A unified protection approach: Elastic integrates across leading cloud security vendors
Elastic’s integration with Falco, Wiz, and AWS Security Hub enhances threat detection and response for a unified approach to the complex cloud security landscape.
As organizations increasingly migrate their operations to the cloud, they face a myriad of security challenges. This shift has led to a proliferation of cloud security tools primarily due to:
Diverse threat landscape: The variety and sophistication of cyber threats have grown, necessitating specialized tools to combat different types of attacks from data breaches to ransomware.
Multicloud environments: Many organizations use multiple cloud service providers — each with its own security protocols and requirements — leading to the need for a diverse set of security tools.
Understanding these factors is crucial for navigating the modern cloud security landscape and selecting the right tools to protect your organization’s digital assets.
The power of integration: Elastic and third-party cloud security tools
Elastic Security has simplified cloud security by unifying cloud detection and response (CDR) capabilities directly into the AI-driven security analytics solution. Elastic supports a wide variety of log sources from major cloud providers, including AWS, Azure, and Google Cloud Platform, as well as key third-party cloud security tools like Falco, AWS Security Hub, Wiz, CrowdStrike, SentinelOne, and Microsoft Defender.
Using Elastic Security for SIEM allows organizations to achieve real-time threat detection, automated response, and comprehensive threat intelligence within a single platform.
Securing cloud environments: A real-world scenario of detecting and investigating privilege escalation
As organizations increasingly migrate to the cloud, securing these environments against sophisticated threats becomes paramount. Cloud infrastructures offer unparalleled scalability and flexibility but also come with unique security challenges. One of the most critical concerns is the risk of privilege escalation, where an attacker gains unauthorized elevated access to resources and potentially compromises the entire cloud environment.
The challenge
Cloud environments are inherently complex and dynamic. The frequent creation and destruction of virtual machines, containers, and other resources make it difficult to maintain consistent security policies and monitor activities in real time.
Misconfigurations in access controls, network policies, and security settings can create vulnerabilities that attackers can exploit. Additionally, the integration of various cloud services adds another layer of complexity, requiring security teams to secure both the cloud infrastructure and the applications running on it.
Real-world scenario
Imagine Alex, a security analyst at a leading fintech company, is performing a routine alert triage when an urgent notification appears. It’s 2:15 p.m., and a security tool has detected suspicious activity in a cloud environment. The alert indicates unusual system calls, execution of unexpected binaries, and attempts to modify critical system files in a Kubernetes environment. This is a potential privilege escalation attempt, and Alex must act swiftly.
Integrated approach to threat detection and response
To effectively address this threat, Alex uses an integrated security approach that combines real-time threat detection, response planning, and comprehensive threat intelligence. Here's how this approach unfolds:
1. Initial alert from Falco: At 2:15 p.m., Alex receives a couple of alerts in the Elastic alerts page from Falco indicating suspicious activity in a Kubernetes cluster.
Alert: Suspicious activity detected in pod nginx-787c85fb6b-sl4rm
- Unusual system calls detected (attempt to read /etc/shadow)
- Execution of unexpected binary (/bin/bash in a distroless container)
- Attempt to modify critical system files
2. Out-of-the-box correlation and enrichment: As Alex opens the alert flyout, Elastic automatically correlates and enriches it with contextual information from Wiz and AWS Security Hub:
- From Wiz
  - Overly permissive pod security policy detected
  - Vulnerable application with CVE-2024-38821
  - RBAC misconfiguration: over-privileged role with * permissions
- From AWS Security Hub
  - EC2 instances hosting the Kubernetes node have outdated security patches
  - Security group allows unrestricted inbound access on port 10250 (kubelet)
This vendor-neutral workflow enables Alex to see the full context of the alert without switching between multiple tools, saving valuable time.
3. Response planning: Based on the analysis, Alex quickly assesses the situation and formulates a response plan. The Elastic platform provides Alex with suggested actions based on best practices.
- Isolate the affected pod to prevent potential lateral movement
- Capture a snapshot of the pod's filesystem for forensic analysis
- Initiate a cloud-wide vulnerability scan focusing on CVE-2024-38821
Alex reviews these suggestions and, using the bi-directional cloud connectors integrated with Elastic, prepares to manually execute these actions through the respective cloud and Kubernetes management interfaces.
4. Threat intelligence integration: To provide deeper context, Elastic seamlessly integrates relevant threat intelligence into the alert. The system automatically maps the detected activity to the MITRE ATT&CK framework, identifying it as a clear instance of the TA0004: Privilege Escalation tactic. Alex notices an additional insight: recent threat intelligence indicates that this specific attack pattern aligns with a known Kubernetes-focused campaign targeting financial institutions. This information elevates the urgency of the incident and helps Alex prioritize the response strategy.
5. Incident response and reporting: Armed with insights from the integrated platform, Alex swiftly responds by manually isolating the affected pod and initiating a filesystem snapshot for forensic analysis. Coordinating with the DevOps team, Alex launches a cluster-wide vulnerability scan focused on the identified CVE. Within Elastic, Alex compiles a preliminary report detailing the root cause analysis, the attack timeline, and a comprehensive remediation plan. This plan includes patching vulnerabilities, implementing least privilege policies, and tightening security configurations across the Kubernetes cluster and associated AWS infrastructure.
The integrated view provided by Elastic that combines data from Falco, Wiz, and AWS Security Hub proves crucial in rapidly understanding and responding to the threat, enabling Alex to communicate effectively with stakeholders about the incident status and next steps.
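The correlation described in steps 1, 2 and 4 above can be illustrated with a small, self-contained script. This is an added example, not Elastic's, Falco's, Wiz's or AWS's code: it reads Falco alerts in Falco's JSON output shape (the `k8s.ns.name` and `k8s.pod.name` fields are real Falco fields; the `tags` list on each event, the Wiz and Security Hub finding schemas, the pod-to-node and node-to-instance inventory, the tag-to-tactic table and the scoring weights are all assumptions constructed for the example). It joins each runtime alert to posture findings for the same pod (Wiz) and for the EC2 instance hosting that pod's node (Security Hub), attaches ATT&CK tactic IDs, and ranks the resulting cases so the analyst sees the one with the most corroborating context first.

```python
"""Correlate Falco runtime alerts with Wiz and AWS Security Hub posture findings.

Added example (not vendor code). All events, findings and inventory below are
constructed; only the Falco field names k8s.ns.name / k8s.pod.name are real.
"""
import json
from collections import defaultdict

# Constructed Falco events, one JSON object per line as Falco's json_output emits them.
# The pod name is the one from the scenario; rule names, tags and file paths are constructed.
FALCO_EVENTS = """\
{"time":"2024-11-05T14:15:02Z","priority":"Warning","rule":"Read sensitive file untrusted","tags":["mitre_credential_access"],"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"nginx-787c85fb6b-sl4rm","fd.name":"/etc/shadow"}}
{"time":"2024-11-05T14:15:04Z","priority":"Notice","rule":"Terminal shell in container","tags":["mitre_execution"],"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"nginx-787c85fb6b-sl4rm","proc.name":"bash"}}
{"time":"2024-11-05T14:15:09Z","priority":"Error","rule":"Write below etc","tags":["mitre_persistence","mitre_privilege_escalation"],"output_fields":{"k8s.ns.name":"prod","k8s.pod.name":"nginx-787c85fb6b-sl4rm","fd.name":"/etc/passwd"}}
{"time":"2024-11-05T14:20:00Z","priority":"Notice","rule":"Terminal shell in container","tags":["mitre_execution"],"output_fields":{"k8s.ns.name":"dev","k8s.pod.name":"debug-7d9f","proc.name":"sh"}}
"""

# Constructed Wiz findings, keyed by pod (an assumed, simplified schema).
WIZ_FINDINGS = [
    {"pod": "nginx-787c85fb6b-sl4rm", "type": "CONFIGURATION", "title": "Overly permissive pod security policy"},
    {"pod": "nginx-787c85fb6b-sl4rm", "type": "VULNERABILITY", "title": "CVE-2024-38821 in application image"},
    {"pod": "nginx-787c85fb6b-sl4rm", "type": "RBAC", "title": "Role grants * permissions"},
    {"pod": "payments-5c6d", "type": "VULNERABILITY", "title": "CVE-2024-38821 in application image"},
]

# Constructed Security Hub findings, keyed by EC2 instance ID (assumed, simplified schema).
SECURITY_HUB_FINDINGS = [
    {"resource_id": "i-0123456789abcdef0", "severity": "HIGH", "title": "EC2 instance missing security patches"},
    {"resource_id": "i-0123456789abcdef0", "severity": "HIGH", "title": "Security group allows unrestricted inbound on port 10250"},
]

# Constructed inventory, as a correlation layer would pull from the Kubernetes API and EC2.
POD_TO_NODE = {"nginx-787c85fb6b-sl4rm": "ip-10-0-1-23", "debug-7d9f": "ip-10-0-2-45"}
NODE_TO_INSTANCE = {"ip-10-0-1-23": "i-0123456789abcdef0", "ip-10-0-2-45": "i-0fedcba9876543210"}

# Assumed mapping from Falco's mitre_* rule tags to ATT&CK tactic IDs.
TAG_TO_TACTIC = {
    "mitre_execution": "TA0002",
    "mitre_persistence": "TA0003",
    "mitre_privilege_escalation": "TA0004",
    "mitre_credential_access": "TA0006",
}
# Assumed weights for Falco priorities; each corroborating posture finding adds one point.
PRIORITY_WEIGHT = {"Emergency": 5, "Alert": 5, "Critical": 4, "Error": 3, "Warning": 2, "Notice": 1}


def parse_falco(text):
    """Parse newline-delimited Falco JSON output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def enrich(falco_text, wiz, sechub, pod_to_node, node_to_instance):
    """Group Falco alerts per pod and attach Wiz, Security Hub and ATT&CK context."""
    wiz_by_pod = defaultdict(list)
    for f in wiz:
        wiz_by_pod[f["pod"]].append(f["title"])
    hub_by_instance = defaultdict(list)
    for f in sechub:
        hub_by_instance[f["resource_id"]].append(f["title"])

    cases = {}
    for ev in parse_falco(falco_text):
        fields = ev["output_fields"]
        pod = fields["k8s.pod.name"]
        if pod not in cases:
            node = pod_to_node.get(pod)                 # None if inventory has no record
            instance = node_to_instance.get(node) if node else None
            cases[pod] = {
                "namespace": fields.get("k8s.ns.name"),
                "node": node,
                "instance": instance,
                "falco_rules": [],
                "tactics": set(),
                "wiz": list(wiz_by_pod.get(pod, [])),
                "security_hub": list(hub_by_instance.get(instance, [])),
                "score": 0,
            }
        case = cases[pod]
        case["falco_rules"].append(ev["rule"])
        case["tactics"].update(TAG_TO_TACTIC[t] for t in ev.get("tags", []) if t in TAG_TO_TACTIC)
        case["score"] += PRIORITY_WEIGHT.get(ev["priority"], 1)

    for case in cases.values():
        case["score"] += len(case["wiz"]) + len(case["security_hub"])
        case["tactics"] = sorted(case["tactics"])      # sets are not JSON-serialisable
    return cases


def prioritize(cases):
    """Return pod names ordered by descending score, so the richest case is triaged first."""
    return sorted(cases, key=lambda pod: cases[pod]["score"], reverse=True)


if __name__ == "__main__":
    enriched = enrich(FALCO_EVENTS, WIZ_FINDINGS, SECURITY_HUB_FINDINGS, POD_TO_NODE, NODE_TO_INSTANCE)
    for pod in prioritize(enriched):
        print(json.dumps({pod: enriched[pod]}, indent=2))
```

The join order matters: Wiz findings attach by pod, while Security Hub findings attach by EC2 instance, so the inventory maps are what let a container-level alert inherit node-level posture problems such as the open kubelet port. A pod missing from the inventory still produces a case, just without node context, which is itself worth surfacing as an inventory gap rather than silently dropped.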
Advantages of the integrated approach with Elastic Security
Elastic Security for SIEM enriches alerts with contextual information from various sources, such as Falco, Wiz, and AWS Security Hub, providing a unified view of the security landscape.
AI-driven insights from Elastic further enhance this process by automatically correlating data, identifying patterns, and prioritizing threats based on their potential impact. This enables security analysts like Alex to quickly understand the context of an alert, identify potential threats, and formulate effective response plans. Additionally, Elastic Security for SIEM’s automated best practice suggestions and seamless threat intelligence integration facilitate swift and informed decision-making, enhancing the overall efficiency and effectiveness of security operations.
Adopting Elastic Security for SIEM with AI insights ensures robust defense against privilege escalation and other sophisticated threats in cloud environments.
Implementing the integrated solution
To implement this integrated solution, follow these steps:
Onboard your runtime events from Falco and your posture and vulnerability findings from AWS Security Hub or Wiz. Simply start by setting up the integration with Falco, AWS Security Hub, or Wiz in your Elastic account, choosing from the available integration options.
That's it from your end! Elastic takes care of the context enrichment and correlation to speed up your threat detection and investigation journey!
Enhance your cloud security today
Stay ahead of the curve by embracing these new cloud security capabilities and ensure that your cloud environments remain secure, compliant, and resilient against the evolving threat landscape.
We welcome your feedback on which vendors you’d like to see included. Join our community Slack to pass on the inputs to the cloud security product team directly!
Existing Elastic Cloud customers can access many of these features directly from the Elastic Cloud console. Not taking advantage of Elastic on cloud? Start a free trial.
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.