Can There Be Too Much Cloud Visibility in a Cloud Environment?

Vladi Sandler
Monday, Apr 19th, 2021

Everywhere you look in cloud security, you’ll see experts waxing lyrical about the importance of visibility. Trust us, we get it! If you can’t get an active and accurate view of everything that’s going on inside your environment, from containers and workloads, to buckets, instances and users, how can you make sure your ecosystem is functioning the way that it should? 

But while visibility is an important tool in identifying security threats or performance issues, does a view of the whole forest stop you from seeing the trees?

How Is Visibility Provided?

Today, in the pursuit of greater visibility, cloud providers such as AWS, GCP, Azure, and Oracle will provide security alerts that can tell you when something out of the ordinary has been found. This could be in relation to an existing list of threats, or something unusual that doesn’t fit the profile of ‘normal’ cloud behaviors. Your platform will collect data and show you all of this information, whether that’s pulled from an external engine such as the CIS Benchmark, or a list of compliance rules, or based on your own internal policies. You’ll get it displayed on a dashboard, or sent via a list of alerts. 

Some of this information is essential. It’s going to help you to save the day, keep your environment running at peak performance, and keep those hackers at bay, too. But to be honest… the vast majority of that information can be ignored. The more visibility that you get into every single detail, the less you’re going to be able to find what really matters. 

Quality over Quantity

No security team would ever say “The more alerts, the better”. However, when we talk about visibility, that’s often the result. We want information pulled from more sources, we want more information about our processes and our user behavior, we want to know it all! As a result, we get hundreds of alerts, and we really don’t know much about their urgency or importance. Your teams start skimming alerts, ignoring them entirely, or making assumptions based on past behaviors or experience, and suddenly you may as well be relying on gut instinct instead of data. 

It might sound counter-intuitive, but your security teams aren’t wrong. The answer isn’t to tell them to sift through all of these alerts, because it’s just not a good use of their time. And their time equals your own bottom line. Remember, the more vendors you have, providing an increasing number of alerts all in the name of visibility… the larger this problem becomes. It’s not maintainable, and you need a better way. 

Visibility With a Side of Prioritization, Please

It’s time to move the focus from the visualization of each of these pieces of data in isolation, to the prioritization of actual real-world threats, based on that data. Instead of providing customers with a mass of information, security tools need to take the next step, and aggregate and analyze this data into actionable items that can be fixed and shored up to address vulnerabilities. 

Context is what gives meaning to visibility. Without it, you’re just adding busy work to your environment, and encouraging security teams to either waste time sifting through raw data to find that meaning, or accepting that the alerts will remain meaningless. 

At a minimum, your security solutions should be able to show you what is critical and needs immediate attention, what is important and should be made a high priority, and what can be left until the next update cycle. On top of that, your vendors should dramatically reduce the number of irrelevant alerts that you receive at all. 

From Dozens of Security Alerts Down to a Few

We would even go as far as to say that the number of events and findings that you generate doesn’t really matter. After all, this information is only valuable in the context of the threat to your environment. With priority-based tools, you can highlight the actual issues that need to be addressed inside your cloud environment, side by side with the mitigations that you can apply to fix them.

Think about a simple example: how a single over-permissive policy could open up an attack path to multiple sensitive assets. Traditionally, this could be displayed as a single alert that doesn’t seem to pose much risk. By following the attack path, and looking at the context of the cloud environment, the true nature of the risk becomes clear. On the flip side, you may get dozens of alerts about an issue that doesn’t translate to any real business risk.
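The scenario above can be sketched as a small graph walk. This is an added example, not code from the original post or from any vendor's product: the resource names, finding IDs, edges and tier thresholds are all constructed for illustration. One low-severity finding on an over-permissive role outranks twelve medium-severity findings on an isolated sandbox once the sensitive assets reachable from each resource are counted.

```python
from collections import deque

# Constructed environment: an edge A -> B means "A can access or assume B".
EDGES = {
    "role:ci-deployer": ["policy:wildcard-s3", "role:app-runtime"],
    "policy:wildcard-s3": ["bucket:customer-exports", "bucket:db-backups"],
    "role:app-runtime": ["secret:payments-api-key"],
    "vm:dev-sandbox": ["bucket:scratch"],
}
SENSITIVE = {"bucket:customer-exports", "bucket:db-backups", "secret:payments-api-key"}

# Constructed findings: (finding id, affected resource, scanner severity).
FINDINGS = [("F-001", "role:ci-deployer", "low")] + [
    (f"F-{i:03d}", "vm:dev-sandbox", "medium") for i in range(2, 14)
]


def reachable_sensitive(start):
    """Breadth-first walk from a resource; return the sensitive assets it can reach."""
    seen, queue, hits = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        if node in SENSITIVE:
            hits.add(node)
        for nxt in EDGES.get(node, []):
            if nxt not in seen:  # guards against cycles in trust relationships
                seen.add(nxt)
                queue.append(nxt)
    return hits


def prioritize(findings):
    """Collapse findings per resource and rank by sensitive assets on the path."""
    grouped = {}
    for fid, resource, _severity in findings:  # scanner severity is ignored on purpose
        grouped.setdefault(resource, []).append(fid)
    items = []
    for resource, ids in grouped.items():
        hits = reachable_sensitive(resource)
        # Tier thresholds are an assumption made for this example.
        tier = "critical" if len(hits) >= 2 else "high" if hits else "defer"
        items.append({"resource": resource, "tier": tier,
                      "alerts": len(ids), "exposes": sorted(hits)})
    return sorted(items, key=lambda i: len(i["exposes"]), reverse=True)


if __name__ == "__main__":
    for item in prioritize(FINDINGS):
        print(item)
```

Thirteen raw alerts collapse into two work items, and the one the scanner rated lowest lands at the top because it is the only one with a path to sensitive data.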

Make Cloud Visibility Count

Your cloud and Kubernetes environment is complex, so we totally understand the drive to visualize it all, and know everything that’s happening under your roof. But in many cases, your cloud security providers are doing you a disservice by sending you unmanaged and unprioritized alerts in the name of visibility. 

In response to this challenge, Panoptica takes the next step, prioritizing and contextualizing this information into actionable vulnerabilities in your cloud environment, alongside the steps (and in many cases the tools) for mitigation.

Ready to say goodbye to the unnecessary noise, and zero in on what’s important? Schedule a call. 
