►
From YouTube: Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detec... David Wolf & Joshua Smith
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections - David Wolf & Joshua Smith, Devo
We analyzed more than 2,000 live cloud-based detections across hundreds of IaaS customers to identify common themes and defensive patterns that also revealed gaps in the typical enterprise control set. Our analysis set out to answer the question, where are enterprises investing in cloud controls, and where are the control weak points? Next, we applied the MITRE ATT&CK Cloud framework as a machine learning corpus to illustrate the attacker stories and detections required to detect, interrupt, and respond to cloud impact. By applying a novel approach to the verb and noun relationships of cloud infrastructure and workspaces, we were able to map attacker motives to actionable control stories in an approach that can be applied with any SIEM or big data solution powering the modern security operations center (SOC). Join us for a practical journey in learning how to strengthen the multi-cloud SOC, with lessons learned and actionable insights from a cloud detections engineering team.
A
All
right
guys,
thanks
for
coming
we're
from
Devo
and
we're
giving
a
talk
on
our
detections
research
and
the
studies
that
we've
had
covering
at
the
end
more
than
6
000
Cloud
native
detections
across
the
world
across
Industries.
My
name
is
David
wolf,
I'm,
a
security
researcher
and
I'm
part
of
the
Devo
cisect
organization,
we're
responsible
for
different
forms
of
product
Innovation
and
engineering.
A
B
B
Technical
operations
doing,
pin
testing
going
after
Nations
adversaries
and
doing
doing
defensive
work.
So
my
role
at
Devo
is
to
create
content
or
create
out
of
the
box
alerts.
So
I
I
will
recreate
environments
to
to
exploit
systems,
so
I
can
obtain
the
logs
and
I
write
the
the
some
of
the
alerts
that
David's
going
to
be
talking
about.
A
A
My
background
comes
from
an
OT
and
an
ICS
environment,
studying
Financial
Services,
connected
Health,
Care,
the
extended
campus
and
iot,
and
for
for
me
and
coming
and
seeing
how
detections
are
deployed
in
different
organizations
around
the
world
was
a
new
research
opportunity.
We
didn't
the
item
in
this
part
of
our
research
portfolio
came
from
product
Innovation,
but
it
became
immediately
apparent
that
we
were
learning
new
things
that
we
weren't
expecting.
Oh
and
it
is
we
started
digging
in
this
session,
follows
typical
research
format.
A
We'll
give
you
a
little
bit
about
our
research
lab
and
our
team
as
to
why
it
is
that
we're
conducting
this
type
of
research
and
give
an
overview
of
our
methods
and
scope.
One
question
was:
how
did
we
aggregate
the
alerts
and
where
are
they
coming
from
and
what
like,
how
did
we
get
them,
and
what
were
we
looking
for
and
can.
B
I
jump
in
real,
quick
yeah.
One
thing
I
will
note,
is
the
slides
were
prepared
in
advance
and
and
put
out
on
the
site
we
modified
those
slides.
So
if
you're,
following
along
on
the
ones
that
were
originally
posted
you
there
will
be
some
confusion
in
there
we're
going
to
get
the
newly
revised
ones
uploaded
to
sketch.com
or
whatever
it's
called
to
as
soon
as
possible
like.
But
after
this
talk,
unfortunately,
so
I
I
didn't
want
there
to
be
any
confusion
when
people
are
trying
to
follow
along.
A
Fair
enough
at
our
Labs,
we
have
three
major
themes
that
our
portfolio
aligns
to.
We
have
the
autonomous
sock
sort
of
the
second
brain
for
analysts,
and
how
is
it
can
we
instrument
action
that
follows
an
intelligent
response
and
reaction
at
Enterprises
and
feeding
into
soar.
Detection
is
the
trigger
for
actual
orchestration.
The
second
major
thing
that
we
have
is
the
augmented
analyst:
how
can
we
put
an
enrich
the
data
supplies
and
the
views
that
analysts
are
taking
in
the
sock
while
monitoring
their
data
Lake?
A
Devo
seisek
we
have
a
clear
Mission.
We
as
researchers
are
researching
emerging
threats,
reviewing
the
vendors
and
products
in
our
ecosystem
and
the
data
supplies
that
all
the
Enterprises
are
using
and
we
use
those
supplies
to
solve
novel
customer
use
cases
with
a
security
Focus
I
as
a
Sim
provider.
Devo
is
strongly
related
to
visibility
and
analytics
and
enriching,
and
deriving
Insight
from
data
pipeline
is
a
core
part
of
PSI
sex
Mission.
A
We
have
the
three
primary
themes:
automated
stock
controls
in
the
autonomous
sock,
the
second
brain
to
the
augmented
analysts,
whom
we
enrich
with
context
and
fundamentally
alert
management
being
a
a
third
catch-all
bucket
for
the
to
illustrate
problems
and
the
solutions
that
we're
trying
to
provide
to
our
end
users
for
This
research
project.
We
Loosely
adhered
to
the
miter
attack
framework
for
the
purpose
of
research
being
three
phases
of
assess.
What's
there
assess
the
coverage,
identify
the
gaps
and
then
tune
and
acquire
new
defenses,
so
this
was
a
detections
engineering,
Innovation
project
like
what?
A
A
B
Real
quick
to
David's
point:
one
thing
we
will
talk
about
is
when
we're
talking
cloud
providers
and
the
disparity
of
how
analysts
have
to
understand
and
and
know
those
Cloud
providers.
So
I
just
wanted
to
point
that
part
out
since
when
it
was
brought
up
about
the
cloud
providers
and
and
the
detections,
that's
all.
A
A
A
Two
almost
two-thirds
are
coming
from
the
states
one-third
from
emea
and
Asia
pack
inside
the
lab.
Our
project
was
focused
on
developing
machine
learning,
classifiers,
for
example,
for
zero
trust
and
miter
attacked
labeling
and
the
generation
of
new
kinds
of
alert
metadata,
as
well
as
identifying
what
type
of
motives
attackers
would
have,
what
verbs
they're
executing
and
against
which
nouns
so
what
fundamentally
assets
were
being
targeted,
especially
within
a
cloud
context.
A
Overall,
we
had
something
on
the
order
of
just
about
400,
distinct
customers
within
the
data
set.
Let's
see
here
now
when
it
comes
to
mapping
the
detections
the
labeling,
it
is
that
we
generated
filled
in
most
of
what
we
can
refer
to
as
the
miter
attack.
Cloud
Matrix-
and
this
is
a
composite
Matrix
for
both
infrastructure
and
workspaces.
A
Briefly,
in
terms
of
scope,
a
few
points
to
to
harvest
from
here
are
that
Financial
Services
technology
companies
and
operational
technology
companies
provided
the
bulk
of
our
data
set.
We
have
significant
presence
for
managed
security
providers,
managed
security
service
providers
and
the
differences
between
how
msps
are
developing
custom
alerts
specifically
compared
to
Enterprises
was
interesting.
It's
clear
that
there
are
good
reasons
for
an
Enterprise
to
Outsource
to
an
MSP,
depending
on
their
maturity
and
capabilities.
A
We
have
three
research
themes
and
the
first
is
the
autonomous
sock
and
the
autonomous
sock
is
a
place
where
action
happens,
influenced
by
Machine
learning,
influenced
by
artificial
intelligence.
The
ultimate
output
is
some
kind
of
decision
making.
That's
been
automated
and
in
the
autonomous
sock
and
using
that
as
a
research
theme,
some
of
our
findings
came
and
emerge
that
shed
differences
between
how
the
sock
in
a
traditional
Enterprise
is
different
than
that
for
a
cloud.
One
key
finding
is
that
cloud
Defenders
are
significantly
more
likely
to
use
out
of
the
box
detections.
A
There
are
multiple
reasons
behind
this.
In
our
interviews
and
our
annual
sock
performance
report,
we
see
that
cloud
specialization
for
analysts
is
a
huge
skills,
problem,
familiarization
and
understanding
of
what
to
do
and
why
to
do
it
per
cloud
makes
cloud
defense
even
more
difficult
for
an
analyst.
A
Josh
is
building
detections
for
all
three
major
providers
and,
let's
just
having
three
testing
environments,
is
enough
of
a
pain
but
to
actually
build
the
skills
and
the
vocabulary
and
to
understand
the
resources
involved
and
how
they're
different
is
is
a
huge
skills
barrier
in
in
the
end.
Cloud
Defenders
are
not
only
deploying
infrastructure
as
code
and
tariff
and
essential
we're
at
a
kubernetes
conference.
A
Something
that
became
clear
is
a
pain
point
in
our
interviews,
as
well
as
the
data.
Is
that
we're
well
past
the
point
that
organizations
are
defending
a
single
cloud,
it's
painful
at
the
very
least,
if
some,
if
a
company
is
on
AWS,
there
are
more
than
likely
to
have
a
second
Cloud
they're,
more
than
likely
to
be
also
defending
Office
365,
of
course,
they're
going
to
be.
A
They
need
to
have
a
cloud
detection
strategy
and
a
soar
strategy
both
for
workspaces
and
infrastructure,
and
it's
not
just
a
single
Cloud
anymore,
and
that
that
increases
the
complexity
for
the
sock
analysts.
It
increases
the
complexity
in
terms
of
alert
management,
and
what
we
see
here
is
we're
at
the
point
now
that
approximately
one
in
four
socks
are
have
a
majority
of
their
stuff
of
their
detection.
Stack
monitoring
cloud
cloud
has
become
a
new
normal
when
it
comes
to
out
of
the
box
and
custom
detections.
A
We
have
a
sense
of
on
the
on
the
far
side.
We
have
managed
security
providers
being
the
most
likely
to
craft
custom
detections,
that's
part
of
the
service
that
they
provide.
They
have
their
own
libraries,
they're.
Building
custom
detections
rolling
them
out
across
all
of
their
customers,
and
it's
part
of
the
secret
sauce
that
the
msps
bring
to
the
equation
for
defending
Enterprises,
whereas
if
we
go
and
look
at,
for
example,
an
OT
and
ICS,
we
have,
if
we're
thinking
about
factories,
we're
thinking
about
Supply
chains
and
transportation.
A
We
have
less
Innovation
within
the
sock
and
we're
still
at
basic
visibility,
implementing
controls
that
are
that
are
off
the
shelf
and
available
and
in
the
case
of
technology
companies.
What
we
have
are
more
standardized
assets.
We
have
fewer
different
types
of
devices,
fewer
kinds
of
iot
devices,
fewer
custom
detections
that
are
required,
so
two
takeaways
from
the
autonomous
sock.
B
Boom
boom
boom.
There
we
go
thanks,
David.
So
sorry,
let
me
let
me
just
sorry
about
that.
Let
me
start
off
by
saying
real
quick
I
am
not
very
comfortable
with
this.
There
started
off
with
three
people
which
I
liked,
and
now
it's
grown.
I
should
like
it
and
I
will,
like
it.
I
appreciate
everybody
coming
here,
so
let
me
get
right
right
down
to
it.
I
just
had
to
you
know,
put
it
out
there
for
you,
let's
talk
about
an
augmented
analyst
and
and
what
it
means
so
augmenting.
B
An
analyst
is
simply
just
providing
them
enriched
data
you're,
giving
them
metadata
and
you're
giving
them
information
that
they
need
to
help
make
informed
educated
decisions,
one
of
those
methods
every
Sim
out
there
or
seam.
However,
you
want
to
pronounce
it
everyone
out
there.
They
they
use
miter
as
part
of
their
enrichment,
part
of
augmenting
the
analyst
and
from
what
we
can
see
here
is
typically,
the
analysts
have
more
visibility
towards
the
beginning
portion
or
I'm.
B
Sorry
yeah
at
let's
build
sorry
less
visibility
at
the
beginning
portion
told
you
I'm
not
very
good
at
this
at
the
beginning
portion
of
it
and
more
towards
the
end.
So
like
persistence
for
cloud-based,
coverages,
right
or
cloud-based
detections,
they
got
a
lot
of
a
lot
of
cloud-based
detections
for
persistence,
but
not
a
whole
lot
for
execution
in
the
cloud.
B
It
draws
some
concern
because
you
kind
of
it's
a
different
environment
than
people
are
just
we're
still
not
wholly
accustomed
to
working
in
the
cloud,
and
they
may
not
know
what
to
look
for
or
they
may
not
have
the
information.
They
need
sound
yeah,
all
right,
whoo!
Sorry!
Thank
you
all
right.
So,
let's
talk
about.
B
Let's
talk
about
zero
trust
and
and
the
typical
connect.
The
typical
alerts
that
we've
seen
with
analysts
have
been
on
devices,
networks
and
identities,
and
it's
not
covering
all
the
pillars
of
zero
trust.
And
it's
been
it's
something
where
we
need
to.
We
need
to
help
provide
better
education
into
I,
would
say,
or
better
more
assistance
and.
A
Of
course,
we
have
network
controls,
network
activity,
the
the
network
pillar
is
key
devices
communicate
with
one
another
through
a
network
and
network
controls
are
fundamentally
different.
It's
not
it's
not
an
antivirus,
it's
not
an
agent,
it's
not
a
passive
scan.
What
is
it,
what
is
what
network
controls
offer
are
coming
from?
Firewalls
are
coming
from,
proxies
are
coming
from
the
communications
between
sources
and
destinations,
clients
and
servers,
and
network
controls
are
again
coming
from
sort
of
an
old
school
perspective
of
firewalls,
create
tons
of
logs
the
classic
Enterprise.
A
The
number
two,
the
first
two
buckets
of
alerts
that
they're
going
to
have
are
device
based
and
then
firewall
based
alerts.
And,
of
course,
why
do
we
have
these
alerts
at
the
end
of
the
day?
It's
users,
it's
people,
it's
identities
and
alerts
based
upon
logins
authorizations,
identity,
authentications
and
these
three.
These
are
three
of
five
zero
trust
pillars,
but
those
three
pillars
account
for
three
quarters
of
all
alerts
in
an
Enterprise
in
an
Enterprise
sock.
A
A
B
So
spilling
into
that
a
little
bit
more
is
just
the
the
type
of
device
protections
that
we've
seen
the
most
and
it's
I
I
really
can't
add
much
to
what
you
said
so
I'm.
Just
that's!
Basically
what
this
is
these
two
slides
play
into
one
another
where
this
is
talking
about
the
analysts
protecting
caring,
more
about
device
protection.
So
what
is
device
protection?
It's
these
these
endpoints,
it's
the
cloud
detections,
so
yeah,
I.
A
Slide
that
map
to
zero
trust
devices,
networks
and
users
are
where
are
this
the
resources
that
are
primarily
covered
by
our
alert
strategy?
We
see
a
bucket
here,
that's
cloud
and
that's
what
it
turns
into
is
that
the
cloud
detections
are
fundamentally
different.
They
have
only
a
few
types
of
providers,
they
have
different
kinds
of
assets,
we're
not
thinking
about
anti-virus
we're,
not
thinking
about
classic
firewalls
and
appliances
that
are
hooked
into
networking
gear
and
Cloud
by
itself
is
something
of
approximately
20
percent
of
all
detections
in
the
stack.
A
So
from
an
analyst
perspective
and
from
a
strategic
perspective
by
mapping
to
zero
trust,
we
can
get
classes
or
buckets
of
alerts
that
themselves
can
have
specialization.
Network
alerts
can
be
by
protocol
and
we
can
stack
our
alert
strategy
and
detection
strategy
by
Network.
In
the
networking
layer
we
can
have
our
DNS
alerts,
HTTP
alerts,
FTP
SSH,
our
our
remote
desktop
and
file
sharing
protocols
or
in
a
hospital
or
in
an
industrial
environment.
A
B
Yeah,
so
it's
just!
This
is
just
elaborating
further
on
it.
It's
just
talking
about
the
different
Cloud
providers
and
which
one's
more
predominant,
the
the
top
takeaways
that
we
wanted
you
to
get
from
this
is
that
they,
the
analysts,
need
more
there's
too
many
Cloud
providers
out
there,
not
enough
analyst
knowledge.
So
we
need
to.
We
need
to
work
with
the
analysts
to
to
get
the
detections.
They
need
to
understand
Cloud
providers
and,
honestly,
we
need
to
start
pushing
for
for
standardization
across
the
cloud
providers.
B
We
it's
we've,
moved
on
from
the
days
when
an
analyst
just
had
to
understand
windows,
and
then
you
had
one
team
that
knew
windows
and
one
team
that
knew
Linux
right.
Those
two
would
talk
to
each
other.
Those
days
are
long
gone.
They
also
need
to
know
the
cloud
set
up.
They
need
to
know
what
to
look
for.
They
need
to
know
what
credentials
where
credentials
shouldn't
be
getting
stored.
B
They
they
need
to
know
all
these
different
things
and
part
of
our
part
of
the
purpose
behind
this
research
is
to
also
be
advocates
for
the
analysts,
because
I
mean
that's
what
a
Sim
is
right,
it's
supposed
to
advocate
for
them,
and
you
can't
expect
someone
to
have
AWS
knowledge
and
come
in
there
and
work
on
gcp
detections,
and
so
that's
the
long
long
story.
Sorry,
that's
a
very
big
sticking
point
for
me:
is
the
helping
out
the
analyst
and
giving
them
the
visibility
that
they
needed
in
the
miter
framework.
A
And
and
to
add
to
that,
for
the
result
of
our
interviews
and
what
it
is
that
we're
hearing
from
customers
and
also
during
alert
migration,
where
we're
trying
to
define
the
original
strategy,
what
we
see
is
that
customers
that
are
coming
that
have
multiple
clouds,
don't
have
a
coherent
strategy.
That's
one
for
one,
consistent
coverage
across
Cloud
sources:
gcp
has
a
different
set
of
controls
that
have
been
custom.
A
A
It's
at
the
center
and
what
are
our
fundamental
safeguards
around
data,
and
when
we're
looking
at
visibility,
analytics
and
triggering
soar,
we
saw
that
x
controls
around
exfiltration
and
data
collection.
After
we've
gotten
past
the
the
perimeter
were
weak
across
the
board.
If
in
financial
services
for
msps,
so
we're
we
understand
and
what's
changed
in
our
Innovation
portfolio.
What
detections
we're
going
to
create
are
to
help
to
fill
in
these
gaps
in
visibility
that
the
analysts
are
naturally
having,
as
well
as
the
msps,
to
help
to
help
enable
our
MSP
partner
strategy.
B
Thank
you,
I'm,
going
to
have
to
speed
through
some
of
these
things,
if
I
skim
over
something
that
y'all
that
people
really
did
want
to
see.
Just
just
stop
me.
This
thing
is
about
as
informal
as
you
can
get
and
if
you
don't
like
informal,
that's
fine,
it's
formal,
don't
worry
about
it,
we're
good
all
right,
so
alert
management,
all
right.
So
this
graph,
the
purpose
of
this
graph,
is
to
highlight
a
couple
things.
One
is
in
the
Devo
sock
report.
We
we
questioned
about
many
different
things.
B
You
can
go
to
soccer
port
and
see
what
we
what
the
different
types
of
questions
are
in
apps.
You
can
tell
I,
don't
remember
them
offhand,
but
the
important
thing
that
we
wanted
you
to
grab
are
the
two
ones
that
are
highlighted
up
here
about
alert
management.
So
the
one
on
the
left
is
alert.
Management
was
critical
to
to
high
performance
High
performing
stocks,
some
way
to
manage
all
of
their
alerts
and
the
one
on
the
right
is
showing
that
management
inside
of
high
performance
stocks
management
doesn't
care
as
much
as
analysts.
B
So
the
analysts
need
alert
management
management
isn't
too
concerned
about
it
nearly
as
concerned
as
we
would
want
them
to
be,
and
if
your
management
just
reverse
it
you'll,
be
happy
everything's
good
all
right,
so
we
needed
to
also
establish
a
baseline.
Some
of
you
may
or
may
not
know
what
zero
trust
is
bada
bing.
Here
it
is
it's
off
the
sizza,
zero
trust
maturity
model.
2021.
B
I
would
tell
you
what
page
to
look
at,
but
I
forget
the
the
important
thing
behind
this
one
is
to
know
that
there's
another
step
in
there,
as
David
had
pointed
out
where
you
should
add
the
Sim
in
there
and
going
back
to
the
other
things
that
we
were
talking
about
about
the
various
pillars
and
what
we
were
missing
this.
This
is
what
we're
referencing.
A
And
as
a
note,
so
we're
coming
from
Devo
and
Devo
is
a
Sim
provider.
Many
of
our
customers
are
using
it
as
a
data
Lake
to
enable
visibility
and
analytics
for
infrastructure
for
application,
performance,
monitoring
for
devices
and
machine
data
data,
Lake
use
case
primary
use
case
secondary
use
cases
actually
generating
security
decision
making
in
action
based
upon
a
functioning
data
lake
with
full
visibility.
A
So
Devo
is
a
visibility
and
analytics
foundational
layer
or
that's
what
we
operate
as
assume
and
we
integrate
with
something
like
500
vendor
products
that
are
covering
the
pillars
of
xero
trust.
The
the
endpoint
device
protection
vendor
products
are
feeding
into
our
visibility
and
analytics
platform.
So
the
coverage
that
we
have
across
vendor
products
is
from
a
visibility
and
analytics
perspective.
And
fundamentally
we
were
able
to
see
that
the
across
all
functioning
organizations,
all
pillars
are
represented,
but
we
saw
weaknesses
with
data
data
and
in
Cloud
protecting
the
application
workload.
B
Thank
you
all
right,
so
here
we're
just
trying
to
show
you
that
when
we,
when
we
talk
about
the
various
alerts,
we
we
notice
that
in
Cloud
detections
there
were
more
concerned.
The
analysts
were
more
concerned
with
with
visibility.
You
know
what
can
I
see
who's
doing
what
things
like
that,
but
in
Enterprises,
are
more
concerned
about
device
connections
which
would
make
sense.
B
A
Actually
another
another
note
about
this
is
what's
different
between
Cloud
control
and
traditional
Enterprise
control
is
being
very
clear
that
the
traditional
Enterprise
is
thinking
about
devices
and
yes
in
Cloud,
we
can
think
of.
We
can
think
of
containers
and
VMS
as
being
devices.
We
can
think
of
every
node
in
our
architectural
map
as
being
devices
and
that's
accurate,
but
the
device
Focus
for
actual
controls
and
detections
is
doesn't
even
come
close
to
the
traditional
Enterprise
dealing
with
MDM
dealing
with
workstations
and
dealing
with
the
the
iot.
A
A
But
in
the
cloud
where
we
have,
let's
say,
better,
access
to
runtime
or
more
consistent
access
to
runtime
we're
able
to
generate
workload,
detections
we're
able
to
build
native
detections
for
application
monitoring
and
application
control,
regardless
at
the
end
of
the
day
by
the
time,
and
we
see
it
in
our
in
migrations
as
well.
By
the
time
we've
managed
to
deploy
our
device
protections
and
network
detections
where
we're
losing
steam
by
at
the
end
of
the
actual
goal
of
protecting
the
data.
A
B
B
B
One
of
the
biggest
things
we
want
to
talk
about
was
logging
per
vendor.
One
thing
that
I
did
find
out
yesterday:
I
was
speaking
with.
We
were
speaking
with
Melinda
marks
over
at
Tech,
Target
I,
think
yeah,
Tech
Target,
and
she
said
that
through
their
service,
we're
able
to
to
drill
down
to
get
more
data
about
each
one
of
the
cloud
service
providers,
AWS,
Google
cloud
or
Azure.
B
This
is
something
that
I
put
off
that
we
pulled
off
from
from
websites
is
trying
to
understand.
You
know
what
do
they
offer
again
Cloud?
You
can
see
right
here
the
disparity
in
what's
offered
between
the
various
providers.
It's
it's
annoying
and
it's
also
hard
for
you
to
drill
down
to
be
able
to
find
what
you
you
need
to
audit
right.
You
don't
know
what
you
don't
know.
B
Out
of
the
box,
detections
are
key
in
stock
automation,
so
I,
in
other
words
you're
supposed
to
you,
need
something
that
provides
you
detections
written
for
your
cloud
provider
written
like
gcp
AWS,
whatever
you
need
those
detections
already
built
into
your
sim
to
help
your
analysts
and
make
sure
they
don't
start
off
from
ground
zero.
So
whatever
you're
looking
for
you
need
to
have
those
out
of
the
box
detections
now
I
I
could
sell
you
our
product,
but
that's
not
my
job
but
yeah.
B
A
Five
takeaways
and
Five
Lessons
Learned
during
the
course
of
This
research.
The
first
one
was
that
cloud
was
big
and
we
were
surprised
at
how
many
detections
Enterprises
were
using,
especially
in
financial
services,
to
cover
Cloud.
We
were
surprised
to
see
one
in
four
socks
that
a
majority
of
their
detection
stack
was
cloud-based,
safeguarding
infrastructure
and
workspaces,
and
we
can
expect
those
to
continue
to
grow
that
cloud
eventually
dwarfs
Data,
Center
and
campus
for
coverage
and
control
coverage.
A
The
final
stages
before
impact
actually
occurs
out
of
the
box
for
the
win.
We
see
it
clearly
for
cloud
that
the
extra
for
multiple
reasons,
the
extra
complexity,
the
skills
required,
the
challenges
of
multiple
providers
and
different
vocabularies,
that
out
of
the
box
boilerplate
detective
strategy
where
you
can
essentially
piece
together.
A
strategy
as
opposed
to
individual
alerts,
is
the
best
way
to
to
support
alert
management
instead
of
having
400
random
alerts.
We
have
five
buckets
with
a
coherent
view,
mapped
to
zero
trust
with
pillars,
clearly
defined
and
mapped
with
miter
attack.
A
A
That
was
a
practical
output
for
our
actual
customers
that
put
our
Research
into
actually
moving
the
needle
in
our
business
processes,
to
make
migrations
faster
to
enable
alert,
Management
in
a
coherent
way
and
then
to
have
specializations
within
analysts.
That
analysts
might
come
from
a
network
security
background
and
therefore
be
better
suited
for
Network
alerts
or
coming
from
a
cloud
background
focusing
on
cloud
alerts
and
to
enable
specialization
within
the
sock.
B
So
we
went
five
minutes
over
I
apologize,
no
we're
five
minutes
over.
It's
we're
supposed
to
stop
at
11
35.
we
I'm
I'm
available.
We
both
will
be
available
out
there.
If
you
have
any
questions,
there's
a
young
lady
boom
cast
Tess
what
yeah
her
caslin
she's.
She
needs
interviews
for
a
podcast.
So
look
her
up
good
questions,
just
trying
to
get
word
out
about
this
conference.