Battling cybersecurity threats in the cloud
Published 24 November 2020
More and more businesses of all shapes and sizes are moving to the cloud, especially during the COVID-19 pandemic, but without effective cybersecurity measures in place, you could be at risk of opening the floodgates to cybercriminals stealing data, holding you to ransom and damaging your business.
With 83% of enterprise workloads expected to be in the cloud by this year, multiple studies have found cyberattacks on cloud systems are exponentially growing.
“I’m concerned with COVID-19 and rush to the cloud to rapidly scale up. They are all moving in fast, and security becomes the least of their concerns or they don’t have a budget for it at that point,” said Alex Ng, the Director of Insyghts Security.
With so many cloud migration options available, from Software-as-a-Service, Platform-as-a-Service, and the fast-growing Infrastructure-as-a-Service, the cybersecurity threats are becoming bigger and spreading faster, and the damages to your business could become untamable.
So how can we fight back?
Your livelihood is at stake
The damaging impacts to your business from cybercriminals are very real, from financial loss to reputational damage.
“I have had customers transfer money to cybercriminals because they claimed to be their vendor, then they ask what they can do. I told them, the only thing I can do is advise you to make a police report because it’s already too late,” said Mr. Ng.
These attacks are commonly caused by human error within an organisation: phishing attacks, poor password protection, failure to review protection regimes and poor training on new systems such as cloud-based infrastructure.
“The weak link in an enterprise is always the people and the system that manages the people. You can have the best system, process or training regime, but if the people don’t follow it and still click on phishing attack links, then there’s only so much you can do,” said Mr. Ng.
There are also threats that manifest over longer periods of time and zero-day threats that are exploiting software and infrastructure vulnerabilities in businesses without a strong set of good policy, practices, infrastructure, management systems and people to monitor and manage the risks.
“For security operations teams, when you move to cloud at scale, that means a lot more data in all sorts of environments like the cloud, SaaS, and IoT. The amount of data they have to handle is becoming unmanageable,” commented Mr. Ng.
This is why Mr. Ng advises businesses to look for a managed security service provider (MSSP) that is able to track insider threats and those that manifest over time with a comprehensive security monitoring service that is fast to respond to modern infrastructures like cloud and hybrid environments.
“Most providers are good at point incidents like a brute force attack, but if there is an insider or an outsider that has already penetrated their enterprise environment via a vulnerability, and it sits there for weeks and slowly gathers pace, some providers may miss that,” said Mr. Ng.
Are you at risk?
Typically, medium and small sized enterprises, as opposed to larger organisations with larger budgets and bigger workforces, neglect cybersecurity measures and become open targets for cybercriminals. Approximately 43% of small businesses were the victims of data breaches.
“They tend to overlook the need to review or rearchitect how the applications or servers are deployed, secured and monitored in the cloud,” added Mr. Ng.
From an application point of view, organisations leverage cloud-native architectures like Platform-as-a-Service (PaaS) or certain features that are part of cloud infrastructure providers like AWS or Azure.
This typically requires applications to be redeveloped when moving to the cloud, but in the haste of moving to the cloud, enterprises could risk missing out security practices or configurations like zones and access control lists that are less common in on-premise architectures.
“Even before the COVID-19 pandemic, enterprises were already moving to cloud. Although it’s not new, there are some that still lack the understanding of how a public cloud works. Some enterprises think they are essentially secure by just moving to the cloud and forget the shared risk model,” said Mr. Ng.
As a result, cloud-based infrastructures and applications can amplify vulnerabilities and weak controls like coding practice, identity access and privileged access management for both internal and external individuals logging into the infrastructure.
“When you move to public cloud, you may want to look into zero trust access management because so many more people can access the cloud and your data, so you want to trust no-one and control who actually has access and monitor what they do on the infrastructure,” advised Mr. Ng.
Out with the old
Failure to adhere to best practices, such as neglecting three-tier architectures and Network-based Intrusion Prevention Systems (NIPS), a lack of access control, or even the absence of a simple patching regime to update your applications and internal data centers, can put your business at serious risk.
Last year, Security Boulevard found that 60% of security breaches involved unpatched vulnerabilities where a patch was available but not applied.
“We have seen customers that have servers so old and unpatched because they are so worried about the application going down. This is scary. When they move to the cloud, they should have a good patching and vulnerability management regime, as well as an incident management system and effective monitoring of cloud resources,” said Mr. Ng.
To avoid the risks of legacy infrastructure, key decision makers in an enterprise must find the motivation to upgrade the system and the mindset to continuously educate, or else they will be held to ransom by the application.
Mr. Ng has seen customers with old applications and unsupported servers struggle to find ways to extend support by buying additional security software to support the legacy system. However, he believes this is the wrong approach, as enterprises will ‘eventually need to move out of the application and build a new one if the budget allows’.
“The IT world keeps changing, the security world keeps changing, and the hackers are evolving. Virtual patching can buy you some time, but it is not the fix. If you don’t evolve with the flow of time, you will have problems in the future,” said Mr. Ng.
Cybersecurity teams should take some time to review new and increasingly sophisticated risks, put forth a strategy to narrow the gap, and adopt technologies and systems to monitor these threats. The CISO or vCISO should be able to help the organisation measure its risk, balance business and cybersecurity objectives, develop a strategic plan and oversee an ISMS (information security management system) that eventually brings the organisation to the desired security maturity state.
How can we stop the cybercriminals?
Beyond the visibility, strategy, plan and controls that need to be in place, you need good visibility of the threats on an ongoing basis. Without a good platform to perform fast analytics, enhanced with a level of artificial intelligence, the amount of data that security operations center (SOC) teams must handle will become unmanageable, leading to increased cybersecurity vulnerabilities.
To future-proof and protect your business, Mr. Ng suggests looking at an MSSP with a monitoring system that leverages big data, AI-based solutions, and User and Entity Behavior Analytics (UEBA) to manage the exponentially growing amount of data and automate some of the work for your security team. This can bring about savings of time and resources that can be transferred back to the business.
“You need to look for one that is able to build that attack chain up and then alert the customer that this is a potential threat and not just an incident,” advised Mr. Ng.
For enterprises moving to the cloud, it is important to look for an MSSP that understands public, private and hybrid cloud environments, with connectors to SaaS and platform providers like SAP and Salesforce.
“Meaningful monitoring is crucial, but I don’t think a lot of existing providers are equipped to handle the different types of cloud services, there will be a lot of data from different cloud sources, and you need some tools to help monitor and manage the threats,” said Mr. Ng.
In recent years, other security monitoring solutions like extended detection and response (XDR), endpoint detection and response (EDR) and managed detection and response (MDR) have entered the cybersecurity scene to collect data from various digital environments and infrastructures.
“These focus on the endpoint portion and not monitoring the entire company’s data assets. Your security monitoring, EDR or XDR needs to include an integrated approach,” said Mr. Ng.
To have a successful integrated approach, you need to collect data from all systems to build a strong database of threats and potential threats in your environment. For example, you need contextual information from users, infrastructure and cloud services, together with data from servers and endpoints, to track how a threat moves from one stage of an attack to the next.
“All the data necessary. If you have just part of the solution, then it would be like monitoring a data center without looking at the endpoint. It’s insufficient,” advised Mr. Ng.
Insyghts Security leverages an analytics platform whose threat model is mapped to an industry framework, MITRE ATT&CK, as the basis for threat modelling, so that multi-stage threats that manifest over a period of time can be tracked. MITRE ATT&CK is a comprehensive compilation of the tactics and techniques used by cyberattackers; it helps security teams identify potential threats and understand how attackers move between the different stages of an attack.
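The idea in the two paragraphs above, correlating events from several sources into a per-identity attack chain labelled with MITRE ATT&CK tactics so that a slow, multi-week intrusion is reported as a potential threat rather than a string of unrelated incidents, can be illustrated with a small correlation routine. The following is an added example written for this article; it is not Insyghts Security’s platform or code. The log lines, source names, event types and the event-to-tactic mapping are all constructed for illustration (the technique IDs in the comments are the well-known ATT&CK ones; a real platform would use a maintained mapping).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, illustrative mapping from normalised event types to the
# MITRE ATT&CK tactic they most plausibly indicate.
TACTIC_OF = {
    "phishing_link_clicked":    "Initial Access",        # T1566 Phishing
    "login_from_new_country":   "Initial Access",        # T1078 Valid Accounts
    "mfa_disabled":             "Persistence",           # T1098 Account Manipulation
    "admin_role_assumed":       "Privilege Escalation",  # T1078 Valid Accounts
    "storage_enumeration":      "Discovery",             # T1580 Cloud Infrastructure Discovery
    "bulk_object_download":     "Collection",            # T1530 Data from Cloud Storage
    "upload_to_personal_share": "Exfiltration",          # T1567 Exfiltration Over Web Service
}

# Constructed sample telemetry from four different sources (email gateway,
# identity provider, cloud audit log, endpoint agent) spread over ~4 weeks.
# Format: timestamp|source|identity|event_type
SAMPLE_LOG = """\
2020-10-01T09:12:00|email_gateway|alice|phishing_link_clicked
2020-10-03T22:40:00|idp|alice|login_from_new_country
2020-10-04T10:00:00|idp|bob|login_from_new_country
2020-10-05T02:10:00|idp|alice|mfa_disabled
2020-10-12T03:30:00|cloud_audit|alice|admin_role_assumed
2020-10-19T04:05:00|cloud_audit|alice|storage_enumeration
2020-10-26T01:50:00|cloud_audit|alice|bulk_object_download
2020-10-27T01:55:00|endpoint|alice|upload_to_personal_share
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # which telemetry feed produced the event
    identity: str  # the user the event is attributed to
    kind: str      # normalised event type (a key of TACTIC_OF)


def parse_event(line: str) -> Event:
    """Parse one constructed 'ts|source|identity|kind' log line."""
    ts, source, identity, kind = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), source, identity, kind)


def build_chains(events, window=timedelta(days=30)):
    """Group mapped events by identity and return, per identity, the ordered
    list of distinct (tactic, source, timestamp) stages observed within
    `window` of that identity's first mapped event. A long window is what
    lets a slow-moving intrusion be seen as one chain."""
    by_identity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in TACTIC_OF:
            by_identity[ev.identity].append(ev)

    chains = {}
    for ident, evs in by_identity.items():
        start, seen, stages = evs[0].ts, set(), []
        for ev in evs:
            if ev.ts - start > window:
                break
            tactic = TACTIC_OF[ev.kind]
            if tactic not in seen:          # one stage per tactic
                seen.add(tactic)
                stages.append((tactic, ev.source, ev.ts))
        chains[ident] = stages
    return chains


def classify(stages, min_tactics=3, min_sources=2):
    """'threat' when the chain spans several tactics and was corroborated by
    several independent sources; 'incident' for an isolated stage."""
    if not stages:
        return "none"
    tactics = {t for t, _, _ in stages}
    sources = {s for _, s, _ in stages}
    if len(tactics) >= min_tactics and len(sources) >= min_sources:
        return "threat"
    return "incident"


def analyse(log: str = SAMPLE_LOG):
    """Return {identity: (verdict, [tactics in order observed])}."""
    events = (parse_event(l) for l in log.splitlines() if l.strip())
    return {ident: (classify(stages), [t for t, _, _ in stages])
            for ident, stages in build_chains(events).items()}


if __name__ == "__main__":
    for ident, (verdict, tactics) in analyse().items():
        print(f"{ident}: {verdict} via {' -> '.join(tactics)}")
```

On the constructed data, bob’s single unusual login stays an incident, while alice’s seven events, no single one of which is alarming on its own and which are spread over nearly four weeks and four telemetry sources, are assembled into a six-stage chain and reported as a threat. The thresholds and the 30-day window are the tunable parts: narrow the window or drop the multi-source requirement and the same data degrades back into isolated alerts, which is exactly the gap the interview describes.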
To complement all this data, businesses need a dedicated security operation team to manage the day-to-day operations to respond to incidents, triage and recommend remediation and recovery options for endpoints and services.
“XDR only gives you the data. You still need people to dig it out and do some form of threat hunting to find a breach and fix it. It doesn’t just magically happen and you still need the people there. That is why an integrated approach and the people are so important,” said Mr. Ng.
Organisations reach out to Insyghts Security for its deep knowledge of traditional infrastructure, secure hosting environments and cloud services, particularly when a business lacks a full, trained security team of its own.
“There are different types of MSSP and consultants. Some consultants focus mostly on information security management, and solution providers offer point solutions that don’t happen to cover the end-to-end scope to threats faced by the organisation,” said Mr. Ng.
Insyghts Security provides enterprises with an end-to-end gap analysis of their security maturity and their capability to respond to threats, proposes and architects improvements, offers strategies, and manages security services and security monitoring.
“We pride ourselves by having deep knowledge and we pair this with a strong security practice and consultancy at a price point that is attractive to mid-size companies. We can definitely help large enterprises, but we pride ourselves on the mid-size companies because they are the precise companies that we think are in need because they are usually resource or cash strapped and they need a lot of care in managing their information security and cybersecurity,” added Mr. Ng.
For enterprises that may not have a Chief Information Security Officer (CISO), Insyghts Security offers a virtual CISO: a pool of cybersecurity experts who help translate an organisation’s business requirements into security needs and build a strategy to improve its security practices, at a fraction of the cost of a full-time CISO.
Even businesses with an internal CISO can benefit from a vCISO by receiving add-on services to help them meet their key performance indicators and feel reassured that their strategies are sound.
“The CISO can sleep in peace when they know their objectives and security are in line and there is a plan to improve them,” said Mr. Ng.
Overall, Insyghts Security aims to make cybersecurity affordable, so that businesses of all sizes can stop the cybercriminals and protect their livelihoods.
What should you do next?
You could look at cybersecurity as a three-step process. One, know what you don’t know and gain visibility into the weak points. Two, put in place policies, controls and solutions for what you now know is lacking. Three, have a dedicated internal or outsourced team to deliver the security practice, controls and solutions, and the day-to-day operation necessary to keep threats at bay.
Just like a security guard needs to know all weak points of a building, you need to have the visibility to monitor all forms of threats in your digital environment by tracking vulnerabilities, perpetrators and insider and outsider dangers.
Would you leave your door wide open at night? Would you leave your car unlocked?
Your business now has digital infrastructures that will become more complex than ever before and need protecting with a proper strategy and a team of virtual and human security guards.
By Stuart Crowley, Editor, W.Media