The importance of cloud security took center stage at this year’s annual RSA Conference.
RSA chose resilience as a theme for this year’s conference. Security professionals proved resiliency in the past year as they dealt with unique challenges, namely an increase in major cyberattacks such as SolarWinds and of course, COVID-19.
During the pandemic, many organizations quickly transitioned to a remote work environment and adopted cloud services without realizing the security implications.
“When you move to the cloud, there is a reduced level of visibility by default,” said Matthew Chiodi, CSO, Public Cloud at Palo Alto Networks in a session titled Blind Spots: Two Cloud Threats You Didn’t Even Know You Had.
“You can’t get in there and wrap your arms around that server like you could in the past,” he added.
“People are used to securing on-premises environments, but when they move to cloud environments, sometimes people are not so well-adapted,” said Anchises Moraes, Cyber Evangelist, C6 Bank in a session titled A Case Study of the Capital One Breach.
Cloud Misconfigurations and Human Error
Cloud misconfigurations were cited as a prevalent issue when it comes to cloud security.
In his session, Chiodi outlined identity and access management (IAM) as a major blind spot for cloud-based organizations. He went on to describe a Red Team exercise that Palo Alto Networks’ Unit 42 conducted for one customer that revealed misconfigurations within “thousands of EC2 snapshots and hundreds of S3 buckets.”
Similarly, the Capital One breach was a result of a misconfigured WAF, which Moraes detailed in a session with his colleague Nelson Novaes Neto, CTO at C6 Bank.
In a paper that Novaes Neto and Moraes co-authored, they mapped each step of the Capital One attack to the MITRE ATT&CK framework and identified 61 NIST CSF controls that would have prevented the attack had they been in place.
These failed CSF controls included monitoring for unauthorized personnel; collecting and correlating event data from multiple sources and sensors; and determining and documenting audit and log records.
Gain Cloud Visibility With Monitoring, Threat Detection
Multiple session speakers pointed to threat detection and monitoring as a solution to improve cloud visibility.
In his session, Chiodi cited a problematic statistic: 60% of cloud storage has logging disabled.
Storing cloud logs can get expensive — especially in AWS, said Brandon Evans, Senior Security Engineer at Zoom in his session Multi-Cloud Anomaly Detection: Finding Threats Among Us in the Big 3 Clouds. Additionally, none of the logging features in the ‘big three’ cloud providers (AWS, GCP and Azure) are enabled by default.
“Logs are valuable, but only if they are monitored,” Evans said. “It is expensive to have human beings analyze all of your logs at all times — and potentially impossible, depending on the size of your organization and the amount of data that you have.”
The first step is gaining visibility with threat detection, according to Chiodi.
In the medium term, Evans recommended using both third-party and native cloud monitoring tools to gain insight you would not get otherwise.
“Combine your tools to maximize your chances that you’ll find indicators of compromise,” he added.
How Blumira Can Help
Blumira’s new AWS security monitoring integration can offer a plethora of insights into your cloud environment and can detect cloud misconfigurations, including those from S3 buckets. This new feature monitors logs from GuardDuty, CloudTrail, CloudWatch and VPC Flow Logs to maximize visibility, enable your team to respond quickly and provide automated reports for deeper investigation.
As Evans mentioned, constantly analyzing logs by hand is costly and time-consuming, so Blumira pares billions of events down to a few prioritized alerts, sent in near real-time to your team.