By Anthony Perridge, VP International, ThreatQuotient
Once upon a time, password management emerged to make our systems more secure.
At that time, Active Directory was used to manage computers and other devices on a network, and user passwords were stored locally on each device itself. It was almost a fairy-tale except that this turned regular maintenance into a monumental effort and, as a result, a centralised password manager was built.
Good news? Not exactly. This effort benefited system and network administrators but also provided a huge boost to attackers as now compromising an account or two offered significant lateral movement options.
Fast forward and organisations have been steadily moving to the cloud, especially in the 12 months since the last State of the Cloud Survey, where we’ve seen both public and private cloud adoption significantly increasing. The survey showed that the share of respondents now adopting public cloud is 92 percent, up from 89 percent in 2017. Private cloud has been adopted by 75 percent of those surveyed, up from 72 percent in 2017. As a result, the overall portion of respondents using at least one public or private cloud is now 96 percent. The cloud is therefore a major trend seen across multiple industries. However, seduced by its benefits, whether offloading an enterprise-wide application like email, leveraging a third-party service such as SFDC/Box/GitHub, or leveraging third-party hosting infrastructure like AWS, organisations tend to overlook the downsides, including security shortcomings.
Hackers are now aiming attacks against these bigger targets
When leveraging a third-party service, your security team can find itself in a situation where it loses visibility into that environment. Even though most reputable cloud services will offer a security alert feed, it likely won’t be as granular or flexible as the team needs, or arrive in a digestible file format. This leaves the organisation blind and completely reliant on the cloud provider’s internal team. Admittedly, most large service providers have very large security teams, some of the best in the industry, but these are hamstrung by the inverse problem: only having access to what they see and not the full picture.
So now, put yourself in the shoes of an attacker. Historically you’ve been targeting individual companies one by one, via script or hands on a keyboard, launching your attack against 20 to 30 different companies either at once or staggered across a couple of campaigns. Seems like a big hassle, particularly when you suspect 85% of your targets are leveraging the same cloud provider for some aspect of their business. Would it not be better to target that provider and grab access to all your victims at once? Not only are there efficiencies to be gained, but it also creates some obfuscation. Sounds like a winning strategy.
With all organisations moving to some form of cloud, it’s pretty reasonable to assume every attacker, from nation-state to crimeware, is now focusing attacks against these bigger targets in order to find that initial foothold into the unwitting downstream victim.
What can you do to maximise your protection?
Down the road, customers will need to mould attacker data against their deepest, darkest weaknesses, and the only way to comfortably do that is within their own walls. This means that by having all data within a Threat Intelligence Platform (TIP) sit on-site, customers can ensure the confidentiality of their proprietary research and make sure sensitive intelligence does not leak out into an open environment. The data security of a cloud-based design is often a black-box approach that doesn’t offer the details of how that information is protected. This is especially concerning in co-mingled environments and leads to questions about data ownership conflicts.
While there’s no doubt that large cloud providers appreciate how much security has become a top concern for companies of all sizes, having your data stored on a TIP on-site is probably the best way to sleep well at night. Your data is home, locked in and safe.
Get more out of your existing security resources
I mentioned earlier the lack of visibility for your security team when partnering up with a Managed Service Provider (MSP). Some security solutions now provide defenders with the context, customisation and collaboration needed for increased security effectiveness and efficient threat operations and management. This enables the security team to speed up the transformation of threat data into actionable threat intelligence. On top of that, by integrating these security solutions with the tools, technologies, people, organisations and processes that protect businesses, defenders gain further control and ensure that intelligence is accurate, relevant and timely to their business.
Threat intelligence platforms continue to evolve and offer additional aspects of control: automation, SIEM-like functions, sensor detections, or most recently, the ability to conduct collaborative investigations and to coordinate response across teams. Regardless of which features pique your interest, the focus is on providing greater control to determine the right response and to act faster than previously possible.
As organisations are urged to make the move to the cloud, they should always have security at the top of their agenda and work on balancing the risks. So please mind the gap between the premises and the cloud and remember to take your security resources with you.