Phishing attacks, unpatched systems, and unauthorized cloud applications are creating unrelenting risk for enterprise security teams. Automation of threat monitoring and patching of software vulnerabilities is often the best way—and increasingly the only effective way—to tackle those challenges.
That’s one of the key conclusions from a research project jointly conducted by Oracle and KPMG. The Oracle and KPMG Cloud Threat Report 2019, released in February, examines many threats facing organizations. The data comes from 450 cybersecurity and IT professionals from private- and public-sector organizations in the United States, Canada, United Kingdom, Australia, and Singapore.
Key findings from the Oracle and KPMG study include:
• 23% of respondents say their organizations don’t have the resources to manually patch all their systems. This calls out the need for automation in rolling out patches.
• 50% say that use of unsanctioned cloud applications resulted in unauthorized access to data; 48% say that unauthorized access introduced malware, and 47% say that data was lost. This points to the need to set policies to limit the use of unapproved cloud applications—and perhaps to introduce technology to automatically detect or block such uses.
• 92% are concerned that individuals, departments, or lines of business within the organization are violating security policies when it comes to the use of cloud applications. This may mean using unsanctioned cloud applications, or using sanctioned cloud applications in ways that are not sanctioned.
• 69% of organizations stated that they are aware of a moderate or significant amount of unapproved cloud applications, with another 15% stating they are aware of a few such apps in use. The appeal of cloud applications is tremendous, and employees aren’t going to let security policies or approval processes slow their adoption of them.
The big picture conclusion: It’s more important than ever that businesses use automation tools, in addition to human security analysts, to protect the business. The study also showed that it’s essential for CISOs to become more aware of the uses of cloud computing within their organizations, and that all parties in the business—including IT teams—need a better understanding of the shared security model for cloud computing.
Phishing Attacks Are Top Risk
The single most common cyberattack vector: Phishing emails, either generic ones that flooded employees’ inboxes, or personally targeted “spearphishing” messages aimed at, say, a CFO or IT technician. In the Oracle-KPMG study, 27% of organizations were attacked with email phishing with malicious attachments or links in the past year.
The next most common attack vectors: malware that moved laterally through the organization and infected a server (cited by 23% of respondents); misuse of privileged accounts by an employee (19%); and “zero day” exploits that exploited previously unknown vulnerabilities in operating systems or applications (18%).
When employees open a phishing email and click on a link, or open an attachment, many bad things can happen, but one of the nastiest is when the hacker installs malware or sends the employee to a faked-up web page to steal login credentials.
“Email is the number-one attack vector,” says Greg Jensen, senior director of cloud security at Oracle and coauthor of the Oracle and KPMG Cloud Threat Report 2019. “Employees have these human tendencies where they are drawn to look at an email, like moths to a flame, if it says ‘important’ or if it appears to originate from a known executive, I’m going to click it.” Or if it appears to be formatted to be from a trusted partner with a request to provide information.
As the report explains, these techniques, and other more sophisticated phishing attacks, can let the attacker gain access to cloud infrastructure services, or software-as-a-service. For example, perhaps the phished employee is a software developer, cloud administrator, or application release engineer. Armed with that employee’s credentials, “hackers can access cloud infrastructure management consoles, provision new services such as compute instances, and begin to move laterally across the affected company’s cloud infrastructure,” the report says.
The best way to stop phishing is to prevent the malicious message from reaching the recipient. Security software can help here, such as advanced email security solutions that use artificial intelligence and machine learning to inspect email content—including addresses, message text, links, and attachments—to detect malware, links to malicious web sites, and business email compromise. So can machine-learning-powered monitoring software that looks for out-of-the-ordinary behavior. If your US-based CFO logs onto your procurement system from Ukraine in the middle of the night, your system can flag that as an anomaly that might point to a stolen credential.
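The behavioral check described above, as an added illustration that is not part of the report or of any Oracle or KPMG product: it runs a small per-user baseline (home country and working hours) over constructed sign-in log lines and flags the CFO-from-abroad-at-night case. The log format, user names and baselines are all assumptions made for the example.

```python
# Flag anomalous sign-ins: a login from outside a user's baseline country,
# or outside their usual working hours. All data below is constructed.
from datetime import datetime

# Constructed per-user baselines (in a real deployment these would be learned
# from sign-in history): home country and local working-hour window.
BASELINES = {
    "cfo":    {"country": "US", "hours": (7, 19)},
    "devops": {"country": "GB", "hours": (8, 20)},
}

# Constructed sample events; the timestamp is the user's local time.
SAMPLE_LOG = """\
2019-03-04T09:12:00 user=cfo system=procurement src_country=US result=success
2019-03-05T02:41:00 user=cfo system=procurement src_country=UA result=success
2019-03-05T13:05:00 user=devops system=cloud-console src_country=GB result=success
2019-03-05T23:30:00 user=devops system=cloud-console src_country=GB result=success
2019-03-06T10:00:00 user=intern system=hr-portal src_country=US result=success
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["time"] = datetime.fromisoformat(ts)
    return ev

def anomaly_reasons(ev, baselines=BASELINES):
    """Return the reasons an event looks anomalous (empty list = normal)."""
    base = baselines.get(ev["user"])
    if base is None:
        return ["no baseline for user"]  # unknown accounts deserve a look too
    reasons = []
    if ev["src_country"] != base["country"]:
        reasons.append(f"login from {ev['src_country']}, baseline {base['country']}")
    start, end = base["hours"]
    if not start <= ev["time"].hour < end:
        reasons.append(f"login at {ev['time']:%H:%M}, outside {start:02d}:00-{end:02d}:00")
    return reasons

def flag_anomalies(log_text):
    """Return (user, system, reasons) for every line with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = anomaly_reasons(ev)
        if reasons:
            flagged.append((ev["user"], ev["system"], reasons))
    return flagged
```

A real deployment would feed these alerts into the same triage pipeline as the rest of the SOC's events, since a single out-of-hours foreign login is a signal, not proof, of a stolen credential.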
Not Knowing the Shared Security Model
In an organization’s data center, the IT and security teams are responsible for all aspects of security. In the cloud, however, there’s a shared responsibility security model (SRSM) that includes both the cloud service provider and the enterprise customer.
Unfortunately, sometimes business units that implement cloud applications and infrastructure aren’t aware that the enterprise shares responsibility for securing those cloud applications, such as vetting the vendor, monitoring security alerts, patching the portions of the cloud they are responsible for, and ensuring that user authentication is strong and synchronized with existing on-premises credentials-management systems. This leads to situations where the CISO team isn’t involved with vendor selection, third-party security audits, and other activities that normally take place when onboarding a cloud service provider.
The shared responsibility security model for any particular cloud service explains the division of labor between the cloud service provider and the customer. For example, says the report, while some cloud service providers offer specific cloud security options such as data masking, it may be the customer's responsibility to decide whether to apply those controls and to manage them. Ultimately, it is the cloud service consumer's responsibility to ensure that their organization is protected.
“Organizations are being compromised because someone signed up for an unsanctioned cloud service, and they falsely believe that the cloud service provider will address all of the security requirements,” says KPMG risk-management consultant and report coauthor Brian Jensen (no relation to Oracle’s Jensen).
Automation Can Make a Difference
The number of alerts and incidents coming into a typical enterprise security team is too much to handle—and when alerts of anomalous end-user behavior are included (as they should be), the problem is likely to grow quickly.
A typical large enterprise deals with 3.3 billion events per month, “yet only 31 of those events are actually real security events or threats,” KPMG’s Jensen says. “That’s truly a needle in a haystack—or worse.”
An enterprise can’t hire its way out of this mess, because it’s not feasible to find, recruit, hire, train, and retain so many security analysts. “The challenge will not be addressed with manpower alone; what is needed is intelligent automation and trained, skilled staff to architect a scalable solution that addresses the unique cloud risk use cases,” KPMG’s Jensen says.
Another looming risk comes from unpatched systems. When vulnerabilities are found in operating systems, applications, or device firmware (such as in Internet of Things implementations), it can take too long for IT staff, working with the security team, to install and test the required patches or configuration changes.
The answer is to let software do the tedious, repetitive grunt work while human IT and security analysts focus on solving more difficult problems. Patching vulnerable hardware or software is among the highest-impact steps a cybersecurity team can take. Automated patching is used by 43% of organizations, the report finds, with 50% of larger organizations (1,000 or more employees) using it. A further 46% of all organizations plan to implement automated patching over the next 12 to 24 months.
The research shows a clear strategic intent to use automation for database patching. About one-quarter (24%) of respondents have fully or mostly automated patching of their database servers, and another 18% have somewhat automated their database patching. The report also details clear differences in the levels of automation organizations have adopted over the years, and which forms of automation are truly impactful.
The Imperative for Cloud Security
How can organizations protect the increasing number of business-critical cloud services? Make sure that employees are trained to recognize the various forms of social engineering attack, such as phishing, and because the hackers keep getting trickier, recognize that training alone isn’t enough. It’s therefore important to implement solutions that block phishing and spearphishing emails before they reach employees, and to continually monitor systems for signs of out-of-the-ordinary behavior that might signal an email compromise.
Organizations also need to enforce policies against using third-party cloud services without the full engagement and approval of IT and/or the security teams. Everyone needs to understand the specific shared responsibility security model for each cloud service and, as much as possible, use automation to handle tedious, repetitive tasks such as triaging security alerts and applying patches and fixes to address vulnerabilities.
The 2019 threat report offers additional research information, as well as prescriptive ideas for addressing these and other enterprise security challenges as you transition to the business-critical cloud.