluable tools in the fight against cyber threats. They enable us to detect anomalies, automate threat detection, and respond to incidents more rapidly. However, we must also be aware of the risks associated with adversarial AI, which attackers can manipulate to their advantage.
    4. Supply Chain Security: Recent high-profile supply chain attacks have highlighted the vulnerabilities in our interconnected digital ecosystem. As CISOs, we must collaborate with our vendors and partners to assess and mitigate supply chain risks, ensuring the security of the entire ecosystem.
    5. Cloud Security: With the continued migration to the cloud, securing cloud environments is paramount. Embrace a holistic cloud security strategy that includes identity and access management, data encryption, and continuous monitoring.
    6. Privacy and Compliance: Evolving data privacy regulations and increasing consumer expectations for data protection require us to maintain a strong focus on compliance. Ensure that your organization's data handling practices align with the latest privacy laws.

    Let's keep the conversation going. I'd love to hear your thoughts on these trends and how you're addressing the evolving challenges in your organization.

    #Cybersecurity #CISO #InfoSec #TechnologyTrends #DataProtection #ZeroTrust #AI #ML #Ransomware #SupplyChainSecurity #CloudSecurity #PrivacyCompliance #CybersecuritySkills #cisolife #cybersecurity #informationsecurity

  • Zinet Kemal, M.S.c

    Mom of 4 | Senior Cloud Security Engineer | TEDx Speaker | Author | LinkedIn Instructor | AIGP | CISA | CCSK | AWS Security Speciality | I help parents & educators protect the youth online

    2024 State of Cloud Security Study Key Insights

    A great morning read from Datadog: ‘analyzed security posture data from a sample of thousands of organizations that use AWS, Azure, or Google Cloud.’

    ↗️ Long-lived credentials -> remain a security risk, with 60% of AWS IAM users having access keys older than one year. Unused credentials are widespread, increasing attack surfaces across all cloud providers (AWS, Azure, GCP).
    Recommendation -> Shift to temporary, time-bound credentials & centralized identity management solutions.

    ↗️ Public access blocks on cloud storage increasing
    AWS S3 & Azure Blob Storage are increasingly using public access blocks, with S3 seeing 79% of buckets proactively secured.
    Recommendation -> Enable account-level public access blocks to minimize risks of accidental data exposure.

    ↗️ IMDSv2 adoption growing
    AWS EC2 instances enforcing IMDSv2 have grown from 25% to 47%, yet many instances remain vulnerable.
    Recommendation -> Enforce IMDSv2 across all EC2 instances & use regional settings for secure defaults.

    ↗️ Managed Kubernetes clusters
    Many clusters (almost 50% on AWS) expose APIs publicly, with insecure default configurations risking attacks.
    Recommendation -> Use private networks, enforce audit logs, & limit permissions on Kubernetes worker nodes.

    ↗️ 3rd-Party integrations pose supply chain risk
    10% of third-party IAM roles are overprivileged, creating risks of AWS account takeover.
    Recommendation -> Limit permissions, enforce External IDs, & remove unused third-party roles.

    ↗️ Most cloud incidents caused by compromised cloud credentials
    Cloud incidents are often triggered by compromised credentials, particularly in AWS, Azure, & Entra ID environments.
    Patterns of Attack
    + Compromised identities
    + Escalation via GetFederationToken
    + Service enumeration
    + Reselling access
    + Persistence techniques
    Microsoft 365 -> Credential stuffing, bypassing MFA, & malicious OAuth apps for email exfiltration.
    Google Cloud -> Attackers leverage VPNs & proxies for crypto mining and follow common attack patterns.
    Recommendations -> Implement strong identity controls & monitor API changes that attackers may exploit.

    ↗️ Many cloud workloads are excessively privileged or run in risky configurations
    Overprivileged cloud workloads expose organizations to significant risks, including full account compromise & data breaches.
    Recommendation -> Enforce least privilege principles on all workloads. Use non-default service accounts with tailored permissions in Google Cloud. Avoid running production workloads in AWS Organization management accounts.

    The study shows improved adoption of secure cloud configurations -> better awareness + enforcement of secure defaults. However, risky credentials & common misconfigurations in cloud infrastructure remain significant entry points for attackers.

    P.s. use the info to strengthen your org cloud security posture. Full study report in the comment ⬇️

    #cloudsecurity #cloudsec #cybersecurity
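An added example (not Datadog's or AWS's code) that turns the first finding above into a repeatable audit: it reads an IAM credential report in the column layout that `aws iam get-credential-report` produces and flags active access keys that are older than a year, have never been used, or have sat idle. The rows and the reference date are constructed so the result is reproducible offline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed rows in the column layout of `aws iam get-credential-report`
# (ISO 8601 UTC timestamps, "N/A" where no value exists). Only the columns
# this audit reads carry meaningful data; the account id is a placeholder.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-01-10T09:05:00+00:00,2024-11-30T12:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
analyst,arn:aws:iam::111122223333:user/analyst,2024-06-01T08:00:00+00:00,true,2024-11-29T10:00:00+00:00,2024-06-01T08:00:00+00:00,N/A,true,true,2024-06-01T08:10:00+00:00,N/A,N/A,N/A,true,2024-09-15T08:10:00+00:00,2024-11-28T10:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
"""

# Fixed reference date (assumption) so the age arithmetic is reproducible.
TODAY = datetime(2024, 12, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=365)   # the "older than one year" threshold from the study
MAX_IDLE = timedelta(days=90)       # treat keys unused for this long as stale


def _timestamp(value: str):
    """Parse a report timestamp; the report's N/A-style markers become None."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, today: datetime = TODAY) -> List[Dict[str, str]]:
    """Flag active access keys that are over a year old, never used, or idle."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or nonexistent key: nothing to rotate
            key = f"{row['user']}/access_key_{slot}"
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            last_used = _timestamp(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and today - rotated > MAX_KEY_AGE:
                findings.append({"key": key, "issue": "older than 365 days",
                                 "detail": f"last rotated {rotated.date()}"})
            if last_used is None:
                findings.append({"key": key, "issue": "active but never used",
                                 "detail": "no last-used date recorded"})
            elif today - last_used > MAX_IDLE:
                findings.append({"key": key, "issue": "idle for over 90 days",
                                 "detail": f"last used {last_used.date()}"})
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{finding['key']}: {finding['issue']} ({finding['detail']})")
```

Pointing it at a real report is a matter of replacing the constructed string with the decoded `Content` field of the `get-credential-report` response.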

  • Francis Odum

    Founder @ Software Analyst Cybersecurity Research (SACR)

    Cloud & App security remains a top priority for CISOs & security leaders into 2024. However, distinguishing between the ever-evolving categories within this domain has become increasingly challenging. Excited to share my deep dive into the major categories.

    My piece primarily segments the landscape into six areas:
    1) AST Solutions (SAST, DAST, IaC)
    2) Software Supply Chain (SCA)
    3) Cloud Security Vendors (CNAPP)
    4) SaaS Security (SSPM/CASB)
    5) Vulnerability Management (VMs)
    6) Runtime security (WAF, RASP, APIs)

    In recent years, there's been a blurring of lines and convergence amongst many of these areas, but I believe each of these six areas represents distinct parts.

    Looking forward to the rest of 2024, here are the top trends and themes that kept coming up in my research.
    1) More vendors wanting to become the ASPM (Application Security Posture Management) layer, aggregating code scanning tools together and provide across your application
    2) Security teams want to leverage better Cloud Detection and Response (CDR) with good ingest and alerting capabilities.
    3) More Cloud runtime security vendors with a focus on having more agents on cloud workloads to provide deeper detection capabilities
    4) Resurgence in API security and web application scanners.
    5) AI Security Posture Management (AI-SPM) is still early, but many are thinking about how to incorporate AI into their AppSec programs.

    Ultimately, the platform winner of this category will be determined by the vendor that can 'truly' incorporate code-scanning and cloud security from development to runtime into one single native solution.

    Read more for details and open to thoughts: https://lnkd.in/eTzC6HBS
