Saturday, 8th August 2020

Why Insider Threats Are Harder to Detect in Cloud Environments

The adoption of cloud computing by businesses is progressing at an incredible rate. The cloud allows organizations to decrease their operating expenses by allowing them to outsource their infrastructure needs to cloud service providers (CSPs). The competitive market for CSPs has also driven them to develop optimized offerings for different use cases, allowing organizations to choose best-of-breed solutions for each of their business needs.

By Patrick Vernon, technology writer.

However, the cloud does come with its downsides, and one of the greatest of these is a loss of visibility into an organization’s infrastructure. The new environment with its new rules makes detecting certain threats more difficult, especially more subtle ones like insider threats. Protecting cloud-based resources will require identifying and deploying cybersecurity solutions that can increase visibility in the cloud and are effective at finding these types of threats, like the use of user and entity behavior analytics (UEBA) to reduce exposure to insider threats.

The Challenges of the Cloud

As they move to the cloud, many organizations are finding that it differs greatly from the on-premises environments that they are used to. In an on-premises deployment, the organization has full control of their infrastructure stack, allowing them to achieve full visibility into the systems that they are using and to enforce their security policies and controls consistently throughout their environments.

The same is not true in the cloud. When switching to cloud computing, an organization gives up control of some portion of their infrastructure stack. While this is one of the major benefits of cloud computing, it can also create significant security risks. Cybersecurity in the cloud is based upon a shared responsibility model. Some components of the infrastructure stack are the cloud service provider’s responsibility to maintain and control. Other parts are the responsibility of the client, and some responsibility is shared.

Many organizations are struggling to understand this shared responsibility model, and, to make things worse, organizations’ cloud environments are fragmented. The search for best-of-breed solutions to different business needs has resulted in many organizations using multi-cloud deployments provided by different CSPs. The lack of control over their environment and architectural fragmentation impair organizations’ visibility in the cloud.

Insider Threats Hide in the Cloud

The impacts of this reduced visibility in the cloud are numerous. One common issue is cloud data breaches caused by security misconfigurations. By setting cloud resources to “public”, an organization makes them accessible to anyone over the Internet. Without full visibility into its cloud deployments, an organization can leak sensitive information this way without even realizing it.

Another major impact of reduced visibility in the cloud is an increased exposure to insider threats. In fact, 53% of organizations believe that it is harder to identify and deal with insider threats in cloud environments. Since organizations cannot fully see what is going on in their cloud deployments - and do not have the experience and technology needed to collect the data that they need in the cloud - they have more trouble detecting insider threats.

The challenge with insider threat detection is that insider threats are often more subtle and harder to detect than “external” threats. An insider, by definition, has been given legitimate access to an organization’s internal environment, so they do not need to go through all of the stages that the average threat actor must perform to gain this level of access. A malicious insider can only be detected when they do something malicious on the network, which is much harder to spot than a spear phishing email or an attempted exploit of a vulnerability in the organization’s web apps.

Not Just Employees

When discussing the complexity of detecting and remediating insider threats in the cloud, it’s important to consider the fact that insider threats are not limited to employees. An insider is anyone who has legitimate access to an organization’s internal systems. Many organizations provide external vendors, service providers, and partners with accounts on their systems. In fact, this is the case in 94% of organizations. 72% of the time, these partners are even given administrator-level access to the systems, allowing them complete control over any system that they can access. This third-party access to an organization’s environment creates a number of threats. The simplest is that a malicious service provider could abuse their access to steal data or cause damage.

However, this is not the only threat. When an organization provides legitimate internal access to a third party, the organization’s security is only as good as the partner’s security. Improper storage of account credentials or compromise of the partner’s environment can allow an attacker to jump to the organization’s network as well. This is what happened in the Target breach, where an attacker used legitimate account credentials of Target’s HVAC vendor to access the Target network and plant malware.

Securing Cloud Environments

The cloud is a very different environment from on-premises deployments, and many organizations are having difficulty adapting their security programs to work in the cloud. This problem is only exacerbated by the fact that many organizations have adopted multi-cloud deployments, where security settings may differ from vendor to vendor.

A major impact of moving to the cloud is a loss of visibility into an organization’s cloud-based infrastructure. This loss of visibility increases vulnerability to subtler risks like insider threats. Protecting an organization’s cloud deployment requires achieving visibility into cloud environments by deploying security solutions like UEBA to monitor insiders’ activity on the cloud.
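As an added example (not from the original article or any UEBA product), here is the kind of per-user baseline a UEBA tool builds, applied to constructed cloud audit-log events. It also illustrates the third-party access concern above: a vendor account with a narrow normal footprint suddenly reads a customer data bucket and changes its own IAM policy at 03:00. All user names, action names and resources are invented and not tied to any specific CSP's log format.

```python
from collections import defaultdict

# Constructed audit-log events (illustrative only): who did what to which
# resource, and the hour of day it happened. This window defines "normal".
BASELINE_EVENTS = [
    {"user": "hvac-vendor", "action": "ReadMetrics", "resource": "bms/dashboard", "hour": 10},
    {"user": "hvac-vendor", "action": "ReadMetrics", "resource": "bms/dashboard", "hour": 14},
    {"user": "hvac-vendor", "action": "UpdateSetpoint", "resource": "bms/zone-3", "hour": 11},
    {"user": "alice", "action": "GetObject", "resource": "bucket/customer-db", "hour": 9},
    {"user": "alice", "action": "PutObject", "resource": "bucket/customer-db", "hour": 16},
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    {"user": "hvac-vendor", "action": "ReadMetrics", "resource": "bms/dashboard", "hour": 13},
    {"user": "hvac-vendor", "action": "GetObject", "resource": "bucket/customer-db", "hour": 3},
    {"user": "hvac-vendor", "action": "AttachUserPolicy", "resource": "iam/hvac-vendor", "hour": 3},
    {"user": "alice", "action": "GetObject", "resource": "bucket/customer-db", "hour": 10},
]

def build_baseline(events):
    """Per-user profile: actions performed, resources touched, active hours."""
    profile = defaultdict(lambda: {"actions": set(), "resources": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["actions"].add(e["action"])
        p["resources"].add(e["resource"])
        p["hours"].add(e["hour"])
    return profile

def score_event(event, profile):
    """Return (score, reasons): one point per dimension deviating from the user's baseline."""
    p = profile.get(event["user"])
    if p is None:
        return 3, ["user has no baseline"]   # never-seen identity: treat as fully anomalous
    reasons = []
    if event["action"] not in p["actions"]:
        reasons.append("new action %s" % event["action"])
    if event["resource"] not in p["resources"]:
        reasons.append("new resource %s" % event["resource"])
    # Crude time-of-day check: no baseline activity within two hours of this event.
    if not any(abs(event["hour"] - h) <= 2 for h in p["hours"]):
        reasons.append("unusual hour %02d:00" % event["hour"])
    return len(reasons), reasons

def detect(new_events, baseline_events, threshold=2):
    """Alert on events whose deviation score reaches the threshold."""
    profile = build_baseline(baseline_events)
    alerts = []
    for e in new_events:
        score, reasons = score_event(e, profile)
        if score >= threshold:
            alerts.append((e["user"], e["action"], score, reasons))
    return alerts
```

A real deployment would learn the baseline over weeks of events and weight dimensions differently, but the principle is the same: a privileged partner account is judged against its own history, not against a static rule list.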
