9/25/2014 10:30 AM
Tal Klein
Commentary
How SaaS Adoption Is Changing Cloud Security

Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

The momentum of software-as-a-service (SaaS) adoption speaks to the benefits it provides for enterprise workloads, such as agility, productivity, and communication. But sanctioning cloud-based services requires a new approach to security, one that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

To "assume breach" requires a shift in mindset from prevention alone to adaptation. One reason for this is that shared long-term secrets (for example, privileged account passwords) are frequently used to access anything from the guest WiFi SSID to the domain controller. This represents a risk that transcends any prevention technique or policy currently in use, because "turning the cloud off" is not an option.

Even the most tightly locked-down laptop user, for example, can still easily fall prey to an unsophisticated, garden-variety phishing attack, because traditional protection solutions can't protect against human error (also known as mistakes). Simply put, if you are interacting with the web outside of your corporate network and willingly give an attacker your credentials, how could any network or endpoint solution stop you?

Recent scenarios
Two recent examples of such a scenario are a Dyer malware variant targeting Salesforce.com customers, and MS13-104, a token hijack compromise in SharePoint and OneDrive that exploited a vulnerability in Microsoft Office 365. Both were propagated via phishing attacks targeting user sessions rather than credentials. Affected users unwittingly handed over complete application access rights to the attackers with no indication that anything malicious was happening, because the attackers were accessing the compromised services concurrently with the authorized users.

Although malware signatures could be used to detect the Dyer variant, its uncontrolled propagation is a telling indicator of the ineffectiveness of endpoint and perimeter protections. The Microsoft exploit, on the other hand, was utterly undetectable by any endpoint or perimeter protection.

The only way to mitigate such attacks is after the fact, not before. That means incremental efforts and resources spent on prevention are wasted, and can even increase risk by focusing on the perimeter, which is quickly dissipating in a mobile world of internet-connected devices, rather than on what's happening within the application and to the data there. That's not to say companies shouldn't deploy antivirus and firewalls, or use two-factor authentication. Rather, companies should not rely on those controls successfully preventing attacks like the two under discussion.

How can adaptation mitigate these kinds of attacks when prevention fails?

In the case of the Microsoft Office 365 exploit, Adallom's heuristic engine keeps track of 74 different variables for each user that traverses the service, things as rudimentary as devices and browsers and as advanced as clickthrough rates and browsing patterns. These are used to establish a behavioral standard deviation for each user, which then assigns risk scores to activities that fall outside any of the following:

1. The behavioral standard deviation of the application in the context of the organization using it.
For example, in the Microsoft exploit, the alert generated by Adallom was due to the fact that several employees were opening documents from IPs marked as "risky". The fact that the organization had never opened Word documents from these risky IPs before triggered a high alert, which led to the discovery of the compromise.

2. The realm of human capability.
It's impossible for a person to click on more than one hundred links in less than a minute. This kind of behavior indicates automation of some sort. In some cases, the cadence of such automated activity can indicate the difference between a user attempting to crawl and download their Salesforce contact list using a script like Wget (insider threat), and a malicious crawler built into certain malware packages like Zeus (external threat).

3. The unique behavioral fingerprint of a user.
An easy example is a user who traditionally accesses their SaaS applications from two devices, say an iPhone 5S with Safari and a Windows 8.1 desktop with Chrome, usually between 8am and 8pm in California, all of a sudden becoming very active in one of those SaaS applications from a Debian Linux machine running Opera at 3:00 a.m. in Poland. It could be that they're on vacation in Eastern Europe using a hotel kiosk to get some work done, but it is worth looking into.
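The three rules above can be sketched as a toy risk scorer over SaaS access-log events. This is an added illustration, not Adallom's engine or anything from the article; the IPs, user profile, click threshold and point values are constructed assumptions, and the sample log reproduces the 3 a.m. Poland scenario plus a burst of automated clicks.

```python
from datetime import datetime, timedelta

# Constructed baseline data (hypothetical; not from the article or any vendor).
RISKY_IPS = {"203.0.113.9"}                       # e.g. threat-feed entries
ORG_DOC_IPS = {"198.51.100.5", "198.51.100.6"}    # IPs the org has opened docs from
USER_PROFILES = {"alice": {"platforms": {("iPhone", "Safari"), ("Windows", "Chrome")},
                           "hours": range(8, 20), "countries": {"US"}}}
HUMAN_CLICK_LIMIT = 100                           # clicks per minute; more means automation

def org_deviation(event):
    # Rule 1: document opened from a risky IP the organization has never used before.
    if event["action"] == "open_doc" and event["ip"] in RISKY_IPS - ORG_DOC_IPS:
        return 3, "open_doc from risky IP never seen for this org"
    return 0, None

def beyond_human(events, user):
    # Rule 2: more clicks in any 60-second window than a person could produce.
    times = sorted(e["ts"] for e in events if e["user"] == user and e["action"] == "click")
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t <= start + timedelta(seconds=60))
        if count > HUMAN_CLICK_LIMIT:
            return 3, f"{count} clicks in 60s looks automated"
    return 0, None

def fingerprint_deviation(event):
    # Rule 3: device, hour or country outside the user's own fingerprint; one point each.
    p = USER_PROFILES.get(event["user"])
    if p is None:
        return 1, "no baseline for this user"
    reasons = [r for ok, r in (
        ((event["os"], event["browser"]) in p["platforms"], "unfamiliar device/browser"),
        (event["ts"].hour in p["hours"], "outside usual hours"),
        (event["country"] in p["countries"], "unusual country")) if not ok]
    return len(reasons), "; ".join(reasons) or None

def score_event(event, events):
    # Total of the three rules; in this toy, 3 or more is worth an analyst's look.
    parts = [org_deviation(event), beyond_human(events, event["user"]), fingerprint_deviation(event)]
    return sum(s for s, _ in parts), [r for _, r in parts if r]

def sample_events():
    # Constructed log: a normal event for alice, then the article's 3 a.m. Poland scenario
    # followed by a burst of 120 clicks in under a minute.
    base = dict(user="alice", ip="198.51.100.5", os="Windows", browser="Chrome", country="US")
    normal = dict(base, ts=datetime(2014, 9, 25, 10, 0), action="open_doc")
    odd = dict(base, ts=datetime(2014, 9, 26, 3, 0), ip="203.0.113.9",
               os="Debian", browser="Opera", country="PL", action="open_doc")
    burst = [dict(odd, ts=odd["ts"] + timedelta(seconds=0.4 * i), action="click") for i in range(120)]
    return normal, odd, [normal, odd] + burst
```

Scoring the odd event against the full log trips all three rules, while the normal daytime event scores zero.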

Augmenting preventative controls with an adaptive approach means focusing on rapid identification of suspicious activity within the application, and isolating the associated account in order to mitigate the risk of a massive data breach and further network compromise. In other words: assume breach.

In the Office 365 exploit case, Adallom contacted the Microsoft Security Response Team with a detailed description of the attack, which utilized a “pure cloud” attack vector: there were no signatures. “We nicknamed it ‘Ice Dagger’ because it left no trace,” said Noam Liran, Adallom Labs Principal Architect. Microsoft responded by issuing a patch for the vulnerability and adding Adallom to MAPP (Microsoft Active Protections Program), specifically focused on providing “assume breach” protection for Office 365.

“Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks,” Jerry Briant, Senior Security Strategist for the Microsoft Trusted Computing Group, told us, noting that as “MAPP evolves, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Employing a ‘give to get’ model, the community will benefit when data they provide is enriched by aggregating it with data from others.”

Bottom line: The cloud is changing the way businesses operate and will continue to do so as SaaS and other as-a-service innovations evolve. As such, businesses must think in new ways about protecting the valuable data on which they rely, and that includes the unsettling fact that data breaches are inevitable. Accepting an "assumed breach" posture doesn't mean surrendering; it means you've taken the first step toward mitigating risk to data integrity in the digital age.

  Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ... View Full Bio

Comments
Charlie Babcock, User Rank: Ninja
9/25/2014 | 6:47:58 PM
Security moving in from the perimeter
Good discussion, Tal, and another signpost that security has to come in from the perimeter and do more to keep an eye on what's actually going on with the application.
TalKlein, User Rank: Author
9/25/2014 | 7:23:24 PM
Re: Security moving in from the perimeter
Thanks, Charlie! I know it's hard in an age of Shellshocks and Heartbleeds to actively think about adaptation rather than prevention, but hopefully security leaders out there are minding the gap.
Marilyn Cohodas, User Rank: Strategist
9/26/2014 | 11:23:03 AM
Re: Security moving in from the perimeter
There's been a lot of discussion about the end of the perimeter, but Tal did a really nice job breaking down why and how in the era of web services these attacks are so easily missed! The old saying "never assume" definitely does not apply in the cloud.
TalKlein, User Rank: Author
9/26/2014 | 4:53:29 PM
Re: Security moving in from the perimeter
Thanks, Marilyn. I'm glad to see these issues are rising to the forefront of security discussions.
Stratustician, User Rank: Moderator
9/29/2014 | 1:39:12 PM
Re: Security moving in from the perimeter
It's nice to see a wider inclusion of other threat data such as social evidence included in security models. I think it's quite easy for people to get comfortable relying on traditional controls such as endpoint, authentication and encryption, but as more apps become SaaS based, it's going to come down to more heuristic information such as comparing how attacks are carried out versus, as the author states, what is possible by a human.
TalKlein, User Rank: Author
9/29/2014 | 2:43:09 PM
Re: Security moving in from the perimeter
Well put! I completely agree. In the article I laid out three mechanisms which we use today:

1. The behavioral standard deviation of the application in the context of the organization using it.
This will continue to be useful because applications in the contexts of their organizations have unique behavioral fingerprints; we will continue to build on these in collaboration with the app vendors themselves. Ideally these would be metered via APIs, but today we supplement some of them through other vectors such as Identity and Access APIs (provided by Okta or ADFS), and our SAML-based reverse proxy.

2. The realm of human capability.
This is the low-hanging fruit that, as you astutely stated, will become largely commoditized over time and likely adopted by the SaaS vendors themselves as a value-added component of their service, like 2FA and IP restrictions. Where we think we'll add value here is by having a broader dataset that encompasses users across several SaaS platforms.

3. The unique behavioral fingerprint of a user.
This is the big one; this is where we're investing 60% of our R&D, hiring the best machine learning engineers and the brightest heuristic scientists. We believe this is where the competitive battle lines will be drawn.