Dark Reading

Vulnerabilities / Threats | Commentary
6/27/2016 10:30 AM
Saryu Nayyar

The Blind Spot Between The Cloud & The Data Center

Ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you're likely to get some confused looks. Here's why.

Account compromise and misuse have emerged as the root cause of most of today’s data breaches. Using basic phishing and social engineering techniques, attackers can easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of a victim organization. To make matters worse, hybrid environments that span both on-premises and cloud apps create a significant blind spot that makes it even more difficult to detect account compromise threats.

One reason is that "identity" is a plane with two sides. One side is loaded with access risks created by legacy identity management rules and processes. The other is a threat plane open to account compromise, data exfiltration, and malicious insiders.

Access risks result from excess accounts and privileges, the proliferation of groups and roles, orphan accounts, dormant accounts, and shared high-privilege accounts. Their sheer numbers make them virtually impossible to manage with manual processes and legacy identity management rules. Providing access for a revolving population of employees, contractors, partners, and even customers only makes matters worse.

Identity-based threats including malicious insiders, account compromise or hijacking, access abuse, cyber fraud, and data exfiltration are difficult to detect with declarative defenses, human analysis, or traditional software. Time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months.

Needed: A Holistic Approach

Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area open to phishing and social attacks. Meanwhile, monitoring access and activity associated with legitimate identities will expose compromise and unknown threats.

However, ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed in a different part of the organization than security operations. 

Let’s consider some examples to illustrate the scope of these challenges.

We’ll start with the access side of the identity plane. Let’s say a manager has 100 employees reporting to them. To keep things simple, we will assume each employee has 10 user accounts and each account has 10 privileges, which equals 10,000 entitlements. These could be on-premises and/or cloud accounts, and likely are both. Every 90 days, for compliance purposes, the manager must review these entitlements, approving those that are necessary for each employee to perform their job function and revoking those that are not. Meanwhile, some managers may have high-privilege accounts shared using a simple password.
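As an added example (not code from the article or from Gurucul), the access-side review above expressed as a script: a constructed hybrid export is merged per identity so that orphan, dormant, shared high-privilege and peer-outlier entitlements are flagged across on-prem and cloud accounts together rather than per environment. The account identifiers, privilege labels, review date and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # the article's 90-day review cycle, reused as a dormancy cutoff
PEER_SHARE_MIN = 0.5                 # a privilege held by fewer than half of role peers is "excess"
HIGH_PRIV = {"domain_admin", "crm_admin", "crm_export_all"}   # constructed privilege labels
TODAY = date(2016, 6, 27)            # constructed review date
# Constructed sample export (hypothetical identifiers): "ad/" rows are on-prem directory
# accounts, "crm/" rows a cloud app; owner=None is an orphan, shared=True a shared account.
def acct(id_, owner, role, privs, last_login, shared=False):
    return {"id": id_, "owner": owner, "role": role, "privs": set(privs),
            "last_login": last_login, "shared": shared}

ACCOUNTS = [
    acct("ad/alice", "alice", "sales", ["vpn", "crm_read"], date(2016, 6, 24)),
    acct("crm/alice", "alice", "sales", ["crm_read", "crm_export_all"], date(2016, 6, 25)),
    acct("ad/bob", "bob", "sales", ["vpn", "crm_read"], date(2016, 6, 26)),
    acct("ad/carol", "carol", "sales", ["vpn", "crm_read"], date(2016, 2, 1)),
    acct("ad/svc_backup", None, None, ["domain_admin"], date(2016, 6, 1)),
    acct("crm/sales-ops", "sales-team", "sales", ["crm_admin"], date(2016, 6, 26), shared=True),
]

def entitlement_count(accounts):
    """Entitlements = privileges summed over every account (the article's 10,000 figure)."""
    return sum(len(a["privs"]) for a in accounts)

def peer_privileges(accounts):
    """Per role, merge each identity's on-prem and cloud privileges into one set."""
    peers = defaultdict(dict)   # role -> {owner: privileges across every environment}
    for a in accounts:
        if a["owner"] and not a["shared"]:
            peers[a["role"]].setdefault(a["owner"], set()).update(a["privs"])
    return peers

def access_risks(accounts, today):
    """Return (account id, risk) pairs for the access-side risks the article names."""
    peers = peer_privileges(accounts)
    findings = []
    for a in accounts:
        if a["owner"] is None:
            findings.append((a["id"], "orphan"))
        if today - a["last_login"] > DORMANT_AFTER:
            findings.append((a["id"], "dormant"))
        if a["shared"] and a["privs"] & HIGH_PRIV:
            findings.append((a["id"], "shared_high_priv"))
        group = list(peers.get(a["role"], {}).values())
        if a["owner"] and not a["shared"] and len(group) >= 3:
            for p in sorted(a["privs"]):   # privileges few peers in the same role hold
                if sum(p in g for g in group) / len(group) < PEER_SHARE_MIN:
                    findings.append((a["id"], f"peer_outlier:{p}"))
    return findings
```

Because alice's export privilege lives only in the cloud account, a review that looked at the directory alone would never see it; merging both sides per identity is what surfaces it.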

On the threat side of the identity plane, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity looks “normal” at first blush. 

User Accounts: The New Security Perimeter

In addition to these challenges, cloud and mobility continue to erode any last remnants of a traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the kingdom. 

So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have very limited visibility into cloud apps. This functionality is provided by another solution, cloud access security brokers (or CASB). It’s important to note that an API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users. However, private or consumer data-sharing apps will require a forward or reverse proxy to detect this type of shadow IT activity.

Addressing the cloud and data center security gap requires a mix of data sources. On-premises and cloud app access and activity data can be gathered with log event management or SIEM plus CASB API or proxy solutions. Meanwhile, identity, account, and privilege data can be extracted from identity access management platforms and directories.

Since the volume of access and activity data generated by employees, partners, and customers is enormous and still growing, a big data infrastructure is required to harness it. Making sense of these huge data volumes and analyzing the context to identify excess access risks and behavior anomalies is a data science challenge that the industry is addressing with machine learning.

Solving it is imperative to address the blind spots created between cloud and on-premises apps, now that user accounts have become the new security perimeter in a borderless environment.


Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ...

Comments
JulietteRizkallah, User Rank: Ninja, 7/19/2016 | 3:49:47 PM
Identity management in hybrid environments
Enterprises are not moving away from on-premises, but they are adopting more and more cloud applications. This means that identity management platforms need to embrace both on-prem and cloud applications. Managing the two separately can only add complexity and waste scarce IT resources. As hybrid environments become larger and more widespread, enterprises will have to turn towards solutions that centrally manage any access to any systems (on-prem, cloud or even mainframe) and data (structured, in applications and systems, or unstructured, in files and emails).
dosdosanjh, User Rank: Apprentice, 6/28/2016 | 3:54:56 PM
Holistic Approach
Saryu, you raise some good points with regard to the number of technologies that will be required to address the blind spot between the cloud and data centers. The combination of on-premises and multi-cloud applications is disrupting the traditional security models, whereby identity and intent are shaping the latest security solutions.