In 2020, digital transformation across all sectors accelerated at lightning speed out of sheer necessity. As a result of this collective cloud scramble, security likely took a back seat to the urgent need to pivot to a fully remote workforce during the height of the pandemic.
Now, as we start to take a deep breath after the cloud storm and revisit the cloud strategies made in the moment, it is essential to scrutinize cloud (in)security and determine how to move forward to ensure cloud adoption with confidence.
David Lathrop, VP Utility Strategic Business, Unlimited Technology, and Christopher Walcutt, VP of Strategy, DirectDefense, recently joined IronNet Senior Threat Hunter Joel Bork in the now on-demand webinar “Cloud (in)security” to unpack the root causes of cloud misconfigurations and, more important, best practices for enterprises to secure what’s in the cloud, per Cloud Service Provider (CSP) shared responsibility models.
Tackling cloud misconfigurations
There are 22,000 cloud misconfigurations in the U.S. per month. The rush to expand the security border to accommodate post-pandemic work-from-home environments has not contributed to the cloud security cause, by any means. As Chris Walcutt explains, “It is common for an organization under stress and pressure to make decisions that don’t follow their normal control process.” In the case of the COVID-19 scramble to the cloud, many organizations had to adapt quickly without a plan, stopping in-flight processes or ending up with hybrid environments, bring your own computer (“BYOC”) situations, and other sub-ideal setups.
He elaborates, “You can’t secure the environment the way you would expect to do so normally. In these hybrid scenarios, we end up with situations where people are really struggling to put together secure architectures that encompass everything they want to do. The software vendors couldn’t keep up. The hardware vendors couldn’t keep up. The enterprises ended up a little behind the eight ball.”
A closer look at cloud misconfigurations
Cloud misconfigurations arise from erroneous settings of any cloud-related system, asset, or tool, placing cloud data at risk. Indeed, misconfigurations are a popular lure for attackers waiting to seize the opportunity in order to steal data. Adding insult to injury, misconfigurations typically are hard to detect. Some reports indicate, for example, that “99% of misconfigurations in enterprise IaaS environments go unnoticed.”
While CSPs provide basic infrastructure, it is still up to the enterprise to configure it in a secure fashion. So while there is a great degree of flexibility of AWS as a cloud platform, for example, that means there are many options to get wrong. “Even one misconfiguration,” says Walcutt, “can put an entire enterprise at risk: leaks from containerization, permissions leakage, etc. that can have pretty disastrous results.”
Needless to say, a “set it and forget it” approach to security configuration has fallen by the wayside. Continuous is key, and enterprises must perform regular audits and penetration tests to identify vulnerabilities and check security control capabilities. As a managed service, cyber and physical security provider, Unlimited Technology has developed a “RED PEN” approach to best practices for avoiding misconfigurations. These are buckets that categorize the configurations to follow to protect the infrastructure.
Best practices for access control
Preventing access to privileged accounts is particularly critical. One of the biggest concepts about least privilege is determining what is actually necessary for any specific function. When you look at the capabilities across the enterprise network, it’s important to truly understand what level of access is necessary to perform any action (e.g., sending an email, the ability to log in, the ability to overwrite data or add data).
One of the most common attack vectors at the hands of the end-user is credential reuse. The “new norm” necessitates a closer look. On-prem privileged access accounts that are local to the machine, for instance, may or may not have rights in the cloud. Or in the cloud you may have multiple platforms with the same set of credentials. It’s imperative, then, to assess, clarify, and tighten access controls.
Leveling up access control for cloud
While identity and access management (IAM) solutions and multi-factor authentication can enable better access control, enterprises are now looking to role-specific access authorization (with time-keeping parameters) to further minimize access risks from compromised credentials and data misuse.
Upping the ante, attribute-based control enables functionally beyond what the user base is doing. This approach adds a layer of security wherein users cannot access cloud data or assets unless certain attributes are verified (e.g., that they are using up-to-date anti-virus software) automatically before given cloud access. To make this approach work, you must understand where your sensitive data is and how to access it, because it’s hard to know which attributes are required “if you don’t know where your critical information is sitting in the cloud — that is, if you don’t know the data flows,” says Walcutt.
The bottom line in both cases: Without a baseline for normal behavior, you do not know what is anomalous. Take several steps back to move many steps forward with your cloud adoption.
Setting baselines for normal behavior
As Walcutt points out, “Getting granular is the only way you are going to set baselines for what constitutes normal behavior for moving around in the network. Organizations need to understand what the new norm is for their baseline and be able to establish the user behavior, and even the machine-to-machine behavior, to catch behaviors that are out of place.”
This commitment to setting a baseline is particularly important during what Walcutt calls the “breach season” of the last 18 months, as anytime there is a major world event, attackers seize the opportunity to piggyback on burning topics in emails that “catch the eye of a user, even of an administrator.” These events carve out an arena that is ripe for attackers and potential compromise. After all, says Walcutt, “No matter how good the enterprise is at security itself, you still have end-users.”
Achieving greater visibility in the cloud
You have to see behavior to monitor it, however. Both Lathrop and Walcutt agree that overcoming the notorious blind spots of cloud migration is a way to lift confidence in all that the cloud promises. Gaining visibility is key. As Lathrop explains, “Being able to have visibility into net flow and all endpoint assets is needed for incident response and real-time monitoring so that if something does happen, speed is of the essence. NDR and endpoint detection are critical for achieving this visibility.”
Now, enterprises are in scenarios where end-users may not be reliant on corporate infrastructure at all. The end user may be going directly to the cloud and may not even interact with the office infrastructure. As Walcutt emphasizes, “All of a sudden, these traditional models are the things that can make or break whether or not you are able to be secure.” You need to see what is going to the cloud. Network detection and response (NDR) tools shine the light on network anomalies that otherwise would have slipped by, unnoticed, in the cloud.
What level of visibility do you need in the cloud?
Lathrop says that you should be able to answer these three questions at all times to ensure that you can detect any anomalous activity in your cloud environment (whether public, private, hybrid, or multi-cloud):
- What’s on your network?
- Who’s on your network (i.e., are the right people accessing)?
- What’s happening on your network?
To answer these questions successfully, you need to be able to see the raw network flows to and from the cloud. Although all CSPs offer logging and monitoring tools to capture a history of all API calls (e.g., the caller’s identity, source IP address, and request parameters), only fine-tuned detection capabilities for determining anomalous behaviors within the network traffic will truly secure what’s in the cloud.
Network detection and response solutions driven by behavioral analytics, such as IronNet’s IronDefense, enable you to see the truth in the traffic from network data, including both network logs and sensor-based traffic, closing the known visibility gap that plagues full-on cloud adoption. Further, PSB EXERO offers Health Based Monitoring and automatic intervention for all assets on your network. With both IronNet and EXERO installed, you have 100% visibility and can answer the questions of who’s on your network, what’s on your network, and what’s happening on your network in real time.
With AWS and Azure integrations, for example, IronNet’s IronDefense can access cloud logs to detect and analyze threats and provide anonymous, correlated context that no single enterprise would have on its own. This capability gives the enterprise the visibility it needs to take timely and relevant action on what they now are able to see with IronDefense, instead of being left in the dark.
Need more advice on tightening up your cloud security? See “Cloud (in)security: Your guide to stronger cloud security with NDR.”
IronNet has partnered with DirectDefense, Unlimited Technology, and Exero to offer a four-phased approach to a stronger enterprise security program, including cloud security. The Enterprise Security Program Review takes the current and desired future state of your network infrastructure and measures it against the National Industry Standards and Technology (NIST) cybersecurity controls (800-53, 800-171). From there, you can analyze your specific risk of threat exposure and determine where to prioritize and implement security controls that make the best business and fiscal sense. Learn more about the Enterprise Security Review Program.