Combating Cloud Security Threats Leveraging AI Agents

Today, every company has invested in one or more Cloud Security Posture Management (CSPM) tools, such as Wiz, Orca, or Palo Alto Cortex. [1] CSPM platforms are designed to identify vulnerabilities and misconfigurations across cloud environments. However, CSPM tools produce a flood of alerts and misconfiguration findings, often numbering in the hundreds or thousands. [2]

Additionally, there is a significant shortage of skills and engineers who can understand these alerts and effectively triage them. This exacerbates alert fatigue, as security and infrastructure teams are overwhelmed with alerts and misconfigurations. In some cases, the alerts and misconfigurations remain unresolved for an extended period.

The Complexity of Cloud Infrastructure

Modern cloud infrastructure is highly complex. Understanding the intricacies of an enterprise’s cloud infrastructure landscape is increasingly challenging for engineers. Enterprises no longer run workloads on a single cloud; instead, they run workloads across multiple clouds, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. According to Flexera’s 2024 State of the Cloud Report, 87% of companies employ a multicloud strategy. [3]

This distribution of workloads makes it harder for a security engineer to triage these issues. In some organizations, the team responsible for the infrastructure should take ownership of triaging them. However, developers typically lack knowledge of the infrastructure and of tools like Terraform. This disconnect between alert ownership and remediation capability delays the response to those alerts and raises the risk of security breaches. These issues must be resolved as soon as possible to prevent breaches or cyberattacks.

The Need for Scalable Remediation

The constantly growing volume of alerts and the complexity of the infrastructure raise a fundamental question: How can organizations or enterprises remediate these issues in a timely and scalable manner?

The latest advancements in artificial intelligence and large language models offer a more effective solution. Leveraging AI agents and integrating them into security workflows to help triage, prioritize, and even autonomously remediate cloud misconfigurations will be the most effective way to address the challenge of remediation at scale. [4]

What is an AI Agent?

An AI agent is an intelligent system capable of perceiving context from different data sources, such as alerts and cloud configurations, making decisions based on that context, and taking action to remediate the issue. These agents should be able to analyze logs and configurations and make the changes needed to fix these issues, such as modifying the Terraform code and opening a pull request. [5]

Use Cases for AI Agents in Cloud Security

  1. Alert Triage and Prioritization

AI agents can analyze the context of the alerts generated by CSPM tools and prioritize high-risk alerts while deprioritizing trivial ones.

Example: If an S3 bucket is flagged for being public, the AI agent can deprioritize the alert because the bucket belongs to the Red team test account, or prioritize it because it belongs to a production environment. [6]

  2. Autonomous Misconfiguration Remediation

Rather than a security engineer chasing the developer who owns the infrastructure, the AI agent should locate the infrastructure code and make the changes needed in the cloud.

Example: If a new EC2 instance is spun up with port 22 open to the Internet (0.0.0.0/0), the AI agent can locate the code for the EC2 instance configurations and make the necessary changes to remove the rule, creating a pull request (PR) for the changes. [7]

  3. Asset Visibility across different clouds

Security teams and DevSecOps teams often struggle with fragmented visibility across cloud environments. AI agents can aggregate data from all cloud providers, serving as a single point of contact.

Example: An engineer can ask the AI agent to list all unencrypted EBS volumes with specific filter tags and receive a comprehensive report. [5]

  4. Autonomous investigation of suspicious behavior

AI agents can correlate information from two different systems, such as Endpoint Detection and Remediation (EDR) and Cloud Security Posture Management (CSPM) platforms, and take action based on the perceived information.

Example: If an unusual SSH login pattern is detected on a critical server, the AI agents can correlate the endpoint telemetry, isolate the user’s device, and lock it for investigation. [3]
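
The context-based prioritization described under Alert Triage and Prioritization can be sketched in code. This is an added example, not part of the original article or any CSPM vendor's logic; the account IDs, finding names, data classes, and weights are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: context an agent would pull from an asset database.
ACCOUNTS = {
    "111111111111": {"env": "production", "owner": "payments"},
    "222222222222": {"env": "redteam-test", "owner": "offsec"},
    "333333333333": {"env": "staging", "owner": "platform"},
}
BASE_SEVERITY = {"s3_public_bucket": 70, "sg_ssh_open_world": 80, "ebs_unencrypted": 40}
ENV_WEIGHT = {"production": 1.0, "staging": 0.6, "redteam-test": 0.1}

@dataclass
class Alert:
    alert_id: str
    finding: str
    account: str
    resource: str
    data_class: str = "unknown"  # hypothetical labels: "pii", "public-website"

def score(alert: Alert) -> tuple[int, str]:
    """Return (priority 0-100, reason). Missing context never lowers priority."""
    base = BASE_SEVERITY.get(alert.finding, 50)
    ctx = ACCOUNTS.get(alert.account)
    if ctx is None:
        # Fail closed: an account missing from inventory is itself a finding.
        return min(100, base + 20), "account not in inventory; escalated"
    prio = base * ENV_WEIGHT.get(ctx["env"], 1.0)
    if alert.data_class == "pii":
        prio += 20
    elif alert.data_class == "public-website" and alert.finding == "s3_public_bucket":
        prio *= 0.3  # bucket is intended to be public
    return min(100, round(prio)), f"{ctx['env']} account owned by {ctx['owner']}"

def triage(alerts: list[Alert]) -> list[tuple[str, int, str]]:
    ranked = [(a.alert_id, *score(a)) for a in alerts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

ALERTS = [  # constructed sample findings
    Alert("A1", "s3_public_bucket", "222222222222", "s3://rt-lab-payloads"),
    Alert("A2", "s3_public_bucket", "111111111111", "s3://prod-exports", "pii"),
    Alert("A3", "s3_public_bucket", "999999999999", "s3://unknown-bucket"),
    Alert("A4", "s3_public_bucket", "111111111111", "s3://www-assets", "public-website"),
]

if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row)
```

The same finding type lands at opposite ends of the queue depending on account context, and the bucket in an unknown account is escalated rather than silently deprioritized.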
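
For the Autonomous Misconfiguration Remediation use case, the following added example (not from the original article or any vendor's agent) shows the deterministic core of such a change: finding inline ingress blocks that allow port 22 from 0.0.0.0/0 in Terraform source and producing a diff suitable for a pull request. The Terraform snippet, resource name, and main.tf path are constructed; only inline blocks with literal ports are handled.

```python
import difflib
import re

# Constructed Terraform input (resource and file names are hypothetical).
TF_SOURCE = '''\
resource "aws_security_group" "bastion" {
  name = "bastion-sg"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

# Inline ingress blocks hold no nested braces, so a flat match is enough here.
INGRESS = re.compile(r"^[ \t]*ingress\s*\{[^{}]*\}[ \t]*\n(?:[ \t]*\n)?", re.M)

def exposes_ssh(block):
    if '"0.0.0.0/0"' not in block:
        return False
    if re.search(r'\bprotocol\s*=\s*"-1"', block):
        return True  # "-1" means every protocol and port
    ports = [re.search(rf"\b{k}\s*=\s*(\d+)", block) for k in ("from_port", "to_port")]
    # Ports given as variables cannot be judged here; leave them for review.
    return all(ports) and int(ports[0].group(1)) <= 22 <= int(ports[1].group(1))

def remediate(source, path="main.tf"):
    """Return (patched_source, unified_diff, rules_removed)."""
    hits = [m for m in INGRESS.finditer(source) if exposes_ssh(m.group(0))]
    patched = source
    for m in reversed(hits):  # back to front keeps earlier offsets valid
        patched = patched[:m.start()] + patched[m.end():]
    diff = "".join(difflib.unified_diff(
        source.splitlines(True), patched.splitlines(True), f"a/{path}", f"b/{path}"))
    return patched, diff, len(hits)

if __name__ == "__main__":
    print(remediate(TF_SOURCE)[1])
```

Emitting a diff instead of applying the change keeps a human reviewer and the normal PR checks between the agent's decision and production.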

Conclusion

The cloud threat landscape is becoming increasingly sophisticated, and security teams are struggling to keep up with the volume of alerts. AI agents offer a new paradigm in cloud security remediation: they automate and accelerate tedious remediation work by bringing contextual understanding to complex environments.

The agents are not designed to replace engineers, but to augment their capabilities. By integrating AI into security operations, organizations can reduce risk and the time required to remediate these issues.
As cloud environments continue to evolve, AI agents will be essential in helping security teams combat cloud security threats.

References

[1] Palo Alto Networks – Cortex XDR and CSPM – https://www.paloaltonetworks.com/cortex
[2] Gartner – Cloud Security Alert Fatigue Projections – https://www.gartner.com/en/newsroom/press-releases
[3] Flexera 2024 State of the Cloud Report – https://info.flexera.com/CM-REPORT-State-of-the-Cloud
[4] NIST AI Risk Management Framework – https://www.nist.gov/itl/ai-risk-management-framework
[5] GitHub – Cloud Security Topics – https://github.com/topics/cloud-security
[6] Wiz Security Blog – https://www.wiz.io/blog
[7] Orca Security Resources – https://orca.security/resources

About the Author

Nivathan Athiganoor Somasundharam is a Technical Account Manager at Gravitational Inc. DBA Teleport. He specializes in Zero Trust implementation, identity security, and DevSecOps. He holds a degree in Computer Science from Texas A&M University (Texas, USA) and has extensive experience working with cloud providers, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

An active contributor to the cybersecurity community, Nivathan shares his expertise through articles, webinars, and conferences, with a strong focus on identity threat detection and response (ITDR) and cloud infrastructure security. He is also a key contributor to the open-source VMware Carbon Black Harbor Adapter project. Nivathan can be reached at his profile on LinkedIn.
