Data is moving to the cloud, but the security controls offered by cloud providers vary widely. According to Gartner, one-third of consumer data will be hosted in the cloud by 2016. Skyhigh’s own usage data shows that the average organization uploads 3.1GB of data to the cloud each day, but that only 9.3% of cloud providers meet requirements of large enterprises for data protection, identity verification, service security, business practices, and legal protection. Given these trends, many CIOs have recognized the need for the IT organization to respond to threats in the cloud while also enabling cloud services that drive innovation and growth. We asked CIOs how IT is adapting and the questions they expect security teams to answer. Their responses, and the complete ebook this post is excerpted from are below.
We’ve broken down their questions into the four pillars Gartner uses to describe the steps companies take to secure their data in the cloud: visibility, compliance, threat detection, and data security. In this first post (of the 4-part series), we’ll focus on the questions CIOs expect their organizations to be able to answer about threat detection. Cloud services, like on-premise systems, can be the target of attacks aimed at stealing corporate data or damaging the business. Attacks typically leverage the cloud in one of two ways: 1) they use cloud services as sources of sensitive data to steal, or 2) they use cloud services to exfiltrate stolen data.
Cloud services as sources of sensitive data
Some enterprise-ready cloud services have security capabilities that exceed those of the enterprise data center, but that does not necessarily protect them from insider threats or compromised identities. In fact, compromised identities and insider threat are the two main drivers of the first threat vector (cloud services as the source of data to steal), and they are far more common than most IT professionals realize.
According to the Cloud Security Alliance, 17% of companies reported an insider threat last year, but in fact 85% of companies experienced one. This discrepancy exists because so many attacks go undetected. In order to protect against insider threats, organizations can employ machine learning to identify anomalous behavior that indicates a threat in progress. Triggers are often large or repeated downloads of sensitive data or excessive privileged user access. Malicious insiders could be stealing enterprise data from the cloud, such as IP from a file sharing service or security infrastructure from an IT management service, but the most common insider threat is the theft of customer sales data from CRM services, perpetrated by sales reps or sales operations managers who plan to leave the company.
Additionally, malware attacks are also now targeting cloud services. Last year’s much-publicized Dyre malware monitored browser activity to steal credentials for cloud services that housed valuable corporate data. As a result of this attack and others, 92% of companies have at least one corporate cloud service login credential available for sale on the darknet today. Taken together, 12% of users at an average company have at least one identify compromised and Skyhigh has identified one Fortune 500 company with a staggering 10,156 compromised identities.
Cloud services as vectors of data exfiltration
Attackers also increasingly use cloud services as a way to exfiltrate data without being detected by traditional monitoring technologies such as the organization’s SIEM or intrusion prevention system. With the average company using 923 cloud services today and IT often not having visibility into their usage, it can be challenging for organizations to separate malicious use of cloud services against the background noise of billions of routine events.
In one attack uncovered by Skyhigh, malware employed by a foreign national government used a popular video sharing site to exfiltrate stolen intellectual property. Once attackers gained access to sensitive data, they compressed and encoded the stolen data into video files, and then uploaded them to a popular video sharing website. The videos would play on the site, but once downloaded and decoded the compressed segments could be unpacked providing the attackers with the stolen data. In another startling example, malware leveraged a Twitter account to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets.
Incidents such as these occur every day, and CIOs are recognizing the need for IT to perform threat detection across the vast number of cloud services in use by employees in order to prevent data theft and exfiltration. With this as a backdrop, we polled CIOs to discover the core questions they were asking their staffs regarding cloud threat detection. These were the most frequent questions:
- What does normal behavior for ‘cloud service X’ look like?
- How does a user’s role affect their normal cloud service usage patterns in ‘cloud service X’?
- How do I monitor and baseline usage across the enterprise for both local and remote employees?
- Which users are accessing large volumes of sensitive data?
- Which administrators are accessing large volumes of sensitive data?
- Which cloud services have behavioral anomalies that indicate insider threat?
- Which cloud services and users have behavioral anomalies that indicate malware at work?
- Which cloud services and users have behavioral anomalies that indicate an account is compromised?
- Which cloud services in use are rated as high-risk and have an anonymous use policy and who is using them?
One of the challenges Gartner has identified with regards to detecting these types of threats in the cloud era is that organizations need new controls. With on-premise applications, IT security has deployed an array of technology to control application access from authorized users and from defined locations while also inspecting for malicious content, regardless of the network channel or protocol. However, in the cloud era, enterprise cloud applications are now accessible to anyone with an Internet connection. Because of this fundamental change, new controls are required in order to protect enterprise data. Particularly, new controls are needed for cloud service to manage events such as:
- Access from known suspicious countries, locations, devices, locations, or unusual access times or data volumes.
- Access from compromised cloud service accounts.
- Access from canceled accounts or from accounts that have remained idle for excessive periods of time.
- Access directly to cloud services that bypasses security controls.
- Access via outdated operating systems or browsers that are no longer supported and are thus more vulnerable to attacks.