A misconfigured storage bucket in the cloud can often go unnoticed but it can result in a cyberattack. Mike Campfield, VP, Global Security Programs, ExtraHop, explains what the problem is and how companies can address it.
Misconfigurations are undermining data security in the cloud, and the self-inflicted wounds they cause show up in many of the high-profile breaches of recent years.
When the sensitive data of millions of airline customers was leaked in 2019, the culprits behind the breach were not expert cybercriminals using the latest advanced hacking tools to gain access.
A misconfigured storage bucket – typically an access policy or ACL that grants read access to anyone on the Internet – was to blame for exposing the data to the public Internet. It’s an all-too-common problem and one that often goes unnoticed – even by seasoned IT professionals – because of the speed of innovation and the near-limitless scalability that cloud adoption allows.
A global problem
A 2019 report from the cybersecurity firm McAfee stated that 99% of misconfigurations in Infrastructure-as-a-Service (IaaS) environments go unreported. The same study noted that businesses report an average of 37 cloud misconfigurations a month. The actual number, according to McAfee’s data, is more like 3,500 a month.
The result? Nearly 70% of the records exposed on the Internet – 5.4 billion in total – were exposed through unintentionally misconfigured services and portals. And according to a recent DivvyCloud report, breaches caused by cloud misconfiguration cost companies an estimated US$5 trillion worldwide over the last two years.
As eye-popping as those figures are, they’re not surprising.
The public cloud has transformed the way enterprises do business. At the same time, it’s introduced new classes of risk, misconfiguration chief among them.
Risk versus reward
Public cloud environments enable businesses to scale up at a lower cost by moving compute power out of the on-premises data centre. The cloud also drives innovation, providing developers with the freedom to create ground-breaking applications and spin up revenue-increasing instances with minimal friction (or oversight) from security teams.
When there is a lack of proper vetting to ensure that every cloud instance is securely configured, businesses run the risk of becoming the next in a long line of data breach victims. And because of the shared responsibility model for cloud security, those businesses will be left holding the bag.
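What that vetting looks like for the storage-bucket case, as an added example that is not part of the original article or of any vendor product: the script below evaluates a bucket policy document and an ACL grant list offline, the way a pre-deployment check would, and reports every grant that opens the bucket to the public Internet. The bucket name, policy, grants and account ID are constructed for the example; the two group URIs are the real AWS identifiers for the AllUsers and AuthenticatedUsers groups.

```python
"""Offline check for a publicly exposed S3-style bucket.

Added example (not from the original article or any vendor product): it
evaluates a bucket policy document and an ACL grant list the way a
pre-deployment vetting step would, and reports the grants that expose the
bucket to the public Internet. The policy, ACL, account ID and bucket name
below are constructed for the example.
"""
import json

# S3 canned-group URIs that make an ACL grant public (these are the real
# AWS identifiers for the AllUsers and AuthenticatedUsers groups).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the Internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Actions that let a principal read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return the statements in a bucket policy that allow anonymous reads.

    A statement counts when it is an Allow, names the wildcard principal
    and grants a read/list action. Statements carrying a Condition block are
    flagged as conditional: conditions such as aws:SourceVpc can make them
    safe, but that needs a human (or a fuller evaluator) to decide.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(actions & READ_ACTIONS),
            "conditional": "Condition" in stmt,
        })
    return findings


def acl_public_grants(grants):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append({
                "group": PUBLIC_GROUP_URIS[grantee["URI"]],
                "permission": grant.get("Permission"),
            })
    return findings


def bucket_is_public(policy, grants):
    """True when either the policy or the ACL exposes the bucket unconditionally."""
    unconditional = [f for f in policy_public_statements(policy) if not f["conditional"]]
    return bool(unconditional) or bool(acl_public_grants(grants))


# Constructed sample: a policy that grants anonymous GetObject on every key,
# plus an ACL that lets anyone list the bucket. This is the shape of the
# misconfiguration the article describes.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-writer"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-customer-exports/*"}
  ]
}
""")

SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for f in policy_public_statements(SAMPLE_POLICY):
        print("policy:", f)
    for f in acl_public_grants(SAMPLE_GRANTS):
        print("acl:", f)
    print("public:", bucket_is_public(SAMPLE_POLICY, SAMPLE_GRANTS))
```

Run against the constructed sample, the check reports the PublicRead statement and the AllUsers READ grant and flags the bucket as public; a policy whose wildcard grant carries a Condition is reported but not treated as unconditionally public, which is the case a human reviewer still has to look at.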
Shared responsibility and sleepless nights
A cloud service provider (CSP) such as Amazon Web Services, Microsoft Azure or Google Cloud Platform, with a deep roster of highly skilled professionals, does a great job of securing the infrastructure of the cloud. CSP customers, however, often struggle to protect their own workloads and data in the cloud, and the configuration of those resources – storage bucket permissions, security groups, identity and access policies – sits squarely on the customer’s side of the shared responsibility line.
Those customers are well aware of the problem. Sixty percent of respondents in the 2019 European Insight Intelligent Technology Index (ITI) listed cloud security as the issue most likely to keep them awake at night.
In a dream world, every business would have the necessary resources to build a first-class cloud security team. In the real world, cloud security specialists are in short supply. A 2019 ISSA report showed that cloud security was the area most affected by the cyber skills gap.
The search for solutions
As more enterprises migrate business-critical applications and data to the cloud, we can expect the cyber skills gap to grow and the search for solutions to expand. One solution is to make sure everyone on the payroll understands the inherent security risks in the cloud, including those created by misconfiguration.
However, even instilling a company-wide culture of security may not be enough to bridge the gap between what a firm needs to protect its cloud environment and what is readily available on the job market in the form of skilled analysts, threat hunters, forensic investigators and incident responders.
Many companies choose to invest heavily in products that promise to improve their cloud security posture and CSPs offer their own native solutions. Unfortunately, those products don’t always seamlessly integrate or align with the tools an organisation already uses. And far too many security tools – regardless of their manufacturer – struggle to provide visibility, threat detection and response capabilities in cloud and hybrid environments.
The missing piece in cloud security
Traditionally, businesses have relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response. But in the cloud, enterprises often lacked access to the third leg of the SOC visibility triad (logs, endpoint, network) – network data.
Capturing network data for analysis often required deploying agents, a costly, complex and time-consuming process. With the introduction of virtual taps in the cloud – traffic-mirroring features such as AWS VPC Traffic Mirroring – cloud-focused security teams could finally leverage agentless network detection and response (NDR) products that represented the missing piece in cloud security.
NDR products provide observed ground truth with context, and because they watch traffic passively at the mirroring layer rather than through an agent on the host, they are far harder for an attacker on a compromised workload to disable or evade. With the ability to passively monitor everything happening in the east-west traffic corridor in real time, NDR products enable security teams to quickly detect, investigate and respond to threats that other tools miss.
Those threats include misconfiguration. By ingesting information about asset usage and observing which IP addresses touch cloud resources such as storage buckets and applications, NDR products can alert security teams when they detect the anomalous or malicious behaviour that indicates a breach – a storage bucket being read from an address that no known workload or partner uses, for example. Analysts can then quickly drill down into copies of network packets to determine what happened and why.
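The kind of detection logic just described, as an added example that is not code from the original article or from any NDR product: it runs over flow-style records of the sort a virtual tap yields (which source talked to the bucket endpoint, by what method, moving how many bytes) and raises an alert when a source outside the expected address ranges reads from the bucket, or when any single source pulls an unusually large volume. The flow records, bucket name, expected address ranges and volume threshold are all constructed for the example.

```python
"""Flow-based detection of unexpected access to a storage bucket.

Added example, not code from the article or from any NDR product. It works
on flow-style records of the kind a virtual tap yields and raises an alert
when a source outside the expected address ranges reads from the bucket,
or when any single source pulls an unusually large volume. The records,
bucket name, address ranges and threshold are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed: address ranges that are expected to talk to the bucket
# (the VPC, the office egress range, a known partner host).
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/16", "203.0.113.0/24", "198.51.100.7/32")]

# Constructed: per-source read volume (bytes in the observation window)
# above which even an expected source is worth a look.
BULK_BYTES = 500 * 1024 * 1024

# Constructed flow records: (timestamp, src_ip, bucket, http_method, bytes_out).
# The last three are the interesting ones: a source outside every expected
# range listing the bucket and then pulling 1.8 GB is what an exposed
# bucket being scraped looks like on the wire.
FLOWS = [
    ("2019-09-03T10:00:01Z", "10.20.4.15",   "example-customer-exports", "PUT", 12_000),
    ("2019-09-03T10:00:05Z", "10.20.4.15",   "example-customer-exports", "GET", 8_000),
    ("2019-09-03T10:02:11Z", "203.0.113.40", "example-customer-exports", "GET", 350_000),
    ("2019-09-03T10:02:12Z", "198.51.100.7", "example-customer-exports", "GET", 90_000),
    ("2019-09-03T10:07:44Z", "192.0.2.99",   "example-customer-exports", "GET", 4_000),
    ("2019-09-03T10:07:45Z", "192.0.2.99",   "example-customer-exports", "GET", 900_000_000),
    ("2019-09-03T10:08:30Z", "192.0.2.99",   "example-customer-exports", "GET", 900_000_000),
]


def is_expected(src_ip):
    """True when src_ip falls inside one of the expected ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def detect(flows, expected_check=is_expected, bulk_bytes=BULK_BYTES):
    """Return a list of alerts derived from the flows.

    Two rules:
      unexpected_source - a read (GET) from an address outside every
                          expected range: the bucket is reachable from
                          somewhere it should not be.
      bulk_read         - one source pulled more than bulk_bytes from one
                          bucket in total, expected or not.
    Each (source, bucket) pair is reported at most once per rule, and
    alerts carry the timestamp of the first flow seen for that pair so an
    analyst knows where to start pulling packets.
    """
    alerts = []
    seen_unexpected = set()
    bytes_read = defaultdict(int)
    first_seen = {}
    for ts, src, bucket, method, nbytes in flows:
        key = (src, bucket)
        first_seen.setdefault(key, ts)
        if method != "GET":
            continue
        bytes_read[key] += nbytes
        if not expected_check(src) and key not in seen_unexpected:
            seen_unexpected.add(key)
            alerts.append({"rule": "unexpected_source", "src": src,
                           "bucket": bucket, "first_seen": ts})
    for (src, bucket), total in bytes_read.items():
        if total > bulk_bytes:
            alerts.append({"rule": "bulk_read", "src": src, "bucket": bucket,
                           "bytes": total, "first_seen": first_seen[(src, bucket)]})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

On the constructed flows this yields two alerts for 192.0.2.99: an unexpected_source alert at its first GET and a bulk_read alert for the 1.8 GB it pulled in total, while the in-range sources stay quiet. The two rules deliberately overlap, since an expected source that suddenly drains a bucket (a compromised workload, or a leaked role credential) is as much a signal as an unknown one.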
Data from NDR products can be shared among security, network, development and operations teams, eliminating silos and providing insight from a single, comprehensive source.
NDR solutions can also integrate with a wide range of CSP-native and third-party vendor products, helping to reduce tool sprawl by making the products an organisation already uses more effective.
The cloud has truly transformed the way we do business and it’s also raised the stakes for security by introducing new and emerging threats, including those from misconfigurations. If your cloud-focused security team can’t adapt to overcome those threats, you’re playing a losing hand.