CEO and co-founder of Ermetic, a provider of public cloud security technology for AWS, Azure and Google Cloud infrastructures.
getty
It takes only a glance at the daily headlines to see that cybercriminals are using increasingly sophisticated methods to breach cloud defenses and access sensitive data. The complexity of cloud frameworks makes it extraordinarily difficult to detect nefarious activities. In many cases, attackers lurk in systems for weeks or months before pulling the trigger.
In most cases, these adversaries aren’t looking to exploit a single vulnerability — they’re probing for any and all weaknesses, mining data and engaging in a variety of actions that ratchet up the stakes. At some point, they'll likely launch a denial of service (DoS) or ransomware attack or exfiltrate financial, legal or human resources data.
At the center of constructing an effective defense strategy is the need to understand the psychology and behavior of today’s attackers. It’s tempting to think about cybersecurity as discrete events based on actions and reactions. However, an effective framework transcends individual events. Most attacks are not "smash-and-grab" operations. They’re carefully orchestrated campaigns that play out in slow motion.
While rummaging through systems, adversaries manipulate settings, plant malware and perform other actions that make it extremely difficult for an organization to purge the attackers. This approach gives them greater flexibility during and after an attack — even after an enterprise has paid a ransom or seemingly eliminated malware. Crooks can reinfect systems and use other attack methods. In fact, 80% of organizations that pay a ransom suffer a repeat attack.
Fighting Back Against Attacks
The bottom line is that organizations must approach cloud security from an entirely different perspective. It’s important to recognize that no matter how many preventative measures are in place, attackers will eventually get a foot in the door. However, they can't navigate in a target environment without revealing traces of their behavior — and actions.
With the right tools, technologies and framework, it’s possible to detect their presence and reduce the blast radius of a compromise by shutting down the attack. There are five critical steps that can help your organization reduce the cloud attack surface and restrict the blast zone if an intrusion occurs.
Step 1: Adopt best practices for configurations. Clouds spawn an enormous number of configurations — along with inevitable misconfigurations. Not surprisingly, the cloud security posture management (CSPM) security category is brimming with vendor solutions. Most detect issues such as unsecured credentials, extreme network exposure and vulnerable workloads via a centralized dashboard. Yet, CSPM should only serve as a starting point for security. It can't bulletproof a cloud framework because it doesn’t encompass and address the entire spectrum of risks.
Step 2: Achieve least-privileged access in entitlements management. Managing permissions in the cloud is remarkably difficult. Moreover, these permissions are highly fluid. This creates a large attack surface and makes it easier to hide aggressions. Although CSPM tools deliver insights into risks and vulnerabilities, understanding this information and establishing appropriate policies can be challenging. Consequently, it’s wise to adopt an approach called cloud infrastructure entitlements management (CIEM) to display all permissions and understand what resources are needed to remediate gaps. An added bonus: CIEM solutions eliminate the need to query or do specific coding.
Step 3: Segment your network and use zero trust to isolate workloads. By dividing a network into subnetworks, it’s possible to better control and compartmentalize the flow of traffic. An enterprise can manage events through policies that are triggered by a specific activity. In addition, if a breach or breakdown occurs, an organization is equipped to contain the mess. Yet, traditional perimeter-based segmentation isn't typically adequate. Clouds, mobile devices and other systems require a more advanced and nuanced approach that centers on network virtualization and provisioning. When this approach is combined with zero trust — which includes things like least-privileged access and network segmentation — it’s possible to boost protection by an order of magnitude.
Step 4: Log and monitor activity to detect potential lateral movement. The nefarious nature of attacks means that you can have 99 things right, but one remaining vulnerability is fatal. Because it’s impossible to view and detect all vulnerabilities, it’s critical to identify and respond to anomalous behavior and activity. This translates into having tools in place to detect unusual activity in real time — along with logs to review events and compare them to what’s supposed to be happening. For instance, an activity analysis automation tool, which may rely on artificial intelligence and machine learning, can deliver an immediate alert that lets you stay ahead of the battle and remediate any damage that's already occurred.
Step 5: Have a contingency plan, incident response playbook and backups. One of the most overlooked aspects of cybersecurity is having a full-fledged contingency plan in place if and when an attack unfolds. It’s critical that different groups know what to do — and what not to do. This includes understanding how to shut down key systems so that an attack doesn’t spread and what to say to the press. Backups are also critical, although it’s important to recognize that ransomware attacks now take aim at backups. In the end, it’s critical to think through a backup and business continuity strategy and consider how to best navigate the entire space from attack to resolution.
Gaining The Upper Hand
To be certain, protecting clouds is difficult. Reducing the potential blast zone from an intrusion can be daunting. However, with the right strategy and the right tools, it’s possible to gain an upper hand on the cybersecurity front. An enterprise can ensure that the fallout from any incident is contained, minimized and overcome.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
