The Double-Edged Sword of Public Cloud Security

The public cloud can also create potential blind spots, that offer more ways for adversaries to use and compromise critical and sensitive customer assets. Mandiant Consulting currently estimates that 25% of their incident response engagements involve public cloud assets, suggesting that more needs to be done to secure cloud environments.

The Attack Tool Kit

There are many ways for attackers to get access to credentials, from spear phishing and watering hole attacks to installing a remote access trojan (RAT). Public cloud compromises can even occur without any cloud hacking at all. Instead attackers use phishing, client-side exploits or victim missteps—and sometimes all three—to acquire and use valid credentials to commit crimes.

Flying Below the Alert Radar

It can be difficult to identify an attack before it impacts your organization. In the banking industry, for example, hackers may insert fake entries into the source training data to make large, fraudulent transactions appear normal. If the attacker succeeds, the nightly fraud analytics batch job will include the altered data with millions of fake transactions added. The next day, any large transfers to a suspicious account will be considered normal. The thieves can then begin issuing fraudulent transactions without the system flagging them.

On their own, the observables to alert security teams about this kind of attack are considered weak signals. To create an alert that gets the attention of a security operations center (SOC) analyst, they must be aggregated by:

• Collecting and normalizing all relevant events.
• Performing frequency analysis, geospatial analysis, and other analytics on the data.
• Correlating the analytical findings.
• Escalating the findings to a SOC analyst for full review.

All these activities must be logged and reviewed, requiring robust automation techniques for collecting each event. Only then can machine learning be applied to help identify when multiple events are working together to form a suspicious pattern.

Considerations for a Cloud Security Plan

Cloud security requires all traditional security solutions that cover network, endpoint and email to be enhanced with visibility and analytics-based capabilities.

Protect Your Infrastructure

Modern cloud security infrastructure protection must incorporate security controls native to the cloud provider’s control plane and management system. It is just as (or more) important to implement sound cloud infrastructure management policies for network and identity as it is for traditional host-based controls.

These protections should:

Protect Against Misuse of Cloud Assets

A comprehensive and effective cloud security plan should include contingency capabilities for when (not if) traditional defenses are bypassed by a determined attacker. This requires the detection of misused cloud assets through analytical methods including big data, artificial intelligence and machine learning.

Data should be collected from all cloud platforms in use (such as Google, Microsoft, Azure, AWS) and analyzed in a single, consolidated place. Cloud providers already collect a variety of data as part of their security obligations, which may support part of this process.

The FireEye Approach

As the cloud grows, so do security threats. Credential abuse, misconfigurations and lack of visibility creates vulnerabilities for targeted attacks. Organizations working with cloud environments need to include specific cloud security activities in their strategy, and consider additional training and development for competent execution.

FireEye and Mandiant Solutions approach cloud security holistically to provide protection, visibility and detection technologies alongside a comprehensive range of services to help with security assessment, staff expertise training and augmentation.

To learn more about cloud security, visit: www.FireEye.com/cloud

DOWNLOAD NOW >