Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/25/2014
10:30 AM
Tal Klein
Tal Klein
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How SaaS Adoption Is Changing Cloud Security

Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

The momentum of software-as-a-service (SaaS) adoption speaks to the benefits it provides for enterprise workloads such as agility, productivity, and communication. But sanctioning cloud-based services requires a new approach to security -- one that “assumes breach“ -- and accounts for the limitations of endpoint and perimeter defenses.

To “assume breach” requires a shift in mindset from prevention alone to adaptation. One reason for this is that shared long-term secrets (for example, privileged account passwords) are frequently used to access anything from the guest WiFi SSID to the domain controller. This represents a risk that transcends any prevention technique or policy being currently used, because “turning the cloud off” is not an option.

Even the most tightly locked-down laptop user, for example, can still easily fall prey to an unsophisticated garden variety phishing attack, because traditional protection solutions can’t protect against human error (also known as mistakes). Simply put, if you are interacting with the web outside of your corporate network, and willingly give an attacker your credentials, how could any network or endpoint solution stop you?

Recent scenarios
Two recent examples of such a scenario are a
Dyer malware variant targeting Salesforce.com customers, and MS13-104, a token hijack compromise in Sharepoint and Onedrive that exploited a vulnerability in Microsoft Office 365. Both were propagated via phishing attacks targeting user sessions rather than credentials. Affected users unwittingly handed over complete application access rights to the attackers with no indication that anything malicious was happening because the attackers were accessing compromised services concurrently with authorized users.

Although malware signatures could be used detect the Dyer variant, its uncontrolled propagation is a telling indicator of the ineffectiveness of endpoint and perimeter protections. The Microsoft exploit, on the other hand, was utterly undetectable by any endpoint or perimeter protections.

The only way to mitigate such attacks is after the fact, not before, meaning that incremental efforts and resources spent on prevention are wasted and can result in greater risk by focusing on the perimeter—which is quickly dissipating in a mobile world of internet connected devices—rather than on what’s happening within the application and to the data there. That’s not to say companies shouldn’t deploy antivirus and firewalls, nor utilize two factor authentication. Instead, companies should not rely on those controls being successful in preventing attacks like the two under discussion.

How can adaptation mitigate these kinds of attacks when prevention fails?

In the case of the Microsoft Office 365 exploit, Adallom’s heuristic engine keeps track of 74 different variables on each user that traverses through the service, things as rudimentary as devices and browsers and as advanced as clickthrough rates and browsing patterns. These are used to establish a behavioral standard deviation for each user, which then assigns risk scores to activities that fall either outside of:

1. The behavioral standard deviation of the application in the context of the organization using it. 
For example in the Microsoft exploit, the alert generated by Adallom was due to the fact that several employees were opening documents from IP’s marked as “risky”. The fact that the organization had never opened Word documents from these risky IP’s before trigged a high alert, which led to the discovery of the compromise.

2. The realm of human capability.
It's impossible for a person to click on more than one hundred links in less than a minute. This kind of behavior indicates automation of some sort. In some cases, the cadence of such automated activity can indicate the difference between a user attempting to crawl and download their Salesforce contact list using a script like Wget (insider threat), and a malicious crawler built into certain malware packages like Zeus (external threat).

3. The unique behavioral fingerprint of a user.
An easy example is a user who traditionally accesses their SaaS applications using two devices, like an iPhone 5S with Safari and a Windows 8.1 desktop with Chrome, usually between the hours of 8am and 8pm in California, all of a sudden becoming very active in one of those SaaS applications on a Debian linux machine running Opera at 3:00 a.m. in Poland. It could be that they’re on vacation in Eastern Europe using a hotel Kiosk to get some work done, but worth looking into.

Augment preventative controls with an adaptive approach focuses on rapid identification of suspicious activity within the application, and isolating the associated account in order to mitigate the risk of a massive data breach and additional network compromise. In other words: assume breach.

In the Office 365 exploit case, Adallom contacted the Microsoft Security Response Team with a detailed description of the attack, which utilized a “pure cloud” attack vector: there were no signatures. “We nicknamed it ‘Ice Dagger’ because it left no trace,” said Noam Liran, Adallom Labs Principal Architect. Microsoft responded by issuing a patch for the vulnerability and adding Adallom to MAPP (Microsoft Active Protections Program), specifically focused on providing “assume breach” protection for Office 365.

“Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks,” Jerry Briant, Senior Security Strategist for the Microsoft Trusted Computing Group, told us, noting that as “MAPP evolves, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Employing a ‘give to get’ model, the community will benefit when data they provide is enriched by aggregating it with data from others.”

Bottom line: The cloud is changing the way businesses operate and will continue to do so as SaaS and other as-a-service innovations evolve. As such, business must think in new ways about protecting the valuable data on which they rely, and that includes the unsettling fact that data breaches are inevitable. Accepting an “assumed breach” posture doesn’t mean surrendering; it means you’ve taken the first step toward mitigating risk to data integrity in the digital age.

 

  Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TalKlein
100%
0%
TalKlein,
User Rank: Author
9/29/2014 | 2:43:09 PM
Re: Security moving in from the perimeter
Well put! I completely agree. In the article I laid out three mechanisms which we use today:

1. The behavioral standard deviation of the application in the context of the organization using it.  
This will continue to be useful because applications in the contexts of their organizations have unique behavioral fingerprints, we will continue to build on these in collaboration with the app vendors themselves. Ideally these would be metered via APIs, but today we supplement some of them through other vectors such as Identity and Access API's (provided by Okta or ADFS), and our SAML-based reverse proxy.  

2. The realm of human capability. 
This is the low hanging fruit that, as you astutely stated, will become largely commodotized over time and likely adopted by the SaaS vendors themselves as a value added component of their service, like 2FA and IP restrictions. Where we think we'll add value here is by having a broader dataset that encompasses users across several SaaS platforms.

3. The unique behavioral fingerprint of a user.
This is the big one, this is where we're investing 60% of our R&D, hiring the best machine learning engineers, and the brightest heuristic scientists. We believe this is where the competitive battle lines will be drawn. 

 

 
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
9/29/2014 | 1:39:12 PM
Re: Security moving in from the perimeter
It's nice to see a wider inclusion of other threat data such as social evidence included in security models. i think it's quite easy for people to get comfortable relying on traditional controls such as endpoint, authentication and encryption, but as more apps become SaaS based, it's going to come down to more heuristic information such as comparing how attacks are carried out versus as the author states, what is possible by a human.
TalKlein
50%
50%
TalKlein,
User Rank: Author
9/26/2014 | 4:53:29 PM
Re: Security moving in from the perimeter
Thanks, Marilyn - I'm glad to see these issues are rising to the forefront of security discussions.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
9/26/2014 | 11:23:03 AM
Re: Security moving in from the perimeter
There's been a lot of discussion about the end of the perimeter, but Tal did a really nice job breaking down why and how in the era of web services these attacks are so easily missed! The old saying "never assume" definitely does not apply in the cloud.    
TalKlein
50%
50%
TalKlein,
User Rank: Author
9/25/2014 | 7:23:24 PM
Re: Security moving in from the perimeter
Thanks, Charlie! I know it's hard in an age of Shellshocks and Heartbleeds to actively think about adaptation rather than prevention - But hopefully security leaders out there are minding the gap.
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Ninja
9/25/2014 | 6:47:58 PM
Security moving in from the perimeter
Good discussion, Tal, and another signpost that security has to come in from the perimeter and do more to keep an eye on what's actually going on with the application.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.