Cloud Security Alerts Take Six Days to Resolve

Cloud security teams are exposing their organization to potential days of elevated cyber risk by failing to deal promptly with alerts, a new Palo Alto Networks report has warned.

The security vendor monitored tens of thousands of sensors deployed in organizations across various cloud service providers (CSPs), industries and countries, as well as public sources including GitHub and the National Vulnerability Database (NVD).

Its resulting Cloud Threat Report Volume 7 warned of a rapidly expanding cloud attack surface worsened by increasing volumes of vulnerabilities and misconfigurations.

Palo Alto Networks found that security teams take 145 hours – or around six days – on average to resolve a security alert, with 60% of organizations taking longer than four days. Previous Palo Alto research revealed that threat actors often begin exploiting a newly disclosed vulnerability within hours, leaving a potentially lengthy window of exposure for many firms.

Although unpatched vulnerabilities are by no means the only source of such alerts, they are a popular target for threat actors. Almost two-thirds (63%) of codebases in production have unpatched vulnerabilities rated high or critical, and more than one in 10 (11%) hosts exposed in public clouds feature high severity or critical bugs.

“In a cloud environment, a single vulnerability in the source code can be replicated to multiple workloads, posing risks to the entire cloud infrastructure,” the report warned.

Many of these vulnerabilities appear in open-source packages, with the complexity of code dependencies making it challenging to find and patch them.

Around half (51%) of codebases depend on more than 100 open-source packages, but just a quarter (23%) of packages are directly imported by developers, the report claimed. The rest (77%) of the required packages – often containing bugs – are introduced by “non-root packages” or dependencies.
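The direct-versus-transitive split the report describes can be measured from a project's own lockfile. The Python script below is an added example (not code from the report or from Palo Alto Networks) that reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), separates the packages named in the root manifest from those pulled in by other packages, and, for each transitive package, lists which direct dependencies are responsible for it. The lockfile contents are a constructed sample, not a real project.

```python
import json
from collections import defaultdict

# Constructed sample lockfile, shaped like an npm package-lock.json
# (lockfileVersion 2/3: a "packages" map keyed by install path, with the
# root manifest under the empty key ""). Not taken from a real project.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "example-app",
      "dependencies": {"express": "^4.18.0", "lodash": "^4.17.0"},
      "devDependencies": {"jest": "^29.0.0"}
    },
    "node_modules/express": {"version": "4.18.2",
                             "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
    "node_modules/body-parser": {"version": "1.20.1", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/jest": {"version": "29.5.0", "dev": true,
                          "dependencies": {"chalk": "^4.0.0"}},
    "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": true}
  }
}
""")


def package_name(install_path):
    """Map an install path to a package name.

    "node_modules/qs"                       -> "qs"
    "node_modules/@scope/pkg"               -> "@scope/pkg"
    "node_modules/jest/node_modules/chalk"  -> "chalk"  (nested copy)
    """
    return install_path.rsplit("node_modules/", 1)[1]


def classify_lock(lock):
    """Split installed packages into direct (named in the root manifest)
    and transitive (present only because another package requires them)."""
    packages = lock["packages"]
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    installed = {package_name(p) for p in packages if p}  # skip the "" root entry
    transitive = installed - direct
    return {
        "direct": sorted(direct),
        "transitive": sorted(transitive),
        "total": len(installed),
        "transitive_share": len(transitive) / len(installed) if installed else 0.0,
    }


def introducers(lock):
    """For each transitive package, list the direct dependencies whose
    dependency trees reach it. Edges are keyed by package name, so nested
    copies of the same package are merged; that is enough for triage."""
    packages = lock["packages"]
    edges = defaultdict(set)
    for path, entry in packages.items():
        if not path:
            continue
        edges[package_name(path)].update(entry.get("dependencies", {}))

    info = classify_lock(lock)
    result = {name: set() for name in info["transitive"]}
    for direct in info["direct"]:
        stack, seen = [direct], set()
        while stack:
            node = stack.pop()
            for child in edges.get(node, ()):
                if child in seen:
                    continue
                seen.add(child)
                if child in result:
                    result[child].add(direct)
                stack.append(child)
    return {name: sorted(roots) for name, roots in result.items()}


if __name__ == "__main__":
    info = classify_lock(SAMPLE_LOCK)
    print(f"{info['total']} packages, {len(info['direct'])} direct, "
          f"{info['transitive_share']:.0%} transitive")
    for name, roots in introducers(SAMPLE_LOCK).items():
        print(f"  {name}: introduced via {', '.join(roots)}")
```

Knowing which direct dependency introduces a vulnerable transitive package is what turns a scanner finding into an actionable fix (bump or replace the direct dependency) rather than a pin that the next install silently undoes. On the sample, half of the installed packages are transitive, and `qs` is reachable from `express` by two paths.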

Threat actors are also exploiting the software supply chain at scale: over 7300 malicious open-source packages were discovered in 2022 across all major package manager registries, according to the GitHub Advisory Database.

Elsewhere, the report found that:

  • Cloud users make the same mistakes over and over again. Just 5% of security rules trigger 80% of the alerts, meaning that if organizations can prioritize remediating things like unrestricted firewall policies, exposed databases and unenforced multi-factor authentication (MFA), they could drive security ROI
  • Sensitive data is regularly exposed in the cloud. Personally identifiable information (PII), financial records and intellectual property are found in 66% of storage buckets and 63% of publicly exposed storage buckets. A lack of visibility into these is hampering security efforts
  • Leaked credentials are everywhere. Some 83% of organizations have hard-coded credentials in their source control management systems, and 85% have hard-coded credentials in virtual machines’ user data. Leaked credentials played a part in every cloud breach analyzed by Palo Alto
  • Organizations are failing on MFA. Three-quarters (76%) of organizations do not enforce MFA for console users, and 58% do not enforce MFA for root/admin users. This puts consoles in particular at risk of brute force attacks using credentials found on the dark web
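Two of the report's headline numbers, the 145-hour mean time to resolve an alert (with 60% of organizations taking more than four days) and the observation that 5% of rules generate 80% of alerts, are both straightforward to compute from an alert export. The Python below is an added example, not code from the report or from Palo Alto Networks: it parses constructed JSON-lines alert records (one per line, with the rule that fired and open/close timestamps; the field names are this example's own), reports the mean resolution time and the share of alerts open beyond a four-day threshold, and finds the smallest set of rules that accounts for 80% of the alert volume.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample: one JSON alert record per line, as a cloud posture tool
# might export. "rule" is the policy that fired; timestamps are UTC.
# Field names and values are this example's own, not a vendor's format.
SAMPLE_ALERTS = """
{"id": 1, "rule": "unrestricted-security-group", "opened": "2023-04-01T00:00:00Z", "closed": "2023-04-07T01:00:00Z"}
{"id": 2, "rule": "unrestricted-security-group", "opened": "2023-04-02T06:00:00Z", "closed": "2023-04-10T14:00:00Z"}
{"id": 3, "rule": "public-storage-bucket", "opened": "2023-04-03T00:00:00Z", "closed": "2023-04-07T00:00:00Z"}
{"id": 4, "rule": "unrestricted-security-group", "opened": "2023-04-03T12:00:00Z", "closed": "2023-04-04T12:00:00Z"}
{"id": 5, "rule": "mfa-not-enforced", "opened": "2023-04-04T00:00:00Z", "closed": "2023-04-06T00:00:00Z"}
{"id": 6, "rule": "public-storage-bucket", "opened": "2023-04-05T00:00:00Z", "closed": "2023-04-08T00:00:00Z"}
{"id": 7, "rule": "unrestricted-security-group", "opened": "2023-04-05T08:00:00Z", "closed": "2023-04-10T08:00:00Z"}
{"id": 8, "rule": "access-key-not-rotated", "opened": "2023-04-06T00:00:00Z", "closed": "2023-04-06T10:00:00Z"}
{"id": 9, "rule": "unrestricted-security-group", "opened": "2023-04-06T00:00:00Z", "closed": "2023-04-16T00:00:00Z"}
{"id": 10, "rule": "public-storage-bucket", "opened": "2023-04-07T03:00:00Z", "closed": "2023-04-09T00:00:00Z"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp. fromisoformat() only accepts a
    trailing "Z" from Python 3.11 on, so normalise it to an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["opened"] = parse_ts(rec["opened"])
        rec["closed"] = parse_ts(rec["closed"])
        alerts.append(rec)
    return alerts


def resolution_stats(alerts, sla_hours=96):
    """Mean time to resolve, plus the share of alerts that stayed open
    longer than sla_hours (96 h = the report's four-day mark)."""
    hours = [(a["closed"] - a["opened"]).total_seconds() / 3600 for a in alerts]
    over = sum(1 for h in hours if h > sla_hours)
    return {
        "mean_hours": sum(hours) / len(hours),
        "over_sla_share": over / len(hours),
        "max_hours": max(hours),
    }


def rule_concentration(alerts, target=0.8):
    """Smallest set of rules (by descending alert count) that together
    account for at least `target` of all alerts: the ones to fix first."""
    counts = Counter(a["rule"] for a in alerts)
    total = sum(counts.values())
    chosen, covered = [], 0
    for rule, n in counts.most_common():
        chosen.append(rule)
        covered += n
        if covered / total >= target:
            break
    return {
        "rules": chosen,
        "rule_share": len(chosen) / len(counts),
        "alert_share": covered / total,
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    stats = resolution_stats(alerts)
    print(f"mean resolution {stats['mean_hours']:.0f} h, "
          f"{stats['over_sla_share']:.0%} of alerts open > 4 days")
    conc = rule_concentration(alerts)
    print(f"{conc['rule_share']:.0%} of rules produce {conc['alert_share']:.0%} "
          f"of alerts: {', '.join(conc['rules'])}")
```

On the constructed data, two of the four rules (the open security group and the public bucket policies) produce 80% of the alerts, and 40% of alerts stay open beyond four days. Run against a real export, the same two numbers tell a team which misconfiguration classes to fix at the source (a guardrail or a template change) so that the alerts stop recurring, rather than closing each one by hand.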
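The MFA gap in the last bullet is one of the cheaper findings to verify, because AWS publishes the relevant state per principal in the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`). The Python below is an added example, not code from the report or from Palo Alto Networks: it reads a credential report in CSV form and flags the root account and every console-enabled user that lacks an MFA device, while leaving API-only users (no console password) alone. The report rows here are constructed; the column names follow the AWS credential report layout as this example understands it, so treat that mapping as an assumption to confirm against your own export.

```python
import csv
import io

# Constructed credential report, following the column layout of an AWS IAM
# credential report (assumed: "user", "password_enabled", "mfa_active"; the
# real file carries more columns, which DictReader simply ignores). The
# account ID and user names are made up.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,false
carol,arn:aws:iam::123456789012:user/carol,true,false,true
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,false,true
"""

ROOT_USER = "<root_account>"  # how the credential report names the root account


def mfa_findings(report_csv):
    """Return (user, reason) pairs for principals that can sign in to the
    console without MFA. Root has no password_enabled flag (not_supported),
    so it is judged on mfa_active alone."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"
        if user == ROOT_USER:
            if not has_mfa:
                findings.append((user, "root account without MFA"))
            continue
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled without MFA"))
    return findings


def mfa_summary(report_csv):
    """Coverage numbers in the same shape as the report's statistics:
    how many console users exist and what share of them lack MFA."""
    console_users = 0
    without_mfa = 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == ROOT_USER or row["password_enabled"] != "true":
            continue
        console_users += 1
        if row["mfa_active"] != "true":
            without_mfa += 1
    return {
        "console_users": console_users,
        "without_mfa": without_mfa,
        "share_without_mfa": without_mfa / console_users if console_users else 0.0,
    }


if __name__ == "__main__":
    for user, reason in mfa_findings(SAMPLE_REPORT):
        print(f"{user}: {reason}")
    summary = mfa_summary(SAMPLE_REPORT)
    print(f"{summary['without_mfa']} of {summary['console_users']} console users "
          f"({summary['share_without_mfa']:.0%}) have no MFA device")
```

The check distinguishes the two cases the report counts separately: console users (who can be brute-forced with leaked passwords) and the root account. A user such as `svc-deploy`, which has only an access key, is not a console-MFA finding; key hygiene for such users is a separate control, and the credential report's access-key columns are the place to look for it.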
