
Perimeter | Commentary
9/25/2014, 10:30 AM
Tal Klein

How SaaS Adoption Is Changing Cloud Security

Sanctioning cloud-based services requires a new approach to security that "assumes breach" and accounts for the limitations of endpoint and perimeter defenses.

The momentum of software-as-a-service (SaaS) adoption speaks to the benefits it provides for enterprise workloads, such as agility, productivity, and communication. But sanctioning cloud-based services requires a new approach to security -- one that "assumes breach" -- and accounts for the limitations of endpoint and perimeter defenses.

To "assume breach" requires a shift in mindset from prevention alone to adaptation. One reason for this is that shared long-term secrets (for example, privileged account passwords) are frequently used to access anything from the guest WiFi SSID to the domain controller. This represents a risk that transcends any prevention technique or policy currently in use, because "turning the cloud off" is not an option.

Even the most tightly locked-down laptop user, for example, can still easily fall prey to an unsophisticated, garden-variety phishing attack, because traditional protection solutions can't protect against human error (also known as mistakes). Simply put, if you are interacting with the web outside of your corporate network and willingly give an attacker your credentials, how could any network or endpoint solution stop you?

Recent scenarios

Two recent examples of such a scenario are a Dyer malware variant targeting Salesforce.com customers, and MS13-104, a token hijack compromise in SharePoint and OneDrive that exploited a vulnerability in Microsoft Office 365. Both were propagated via phishing attacks targeting user sessions rather than credentials. Affected users unwittingly handed over complete application access rights to the attackers with no indication that anything malicious was happening, because the attackers were accessing compromised services concurrently with authorized users.

Although malware signatures could be used to detect the Dyer variant, its uncontrolled propagation is a telling indicator of the ineffectiveness of endpoint and perimeter protections. The Microsoft exploit, on the other hand, was utterly undetectable by any endpoint or perimeter protection.

The only way to mitigate such attacks is after the fact, not before. That means incremental efforts and resources spent on prevention are wasted, and can even result in greater risk, by focusing on the perimeter (which is quickly dissipating in a mobile world of internet-connected devices) rather than on what's happening within the application and to the data there. That's not to say companies shouldn't deploy antivirus and firewalls, or use two-factor authentication. Instead, companies should not rely on those controls being successful in preventing attacks like the two under discussion.

How can adaptation mitigate these kinds of attacks when prevention fails?

In the case of the Microsoft Office 365 exploit, Adallom's heuristic engine keeps track of 74 different variables on each user whose traffic passes through the service, things as rudimentary as devices and browsers and as advanced as clickthrough rates and browsing patterns. These are used to establish a behavioral standard deviation for each user, which then assigns risk scores to activities that fall outside any of:

1. The behavioral standard deviation of the application in the context of the organization using it.
For example, in the Microsoft exploit, the alert generated by Adallom was due to the fact that several employees were opening documents from IPs marked as "risky". The fact that the organization had never opened Word documents from these risky IPs before triggered a high alert, which led to the discovery of the compromise.

2. The realm of human capability.
It's impossible for a person to click on more than one hundred links in less than a minute. This kind of behavior indicates automation of some sort. In some cases, the cadence of such automated activity can indicate the difference between a user attempting to crawl and download their Salesforce contact list using a script like Wget (insider threat), and a malicious crawler built into certain malware packages like Zeus (external threat).

3. The unique behavioral fingerprint of a user.
An easy example is a user who traditionally accesses their SaaS applications using two devices, like an iPhone 5S with Safari and a Windows 8.1 desktop with Chrome, usually between the hours of 8am and 8pm in California, all of a sudden becoming very active in one of those SaaS applications on a Debian Linux machine running Opera at 3:00 a.m. in Poland. It could be that they're on vacation in Eastern Europe using a hotel kiosk to get some work done, but it's worth looking into.
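To make the three deviation classes concrete, here is an added toy risk scorer (example code written for this page, not Adallom's engine or anything from the article). It learns an organization-level baseline and a per-user fingerprint (device/browser pairs, countries, hours of activity) from a history window, then scores a new batch of events with one rule per class: documents opened from "risky" IPs the organization has never used before, more than 100 link clicks inside a minute, and a user appearing on an unknown device, country or hour. The risky-IP list, the weights, the thresholds and all sample events are constructed assumptions.

```python
"""Toy behavioral risk scorer for SaaS access events (added example, not the article's code)."""
import bisect
from collections import defaultdict
from dataclasses import dataclass

RISKY_IPS = {"203.0.113.7", "198.51.100.23"}   # constructed "risky IP" feed (assumption)
WEIGHTS = {"org": 80, "automation": 90, "device": 30, "country": 30, "hour": 20}  # assumed
CLICK_LIMIT, CLICK_WINDOW = 100, 60   # more than 100 link clicks in 60 s is beyond a human


@dataclass(frozen=True)
class Event:
    user: str
    ts: int        # seconds since epoch
    action: str    # "open_doc" or "click_link"
    ip: str
    device: str
    browser: str
    country: str
    hour: int      # user's local hour of day


class Profiles:
    """Baselines learned from a history window: one org-level fact, three per-user sets."""

    def __init__(self, history):
        self.org_docs_from_risky = any(
            e.action == "open_doc" and e.ip in RISKY_IPS for e in history)
        self.devices = defaultdict(set)
        self.countries = defaultdict(set)
        self.hours = defaultdict(set)
        for e in history:
            self.devices[e.user].add((e.device, e.browser))
            self.countries[e.user].add(e.country)
            self.hours[e.user].add(e.hour)


def automation_users(events):
    """Rule 2: users with more than CLICK_LIMIT link clicks inside any CLICK_WINDOW seconds."""
    clicks = defaultdict(list)
    for e in events:
        if e.action == "click_link":
            clicks[e.user].append(e.ts)
    flagged = set()
    for user, times in clicks.items():
        times.sort()
        for i, t in enumerate(times):
            # clicks falling in the half-open window [t, t + CLICK_WINDOW)
            if bisect.bisect_left(times, t + CLICK_WINDOW) - i > CLICK_LIMIT:
                flagged.add(user)
                break
    return flagged


def score_events(profiles, events):
    """Return {user: (risk score, sorted reasons)} for every user with at least one deviation."""
    reasons = defaultdict(set)
    for e in events:
        # Rule 1: the org has never opened documents from risky IPs, and now someone does
        if (e.action == "open_doc" and e.ip in RISKY_IPS
                and not profiles.org_docs_from_risky):
            reasons[e.user].add("org")
        # Rule 3: deviation from the user's own fingerprint (unknown users have no baseline)
        if e.user in profiles.devices:
            if (e.device, e.browser) not in profiles.devices[e.user]:
                reasons[e.user].add("device")
            if e.country not in profiles.countries[e.user]:
                reasons[e.user].add("country")
            if e.hour not in profiles.hours[e.user]:
                reasons[e.user].add("hour")
    for user in automation_users(events):
        reasons[user].add("automation")
    return {u: (sum(WEIGHTS[r] for r in rs), sorted(rs)) for u, rs in reasons.items()}


def constructed_history():
    """Constructed baseline: each user works 8am-8pm from two known device/browser pairs in the US."""
    hist = []
    for user in ("alice", "bob", "carol", "dave"):
        for hour in range(8, 21):
            dev, br = (("iPhone 5S", "Safari"), ("Windows 8.1", "Chrome"))[hour % 2]
            hist.append(Event(user, 1_411_000_000 + hour * 3600, "open_doc",
                              "192.0.2.10", dev, br, "US", hour))
    return hist


def constructed_batch():
    """Constructed new events that exercise each rule once."""
    base = 1_411_600_000
    batch = [
        # alice: unknown device, country and hour (rule 3)
        Event("alice", base, "open_doc", "192.0.2.44", "Debian", "Opera", "PL", 3),
        # bob: document opened from a risky IP the org never used before (rule 1)
        Event("bob", base + 5, "open_doc", "203.0.113.7", "Windows 8.1", "Chrome", "US", 10),
        # dave: entirely normal activity, must not be scored
        Event("dave", base + 9, "open_doc", "192.0.2.10", "iPhone 5S", "Safari", "US", 14),
    ]
    # carol: 150 link clicks within 40 seconds, beyond human capability (rule 2)
    batch += [Event("carol", base + i * 40 // 150, "click_link", "192.0.2.10",
                    "Windows 8.1", "Chrome", "US", 12) for i in range(150)]
    return batch


if __name__ == "__main__":
    scores = score_events(Profiles(constructed_history()), constructed_batch())
    for user, (score, why) in sorted(scores.items()):
        print(f"{user:6} risk={score:3} reasons={why}")
```

The scorer only accumulates reasons; whether a score of 80 isolates the account or merely opens a ticket is a policy decision the article leaves to the organization, so the example returns the evidence rather than taking an action. Note that the "org" rule depends on the history window being clean: if the baseline already contains document opens from risky IPs, the rule stays silent, which is the same limitation a real first-seen detector has.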

Augmenting preventative controls with an adaptive approach focuses on rapid identification of suspicious activity within the application, and on isolating the associated account in order to mitigate the risk of a massive data breach and additional network compromise. In other words: assume breach.

In the Office 365 exploit case, Adallom contacted the Microsoft Security Response Team with a detailed description of the attack, which utilized a “pure cloud” attack vector: there were no signatures. “We nicknamed it ‘Ice Dagger’ because it left no trace,” said Noam Liran, Adallom Labs Principal Architect. Microsoft responded by issuing a patch for the vulnerability and adding Adallom to MAPP (Microsoft Active Protections Program), specifically focused on providing “assume breach” protection for Office 365.

“Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks,” Jerry Briant, Senior Security Strategist for the Microsoft Trusted Computing Group, told us, noting that as “MAPP evolves, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange. Employing a ‘give to get’ model, the community will benefit when data they provide is enriched by aggregating it with data from others.”

Bottom line: The cloud is changing the way businesses operate and will continue to do so as SaaS and other as-a-service innovations evolve. As such, businesses must think in new ways about protecting the valuable data on which they rely, and that includes the unsettling fact that data breaches are inevitable. Accepting an "assumed breach" posture doesn't mean surrendering; it means you've taken the first step toward mitigating risk to data integrity in the digital age.

Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ...
Comments
TalKlein (User Rank: Author), 9/29/2014 | 2:43:09 PM
Re: Security moving in from the perimeter
Well put! I completely agree. In the article I laid out three mechanisms which we use today:

1. The behavioral standard deviation of the application in the context of the organization using it.
This will continue to be useful because applications in the contexts of their organizations have unique behavioral fingerprints; we will continue to build on these in collaboration with the app vendors themselves. Ideally these would be metered via APIs, but today we supplement some of them through other vectors such as Identity and Access APIs (provided by Okta or ADFS), and our SAML-based reverse proxy.

2. The realm of human capability.
This is the low-hanging fruit that, as you astutely stated, will become largely commoditized over time and likely adopted by the SaaS vendors themselves as a value-added component of their service, like 2FA and IP restrictions. Where we think we'll add value here is by having a broader dataset that encompasses users across several SaaS platforms.

3. The unique behavioral fingerprint of a user.
This is the big one; this is where we're investing 60% of our R&D, hiring the best machine learning engineers and the brightest heuristic scientists. We believe this is where the competitive battle lines will be drawn.

Stratustician (User Rank: Moderator), 9/29/2014 | 1:39:12 PM
Re: Security moving in from the perimeter
It's nice to see a wider inclusion of other threat data, such as social evidence, included in security models. I think it's quite easy for people to get comfortable relying on traditional controls such as endpoint, authentication and encryption, but as more apps become SaaS based, it's going to come down to more heuristic information, such as comparing how attacks are carried out versus, as the author states, what is possible by a human.
TalKlein (User Rank: Author), 9/26/2014 | 4:53:29 PM
Re: Security moving in from the perimeter
Thanks, Marilyn - I'm glad to see these issues are rising to the forefront of security discussions.
Marilyn Cohodas (User Rank: Strategist), 9/26/2014 | 11:23:03 AM
Re: Security moving in from the perimeter
There's been a lot of discussion about the end of the perimeter, but Tal did a really nice job breaking down why and how in the era of web services these attacks are so easily missed! The old saying "never assume" definitely does not apply in the cloud.
TalKlein (User Rank: Author), 9/25/2014 | 7:23:24 PM
Re: Security moving in from the perimeter
Thanks, Charlie! I know it's hard in an age of Shellshocks and Heartbleeds to actively think about adaptation rather than prevention, but hopefully security leaders out there are minding the gap.
Charlie Babcock (User Rank: Ninja), 9/25/2014 | 6:47:58 PM
Security moving in from the perimeter
Good discussion, Tal, and another signpost that security has to come in from the perimeter and do more to keep an eye on what's actually going on with the application.