Reduced visibility and control. Cryptojacking. Stolen credentials. Pilfered access keys. Lost data. These are just some of the risks your organization may face when migrating to the cloud. Cloud computing enables agility by letting users create, modify, and scale storage, network and compute resources on demand, but this often happens with limited security oversight. When security incidents do arise in these environments, incident response teams face barriers to quick resolution, including:
● Lack of Context: Without context, alert severity is hard to ascertain, making it tough to prioritize the appropriate response. For example, an incident involving a database that is receiving suspicious traffic should be investigated before an incident involving a database that is associated with an open security group but is not reachable from the internet. Risk severity has to be computed from that context (exposure, reachability, observed traffic) rather than from the alert type alone.
● Dynamic Environment: The ephemeral nature of cloud resources makes investigations in constantly changing public cloud environments hard. For example, how do you investigate what transpired on a particular IP address two weeks ago, when environments are spun up and torn down daily and IP addresses are constantly reassigned to different applications? A point-in-time snapshot of the environment as it was then, not just its current state, is required to perform a thorough analysis.
● Privileged Users: In the cloud, many users with elevated privileges, coupled with rapid and constant resource change, make it difficult to pinpoint the root cause of an incident. An audit trail that can be correlated with every configuration change is necessary to quickly identify the user and the action that led to the incident.
● Alert Fatigue: The rapid pace of change in cloud environments can inundate the security team with alerts. For security to keep pace, alerts must support auto-remediation or integrate with existing incident response tools and DevOps workflows.
CSI Trends Report - Key Findings
In addition to these barriers, the threat landscape continues to evolve, creating new challenges for incident response teams. The latest RedLock CSI Trends Report highlights several of these trends:
- An average of 27% of organizations experienced potential account compromises, fueled by new attack vectors.
Organizations are ramping up efforts to stop attackers from stealing credentials and access keys, but new vectors keep appearing. One is the Instance Metadata API: it hands the instance's temporary credentials to any process that can reach it, so an attacker who can make the application issue requests on their behalf (for instance through a server-side request forgery flaw) can harvest those keys without ever logging in.
- Cryptojacking has gone mainstream; 25% of organizations currently have this activity in their environments.
Unfettered access to expensive and high-powered public cloud compute resources is leading to increased cryptojacking attacks.
- Effective compliance must be omnipresent; 51% of organizations publicly exposed at least one cloud storage service.
Confidential data is moving to the cloud and organizations must prove compliance. Additional controls such as encryption, and security frameworks such as the NIST CSF and the CIS benchmarks, still need to be operationalized.
- Beyond the specter of “Spectre” and “Meltdown”; 24% of organizations have hosts missing high-severity patches in public cloud.
Vulnerability management at scale is extremely complex in the cloud, and it is also a GDPR obligation, since the regulation requires appropriate technical measures to protect personal data. Organizations need to decide how they will address it for their public cloud environments.
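As an added example (not code from the RedLock report) of the metadata-API vector mentioned above, the following Python shows a URL-fetching feature with a server-side request forgery flaw reaching the instance metadata endpoint, beside a hardened version that resolves and checks the destination before sending anything. The HTTP client, the DNS table, the `metadata.internal` alias and the credential payload are constructed stand-ins so the code runs offline; 169.254.169.254 is the real link-local address the metadata service listens on, and the path under `/latest/meta-data/iam/security-credentials/` follows the real AWS layout.

```python
"""Added example, not from the RedLock report: an SSRF bug turning the
Instance Metadata API into a credential leak, and the check that closes it.
The HTTP client, DNS table, hostname alias and credential blob below are
constructed so the example runs offline."""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS and network. 169.254.169.254 is the real metadata address;
# everything served from it here is made up.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "metadata.internal": "169.254.169.254",  # hypothetical internal alias
}
FAKE_NETWORK = {
    "93.184.216.34": {"/": "<html>example</html>"},
    "169.254.169.254": {
        "/latest/meta-data/iam/security-credentials/app-role":
            '{"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "constructed",'
            ' "Token": "constructed"}',
    },
}


class Blocked(Exception):
    """Raised by the hardened fetcher when it refuses a URL."""


def resolve(host):
    """Resolve a hostname or IP literal to an ipaddress object.

    Attackers hide 169.254.169.254 as a bare integer (2852039166), a hex
    literal (0xA9FEA9FE) or an IPv4-mapped IPv6 address, so normalise all of
    those before any allow/deny decision is made."""
    host = host or ""
    try:
        ip = ipaddress.ip_address(int(host, 0))   # decimal or hex literal
    except ValueError:
        try:
            ip = ipaddress.ip_address(host)       # dotted / colon literal
        except ValueError:
            if host not in FAKE_DNS:
                raise Blocked(f"unresolvable host {host!r}")
            ip = ipaddress.ip_address(FAKE_DNS[host])   # stub DNS lookup
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                       # ::ffff:a.b.c.d -> a.b.c.d
    return ip


def fake_http_get(ip, path):
    """Stub HTTP client: serve the request from the constructed network."""
    return FAKE_NETWORK.get(str(ip), {}).get(path, "404 not found")


def vulnerable_fetch(url):
    """A 'fetch this URL for me' feature with no destination check: the
    classic SSRF that reaches the metadata service from inside the VPC."""
    parts = urlparse(url)
    return fake_http_get(resolve(parts.hostname), parts.path or "/")


def is_internal(ip):
    """Addresses an outbound fetch from a cloud host must never reach."""
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def hardened_fetch(url):
    """Same feature, with the destination resolved and checked before the
    request is sent. Connect to the checked IP, not the name, so a DNS
    rebind between check and use cannot change the destination."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise Blocked(f"refusing scheme/host in {url!r}")
    ip = resolve(parts.hostname)
    if is_internal(ip):
        raise Blocked(f"{parts.hostname} resolves to internal address {ip}")
    return fake_http_get(ip, parts.path or "/")


def fetch_outcome(url):
    """Convenience wrapper: response body on success, 'BLOCKED' when refused."""
    try:
        return hardened_fetch(url)
    except Blocked:
        return "BLOCKED"
```

The habits that matter are all in `hardened_fetch`: normalise the host to an address before comparing (the integer and hex forms are what slip past string-matching denylists), connect to the checked address rather than re-resolving the name, and do not follow redirects, since an allowed host could otherwise bounce the request to the metadata address (the stub client above does not model redirects). A check like this shrinks the blast radius of an SSRF bug; it does not replace limiting what the instance role is allowed to do, and requests to 169.254.169.254 from application processes are worth alerting on in their own right.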
4 Tips for Incident Response Teams
To avoid major security issues and regain cloud visibility, CISOs must maximize the efficacy of their security incident response teams. To that end, the RedLock CSI team recommends these four best practices:
- Maintain a Configuration Management Database (CMDB) for the public cloud: Security incident response investigations typically require historical context, which is hard to maintain in dynamic cloud environments. As an example, you may want to search for all databases that were receiving traffic from suspicious IP addresses last Friday, then drill down on each resource to determine its current and past configuration state, and finally identify the users who were modifying those database configurations. This requires that security teams maintain a comprehensive CMDB for the public cloud, something traditional CMDB systems, built for relatively static assets, were not architected for.
- Prioritize risks: Large cloud environments can generate thousands of alerts. Ensure you have an automated way to risk-rank resources, for example an A through F ranking based on the severity and exploitability of the risks. Ranking your resources lets your teams prioritize remediation based on the severity of business risks, violations, and anomalies.
- Assess impact: Once alerts start pouring in, alert fatigue can quickly set in if the security analysts have limited context or visibility into the cloud environments. Ensure that your tools can not only tell you what potentially could go wrong, but can actually pinpoint the impact of such misconfigurations. For example, knowing you have an open security group isn’t adequate, unless you can pinpoint the actual applications affected by it, the amount and type of network traffic these applications have received, and the developer(s) who introduced the misconfiguration to the environment. Armed with this information, you can make educated decisions, such as whether or not to disable that security group or shut down the impacted applications.
- Respond rapidly: Address issues quickly by integrating alerts into your existing workflows for automated remediation and policy orchestration. These could include SIEM tools like Splunk and IBM QRadar, as well as security automation platforms like Demisto.
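The following Python, an added example rather than the report's own tooling, shows the queries the tips above (and the context and point-in-time snapshot points in the barrier list earlier) call for: reconstructing every resource's configuration at a moment in time from a change audit trail, joining that to flow records to find the databases that received suspicious traffic in a window and who last changed their security group, grading resources A through F, and measuring what an open security group actually exposes. The change events, flow records, resource ids, user names and the 203.0.113.7 "suspicious" address are all constructed, and the scoring weights are an assumption, not a real product's model.

```python
"""Added example, not from the RedLock report: a point-in-time CMDB for cloud
resources joined to a configuration-change audit trail and to flow records,
with an A-to-F risk ranking and a security-group impact query. All data is
constructed; the scoring weights are an assumption."""
from datetime import datetime

# Constructed audit trail: who changed which resource, when, and the
# configuration the change left behind (a CloudTrail-style event joined to
# the resulting resource configuration).
CHANGE_EVENTS = [
    {"time": "2018-05-04T09:00:00", "user": "alice", "resource": "sg-web",
     "config": {"type": "security_group", "open_to_internet": False}},
    {"time": "2018-05-04T09:00:00", "user": "alice", "resource": "sg-internal",
     "config": {"type": "security_group", "open_to_internet": True}},
    {"time": "2018-05-04T09:05:00", "user": "alice", "resource": "db-orders",
     "config": {"type": "database", "sg": "sg-web", "internet_facing": True}},
    {"time": "2018-05-04T09:05:00", "user": "alice", "resource": "db-reports",
     "config": {"type": "database", "sg": "sg-internal", "internet_facing": False}},
    # bob opens the web security group on Friday; carol closes it on Saturday
    {"time": "2018-05-11T14:30:00", "user": "bob", "resource": "sg-web",
     "config": {"type": "security_group", "open_to_internet": True}},
    {"time": "2018-05-12T08:00:00", "user": "carol", "resource": "sg-web",
     "config": {"type": "security_group", "open_to_internet": False}},
]

# Constructed flow records keyed by resource id rather than IP: the inventory
# is what maps an address back to the resource that held it at that time.
FLOW_RECORDS = [
    {"time": "2018-05-11T15:02:00", "src": "203.0.113.7", "dst": "db-orders", "bytes": 48_000_000},
    {"time": "2018-05-11T15:05:00", "src": "198.51.100.20", "dst": "db-orders", "bytes": 2_000},
    {"time": "2018-05-11T16:00:00", "src": "10.0.3.4", "dst": "db-reports", "bytes": 5_000},
]
SUSPICIOUS_IPS = {"203.0.113.7"}  # constructed threat-intel match

ts = datetime.fromisoformat  # all timestamps are ISO 8601 strings


def snapshot(at):
    """Configuration of every resource as it stood at `at`: the latest change
    event at or before that moment, together with its author."""
    state = {}
    for ev in sorted(CHANGE_EVENTS, key=lambda e: e["time"]):
        if ts(ev["time"]) <= ts(at):
            state[ev["resource"]] = ev
    return state


def traffic_between(start, end, sources=None, dests=None):
    """Bytes received per destination in [start, end], optionally filtered
    by source IPs and/or destination resource ids."""
    totals = {}
    for rec in FLOW_RECORDS:
        if not (ts(start) <= ts(rec["time"]) <= ts(end)):
            continue
        if sources is not None and rec["src"] not in sources:
            continue
        if dests is not None and rec["dst"] not in dests:
            continue
        totals[rec["dst"]] = totals.get(rec["dst"], 0) + rec["bytes"]
    return totals


def databases_hit_by(ips, start, end):
    """'All databases that received traffic from suspicious IPs last Friday',
    each with its configuration at the end of the window and the user who
    last changed its security group."""
    state = snapshot(end)
    return {
        db: {"bytes": nbytes,
             "config": state[db]["config"],
             "sg_last_changed_by": state[state[db]["config"]["sg"]]["user"]}
        for db, nbytes in traffic_between(start, end, sources=ips).items()
        if state[db]["config"]["type"] == "database"
    }


def risk_grade(resource, at, start, end):
    """A (clean) to F (actively exploited): severity from exposure,
    exploitability from reachability and hostile traffic in the window."""
    state = snapshot(at)
    cfg = state[resource]["config"]
    sg = state[cfg["sg"]]["config"]
    score = 0
    if sg["open_to_internet"]:
        score += 1          # a misconfiguration exists
    if cfg["internet_facing"]:
        score += 1          # the resource has a public path
    if sg["open_to_internet"] and cfg["internet_facing"]:
        score += 1          # the two combine: actually reachable
    if resource in traffic_between(start, end, sources=SUSPICIOUS_IPS):
        score += 2          # and something hostile is already talking to it
    return "ABCDEF"[score]


def security_group_impact(sg, at, start, end):
    """What an open security group actually exposes: attached resources, the
    traffic they took in the window, and who introduced the current rule."""
    state = snapshot(at)
    attached = [r for r, ev in state.items() if ev["config"].get("sg") == sg]
    received = traffic_between(start, end, dests=attached)
    return {
        "open_to_internet": state[sg]["config"]["open_to_internet"],
        "introduced_by": state[sg]["user"],
        "introduced_at": state[sg]["time"],
        "affected": attached,
        "bytes_received": sum(received.values()),
    }
```

With this data, `risk_grade("db-orders", ...)` on Friday afternoon comes out F (open group, public database, hostile traffic observed) while `db-reports`, which sits behind an open group but has no public path, is a B; that is the prioritization the "Lack of Context" barrier describes. Re-running the same query after carol closes the group returns B for `db-orders`, which is why grades must be recomputed on every configuration change rather than stored with the original alert.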
Get the NEW Cloud Security Trends - May 2018 - Anniversary Edition
This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. Download the latest Cloud Security Trends - May 2018 report to get 14 tips to fortify your public cloud environment.