The cloud security crisis no one’s talking about
Security teams are overwhelmed by a flood of alerts, most of which lack the context needed to accurately assess and respond to threats, according to ARMO.
Respondents report receiving an average of 4,080 security alerts per month – or 136 alerts per day – related to potential cloud-based attacks, with 61% handling between 1,001 and 5,000 alerts monthly. Yet despite this deluge, the average number of true security incidents per year is just 7, meaning it takes an average of 6,994 alerts to uncover one bona fide incident.
This “needle in a haystack” challenge is the result of different tools each raising their own alert on the same event, false positives, and a lack of contextual information – such as asset sensitivity, exploitability, and behavioral baselines – that would help SOC teams quickly zero in on high-risk events. Without context, even benign activity can trigger alarms, stretching resources thin.
Slow detection undermines cloud threat response
Detection times are also lagging. The average time to detect an incident is 4–12 days, with 71% of organizations taking 1–7 days to identify a cloud-based attack, pointing to an ongoing backlog of alerts and inconsistent monitoring capabilities.
The mean time to detection (MTTD) remains too slow for organizations to stay ahead of fast-moving cloud threats. Industries with high-value data and expansive attack surfaces – especially financial services (43%) and eCommerce (39%) – are among the hardest hit, and would benefit significantly from improvements in alert contextualization and detection speed. Other high-risk sectors, like healthcare and entertainment, should similarly prioritize faster, more accurate cloud threat detection.
Only 13% of organizations say they successfully correlate alerts across different security tools, indicating there is a significant gap in visibility and response coordination.
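As an added illustration of the two points above (duplicate alerts from several tools describing one event, and the missing asset-sensitivity, exploitability and baseline context), here is a small correlation and prioritisation routine. It is example code written for this page, not ARMO's product or the report's methodology; the tool names, asset names and context values are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts: three tools each report the same event on one
# asset, plus a single low-risk alert elsewhere.
ALERTS = [
    {"tool": "runtime-a", "asset": "payments-api", "signal": "reverse_shell", "ts": "2024-05-01T10:00:05"},
    {"tool": "edr-b", "asset": "payments-api", "signal": "reverse_shell", "ts": "2024-05-01T10:00:40"},
    {"tool": "cspm-c", "asset": "payments-api", "signal": "reverse_shell", "ts": "2024-05-01T10:03:00"},
    {"tool": "runtime-a", "asset": "dev-sandbox", "signal": "new_binary_exec", "ts": "2024-05-01T11:00:00"},
]

# Constructed context of the kind the text says is missing: asset sensitivity
# (0-1), whether the related weakness is actually exploitable, and whether the
# behaviour is inside the asset's observed baseline.
CONTEXT = {
    "payments-api": {"sensitivity": 0.9, "exploitable": True, "baseline_ok": False},
    "dev-sandbox": {"sensitivity": 0.2, "exploitable": False, "baseline_ok": True},
}

def correlate(alerts, window=timedelta(minutes=5)):
    """Collapse alerts from different tools that describe the same event
    (same asset and signal within `window`) into one candidate incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            if (inc["asset"], inc["signal"]) == (a["asset"], a["signal"]) and ts - inc["last"] <= window:
                inc["tools"].add(a["tool"])
                inc["last"] = ts
                inc["count"] += 1
                break
        else:  # no open incident matched: start a new one
            incidents.append({"asset": a["asset"], "signal": a["signal"], "tools": {a["tool"]},
                              "first": ts, "last": ts, "count": 1})
    return incidents

def prioritise(incidents, context):
    """Score each candidate incident with the context, highest risk first."""
    unknown = {"sensitivity": 0.5, "exploitable": True, "baseline_ok": False}  # be conservative
    for inc in incidents:
        c = context.get(inc["asset"], unknown)
        score = c["sensitivity"]
        score *= 1.0 if c["exploitable"] else 0.3          # unexploitable weakness: down-weight
        score *= 0.2 if c["baseline_ok"] else 1.0          # within baseline: likely benign
        score *= min(1.0, 0.6 + 0.2 * len(inc["tools"]))  # independent tools agreeing raises confidence
        inc["score"] = round(score, 2)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Running `prioritise(correlate(ALERTS), CONTEXT)` turns four raw alerts into two candidate incidents, with the three-tool event on the sensitive asset scored 0.9 and the in-baseline sandbox alert scored 0.01.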
“Over the past few years we’ve seen rapid growth in the adoption of cloud runtime security tools to detect and prevent active cloud attacks and yet, there’s a staggering disparity between alerts and actual security incidents,” said Shauli Rozen, CEO at ARMO. “Without the critical context about asset sensitivity and exploitability needed to make sense of what is happening at runtime, as well as friction between SOC and cloud security, teams experience major delays in incident detection and response that negatively impact performance metrics.”
Organizations are missing active cloud attacks
When it comes to detecting and responding to active attacks in cloud environments, 89% of respondents – nine out of ten organizations – admit they are missing active attacks. The reasons cited for this include an overwhelming volume of alerts from their security tools (43%), struggling to correlate alerts from different tools (30%), and false positives generated by current security solutions (16%).
97% of organizations use 3–8 security tools to detect and respond to attacks in the cloud, while 30% miss attacks due to the complexity of correlating alerts. Unsurprisingly, 92% believe that a single, comprehensive cloud runtime security solution is sorely needed to improve response time.
63% of organizations use more than five security tools to detect and respond to cyberthreats in real time within their cloud-native applications and associated infrastructure.
This indicates tool sprawl, which forces security professionals to spend a lot of time manually collating data from disparate tools and impedes their efforts to respond efficiently to incidents.
The most frequently encountered challenges that organizations face in detecting and responding to cloud-based attacks are alert fatigue due to high volume of notifications (46%) and high volume of false positives (45%). Fragmented visibility due to too many separate tools is the third biggest challenge (44%), particularly for CISOs (61%) and those who hold roles in cloud security (57%).
Friction between SecOps and cloud security teams
38% of SecOps professionals find the cloud security team the most difficult to work with, reflecting the need to shift to cloud-native approaches to improve visibility, automation, threat detection and collaboration. This suggests that security processes may be too siloed, resulting in a lack of clear communication channels with other teams.
The fact that 63% of organizations have a dedicated in-house team responsible for detecting and responding to cloud-based attacks indicates that they understand that cloud-native attacks are different from traditional security threats, and explains why they choose to invest in a dedicated cloud security team rather than scale the traditional SOC team.