Cloud Security

A new architecture for modern cloud defense

Most security tools show pieces of cloud activity, but miss how events and data connect across layers. Cloud context reveals the full story: how identities, configurations, behavior, and workloads interact in real time. With this visibility, security teams can detect, investigate, and respond to threats with speed and precision.

Traditional security tools focus on scanning files written to disks, but what happens when no file ever lands there? Fileless attacks bypass static analysis and disk-based detection by executing directly in memory, often through existing tools like Bash, Python, or PowerShell. Although the Linux system call has benefits for software development, especially in the cloud, including use in sandbox frameworks, containerized applications, and temporary computations, those benefits are manipulated by threat actors to carry out attacks.

Real-time cloud visibility is the foundation for modern incident response. It lowers MTTD, MTTC, and MTTR. It empowers every SOC tier. And it turns scattered workflows into one seamless response.

We're an industry obsessed with what we do, but often at the expense of why it matters.

By now, you’ve probably read Verizon’s 2025 Data Breach Investigations Report (DBIR) (or skimmed the highlights on LinkedIn.) Ransomware attacks are up. Credentials are leaking like a broken pipe. Exploits are targeting your edge devices. You know the drill. But let’s step back. What the DBIR really reveals, beneath the usual stats and graphs, is something much bigger. It exposes a fundamental misalignment in how most organizations think about cloud security.

In a recent webinar, Stav Sitnikov, Chief Product Officer at Stream Security, and Tushar Kothari, Former CEO and Board Member of Attivo Networks, explored how organizations can turn the tables on cyber attackers using Stream Traps—deceptive cloud decoys designed to detect and delay malicious actors.

Cloud traps, deception assets embedded in cloud infrastructure, offer a proactive way to detect, delay, and divert attackers, buying security teams the signals and context they need to respond effectively. Rather than chasing faster MTTR alone, cloud traps focus on slowing the adversary down — turning every interaction into a tactical advantage for defenders.

In the dynamic realm of cloud security, the challenge of maintaining a comprehensive view of your environment can feel like navigating a complex Kabuki play. The illusion of security, created by disconnected security tools, often leads to costly investigations and wasted resources. This is especially true when it comes to understanding the interplay between your cloud infrastructure and your perimeter firewalls.

Throughout the course of my career in information security, I’ve witnessed a disturbing trend firsthand: the alarming rate of burnout among SOC analysts. It's not just a statistic; it's a real and present danger to our teams and our organizations.

A widely used GitHub Action, tj-actions/changed-files, was compromised sometime before March 14, 2025 with a malicious payload, leading to the exposure of secrets in public repository logs. The incident has been assigned CVE-2025-30066 and is a stark reminder of the growing risks in the software supply chain.

As enterprises accelerate their cloud adoption, traditional security tools struggle to keep pace. The cloud introduces unique attack surfaces, rapid changes in infrastructure, and cloud-specific threats that solutions like SIEM, EDR, and SOAR weren’t designed to handle. This is where Cloud Detection and Response (CDR) comes into play—providing real-time cloud visibility, contextual insights, and guided response to threats across multi-cloud environments.

The momentum behind CDR isn’t just hype—it’s necessity. Cloud threats are evolving in real time, and security teams need tools that can keep up.

I'm thrilled to announce I've joined Stream as the Field CISO. After years immersed in the security world, including my time at OG&E, where I focused on building and maturing their cloud security infrastructure and processes, I'm excited to take on this new challenge and contribute to a company that's truly at the forefront of Cloud Security.

CSPM was never built for detection and response. It was built for prioritization. Trying to bolt real-time response onto a static, scan-based system doesn’t just fall short—it actively misleads security teams.

The MITRE ATT&CK framework is a globally recognized knowledge base of adversary tactics and techniques that provides a structured model for cyber threats. In the context of cloud computing (such as Amazon Web Services),ATT&CK is extremely useful for mapping out potential attack paths and strengthening AWS security. By aligning AWS security monitoring and incident response with ATT&CK tactics, security teams gain a common language to describe threats and can ensure coverage for each phase of an attack lifecycle. This helps SOC analysts and cloud security engineers systematically detect malicious behavior and respond effectively, using AWS’s native tools and logdata.

Make your existing SIEM work for the cloud with Stream Security’s Cloud Detection & Response platform

Discover how real-time context in cloud security can reduce false positives and improve threat response. Stream Security provides visibility into network reachability, identity exploitability, and security controls, helping teams prioritize genuine risks and mitigate threats efficiently without disrupting business operations.

As organizations increasingly migrate to the cloud, the landscape of cybersecurity evolves, presenting new and complex challenges for security teams. The dynamic nature of cloud environments, coupled with the scale and sophistication of potential threats, demands a proactive and context-driven approach to threat detection. Traditional security measures often fall short, requiring security teams to adapt and develop strategies that can effectively identify, prioritize, and neutralize threats in the cloud. In this blog, we’ll review threat detection challenges in the cloud, and how Stream Security can help overcome these challenges.

Struggling with cloud security false positives? Learn how to overcome alert fatigue and focus on real threats by understanding the root causes of false alarms in dynamic cloud environments. Explore specific examples and discover how Stream Security can help you drastically reduce false positives and streamline your security response. Prioritize real risks and improve your cloud security posture today.

Cloud Application Detection and Response (CADR) is an emerging approach to cloud security that offers real-time protection and response capabilities. Crucially, CADR is designed specifically for Security Operations (SecOps) teams, setting it apart from other cloud security frameworks. To understand its significance, we need to examine its core components and how they compare to existing solutions, particularly the Cloud-Native Application Protection Platform (CNAPP) framework.

The complexity and pace of cloud environments result in constant changes that are difficult to monitor and secure. Security teams are inundated with alerts, each requiring thorough investigation to determine if it represents a real threat. This constant vigilance can lead to resource overload, missed threats, and delayed responses. Here’s why CDR is indispensable:

Discover how Amazon Detective enhances security investigations by analyzing AWS log data. This guide covers its features, including interactive visualizations and continuous monitoring, to help detect threats and understand security incidents.

In the ongoing battle between cyber adversaries and defenders, the odds are often stacked against the guardians of digital assets. Defenders face a challenging task – they must secure their systems 100% of the time, while adversaries need only find one vulnerability to breach their defenses. This inherent imbalance presents a significant challenge to the cybersecurity community, where constant vigilance is necessary.

In the realm of cybersecurity, the escalation of threats, especially in cloud environments, demands robust and adaptive strategies for threat detection and response. The MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, offers a structured approach to understanding and tackling security threats. This article delves into the utilization of the MITRE ATT&CK framework for enhancing cloud threat detection.

Amazon GuardDuty is a threat detection service that uses machine learning and other techniques to identify malicious activity and unauthorized behavior in your AWS accounts and workloads. It integrates with other AWS security services to provide a comprehensive view of your security posture and helps Security, DevOps, Compliance and Incident response teams to quickly respond to security threats.

The Security pillar of the AWS Well-Architected Framework is focused on ensuring that workloads are designed, deployed, and managed in a secure manner. It includes implementing security best practices, such as protecting data confidentiality, integrity, and availability, managing user access and privileges, and implementing network and application-level security controls.

Amazon GuardDuty serves as a threat detection solution that employs machine learning and various methodologies to detect malevolent activities and unauthorized conduct within your AWS accounts and workloads.

Strengthening Your Cloud Infrastructure: A Deep Dive into the AWS Well-Architected Framework's Security Pillar

Understanding CNAPP and the Market Shift Towards It

IAM roles for service accounts provide a secure and efficient way to manage access to cloud resources in a cloud environment. By assigning roles to service accounts instead of individual users, organizations can improve their security posture by minimizing the risk of human error or credential misuse.

Cloud Investigation and Response Automation (CIRA) - CIRA vs CDR

IAM plays a crucial role in securing access to resources in an AWS EKS cluster, therefor it’s important to have a strong understanding of IAM (Identity and Access Management) to effectively troubleshoot any issues that may arise.

Deploying Sysdig Falco on an Amazon EKS (Elastic Kubernetes Service) cluster

Breaking down the CTEM (Continuous Threat Exposure Management)

Cloud Infrastructure Entitlement Manage (CIEM) solutions automate the process of managing user entitlements and privileges in cloud environments.

Amazon Web Services (AWS) introduced Macie, a fully managed sensitive data scanner designed to detect and protect sensitive information in the cloud. This article takes a closer look at AWS Macie, its features, benefits, and how it can help safeguard your organization's sensitive data.

The shift to the cloud has brought new challenges in securing environments, with traditional static rules and static graph algorithms-based approaches to security falling short. In this article, we will explore why static rules and static graph algorithms are no longer sufficient, and why dynamic graph algorithms present a better solution for cloud security management (CSPM, CIEM, and KSPM)

Traditional security measures, such as periodic scans, have become increasingly inadequate in ensuring the safety and integrity of cloud environments. The cloud's rapidly evolving and dynamic nature necessitates a more practical approach: real-time change impact analysis. In this article, we will explore the limitations of periodic scans for cloud security and delve into the benefits of real-time change impact analysis as a superior alternative.

What is a Cloud Workload Protection Platform (CWPP)?

AWS Inspector is a fully managed, automated security assessment service that enables you to improve the security and compliance of your applications deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances. It analyzes your EC2 instances and identifies potential security vulnerabilities, deviations from best practices, and exposure to common attack vectors. With AWS Inspector, you gain valuable insights to help you mitigate risks and build more secure applications.

Stream.Security offers a solution that supercharges SecOps by providing real-time visibility and change impact analysis, enabling organizations to respond quickly and effectively to emerging threats. The core value of Stream Security lies in its ability to adapt and scale with evolving cloud environments, delivering real-time analysis, and facilitating faster troubleshooting and response times.

AWS Config is a service that delivers an all-encompassing perspective on your AWS resource inventory, configuration history, and change alerts, facilitating security and governance.