
Perimeter

9/25/2014
10:30 AM
Tal Klein
Commentary
How SaaS Adoption Is Changing Cloud Security

Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

The momentum of software-as-a-service (SaaS) adoption speaks to the benefits it provides for enterprise workloads: agility, productivity, and communication. But sanctioning cloud-based services requires a new approach to security, one that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

To "assume breach" requires a shift in mindset from prevention alone to adaptation. One reason is that shared, long-lived secrets (privileged account passwords, for example) are routinely reused to reach everything from the guest Wi-Fi network to the domain controller. That risk transcends any prevention technique or policy currently in use, because "turning the cloud off" is not an option.

Even the most tightly locked-down laptop user can still fall prey to an unsophisticated, garden-variety phishing attack, because traditional protection solutions cannot protect against human error. Simply put, if you are interacting with the web outside the corporate network and willingly hand an attacker your credentials (or a live session token), how could any network or endpoint control stop you?

Recent scenarios
Two recent examples are the Dyre malware variant targeting Salesforce.com customers, and MS13-104, a vulnerability in the Office 2013 client that leaked the user's Office 365 authentication token to an attacker-hosted document, letting the attacker hijack the session and reach SharePoint Online and OneDrive. Both were delivered via phishing and targeted user sessions rather than credentials. Affected users unwittingly handed over complete application access rights with no indication that anything malicious was happening, because the attackers used the compromised services concurrently with the legitimate users.

Although malware signatures can detect the Dyre variant, its uncontrolled spread is a telling indicator of how little endpoint and perimeter protections achieve. The Microsoft token hijack, on the other hand, involved no malware at all, so there was nothing for endpoint or perimeter protections to match.

Such attacks can only be mitigated after the fact, not before. Incremental effort and money spent on prevention therefore yields diminishing returns, and can even increase risk by focusing on the perimeter, which is quickly dissipating in a mobile world of Internet-connected devices, rather than on what is happening inside the application and to the data there. That is not to say companies should stop deploying antivirus, firewalls, or two-factor authentication; rather, they should not rely on those controls to prevent attacks like the two under discussion.

How can adaptation mitigate these kinds of attacks when prevention fails?

In the case of the Microsoft Office 365 exploit, Adallom's heuristic engine tracks 74 variables for each user who traverses the service, ranging from rudimentary ones such as device and browser to more advanced ones such as click-through rate and browsing pattern. These establish a behavioral baseline (a standard deviation) for each user, and activities that fall outside of it are assigned risk scores. The baseline has three components:

1. The behavioral standard deviation of the application in the context of the organization using it.
For example, in the Microsoft exploit the alert Adallom generated was due to several employees opening documents from IP addresses marked as "risky." The fact that the organization had never opened Word documents from those IP addresses before triggered a high-severity alert, which led to discovery of the compromise.

2. The realm of human capability.
A person cannot click more than a hundred links in under a minute; behavior like that indicates automation of some sort. In some cases the cadence of that automation distinguishes a user scripting a crawl of their own Salesforce contact list with a tool like wget (an insider threat) from a malicious crawler built into a malware package such as Zeus (an external threat).

3. The unique behavioral fingerprint of a user.
An easy example: a user who normally reaches their SaaS applications from two devices, say an iPhone 5S with Safari and a Windows 8.1 desktop with Chrome, usually between 8 a.m. and 8 p.m. in California, suddenly becomes very active in one of those applications from a Debian Linux machine running Opera at 3:00 a.m. in Poland. They may simply be on vacation in Eastern Europe using a hotel kiosk to get some work done, but it is worth looking into.

Augmenting preventive controls with an adaptive approach means focusing on rapid identification of suspicious activity within the application, then isolating the associated account to limit the risk of a massive data breach and further network compromise. In other words: assume breach.
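As an added example (not Adallom's engine and not code from the article), the following Python scorer applies the three checks above to a stream of constructed SaaS audit events and then takes the response step just described, flagging the account for isolation once its risk score crosses a threshold. The event fields, baselines, thresholds, IP addresses (RFC 5737 documentation ranges) and users are all assumptions made for illustration.

```python
"""Added example, not code from the article or from Adallom: a toy risk scorer
that applies the three checks the article lists (organization-level deviation,
the realm of human capability, and the per-user behavioral fingerprint) to a
stream of constructed SaaS audit events, then decides whether to isolate the
account. Field names, thresholds, IP addresses and users are all assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed per-user baselines (assumed to have been learned from history).
# Timestamps are assumed already normalized to each user's home time zone.
KNOWN_DEVICES = {("iPhone", "Safari"), ("Windows 8.1", "Chrome")}
BASELINES = {
    u: {"devices": KNOWN_DEVICES, "countries": {"US"}, "hours": range(8, 21)}
    for u in ("alice", "bob", "carol")
}
UNKNOWN_USER = {"devices": set(), "countries": set(), "hours": range(0)}

# Constructed organization-level state: source IPs the org has used before,
# and an assumed threat-intel list of "risky" IPs.
ORG_SEEN_IPS = {"203.0.113.10", "203.0.113.11"}
RISKY_IPS = {"198.51.100.7"}

HUMAN_CLICK_LIMIT = 100   # clicks per 60 s; more than this implies automation
ISOLATE_AT = 50           # risk score at which the account is isolated


def score_event(ev, baseline, recent_clicks):
    """Score one event. recent_clicks is this user's sliding window of click
    timestamps (a deque, mutated in place). Returns (score, reasons)."""
    score, reasons = 0, []
    ts = ev["ts"]

    # 1. Organization-level deviation: activity from a risky IP that the
    #    organization has never been seen using before.
    if ev["ip"] in RISKY_IPS and ev["ip"] not in ORG_SEEN_IPS:
        score += 50
        reasons.append("first activity from risky IP")

    # 2. Realm of human capability: click cadence over a 60 s window.
    recent_clicks.append(ts)
    while ts - recent_clicks[0] > timedelta(seconds=60):
        recent_clicks.popleft()
    if len(recent_clicks) > HUMAN_CLICK_LIMIT:
        score += 40
        reasons.append("click rate exceeds human capability")

    # 3. Per-user fingerprint: device/browser pair, country and hour of day.
    if (ev["os"], ev["browser"]) not in baseline["devices"]:
        score += 20
        reasons.append("unknown device/browser")
    if ev["country"] not in baseline["countries"]:
        score += 20
        reasons.append("unusual country")
    if ts.hour not in baseline["hours"]:
        score += 10
        reasons.append("outside usual hours")
    return score, reasons


def triage(events, isolate_at=ISOLATE_AT):
    """Run the scorer over a time-ordered event stream and return
    {user: {"score", "reasons", "isolate"}} based on each user's worst event."""
    clicks = defaultdict(deque)
    verdicts = {}
    for ev in events:
        base = BASELINES.get(ev["user"], UNKNOWN_USER)
        s, why = score_event(ev, base, clicks[ev["user"]])
        v = verdicts.setdefault(ev["user"], {"score": 0, "reasons": [], "isolate": False})
        if s > v["score"]:
            v["score"], v["reasons"] = s, why
        if s >= isolate_at:
            v["isolate"] = True  # the response step: cut the account's sessions off
    return verdicts


def make_event(user, ts, ip, os, browser, country):
    return {"user": user, "ts": ts, "ip": ip, "os": os, "browser": browser, "country": country}


# Constructed sample: one normal event, the article's 3 a.m.-in-Poland case,
# a 130-click burst inside one minute, and a document opened from a risky IP.
SAMPLE_EVENTS = (
    [make_event("alice", datetime(2014, 9, 25, 10, 0), "203.0.113.10", "Windows 8.1", "Chrome", "US"),
     make_event("alice", datetime(2014, 9, 26, 3, 0), "192.0.2.44", "Debian", "Opera", "PL")]
    + [make_event("bob", datetime(2014, 9, 25, 14, 0) + timedelta(milliseconds=400 * i),
                  "203.0.113.11", "Windows 8.1", "Chrome", "US") for i in range(130)]
    + [make_event("carol", datetime(2014, 9, 25, 11, 15), "198.51.100.7", "Windows 8.1", "Chrome", "US")]
)

if __name__ == "__main__":
    for user, v in triage(SAMPLE_EVENTS).items():
        print(f"{user}: score={v['score']} isolate={v['isolate']} {v['reasons']}")
```

The three checks are deliberately additive so that the "vacationing user" case from point 3 lands exactly on the isolation threshold while a fast-but-otherwise-normal clicker does not; in practice the weights and threshold are tuned against the organization's own false-positive tolerance, and the reasons list is what an analyst reads when deciding whether the isolation was warranted.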

In the Office 365 exploit case, Adallom contacted the Microsoft Security Response Center with a detailed description of the attack, which used a "pure cloud" attack vector: there were no signatures. "We nicknamed it 'Ice Dagger' because it left no trace," said Noam Liran, Adallom Labs Principal Architect. Microsoft responded by issuing a patch for the vulnerability and adding Adallom to the Microsoft Active Protections Program (MAPP), specifically focused on providing "assume breach" protection for Office 365.

"Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks," Jerry Bryant, Senior Security Strategist for Microsoft Trustworthy Computing, told us, noting that as "MAPP evolves, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Employing a 'give to get' model, the community will benefit when data they provide is enriched by aggregating it with data from others."

Bottom line: The cloud is changing the way businesses operate and will continue to do so as SaaS and other as-a-service innovations evolve. Businesses must therefore think in new ways about protecting the valuable data on which they rely, and that includes accepting the unsettling fact that data breaches are inevitable. Adopting an "assumed breach" posture does not mean surrendering; it means you have taken the first step toward mitigating risk to data integrity in the digital age.

Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ...
Comments
TalKlein,
User Rank: Author
9/29/2014 | 2:43:09 PM
Re: Security moving in from the perimeter
Well put! I completely agree. In the article I laid out three mechanisms which we use today:

1. The behavioral standard deviation of the application in the context of the organization using it.  
This will continue to be useful because applications in the contexts of their organizations have unique behavioral fingerprints; we will continue to build on these in collaboration with the app vendors themselves. Ideally these would be metered via APIs, but today we supplement some of them through other vectors such as Identity and Access APIs (provided by Okta or ADFS), and our SAML-based reverse proxy.

2. The realm of human capability. 
This is the low-hanging fruit that, as you astutely stated, will become largely commoditized over time and likely adopted by the SaaS vendors themselves as a value-added component of their service, like 2FA and IP restrictions. Where we think we'll add value here is by having a broader dataset that encompasses users across several SaaS platforms.

3. The unique behavioral fingerprint of a user.
This is the big one; this is where we're investing 60% of our R&D, hiring the best machine learning engineers and the brightest heuristic scientists. We believe this is where the competitive battle lines will be drawn.

Stratustician,
User Rank: Moderator
9/29/2014 | 1:39:12 PM
Re: Security moving in from the perimeter
It's nice to see a wider inclusion of other threat data such as social evidence included in security models. I think it's quite easy for people to get comfortable relying on traditional controls such as endpoint, authentication and encryption, but as more apps become SaaS-based, it's going to come down to more heuristic information such as comparing how attacks are carried out versus, as the author states, what is possible by a human.
TalKlein,
User Rank: Author
9/26/2014 | 4:53:29 PM
Re: Security moving in from the perimeter
Thanks, Marilyn - I'm glad to see these issues are rising to the forefront of security discussions.
Marilyn Cohodas,
User Rank: Strategist
9/26/2014 | 11:23:03 AM
Re: Security moving in from the perimeter
There's been a lot of discussion about the end of the perimeter, but Tal did a really nice job breaking down why and how, in the era of web services, these attacks are so easily missed! The old saying "never assume" definitely does not apply in the cloud.
TalKlein,
User Rank: Author
9/25/2014 | 7:23:24 PM
Re: Security moving in from the perimeter
Thanks, Charlie! I know it's hard in an age of Shellshocks and Heartbleeds to actively think about adaptation rather than prevention, but hopefully security leaders out there are minding the gap.
Charlie Babcock,
User Rank: Ninja
9/25/2014 | 6:47:58 PM
Security moving in from the perimeter
Good discussion, Tal, and another signpost that security has to come in from the perimeter and do more to keep an eye on what's actually going on with the application.