Cloud — Adoption on the rise, Security Concerns remain
Over the last few years, the domain of cloud computing has proliferated. Cloud platforms are enabling new, complex business models and orchestrating more globally based integration networks. Amazon Web Services is a $12B business, with Microsoft and Google right behind. Even industries that traditionally follow an on-premises model (Government, Financial Services, Telecom, etc.) are increasingly moving some of their services and solutions to the cloud.
However, security concerns continue to plague the industry. Recent data breaches (RNC, Verizon, Dow Jones) shine the spotlight, yet again, on the insecurity of data and assets in the cloud (see "A Rough Few Weeks for Cloud Security: Dow Jones Exposes Millions of Users’ Data").
The common link in the latest incidents is that the data leaks were caused by insecurely configured S3 storage buckets in the victims’ respective cloud environments. S3 is Amazon’s Simple Storage Service.
While these breaches were caused by a lack of secure configuration of S3, there are other potential threat vectors that can place users of IaaS at risk. It is not an Amazon-specific problem; the same can happen with Microsoft Azure, Google Cloud, IBM SoftLayer and other providers. The critical issue here is for customers to understand the nuances of the Shared Responsibility Model for Cloud Security and devise plans and strategies accordingly.
Shared Responsibility Model for Cloud Security
• IaaS — Infrastructure as a Service — As Amazon states it crisply: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.”
While working on cloud security with a coworker in a previous life, we joked that “The challenge sometimes is not with the cloud, it’s the SMOG that causes the security holes in the cloud” (SMOG is “Systems Managed Outside of Governance”).
This term was meant to broadly cover the risks caused by insecure configuration or misconfiguration of services, instances, storage, assets, and so on that are hosted and available in the cloud.
• SaaS — Software as a Service — Office365, Dropbox, Salesforce, Google Apps are some of the prominent SaaS applications.
SaaS as a cloud model is focused on managing access to applications from anywhere in the world, over any type of internet connection. Access to a document through an insecure Wi-Fi connection in parts of Asia is as possible as access to it through a secure LAN in one’s office. The two scenarios clearly pose very different security risks, which need to be understood and acted upon. The organization needs to empower IT security with technologies that highlight anomalous behavior that may indicate a security breach or data leak, or an insecure deployment of an approved SaaS subscription, one that was adopted in line with the organization’s business profile and risk appetite.
Real-time Visibility is Key
In the Shared Responsibility Model for Cloud Security, visibility across the diverse IaaS and SaaS application set is key for customers’ peace of mind.
Due to a lack of visibility across the cloud services used by employees, the firm doesn’t know how the employees are using these cloud services. Employees might upload files containing sensitive information to the cloud without approval from the firm. In case of a data breach at the cloud service, the firm stands to be compromised. Owing to the lack of visibility across the cloud, organizations might fail to comply with regulations and can end up being fined.
This is where Security Analytics solutions centered on Machine Learning and Artificial Intelligence have a critical role to play. Not only do they help provide visibility across the diverse IaaS and SaaS setups and enable rapid response, the behavioral models also allow for a proactive approach to security. Sophisticated software-based tools can detect anomalous behavior such as unusually large data transfers and leakage of sensitive data to the cloud, as well as provide full visibility for secure usage and operation of enterprise cloud services such as Office 365.
Paradigm Shift towards Data Science-driven Behavioral Analytics
Traditional security systems work on the principle of rules. If the attack being employed by the hacker has patterns like past break-in events, it will be caught. If the attack does not match any rule listed in the rule book, the attack is likely to go undetected. This traditional approach to detecting attacks has caused more harm than benefit and may provide a false sense of security to an organization. A recent survey concluded that only 10–30% of the attacks carried out met the rules of the rule book. Hackers are getting smarter day by day. If we continue using security systems that operate on predefined rules, we will always be one step behind the attackers.
Machine Learning and Artificial Intelligence based solutions can detect malicious attacks without any predefined rules. These attacks could be persistent unauthorized connections and access attempts, made from multiple sources around the world, against assets that had been erroneously exposed to the internet. Lack of timely detection would almost certainly lead to a compromise of the entire network of that organization.
RANK’s VASA performs correlation of data with rules-based analysis, followed by deeper analysis with machine learning algorithms and anomaly detection based on 40+ analysis dimensions.
Risk scoring, as illustrated in the picture, considers 6 factors; the weight of each factor can also be customized. These factors are listed below:
1. Asset Importance
2. Relationship with other assets
3. Rule violation frequency
4. Critical Rule Violation
5. Anomaly Frequency
6. Anomalous Behavior
Case Study of a Global Firm
RANK VASA is currently being leveraged by a leading global professional services firm for:
A — Visibility — Real time Security Monitoring across a diverse set of IaaS & SaaS solutions
B — Vulnerability Assessment around Insider Attacks & External Threats
C — Contextualization & Prioritization of Vulnerabilities
D — Visualization dashboard for real-time access to security vulnerabilities, including the ability to be proactive and hunt for vulnerabilities based on Indicators of Compromise
• Within days of implementing VASA for the customer, the system noted many attempts from malicious hosts in China to connect to the company’s AWS servers over SQL and RDP ports. Consequently, these and other well-known ports on EC2 instances were closed to the internet by default and are opened only on an as-needed basis.
• VASA also alerted them to a high-risk vulnerability by detecting insecure logins for root and other privileged accounts in AWS.
• VASA alerted the customer about the patterns of high EC2 usage at unusual times as well as incidents indicative of data snooping within their AWS environment.
• VASA also detected abnormal DNS requests targeted at a single server. The customer realized that the requests were not sourced from a known location and hence disabled the DNS port for unknown communications.
• VASA also detected abnormal access by IPs from Eastern Europe and Asia.
RANK VASA provides continuous monitoring for Amazon S3 and generates an alert if it detects bucket enumeration behavior in the AWS environment or any change in S3 permissions.
RANK VASA also provides integration for SaaS applications, monitoring the setup for threats and anomalous behavior. This includes attempts to connect to the application from unauthorized devices, data leakage, privilege modifications, unauthorized access attempts, snooping, etc.
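As an added illustration (not RANK’s code or VASA’s logic), the two S3 checks described above can be expressed as detection logic over CloudTrail-style management events: a sliding-window count of enumeration calls per principal and source IP, and an alert on every permission-changing call. The event names are the real S3 API names CloudTrail records; which of them count as “enumeration” or “permission change”, the window and threshold, and the sample events are all constructed assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# S3 API names as CloudTrail records them. Which calls count as "permission
# change" or "enumeration" is this example's assumption, not RANK's list.
PERMISSION_CHANGE_EVENTS = {"PutBucketAcl", "PutBucketPolicy",
                            "DeleteBucketPolicy", "PutObjectAcl"}
ENUMERATION_EVENTS = {"ListBuckets", "HeadBucket", "GetBucketLocation"}

def permission_change_alerts(events):
    """Every permission-changing call is alert-worthy: who, from where, what."""
    return [(e["user"], e["src"], e["eventName"], e.get("bucket", "?"))
            for e in events if e["eventName"] in PERMISSION_CHANGE_EVENTS]

def enumeration_alerts(events, window_s=60, threshold=5):
    """Flag each (principal, source IP) that issues >= threshold enumeration
    calls within any window_s-second sliding window. Returns {key: count}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["eventName"] not in ENUMERATION_EVENTS:
            continue
        key = (e["user"], e["src"])
        window = recent[key]
        window.append(e["time"])
        while window[-1] - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold and key not in flagged:
            flagged[key] = len(window)
    return flagged

def ev(t, user, src, name, bucket=None):
    """Build one CloudTrail-like record (field names simplified for brevity)."""
    e = {"time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"),
         "user": user, "src": src, "eventName": name}
    return dict(e, bucket=bucket) if bucket else e

# Constructed sample: one routine ListBuckets, a burst of enumeration from an
# unfamiliar key, and one ACL change on a bucket (not real log data).
SAMPLE_EVENTS = [
    ev("2017-07-20T10:00:00Z", "deploy-role", "198.51.100.4", "ListBuckets"),
    ev("2017-07-20T10:00:05Z", "deploy-role", "198.51.100.4", "GetObject", "app-logs"),
    ev("2017-07-20T10:01:00Z", "unknown-key", "203.0.113.9", "ListBuckets"),
    ev("2017-07-20T10:01:07Z", "unknown-key", "203.0.113.9", "ListBuckets"),
    ev("2017-07-20T10:01:15Z", "unknown-key", "203.0.113.9", "HeadBucket"),
    ev("2017-07-20T10:01:30Z", "unknown-key", "203.0.113.9", "ListBuckets"),
    ev("2017-07-20T10:01:44Z", "unknown-key", "203.0.113.9", "GetBucketLocation"),
    ev("2017-07-20T10:03:00Z", "admin", "198.51.100.4", "PutBucketAcl", "customer-exports"),
]
```

Running `enumeration_alerts(SAMPLE_EVENTS)` flags only the unfamiliar key (five enumeration calls in 44 seconds), while the single routine ListBuckets from the deploy role stays below the threshold; `permission_change_alerts` surfaces the PutBucketAcl call regardless of frequency, which is the behavior a monitor needs when a bucket is being opened up.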
Cybersecurity’s Next Step — From Reactive to Proactive
RANK’s core belief is that Machine Learning and Artificial Intelligence driven Behavioral Analytics is the fulcrum for helping predict, prevent and defeat cyberattacks. RANK’s core offering, VASA, is an enterprise security analytics and visualization platform focused on high-velocity, real-time contextual and behavioral analytics. Combining big data technologies, machine learning and patented algorithms, RANK’s User & Entity Behavior platform helps discover insightful information and actionable intelligence around insider threats, targeted attacks and more.