While the public cloud addresses many pain points in historical security operations, it also introduces new challenges that require security practitioners to adapt. Multiple tasks, such as tracking ephemeral assets and managing decentralized functions, are added to an already crowded “to do” list. Teams must learn new skills and technology to complete such tasks so they can secure their cloud environments.
The public cloud can also create potential blind spots that offer adversaries more ways to reach and compromise critical and sensitive customer assets. Mandiant Consulting currently estimates that 25% of its incident response engagements involve public cloud assets, suggesting that more needs to be done to secure cloud environments.
There are many ways for attackers to get access to credentials, from spear phishing and watering hole attacks to installing a remote access trojan (RAT). Public cloud compromises can even occur without any cloud hacking at all. Instead, attackers use phishing, client-side exploits or victim missteps—and sometimes all three—to acquire and use valid credentials to commit crimes.
It can be difficult to identify an attack before it impacts your organization. In the banking industry, for example, hackers may insert fake entries into the source training data to make large, fraudulent transactions appear normal. If the attacker succeeds, the nightly fraud analytics batch job will include the altered data with millions of fake transactions added. The next day, any large transfers to a suspicious account will be considered normal. The thieves can then begin issuing fraudulent transactions without the system flagging them.
On their own, the observables to alert security teams about this kind of attack are considered weak signals. To create an alert that gets the attention of a security operations center (SOC) analyst, they must be aggregated by:
All these activities must be logged and reviewed, requiring robust automation techniques for collecting each event. Only then can machine learning be applied to help identify when multiple events are working together to form a suspicious pattern.
Cloud security requires all traditional security solutions that cover network, endpoint and email to be enhanced with visibility and analytics-based capabilities.
Modern cloud security infrastructure protection must incorporate security controls native to the cloud provider’s control plane and management system. It is just as (or more) important to implement sound cloud infrastructure management policies for network and identity as it is for traditional host-based controls.
These protections should:
Enforce guardrails that allow developers to move quickly while ensuring mistakes won’t lead to immediate compromise.
Simplify complicated cloud environments by consolidating management consoles to reduce the chance of neglect.
Automate risk surface reduction tasks, so functions such as network policies have permissions that start out as specific as possible, making it more difficult for an attacker to get access.
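The three guardrail goals above are easiest to enforce as a pre-deployment policy check rather than a manual review. The following is an added example (not FireEye or Mandiant code) of such a check in Python: it takes provider-neutral records for ingress network rules and IAM statements and refuses the change when a rule starts out broader than least privilege. The record shape, the `SENSITIVE_PORTS` list and the sample rules are assumptions constructed for the example; a real pipeline would normalize security-group, firewall or IAM exports into this shape first.

```python
"""
Policy-as-code guardrail: flag ingress rules and IAM statements that start
out broader than least privilege. Added example, not vendor code.
Input records are constructed, provider-neutral dicts (assumption: your
pipeline normalizes real security-group / firewall / IAM exports into them).
"""
import ipaddress

# Constructed sample input, as a deployment pipeline might hand it to a pre-merge check.
SAMPLE_NETWORK_RULES = [
    {"name": "web-https", "direction": "ingress", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"},
    {"name": "db-from-anywhere", "direction": "ingress", "port_from": 5432, "port_to": 5432, "cidr": "0.0.0.0/0"},
    {"name": "ssh-from-bastion", "direction": "ingress", "port_from": 22, "port_to": 22, "cidr": "10.0.1.0/24"},
    {"name": "all-ports-open", "direction": "ingress", "port_from": 0, "port_to": 65535, "cidr": "0.0.0.0/0"},
]
SAMPLE_IAM_STATEMENTS = [
    {"sid": "ReadBucket", "effect": "Allow", "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::app-assets/*"]},
    {"sid": "Admin", "effect": "Allow", "actions": ["*"], "resources": ["*"]},
    {"sid": "DenyAll", "effect": "Deny", "actions": ["*"], "resources": ["*"]},
]

# Ports that should never be exposed to the whole internet by default
# (assumption: tune this list to your environment).
SENSITIVE_PORTS = {22, 3389, 5432, 3306, 1433, 27017, 6379}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_network_rule(rule: dict) -> list[str]:
    """Return guardrail findings for one rule; an empty list means it passes."""
    findings = []
    if rule.get("direction") != "ingress" or not is_world_open(rule["cidr"]):
        return findings
    lo, hi = rule["port_from"], rule["port_to"]
    if hi > lo:  # a whole range open to the world is a 'start broad' smell
        findings.append(f"{rule['name']}: port range {lo}-{hi} open to the world")
    exposed = SENSITIVE_PORTS & set(range(lo, hi + 1))
    if exposed:
        findings.append(f"{rule['name']}: sensitive port(s) {sorted(exposed)} open to the world")
    return findings


def check_iam_statement(stmt: dict) -> list[str]:
    """Flag Allow statements that grant wildcard actions and/or wildcard resources."""
    findings = []
    if stmt.get("effect") != "Allow":
        return findings
    wild_actions = [a for a in stmt["actions"] if a == "*" or a.endswith(":*")]
    wild_resources = [r for r in stmt["resources"] if r == "*"]
    if wild_actions and wild_resources:
        findings.append(f"{stmt['sid']}: wildcard action on wildcard resource (effectively admin)")
    elif wild_actions:
        findings.append(f"{stmt['sid']}: wildcard action(s) {wild_actions}")
    elif wild_resources:
        findings.append(f"{stmt['sid']}: action(s) {stmt['actions']} on all resources")
    return findings


def evaluate(rules: list[dict], statements: list[dict]) -> dict:
    """Run every guardrail; 'blocking' is True when the change should not ship."""
    findings = []
    for rule in rules:
        findings.extend(check_network_rule(rule))
    for stmt in statements:
        findings.extend(check_iam_statement(stmt))
    return {"findings": findings, "blocking": bool(findings)}


if __name__ == "__main__":
    result = evaluate(SAMPLE_NETWORK_RULES, SAMPLE_IAM_STATEMENTS)
    for finding in result["findings"]:
        print("BLOCK:", finding)
```

Wired into a merge or deploy pipeline, a `blocking` result stops the change before it reaches the control plane, which is the "mistakes won't lead to immediate compromise" property the guardrail goal describes; the developer still moves quickly because the feedback arrives in seconds rather than after a review queue.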
A comprehensive and effective cloud security plan should include contingency capabilities for when (not if) traditional defenses are bypassed by a determined attacker. This requires the detection of misused cloud assets through analytical methods including big data, artificial intelligence and machine learning.
Data should be collected from all cloud platforms in use (such as Google, Microsoft, Azure, AWS) and analyzed in a single, consolidated place. Cloud providers already collect a variety of data as part of their security obligations, which may support part of this process.
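The weak-signal aggregation described earlier and the consolidated, multi-cloud collection described here are two halves of one pipeline. The following added example (not FireEye or Mandiant code) shows both in Python: provider-specific records are normalized into one schema, then distinct weak signals for the same principal within a sliding window are summed into a score, and only a score above a threshold becomes an alert. The record layouts are constructed approximations of CloudTrail-style and Azure activity-style events, and the known egress addresses, batch window, signal weights and threshold are illustrative assumptions; the final event mirrors the fraud-analytics scenario above, an off-hours write to a training dataset.

```python
"""
Consolidated weak-signal correlation across cloud providers. Added example,
not vendor code. Event shapes are constructed approximations of CloudTrail-
and Azure-activity-style records (assumption: real exports carry more fields;
only those used here are modelled). Weights and thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two providers, as a collector might deliver them.
RAW_EVENTS = [
    {"source": "aws", "eventTime": "2024-05-01T02:03:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "analyst1"}, "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"source": "aws", "eventTime": "2024-05-01T02:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "analyst1"}, "sourceIPAddress": "203.0.113.7"},
    {"source": "azure", "time": "2024-05-01T02:09:00Z",
     "operationName": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
     "identity": "analyst1", "callerIpAddress": "203.0.113.7", "resource": "fraud-training-data"},
    {"source": "aws", "eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "ops2"}, "sourceIPAddress": "198.51.100.4",
     "additionalEventData": {"MFAUsed": "Yes"}},
]

KNOWN_IPS = {"198.51.100.4"}           # assumption: corporate egress addresses
BATCH_WINDOW = (22, 23)                # assumption: training data is legitimately written 22:00-23:00 UTC
TRAINING_TARGETS = {"fraud-training-data"}
ALERT_THRESHOLD = 6                    # illustrative
WINDOW = timedelta(minutes=60)         # sliding correlation window per principal


def normalize(raw: dict) -> dict:
    """Map a provider-specific record onto one common schema."""
    if raw["source"] == "aws":
        return {"ts": datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")),
                "principal": raw["userIdentity"]["userName"],
                "action": raw["eventName"],
                "src_ip": raw["sourceIPAddress"],
                "target": None,
                "mfa": raw.get("additionalEventData", {}).get("MFAUsed") == "Yes"}
    if raw["source"] == "azure":
        return {"ts": datetime.fromisoformat(raw["time"].replace("Z", "+00:00")),
                "principal": raw["identity"],
                "action": raw["operationName"].rsplit("/", 1)[-1],  # e.g. 'write'
                "src_ip": raw["callerIpAddress"],
                "target": raw.get("resource"),
                "mfa": None}
    raise ValueError(f"unknown source {raw['source']}")


def weak_signals(ev: dict) -> list[tuple[str, int]]:
    """(signal name, weight) pairs; each alone is too weak to page an analyst."""
    sig = []
    if ev["action"] == "ConsoleLogin" and ev["mfa"] is False:
        sig.append(("login_without_mfa", 2))
    if ev["src_ip"] not in KNOWN_IPS:
        sig.append(("unknown_source_ip", 2))
    if ev["action"] == "CreateAccessKey":
        sig.append(("new_long_lived_credential", 3))
    if (ev["action"] == "write" and ev["target"] in TRAINING_TARGETS
            and not BATCH_WINDOW[0] <= ev["ts"].hour < BATCH_WINDOW[1]):
        sig.append(("training_data_write_outside_batch", 4))
    return sig


def correlate(raw_events: list[dict]) -> list[dict]:
    """Sum distinct weak signals per principal inside a sliding window; alert on the best window."""
    by_principal = defaultdict(list)
    for ev in map(normalize, raw_events):
        by_principal[ev["principal"]].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        best = {}
        for i, start in enumerate(evs):
            seen = {}
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > WINDOW:
                    break
                seen.update(weak_signals(ev))  # a repeated signal name counts once per window
            if sum(seen.values()) > sum(best.values()):
                best = seen
        score = sum(best.values())
        if score >= ALERT_THRESHOLD:
            alerts.append({"principal": principal, "score": score, "signals": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

Counting each signal name once per window keeps a single noisy observable (an unfamiliar source address repeated on every call) from reaching the threshold on its own; the alert fires only when several different weak observables line up for one principal, which is the pattern the post asks the analytics layer to surface.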
As the cloud grows, so do security threats. Credential abuse, misconfigurations and lack of visibility create vulnerabilities for targeted attacks. Organizations working with cloud environments need to include specific cloud security activities in their strategy, and consider additional training and development for competent execution.
FireEye and Mandiant Solutions approach cloud security holistically to provide protection, visibility and detection technologies alongside a comprehensive range of services to help with security assessment, staff expertise training and augmentation.
To learn more about cloud security, visit: www.FireEye.com/cloud