The Double-Edged Sword of Public Cloud Security

While the public cloud addresses many pain points in historical security operations, it also introduces new challenges that require security practitioners to adapt. Multiple tasks, such as tracking ephemeral assets and managing decentralized functions, are added to an already crowded “to do” list. Teams must learn new skills and technology to complete such tasks so they can secure their cloud environments.


The public cloud can also create potential blind spots, that offer more ways for adversaries to use and compromise critical and sensitive customer assets. Mandiant Consulting currently estimates that 25% of their incident response engagements involve public cloud assets, suggesting that more needs to be done to secure cloud environments.

Cloud security

This is the Achilles heel of cloud security: Your security is only as good as the procedures used to secure your access.

The Attack Tool Kit

There are many ways for attackers to get access to credentials, from spear phishing and watering hole attacks to installing a remote access trojan (RAT). Public cloud compromises can even occur without any cloud hacking at all. Instead attackers use phishing, client-side exploits or victim missteps—and sometimes all three—to acquire and use valid credentials to commit crimes.

Flying Below the Alert Radar

It can be difficult to identify an attack before it impacts your organization. In the banking industry, for example, hackers may insert fake entries into the source training data to make large, fraudulent transactions appear normal. If the attacker succeeds, the nightly fraud analytics batch job will include the altered data with millions of fake transactions added. The next day, any large transfers to a suspicious account will be considered normal. The thieves can then begin issuing fraudulent transactions without the system flagging them.

On their own, the observables to alert security teams about this kind of attack are considered weak signals. To create an alert that gets the attention of a security operations center (SOC) analyst, they must be aggregated by:

  • Collecting and normalizing all relevant events.
  • Performing frequency analysis, geospatial analysis, and other analytics on the data.
  • Correlating the analytical findings.
  • Escalating the findings to a SOC analyst for full review.

All these activities must be logged and reviewed, requiring robust automation techniques for collecting each event. Only then can machine learning be applied to help identify when multiple events are working together to form a suspicious pattern.

Considerations for a Cloud Security Plan

Cloud security requires all traditional security solutions that cover network, endpoint and email to be enhanced with visibility and analytics-based capabilities.


Protect Your Infrastructure

Modern cloud security infrastructure protection must incorporate security controls native to the cloud provider’s control plane and management system. It is just as (or more) important to implement sound cloud infrastructure management policies for network and identity as it is for traditional host-based controls.

These protections should:

Enforce guardrails that allow developers to move quickly while ensuring mistakes won’t lead to immediate compromise.

Simplify complicated cloud environments by consolidating management consoles to reduce the chance of neglect.

Automate risk surface reduction tasks, so functions such as network policies have permissions that start out as specific as possible, making it more difficult for an attacker to get access.

Protect Against Misuse of Cloud Assets

A comprehensive and effective cloud security plan should include contingency capabilities for when (not if) traditional defenses are bypassed by a determined attacker. This requires the detection of misused cloud assets through analytical methods including big data, artificial intelligence and machine learning.

Data should be collected from all cloud platforms in use (such as Google, Microsoft, Azure, AWS) and analyzed in a single, consolidated place. Cloud providers already collect a variety of data as part of their security obligations, which may support part of this process.

The FireEye Approach

As the cloud grows, so do security threats. Credential abuse, misconfigurations and lack of visibility creates vulnerabilities for targeted attacks. Organizations working with cloud environments need to include specific cloud security activities in their strategy, and consider additional training and development for competent execution.

FireEye and Mandiant Solutions approach cloud security holistically to provide protection, visibility and detection technologies alongside a comprehensive range of services to help with security assessment, staff expertise training and augmentation.

To learn more about cloud security, visit: