Why Insider Threats Are So Difficult to Detect in the Cloud

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Arick Goomanovsky of Ermetic breaks down the challenges and strategy of confronting insider threats in the cloud.

Just as in on-premises environments, insider threats in the cloud pose significant risks to your organization. Because insiders can move relatively unfettered within a cloud environment, credential theft by cyber-criminals and privilege misuse by insiders are among the leading organizational security weaknesses. It’s no wonder that “lateral movement” and “zero trust” have become such buzzwords.

In cloud environments, if an attacker comprises an identity through phishing or social engineering, or an insider abuses their privileges, they can compromise workloads and move between workloads using well-known lateral movement techniques. So, while cloud environments provide operational flexibility, agility, and the ability to scale operations, they also pose some unique challenges for detecting lateral movement.

Widget not in any sidebars

Challenging Insider Threats in the Cloud

Lateral movement in the cloud is harder to detect than in on-premises environments due to the following challenges:

• Visibility: Cloud servers are their own ecosystems, maintained by cloud service providers, often using their proprietary software and access tools to manage access and secure connections. Organizations need to be able to see clearly into anomalous behavior, including lateral movement, but most native cloud tools do not provide this kind of visibility. It is not unusual for cloud security teams to lack the visibility to, for example, pull together a list of all activities by a particular user within a specific time period in response to a request from the Incident Response team.
• Forensic: Event logs are vital, but not all cloud service vendors are as thorough in their recording. Organizations need insight for after-the-fact investigation: evidence of the lateral movement, including which identity attempted access, what actions it executed, and how long it accessed the environment. This attribution is the backbone of any forensic investigation, to trace attacks back to their source and prevent further breaches.
• Threat-hunting: CrowdStrike has estimated it takes just under 2 hours for an attacker to move from initial access to achieving lateral movement across the network, a limited reaction time to prevent an attacker from doing damage. Organizations need to be able to hunt for threats proactively, to prevent attacks from happening in the first place, rather than just reacting to alerts after the fact. Given the visibility and forensic challenges listed above, and how quickly fraudsters pivot to new attack tactics, proactive threat-hunting has to be a key support to any effective security infrastructure.

New Risks, New Tools

These challenges require organizations to acquire a new set of capabilities, one more suited to detect and protect against lateral movement in the cloud by using behavioral analytics to spot anomalies and suspicious activity on all cloud platforms. This will allow defenders to identify and respond quickly to any possible threats, regardless of which vendor manages the cloud servers.

The ideal toolkit should combine behavioral analytics with strong threat detection and response capabilities built to suit the need for proactive monitoring and quick reaction in cloud environments. These include:

• Threat Detection: The ability to continuously monitor activity and automatically alert security on anomalous or suspicious behavior against resources that have been identified as critical assets. For example, flagging anomalies such as a user accessing resources from an unexpected location, accessing resources that don’t match their job description, or multiple failed access attempts can tip off an attack in progress before it has a chance to succeed.
• Contextual Investigation: Rich, contextual activity logs and visualization dashboards can help power queries to expand incident response and investigation efforts. This includes the ability to analyze and compare cloud provider logs with threat intelligence to understand the factors associated with each risk. By correlating information from the network, identities, workloads, and data access, it’s possible to uncover threats that would otherwise go undetected if these data points are evaluated in isolation.
• Accelerated Remediation: Detecting and responding to attacks in progress, and reducing risk by limiting access to sensitive data using the principle of least privilege can go a long way to containing the blast radius of a breach. To speed up response times, empower incident response and the security operations teams to address any potential risks through the integration of security information and event management (SIEM) solutions with ticketing and notification systems.

A more holistic and comprehensive approach to cloud security enables organizations to implement a proactive stance against threats and improve security hygiene by maintaining continuous validation, monitoring, and risk analysis. It also helps ensure that insiders moving across the network are whom they say they are and are only doing what they’re supposed to be doing.

Widget not in any sidebars