Cloud Detection and Resposne (CDR) is an evolving approach to proactively defending cloud infrastructure against cyber-attacks. CDR takes a lot of approaches from traditional Threat Detection and Incident Response (TDIR) and applies these approaches to cloud-native infrastructure. This approach allows for optimized strategies specifically designed to fit the cloud-native threat landscape, given the limitations of traditional TDIR in cloud-native infrastructure.

CDR strategies combine cloud threat detection and incident response by employing several techniques, including active monitoring, log analytics, threat intelligence, incident response, forensic analysis, and threat analysis. This is advantageous since security teams are enabled to be agile and more productive; hence CDRs are rapidly becoming essential tools for security teams focused on protecting cloud-native infrastructure, including detection engineers, cloud security engineers, cloud incident responders, and SOC teams.

However, enabling efficient CDR strategies is challenging for several reasons, including cloud complexities, insufficient expertise, and cloud misconfiguration. These challenges often lead to blindspots; some cloud attacks are not detected, leading to successful compromises. Furthermore, the ephemerality of cloud resources requires continuous assessment, validation, and configuration of CDR to align with the evolving threat landscape. This level of security validation is challenging for most teams, and there are hardly solutions that can be easily leveraged.

Security Chaos Engineering (SCE) is an evolving approach to cyber security that employs empirical evaluation of security controls to proactively gain evidence about their effectiveness via quick feedback loops. These feedback loops, a core of system thinking, allow for quick analysis and adaption of security systems to stay ahead of cyber attacks. SCE is aligned with cloud-native infrastructure, given its roots are chaos engineering, a discipline Netflix formulated as part of its digital transformation process over a decade ago. Consequently, SCE empowers cloud security teams to quickly and continuously evaluate CDR efficiently in a variety of ways.

This talk provides practical steps and examples based on a hybrid CDR system consisting of AWS GuardDuty, AWS Detective, and Datadog Cloud SIEM. Security chaos engineering experiments are conducted using the Mitigant Cloud Immunity platform, which is the first of its kind. Using the examples, we are able to demonstrate how CDR systems can miss malicious patterns, including those defined in the MITRE ATT&CK library. The talk provides recommendations on how to remediate these blindspots to enhance CDR systems' efficiency.