Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/27/2016
10:30 AM
Saryu Nayyar
Saryu Nayyar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Blind Spot Between The Cloud & The Data Center

Ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you're likely to get some confused looks. Here's why.

Account compromise and misuse have emerged as the root cause of most of today’s data breaches. Using basic phishing and social engineering techniques, attackers can easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of a victim organization. To make matters worse, hybrid environments that span both on-premises and cloud apps create a significant blind spot that makes it even more difficult to detect account compromise threats.

One of the reasons for that is because "identity" is a plane with two sides. One side is loaded with access risks created by legacy identity management rules and processes. The other side is a threat plane open to compromise, data exfiltration, and malicious insiders.

Access risks result from excess accounts, privileges, group and role volume proliferation, orphan accounts, dormant accounts, and shared high privilege access accounts. Their sheer numbers make them virtually impossible to manage using manual processes and legacy identity management rules. Providing access for revolving employees, contractors, partners, and even customers, just makes matters worse.

Identity-based threats including malicious insiders, account compromise or hijacking, access abuse, cyber fraud, and data exfiltration are difficult to detect with declarative defenses, human analysis, or traditional software. Time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months.

Needed: A Holistic Approach

Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area open to phishing and social attacks. Meanwhile, monitoring access and activity associated with legitimate identities will expose compromise and unknown threats.

However, ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed in a different part of the organization than security operations. 

Let’s consider some examples to illustrate the scope of these challenges.

We’ll start with the access side of the identity plane. Let’s say a manager has 100 employees reporting to them. To keep things simple, we will assume each employee has 10 user accounts and each account has 10 privileges, which equals 10,000 entitlements. These could be on-premise and/or cloud accounts -- and likely are. Every 90 days, for compliance purposes, the manager must review these entitlements, then approve or revoke those that are or aren’t necessary for each employee to perform their job functions. Meanwhile, some managers may have high privilege access accounts shared using a simple password.

On the threat side of the identity plane, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity looks “normal” at first blush. 

User Accounts: The New Security Perimeter

In addition to these challenges, cloud and mobility continue to erode any last remnants of a traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the kingdom. 

So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have very limited visibility into cloud apps. This functionality is provided by another solution, cloud access security brokers (or CASB). It’s important to note that an API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users. However, private or consumer data-sharing apps will require a forward or reverse proxy to detect this type of shadow IT activity.

Addressing the cloud and data center security gap requires a mix of data sources. Gathering on-premises and cloud app data access and activity can be achieved with log event management or SIEM plus CASB API or proxy solutions as data sources.  Meanwhile, identity, account and privilege data can be extracted from identity access management platforms and directories.

Since the volume of access and activity outputs generated by employees, partners, and customers is beyond large and growing, a big data infrastructure is required to harness it. Making sense of these huge data volumes and analyzing the context to identify excess access risks and behavior anomalies is a data science challenge that the industry is addressing with machine learning.

Solving it is imperative to address the blind spots created between cloud and on-premise apps, now that user accounts have become the new security perimeter in a borderless environment

Related Content:

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/19/2016 | 3:49:47 PM
Identity management in hybrid environments
Entreprises are not moving away from on-premises, but they are adopting more and more cloud applications.  This means that identity management platforms need to embrace both on-prem and cloud applications.  Managing the two separately can only add complexity and waste scarce IT resources. As hybrid environments become larger and more widespread, enterprises will have to turn towards solutions that manage centrally any access to any systems - on-prem, cloud or even mainframe - and data - structured, in applications and systems or unstructured, in files and emails -.
dosdosanjh
50%
50%
dosdosanjh,
User Rank: Apprentice
6/28/2016 | 3:54:56 PM
Holistic Approach
Saryu, you raise some good points with regard to the number of technologies that will be required to address the blind spot between the cloud and data centers.  The combination of on-premise and multi-cloud applications are disrupting the traditional security models whereby identity and intent are shaping the latest security solutions.  
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.