When it comes to mitigating the risk of cyberattacks, speed really does matter. Simply put, the faster an organization can respond, the faster it can lower the risk.

Cloud security provider Sysdig today unveiled an ambitious new framework at SANS CyberFest 2023 that aims to accelerate threat detection and response times for organizations operating in the cloud. Dubbed the "5/5/5 Benchmark for Cloud Detection and Response," it calls for organizations to detect threats within 5 seconds, investigate and correlate alerts within 5 minutes, and respond to confirmed attacks within a further 5 minutes after the correlation phase.

The impetus behind these aggressive goals is the speed at which attackers are able to operate in cloud environments. According to Sysdig research, malicious actors are able to fully execute an attack in less than 10 minutes after finding a weakness in cloud infrastructure or applications.


The new benchmark was created by Anna Belak, director of Sysdig’s office of cybersecurity strategy and a former Gartner analyst. Belak told SDxCentral that the new benchmark is intended to be an aspirational goal that is made possible thanks to the way the cloud works.

"The argument we're making is that things are different in the cloud," she said. "On the one hand, you have challenges like ephemeral assets; on the other hand, you have opportunities where the cloud actually makes things possible that were either very hard or impossible if you're working on premises."

How the 5/5/5 framework works

In the cloud, services are largely API-driven, which in Belak's view gives an organization the potential for better visibility than it has on premises.

Cloud-native application protection platform (CNAPP) technologies such as Sysdig's platform can arguably provide visibility into cloud workloads in ways that are not as readily available to on-premises technologies that are not API-driven.

"My point is you want to be able to get all the pieces into place and to correlate them as you're going through and not after," Belak said.

The framework's first goal is detecting individual security signals, such as system calls, within 5 seconds. Detecting every type of attack inside 5 seconds is an aspirational goal and is not easily achievable in all situations; the 5-seconds-to-detect guideline is about quickly identifying individual signals, not about discovering any and all attacks within that short window.

The signals that Belak wants organizations to be able to detect quickly include common indicators of a potential attack.

"So I'm saying if I see a system call to the Linux kernel, I need to be able to match a rule to that within five seconds and I think that's actually pretty realistic," she said. "It becomes more complicated when you deal with things like logs where there's a latency on the data hitting the thing on which you might be detecting."

In Belak's view, the 5-second detection threshold is more feasible for some sources than for others. The point the 5/5/5 benchmark is trying to make, she emphasized, is that organizations need to collect all of the signals very fast so that the data can be correlated in the second step, which is where the more complex threat detection may actually occur.

Belak explained that within 5 minutes, the framework aims to correlate the various detected signals to each other as they occur. By connecting related security events in real time, defenders could potentially stop attacks earlier in the kill chain.

The final goal is initiating an automated response to detected incidents within 5 minutes after the correlation stage. Belak argued this could be achieved through technologies like cloud-native APIs and infrastructure-as-code. However, challenges like noise and legacy application designs could hamper adoption and execution in the real world.
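To make the three budgets concrete, here is a small detection/correlation/response pipeline that times each stage against the 5/5/5 thresholds. This is an added illustration written for this article, not Sysdig's code or benchmark tooling; the signal format, the rule names, the per-stage processing latencies, the "isolate" response action, and the sample events are all constructed assumptions. It reproduces the point made above about sources: syscall signals arrive almost immediately and fit the 5-second budget, while a cloud audit log record that is delivered minutes late cannot.

```python
from dataclasses import dataclass
from typing import Callable

# Benchmark budgets from the article: 5 seconds, 5 minutes, 5 minutes.
DETECT_BUDGET_S = 5.0
CORRELATE_BUDGET_S = 300.0
RESPOND_BUDGET_S = 300.0

# Assumed processing costs of this toy pipeline (not figures from the article).
RULE_MATCH_LATENCY_S = 0.5
CORRELATION_LATENCY_S = 2.0
RESPONSE_LATENCY_S = 30.0


@dataclass(frozen=True)
class Signal:
    source: str         # "syscall" (runtime sensor) or "cloudtrail" (audit log); assumed names
    workload: str       # pod, instance or identity the signal concerns
    occurred_at: float  # seconds: when the activity actually happened
    observed_at: float  # seconds: when the detector received it (gap = delivery latency)
    data: dict


@dataclass(frozen=True)
class Detection:
    rule: str
    signal: Signal
    detected_at: float


@dataclass(frozen=True)
class Incident:
    workload: str
    detections: tuple
    correlated_at: float
    responded_at: float
    action: str


# Rule table: name -> predicate over a Signal. Rule names are made up for this example.
RULES: dict[str, Callable[[Signal], bool]] = {
    "shell_spawned_in_container": lambda s: s.source == "syscall"
        and s.data.get("syscall") == "execve"
        and s.data.get("binary") in ("/bin/sh", "/bin/bash"),
    "outbound_connection_from_container": lambda s: s.source == "syscall"
        and s.data.get("syscall") == "connect",
    "iam_policy_attached": lambda s: s.source == "cloudtrail"
        and s.data.get("eventName") in ("AttachUserPolicy", "PutUserPolicy"),
}


def detect(signals):
    """Stage 1 (5 s budget): match each raw signal against the rule table."""
    found = [Detection(name, s, s.observed_at + RULE_MATCH_LATENCY_S)
             for s in signals for name, pred in RULES.items() if pred(s)]
    return sorted(found, key=lambda d: d.detected_at)


def respond(workload, detections, correlated_at):
    """Stage 3 (5 min budget): automated containment; the action string is illustrative."""
    return Incident(workload, detections, correlated_at,
                    correlated_at + RESPONSE_LATENCY_S, f"isolate:{workload}")


def correlate(detections, window_s=CORRELATE_BUDGET_S):
    """Stage 2 (5 min budget): link detections on the same workload inside a sliding
    window; an incident forms once two different rules have fired on one workload."""
    incidents, recent = [], {}
    for d in detections:
        w = d.signal.workload
        bucket = [x for x in recent.get(w, []) if d.detected_at - x.detected_at <= window_s]
        bucket.append(d)
        recent[w] = bucket
        already = any(i.workload == w for i in incidents)
        if len({x.rule for x in bucket}) >= 2 and not already:
            incidents.append(respond(w, tuple(bucket), d.detected_at + CORRELATION_LATENCY_S))
    return incidents


def benchmark(signals):
    """Run all three stages and report each measured latency against its 5/5/5 budget."""
    detections = detect(signals)
    report = {"detect": [], "incidents": []}
    for d in detections:
        lat = d.detected_at - d.signal.occurred_at
        report["detect"].append({"rule": d.rule, "source": d.signal.source,
                                 "latency_s": lat, "ok": lat <= DETECT_BUDGET_S})
    for inc in correlate(detections):
        c_lat = inc.correlated_at - min(x.detected_at for x in inc.detections)
        r_lat = inc.responded_at - inc.correlated_at
        report["incidents"].append({"workload": inc.workload, "action": inc.action,
                                    "correlate_s": c_lat, "correlate_ok": c_lat <= CORRELATE_BUDGET_S,
                                    "respond_s": r_lat, "respond_ok": r_lat <= RESPOND_BUDGET_S})
    return report


# Constructed sample: one container spawns a shell and then phones home; the syscall
# sensor sees both within a fraction of a second, while the CloudTrail record for an
# IAM change lands ten minutes after the fact.
SAMPLE_SIGNALS = [
    Signal("syscall", "pod/api-7f9c", 1000.0, 1000.2, {"syscall": "execve", "binary": "/bin/sh"}),
    Signal("syscall", "pod/api-7f9c", 1042.0, 1042.3, {"syscall": "connect", "dst": "203.0.113.9:4444"}),
    Signal("cloudtrail", "iam/deploy-user", 1050.0, 1650.0, {"eventName": "AttachUserPolicy"}),
]

if __name__ == "__main__":
    for stage, rows in benchmark(SAMPLE_SIGNALS).items():
        print(stage)
        for row in rows:
            print("  ", row)
```

Running it shows both syscall detections landing well inside the 5-second budget, the single incident on `pod/api-7f9c` correlated about 44 seconds after the first detection and contained 30 seconds after that, and the CloudTrail-sourced detection missing the 5-second budget by roughly ten minutes purely because of log delivery latency, which is the source-dependent caveat Belak raises.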

Sysdig's tools are intended to help measure adherence to the framework, but Belak cautioned that it remains aspirational for now. “If we show a demo, and it takes 12 minutes, I'll be like, ‘look, we're not there either, it's hard to set a benchmark,’” she said.