The momentum of software-as-a-service (SaaS) adoption speaks to the benefits it provides for enterprise workloads such as agility, productivity, and communication. But sanctioning cloud-based services requires a new approach to security -- one that “assumes breach“ -- and accounts for the limitations of endpoint and perimeter defenses.
To “assume breach” requires a shift in mindset from prevention alone to adaptation. One reason for this is that shared long-term secrets (for example, privileged account passwords) are frequently used to access anything from the guest WiFi SSID to the domain controller. This represents a risk that transcends any prevention technique or policy being currently used, because “turning the cloud off” is not an option.
Even the most tightly locked-down laptop user, for example, can still easily fall prey to an unsophisticated garden variety phishing attack, because traditional protection solutions can’t protect against human error (also known as mistakes). Simply put, if you are interacting with the web outside of your corporate network, and willingly give an attacker your credentials, how could any network or endpoint solution stop you?
Two recent examples of such a scenario are a Dyer malware variant targeting Salesforce.com customers, and MS13-104, a token hijack compromise in Sharepoint and Onedrive that exploited a vulnerability in Microsoft Office 365. Both were propagated via phishing attacks targeting user sessions rather than credentials. Affected users unwittingly handed over complete application access rights to the attackers with no indication that anything malicious was happening because the attackers were accessing compromised services concurrently with authorized users.
Although malware signatures could be used detect the Dyer variant, its uncontrolled propagation is a telling indicator of the ineffectiveness of endpoint and perimeter protections. The Microsoft exploit, on the other hand, was utterly undetectable by any endpoint or perimeter protections.
The only way to mitigate such attacks is after the fact, not before, meaning that incremental efforts and resources spent on prevention are wasted and can result in greater risk by focusing on the perimeter—which is quickly dissipating in a mobile world of internet connected devices—rather than on what’s happening within the application and to the data there. That’s not to say companies shouldn’t deploy antivirus and firewalls, nor utilize two factor authentication. Instead, companies should not rely on those controls being successful in preventing attacks like the two under discussion.
How can adaptation mitigate these kinds of attacks when prevention fails?
In the case of the Microsoft Office 365 exploit, Adallom’s heuristic engine keeps track of 74 different variables on each user that traverses through the service, things as rudimentary as devices and browsers and as advanced as clickthrough rates and browsing patterns. These are used to establish a behavioral standard deviation for each user, which then assigns risk scores to activities that fall either outside of:
1. The behavioral standard deviation of the application in the context of the organization using it.
For example in the Microsoft exploit, the alert generated by Adallom was due to the fact that several employees were opening documents from IP’s marked as “risky”. The fact that the organization had never opened Word documents from these risky IP’s before trigged a high alert, which led to the discovery of the compromise.
2. The realm of human capability.
It's impossible for a person to click on more than one hundred links in less than a minute. This kind of behavior indicates automation of some sort. In some cases, the cadence of such automated activity can indicate the difference between a user attempting to crawl and download their Salesforce contact list using a script like Wget (insider threat), and a malicious crawler built into certain malware packages like Zeus (external threat).
3. The unique behavioral fingerprint of a user.
An easy example is a user who traditionally accesses their SaaS applications using two devices, like an iPhone 5S with Safari and a Windows 8.1 desktop with Chrome, usually between the hours of 8am and 8pm in California, all of a sudden becoming very active in one of those SaaS applications on a Debian linux machine running Opera at 3:00 a.m. in Poland. It could be that they’re on vacation in Eastern Europe using a hotel Kiosk to get some work done, but worth looking into.
Augment preventative controls with an adaptive approach focuses on rapid identification of suspicious activity within the application, and isolating the associated account in order to mitigate the risk of a massive data breach and additional network compromise. In other words: assume breach.
In the Office 365 exploit case, Adallom contacted the Microsoft Security Response Team with a detailed description of the attack, which utilized a “pure cloud” attack vector: there were no signatures. “We nicknamed it ‘Ice Dagger’ because it left no trace,” said Noam Liran, Adallom Labs Principal Architect. Microsoft responded by issuing a patch for the vulnerability and adding Adallom to MAPP (Microsoft Active Protections Program), specifically focused on providing “assume breach” protection for Office 365.
“Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks,” Jerry Briant, Senior Security Strategist for the Microsoft Trusted Computing Group, told us, noting that as “MAPP evolves, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Employing a ‘give to get’ model, the community will benefit when data they provide is enriched by aggregating it with data from others.”
Bottom line: The cloud is changing the way businesses operate and will continue to do so as SaaS and other as-a-service innovations evolve. As such, business must think in new ways about protecting the valuable data on which they rely, and that includes the unsettling fact that data breaches are inevitable. Accepting an “assumed breach” posture doesn’t mean surrendering; it means you’ve taken the first step toward mitigating risk to data integrity in the digital age.