Last month, IDC published a report: Cybersecurity Threats: Eight Things CIOs Need to Know.
In this article, we will explore a few of those principles, discuss how specifically it affects organizations in the public cloud, and what CIOs/CISOs should be aware of when evaluating cloud security solutions.
Critical Knowledge for CIOs
The challenge for business leaders is that the cybersecurity threat landscape in the public cloud has evolved significantly over the past few years.
CIOs must be aware of a critical principle as they design and implement their cybersecurity programs: cybersecurity professionals and attackers have completely different success criteria for their efforts.
Whether its able to infiltrate the cloud environment and perform cryptojacking or use compromised API keys to launch bitcoin mining instances, an attacker only needs to be successful once out of thousands of exploits. On the other hand, cybersecurity teams are required to prevent attacks 100% of the time, which is not a trivial task in the public cloud given the complexity of cloud controls and services. The primary threat facing major organizations today is a sophisticated and focused attacker that is looking to exploit weakness in the security armor, with the public cloud environment being the ultimate achilles heel.
Figure below focuses on eight important facts about the cybersecurity threat landscape that CIOs should keep in mind as they plan their security programs.
The Greatest Threat May Come from Within
When most business leaders think of potential cybersecurity threats, they often imagine foreign adversaries looking to steal intellectual property or engage in malicious activity. The reality is that the individuals seeking to perform those actions may be closer than you think.
According to the 2018 Verizon DBIR report, more than 25% of cyberattacks have been at the hands of insiders who exploit their authorized access. Trusted employees, contractors, and business partners pose a substantial risk to organizations. They often have the ability to bypass many security controls that focus on keeping outsiders out and either are not capable of viewing insider activity or are tuned to ignore actions by authorized users. In the cloud, security teams have to understand the extent of these insider threats and enforce appropriate cloud controls to detect unauthorized actions by insiders.
Whether the threat comes from employees, former employees, contractors, or malware that was installed on an infected endpoint, the end guidance is the same – anyone without authorized access should not have the ability to touch and interact with critical cloud assets. Once employees are hired, organizations should monitor user activity and track every API call to confirm that user actions comply with security and compliance policies.
Beware of the Social Engineer
Social engineering is an easy attack vector for hackers to gain a foothold on an organization’s network. In SailPoint’s 2017 Market Pulse Survey, the company found that 77% of technology leaders believe that users are one of their greatest risks. Attackers dupe users to enter their passwords through elaborate impersonation schemes that involve creating false websites and sending phishing messages.
In addition to educating users about the risks posed by social engineering in the cloud, organizations should also implement strong multifactor authentication and control access to cloud services and operations beyond strong password enforcement.
Most Organizations Are Slow to Detect and Respond to Threats
Organizations take a significant amount of time to discover the breaches that do occur on their networks. Media reports of security breaches provide bountiful anecdotal evidence of this trend, offering reports of organizations suffering breaches that took weeks or months to discover. The data supports these anecdotes. In Mandiant’s M-Trends 2018 report, the incident response consultants use the dwell time to quantify the speed of incident response. Dwell time is the defined as the number of days between the earliest time that evidence supports an attacker being present on the victimized network until the breach was discovered. Mandiant reports that the worldwide median dwell time is 101 days, essentially meaning that the attack has over 3 months of undetected access within an organization’s network.
Immediate response to to security incidents depends upon rapid detection of successful breaches. Cybersecurity teams have a multitude of tools such as intrusion prevention systems and security information and event management tools. However, these solutions are effective only if they are well integrated into the organization’s cybersecurity program. Incident detection and response often depends upon the availability of cybersecurity analysts who can quickly assess and respond to such incidents from a sea of logs and alerts generated from the tools.
The Most Serious Threats Aren’t Found in the Headlines
In January 2018, two high-profile security vulnerabilities took the mainstream media by storm. Dubbed Spectre and Meltdown, this pair of exploits target hardware vulnerabilities that reside deep within processors. Meltdown and Spectre are making headlines because of their vast impact on both consumer endpoints (such as smartphones and personal computers) and enterprise servers both on-premise and in the cloud. The vendors are working to patch their services. The processor vendors are working to fix these vulnerabilities; the operating system and browser vendors release patches; and the major public cloud vendors have been working to patch the cloud infrastructure.
Every security vulnerability should be taken seriously and remediated when possible. Spectre and Meltdown are indeed serious vulnerabilities that require patching. Take the time to assess the complete state of vulnerabilities on your network, and prioritize news reports against any other issues that may exist. We wrote a blog about detecting such vulnerabilities in the public cloud.
Dome9 provides comprehensive network security, compliance management and threat detection in the public cloud
Dome9 can protect and safeguard organizations against insider threats/social engineering and ensure security and compliance for organizations. To learn more about how Dome9 protects against such attacks, check out our blog here!
When paired with security information and event management (SIEM) systems, Dome9 can help security teams identify anomalous network or user activity hidden in the logs. To learn more about how Dome9 provides intelligent threat detection in the cloud, check out our blog here!
For a deeper dive into the rest of the principles access the full report here.