As companies have become more comfortable moving more workloads and more corporate data to the cloud, hackers have become more comfortable launching attacks to try to get it.
As proof, security vendor Alert Logic saw significant increases in brute force attacks and vulnerability scans in the cloud. According to its latest State of Cloud Security Report, based on a survey of its customers involving incidents that occurred from April through September of 2013, brute force attacks in the cloud grew from 30 percent to 44 percent and vulnerability scans jumped from 27 percent to 44 percent.
Noting that such attacks were traditionally aimed at on-premise rather than cloud environments, Stephen Coty, Alert Logic's director of threat research, said the findings point to the need for companies to step up their cloud security game.
"Companies have traditionally spent time, money and man hours implementing in-depth security solutions within the corporate space, using multiple tools like antivirus, forensics, netflow collection, routers and firewalls," Coty said. "Our data shows a need for the same kind of approach within the cloud. As an IT manager or CISO, you need to drive that. You need to look at all the different layers of security that can be applied in the cloud."
Shared Responsibility for Cloud Security
The key difference, Coty said, is that companies share responsibility for security with their cloud providers. Unfortunately, he believes there is some confusion regarding the division of responsibility.
Coty at one time worked for a service provider, where he took calls from customers experiencing issues with their WordPress deployments. For example, he said, people with malicious intent toward a website would leverage a WordPress vulnerability to publish fake blogs on the site.
"I would find out the customer had installed a plugin but hadn't scanned the plugin or their code," he said. "I would tell them that of course we'd do what we could to assist, but ultimately that was their responsibility."
Coty said service providers are generally responsible for computing, storage, databases, physical controls and "technology that sets the foundation for their services," for example doing logical network segmentation at the network level and hardening of the hypervisor at the host level.
The application layer, however, is "100 percent the responsibility of the customer," he said. "You need to secure your code, implement a software development lifecycle, and make sure you inject security into any code changes or applications you deploy in the cloud."
"You must understand where the lines of responsibility fall and go in with your eyes wide open" when contracting with cloud service providers, he said.
Hackers still reserve their most sophisticated malware or botnet attacks for on-premise environments, Coty said, largely because these environments typically contain the most valuable data.
Alert Logic did see an increase in malware activity in the cloud, Coty said, but it often involved new variants of older attacks like the Zeus trojan or the Conficker worm. Alert Logic collected cloud malware using honeypots it deployed in public cloud infrastructures across the globe, then ran it through VirusTotal, an open source tool used to analyze malware. Using VirusTotal, Alert Logic found that 14 percent of the malware would not have been detected by 51 of the top antivirus programs.
While that sounds scary, Coty said it shows the importance of a multi-faceted approach to security both on-premise and in the cloud.
"You hear antivirus is dead, but it still caught 86 percent of the malware dropped on these honeypots. It does reinforce the point of having a security in-depth solution in the cloud. That 14 percent that wouldn't be caught by AV would be caught by some other security technology along the stack," he said.
Looking ahead, Coty predicts hackers may employ more sophisticated attacks in the cloud as more companies move to a virtual desktop infrastructure (VDI). That said, he believes VDI will improve companies' overall security posture because it allows them to maintain more control.
"If you have a centralized enterprise console for your AV solution, you can get cloud devices plugged into it so they are no longer standalone. You can use your Active Directory controls for access management for those devices," he said. "Everything you can put in place for a security strategy on-premise can now be applied to the cloud."
Catching Hackers with Honeypots
Coty also foresees a growing role for honeypots in the corporate environment. While "no one has really figured out a great corporate strategy on how to use them efficiently," he believes they have great potential.
"If someone wants to attack you, they are typically going to scan your IP addresses and go after the easiest one first," he said. "If the easiest one is actually a honeypot, you can gather intelligence and use it against the attackers. Honeypots can maybe give us a heads-up and help us stay a step ahead of the bad guys."
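To make the honeypot idea Coty describes concrete, here is a small low-interaction TCP honeypot written as an added example for this article; it is not Alert Logic's tooling or anything the article's sources published. It listens on a decoy port, sends a fake service banner so a scanner that picks "the easiest one first" talks to it, records who connected and what they sent first, and then turns those records into the kind of intelligence a defender can act on: probes per source, the mix of probe types, and sources that came back repeatedly. The decoy banner, the port numbers, the `classify` labels and the repeat threshold are all assumptions made for this example.

```python
import socket
import threading
import time
from collections import Counter

# Constructed decoy banner (assumption): the honeypot claims to be an SSH server
# so that a scanner or brute-forcer engages with it and reveals itself.
DECOY_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def classify(first_bytes):
    """Label a probe by what the client sent first (labels are this example's own).
    A bare connect-and-close is typical of a port scan; a protocol greeting
    suggests a service-specific tool such as an SSH or HTTP brute-forcer."""
    if not first_bytes:
        return "connect-scan"
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    return "unknown"


class Honeypot:
    """Low-interaction honeypot: accept, send the decoy banner, capture the first
    bytes the peer sends, close. No real service behaviour is emulated."""

    def __init__(self, host="127.0.0.1", port=0, banner=DECOY_BANNER):
        self.banner = banner
        self.records = []                      # one dict per probe
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 lets the OS choose
        self._sock.listen(16)
        self._sock.settimeout(0.2)             # lets the accept loop see stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            data = b""
            with conn:
                conn.settimeout(0.5)
                try:
                    if self.banner:
                        conn.sendall(self.banner)
                    data = conn.recv(256)
                except OSError:                # peer closed early: still a probe
                    pass
            record = {"ts": time.time(), "src": addr[0], "src_port": addr[1],
                      "dst_port": self.port, "first_bytes": data,
                      "kind": classify(data)}
            with self._lock:
                self.records.append(record)

    def snapshot(self):
        with self._lock:
            return list(self.records)

    def wait_for(self, count, timeout=3.0):
        """Block until at least `count` probes are recorded, or time out."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            if len(self.snapshot()) >= count:
                return True
            time.sleep(0.05)
        return False


def summarize(records, repeat_threshold=3):
    """Raw probes -> simple intelligence. Sources hitting the decoy at least
    `repeat_threshold` times (threshold is an assumption) are flagged as a
    scanner or brute-forcer rather than a stray connection; that list is what
    a defender would hand to blocking or alerting elsewhere in the stack."""
    per_source = Counter(r["src"] for r in records)
    kinds = Counter(r["kind"] for r in records)
    flagged = sorted(s for s, n in per_source.items() if n >= repeat_threshold)
    return {"per_source": dict(per_source), "kinds": dict(kinds), "flagged": flagged}


def simulate_probe(host, port, payload=b""):
    """Constructed client standing in for a scanner, for the local demo only."""
    with socket.create_connection((host, port), timeout=1) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    hp = Honeypot().start()
    for _ in range(3):
        simulate_probe("127.0.0.1", hp.port, b"SSH-2.0-probe\r\n")
    simulate_probe("127.0.0.1", hp.port)       # bare connect-and-close
    hp.wait_for(4)
    hp.stop()
    print(summarize(hp.snapshot()))
```

Running the module starts the decoy on a loopback port, sends it four constructed probes and prints the summary, in which 127.0.0.1 is flagged because it connected more than three times. In a real deployment the decoy would sit on an address the organisation never advertises, so that any connection at all is suspicious, and `summarize` would feed a SIEM or firewall rather than `print`.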
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.