Cloud security · 4 MIN READ · SARAH CRONE · MAY 2, 2025 · TAGS: AWS / Guidance / Kubernetes
TL;DR
- This is part one of our blog series, Cloud Decoded
- Part one covers what MDR really means for cloud, and debunks common myths associated with it
- Stay tuned for part two, which will cover what cloud attackers don’t want you to know
Cloud security is seriously complex. Even the most advanced tech companies in the world struggle to secure their cloud environments against emerging threats. At Expel, we help organizations—large and small—navigate this complexity with 24×7 monitoring and cloud-specific expertise. That’s why we created Cloud Decoded, a three-part blog series designed to demystify cloud security.
In this first post, let’s tackle some of the most common cloud security misconceptions and shed some light on what securing the cloud really means.
What we mean by “secure the cloud”
Before we debunk some common myths, let’s level-set what we mean when we talk about cloud security. First, it extends well beyond just the control plane. Expel provides monitoring across the entire cloud stack—from the control plane to the application layer—to ensure comprehensive protection. Here’s a quick look at each layer and the security challenges it presents.
Cloud infrastructure layer
This foundational layer is where cloud providers like AWS, Microsoft Azure, Google Cloud, and OCI manage resource provisioning, configurations, and user permissions. Expel integrates directly with these infrastructures to monitor logs, traffic, and configuration changes for signs of threats. For example, if a new virtual server appears out of nowhere, it could indicate cryptomining—where attackers hijack resources to generate cryptocurrency. Expel detects and alerts on this kind of unusual activity.
Orchestration layer
This is where containerized workloads are managed using tools like Kubernetes (EKS, AKS, GKE). Expel analyzes logs, monitors traffic, and tracks configuration changes related to containers and virtual machines. Need a real-world example? If a user unexpectedly gains permissions to shut down all your containers supporting a critical application, Expel identifies the high-risk event and enables a swift response.
Platform layer
Here, cloud workloads run and execute files and processes. Expel continuously monitors for threats such as malware, unauthorized access, and misconfigurations. For instance, if a malicious file is downloaded within your cloud environment, Expel detects it and takes action to mitigate the risk before damage is done.
Application layer
At the top of the stack, this layer is where users interact with software and services in the cloud. Expel monitors network traffic and user behavior to spot anomalies, such as unauthorized logins or abnormal data transfers. If sensitive data is being downloaded at an unusual time or from an unexpected location, we flag it as potentially suspicious.
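To make the infrastructure-layer example concrete, here is an added illustration (written for this post, not Expel's own detection logic): a baseline-based check over constructed CloudTrail-style RunInstances records that flags compute launched in a region or by a principal never seen before, or of a GPU family that is attractive for cryptomining. The sample records, the account ID and the GPU family list are all assumptions made up for the example.

```python
import json

# Constructed CloudTrail-style records (not real logs). The first three form the
# historical baseline; the last two are the "new" activity being evaluated.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deploy"},"requestParameters":{"instanceType":"t3.small"}}
{"eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deploy"},"requestParameters":{"instanceType":"t3.small"}}
{"eventName":"DescribeInstances","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
{"eventName":"RunInstances","awsRegion":"ap-southeast-1","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"instanceType":"p3.16xlarge"}}
{"eventName":"RunInstances","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ci-deploy"},"requestParameters":{"instanceType":"t3.small"}}
""".strip().splitlines()]

# Instance families that are unusual for most fleets and attractive for
# cryptomining (assumed list for this example; tune to your own inventory).
GPU_FAMILY_LETTERS = {"p", "g"}


def build_baseline(events):
    """Record which regions and principals have launched instances before."""
    regions, principals = set(), set()
    for e in events:
        if e["eventName"] == "RunInstances":
            regions.add(e["awsRegion"])
            principals.add(e["userIdentity"]["arn"])
    return regions, principals


def detect_unexpected_launches(events, baseline):
    """Return one finding per RunInstances event that deviates from the baseline."""
    known_regions, known_principals = baseline
    findings = []
    for e in events:
        if e["eventName"] != "RunInstances":
            continue
        reasons = []
        if e["awsRegion"] not in known_regions:
            reasons.append("new-region")
        if e["userIdentity"]["arn"] not in known_principals:
            reasons.append("new-principal")
        family = e["requestParameters"].get("instanceType", "").split(".")[0]
        if family and family[0] in GPU_FAMILY_LETTERS:
            reasons.append("gpu-instance")
        if reasons:
            findings.append({"region": e["awsRegion"],
                             "principal": e["userIdentity"]["arn"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    history, new = SAMPLE_EVENTS[:3], SAMPLE_EVENTS[3:]
    for finding in detect_unexpected_launches(new, build_baseline(history)):
        print(finding)
```

In practice the baseline would be built from weeks of history rather than three records, and the DescribeInstances read-only call is deliberately ignored so that browsing a region does not count as having launched there.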
When it comes to securing the cloud, misconceptions run rampant. Some believe managed detection and response (MDR) is just another flavor of endpoint detection and response (EDR); others assume that built-in cloud security tools have them fully covered. Let’s set the record straight.
Myth 1: MDR is just EDR in the cloud
MDR is much more than endpoint monitoring. Cloud threats often stem from misconfigurations, compromised identities, and cloud-native exploits—things traditional EDRs can’t see. Expel’s approach monitors cloud control planes, Kubernetes workloads, and SaaS applications to catch threats before they escalate. While many of our competitors are new to cloud, our analysts have over eight years of cloud-specific experience, and our detection engineers write and tune detections across hundreds of cloud tools.
Myth 2: Cloud-native security tools are enough
While tools like AWS GuardDuty and Azure Security Center provide valuable signals, they don’t connect the dots across your cloud environment. Expel combines signals from cloud-native tools with activity from other sources like SaaS apps and identity providers. We also write our own detections to supplement these cloud-native signals and fill in alerting gaps across your control plane. Our analysts investigate alerts in real time, reducing noise and identifying real threats faster.
Myth 3: MDR can’t cover multi-cloud environments
According to a report from Fortinet, 78% of organizations reported using two or more cloud providers. Most modern organizations are multi-cloud, and their security shouldn’t be siloed. Expel’s MDR spans AWS, Microsoft Azure, OCI, and Google Cloud, correlating signals across clouds to detect patterns attackers exploit. By leveraging logs unique to each cloud provider, we enhance security where other cloud-native tools may fall short. With our tailored detection logic, we help eliminate gaps and ensure continuous visibility across your cloud footprint.
Myth 4: The cloud provider secures everything
It’s a common misconception that cloud providers like AWS and Microsoft Azure handle security for you. While they secure the infrastructure itself, it’s up to you to protect your applications, data, and user access. Misconfigurations, excessive permissions, and unmonitored activity are just some of the ways attackers can exploit cloud environments—things cloud providers don’t automatically fix. Expel helps bridge this gap by continuously monitoring and detecting threats across your cloud stack.
Myth 5: Traditional security tools work the same in the cloud
Many organizations assume that the security tools they use for on-prem environments will seamlessly translate to the cloud. The reality? Cloud environments operate differently, requiring cloud-native security approaches. For example, network perimeters are less defined, identities play a bigger role in security, and threats often originate from within cloud configurations rather than just external attackers. Expel’s cloud-native approach ensures threats are identified across infrastructure, workloads, and applications—not just at the perimeter.
Expel stands out in cloud security
Expel’s MDR is built for the complexities of modern cloud environments. Unlike many MDR vendors who started out as managed services built on top of EDR technologies, Expel was built in the cloud. With deep integrations across cloud platforms and SaaS apps, real-time investigations in Expel Workbench™, and proactive recommendations to harden your cloud, Expel empowers your security team to detect, respond to, and prevent cloud threats.
Stay tuned for Cloud Decoded (part 2): Cloud threats uncovered—what attackers don’t want you to know.