Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Achieving PCI compliance in Amazon Web Services (AWS) involves determining where AWS compliance efforts intersect with your own compliance efforts. Who is responsible for documentation? And do the same concepts of network segmentation and separation apply within AWS, and if so how? These and many other questions arise when you combine PCI compliance with AWS.
To hear the answers to these and many other questions regarding PCI compliance on AWS with the VM-Series virtualized next-generation firewall, please join Palo Alto Networks and Warren Rogers for a webinar on Tuesday, May 3 at 10 a.m. PDT.
This is an interesting customer case study. First off, Warren Rogers chose to pursue PCI compliance not because it was a requirement, but because they wanted to improve their security posture and enhance their customer value proposition. Second, if you remove the notion of cloud and virtualization, all of the same questions, considerations and processes Warren Rogers addressed are applicable to PCI compliance on a physical network.
About Warren Rogers: Warren Rogers is a 37-year-old, privately held company that provides the leading fuel system monitoring solution in the industry. Its entire IT infrastructure is housed in AWS, and the Warren Rogers All-Point Monitoring System provides the most accurate and complete information of the fueling operation including every tank and every line. Their customers include companies like QuikTrip, Wilco/Hess, CircleK and many more.
A Customer Case Study: Achieving PCI Compliance in AWS
When: Tuesday, May 3, 2016
Time: 10am PDT, 12pm CDT, 1pm EDT
Speakers: Matthew R. McLimans, Computer Engineer at Warren Rogers
Having joined Palo Alto Networks following a 35-year career in the U.S. military, the past decade of which I served in a variety of leadership positions in cyber operations, strategy and policy, I have found that many of the cybersecurity challenges we face from a national security perspective are the same in the broader international business world.
This blog post series describes what I consider to be four major imperatives for cybersecurity success in the digital age, regardless of whether your organization is a part of the public or private sector.
Imperative #1 – We must flip the scales (February 16, 2016)
Imperative #2 – We must broaden our focus to sharpen our actions (March 12, 2016)
Imperative #3 – We must change our approach (March 30, 2016)
Imperative #4 – We must work together
IMPERATIVE #4 – WE MUST WORK TOGETHER
Before I get to the details, allow me to review some background and context, and then provide an executive summary of Imperative #4 in case you are pressed for time.
As a reminder from my previous three blogs, I use the factors in Figure 1 to explain the concept behind Imperative #4 in a comprehensive way.
Figure 1
Threat: This factor describes how the cyberthreat is evolving and how we are responding to those changes.
Policy and Strategy: Given our assessment of the overall environment, this factor describes what we should be doing and our strategy to align means (resources and capabilities – or the what) and ways (methods, priorities and concepts of operations – or the how) to achieve ends (goals and objectives – or the why).
Structure: This factor includes both organizational (human dimension) and architectural (technical dimension) aspects.
Tactics, Techniques and Procedures (TTP): This factor represents the tactical aspects of how we actually implement change where the rubber meets the road.
In this final blog of the series, I’d like to take you through Imperative #4 using the concept model outlined above, and step through the implications.
Figure 2
EXECUTIVE SUMMARY
For this last imperative in the series, I want to focus on something that I believe is absolutely vital to success. I’m leveraging my previous national security experience, as well as my current private industry role, in emphasizing the critical importance of this imperative.
In my view, no single organization, public or private, has all of the talent, skills, resources, capabilities, capacity, or authority to act effectively when doing so in isolation. It truly takes teamwork and effective partnerships to act effectively with cybersecurity in the modern digital age. Therefore, we must work together if we want to be successful as a community.
There is already a significant shift going on regarding cyberthreat information sharing. What was once the sole purview of governments is now increasingly being done by industry, and this is a much-needed shift.
It’s very important to distinguish cyberthreat information sharing from the more contentious terrorist threat information sharing and associated surveillance issues that flood today’s international headlines.
Cyberthreat information is focused on indicators of compromise and not commercial proprietary information, personally identifiable information, personal health information or the personal content of individual communications.
Indicators of cyberthreat compromise include:
Malicious code
Information infrastructure transmission
Connection and collection points
Compromised systems and networks
Cyberthreat organizations and individuals
The general categories of entities that these threat organizations and individuals target for their malicious activities
The techniques that these cyberthreats employ to conduct their actions across the threat lifecycle
From a policy perspective, an increase in cyberthreat information sharing across private sector organizations has led to a change in the views of a growing number of industry leaders. Rather than hoarding cyberthreat information as a commercial commodity, many leaders are now seeing a growing need to share the information as a public good. The greater overall good achieved by sharing this specific type of intelligence vastly outweighs the parochial interests of individual commercial entities, and the focus shifts to what commercial competitors do with the information once it is shared.
Effective information sharing requires an accompanying organizational structure shift from working in isolated silos to building effective partnerships and an environment of strong teamwork. Some organizations find this shift difficult to achieve, which is why it must be driven by the organization’s leadership to be effective.
The final set of implications resulting from Imperative #4 deals with making it actually work at the tactical level with the required speed and scale. This requires a shift from manual to automated TTP regarding two distinct activities. The first activity is the automated sharing of the cyberthreat indicators of compromise themselves. Equally important is the need to shift from manual, human-based efforts to prevent further threat success based on the shared intelligence to an automated defensive posture adjustment procedure in near-real time.
Scaling the distribution of threat intelligence to the scope that partnership growth demands also requires the use of standardized formats and procedures that enable automated sharing, instead of legacy TTPs that use slow, ad hoc and often manual approaches that usually result in confusion and complexity.
DETAILED DESCRIPTION OF IMPERATIVE #4
THREAT
I have 35 years of experience in the U.S. government and, more specifically, the U.S. military. During the vast portion of that experience, I had a close association with the national intelligence community, as well as the intelligence communities of many partner nations.
Now that I’ve been in the private sector for some time, I can tell you with confidence that what used to be the sole purview of governmental intelligence communities in terms of access and visibility into the cyberthreat landscape is now changing very, very dramatically. I believe this change is appropriate, as well as inevitable.
The private sector is awakening – in no small measure due to the alarm bell that the national and international security communities have been ringing for the past several years – to the growing size, sophistication and increasingly sinister intent of cyberthreats across the world.
In my view, there is a significant shift from governments being the sole dispensers of cyberthreat intelligence towards industry being more and more powerful as a producer of not just vulnerabilities and cyberthreat information but also real cyberthreat intelligence.
It’s very important to distinguish what I’m calling cyberthreat intelligence from other types of intelligence, especially terrorist threat intelligence and the contentious surveillance issues associated with it. I’m NOT talking about proprietary commercial information (intellectual property or financial data), personally identifiable information, personal health information or the personal content of individual communications.
If you recall the key points I made in each of my last three blogs in this series about how we must change our view of the cyberthreat, I’m talking about indicators of compromise (IOCs) based on the cyberthreat lifecycle.
Indicators of cyberthreat compromise include: malicious code; information infrastructure transmission connection and collection points; compromised systems and networks; cyberthreat organizations and individuals; the general categories of entities that these threat organizations and individuals target for their malicious activities; and the techniques that these cyberthreats employ to conduct their actions across the cyberthreat lifecycle. This kind of intelligence CAN be shared.
This is a good thing. Because if those in industry are expecting the government (whichever country you are from) to show up with all the intelligence needed to defend against the threat, that is not a realistic expectation.
Having come from government, one of my biggest frustrations as a network defender was the inevitable intelligence gain/loss equity assessment that played out when there was valuable cyberthreat intelligence that the defense community needed. Sharing it usually represented too much of an intelligence risk to sources and methods, so there was always tension.
Sometimes, the tension surrounding sharing also came as a result of our own ability to take advantage of the same thing against one of our adversaries. Nobody on that side of the argument wanted to give away such an advantage by sharing the information with the cybersecurity community; and therefore, our adversaries then would have known as well.
In my opinion, this situation is improving slowly because the intelligence gain/loss balance is now tempered by a real sense of an equally strong and competing operational gain/loss equity at play. In my opinion, the more that the Internet of Things phenomenon plays out, the greater the overall risk will be to our ability to provide more and more vital security, as well as business operations, if we do NOT share cyberthreat intelligence widely and rapidly between public and private organizations.
However, these gain/loss dynamics still represent a challenge and government is biased not to share, or at least not to share rapidly. So, it’s a GOOD THING that industry is increasingly doing this on its own.
Believe me when I say that there will always be plenty of challenges left for governments to tackle, so this shift only helps the overall team effort, and that’s why it’s an imperative for future cybersecurity success.
POLICY AND STRATEGY
Given that we have a greater and greater industry role in cyberthreat intelligence, what should we be doing about this?
At Palo Alto Networks, as in a growing number of other like-minded (yet competitor) companies, we believe we must share this intelligence as a public good, rather than hoard it as a commercial commodity. THIS IS A HUGE SHIFT!
I remember when I was in the special operations and information warfare communities during military operations in both Afghanistan and Iraq. In the early days, you may recall that we had a similar dynamic going on across the multi-agency and coalition efforts. We all knew bits and pieces, but we all had trouble “connecting the dots,” which was one of the key reasons that the 9/11 attacks happened in the United States.
Over time, we made a deliberate decision that we needed to move from a “need to know” basis for terrorist threat information-sharing toward a “need to share” basis so that, collectively, we could work in a more effective, integrated fashion.
It was very painful making this adjustment, and many organizations resisted due to both real and perceived risks (some still do today). However, this shift in mindset and policy began to show promise, and the gains turned out to be worth the risks in terms of success against terrorists on the battlefields of Iraq, Afghanistan and other key locations around the globe.
This is the same strategic dynamic for cyberthreat intelligence, though I must make the key distinction that we are NOT talking about surveillance-related intelligence about terrorists, but rather cyberthreat IOCs. There’s a huge distinction between the two that many tend to conflate in today’s “security versus privacy” debates.
Now, let me tell you the story of the Cyber Threat Alliance.
ORGANIZATION AND ARCHITECTURE
The Cyber Threat Alliance (CTA) is an example of shifting organizational structure from silos to partnerships. This is a story about eight companies – several of which compete with one or more of the others, including my own – that have put their money where their mouths are and actually organized to share cyberthreat intelligence.
To illustrate the example, I’ll use a recent Cyber Threat Alliance pilot project to show how the notion of organizing to share cyber threat intelligence can work.
First, some background: CryptoWall Version 3 is a form of ransomware, and has been recently used by a cyberthreat criminal entity to steal and encrypt an organization’s or individual’s sensitive information to hold it for ransom (usually through Bitcoin or other digital currency). If the ransom is not paid in accordance with the criminal entity’s demands, the information stolen and held for ransom is then destroyed.
The Cyber Threat Alliance utilized the collective intelligence and analytic resources from the four founding members (Palo Alto Networks, Intel® Security, Symantec™, and Fortinet®) and four other contributing members (Barracuda Networks, ReversingLabs, Telefonica, and zScaler) to publish a public report on October 29, 2015, titled “Lucrative Ransomware Attacks: Analysis of the CryptoWall Version 3 Threat.”
This was the first published report using combined threat research and intelligence from the founding and contributing members of the Cyber Threat Alliance. The report provided organizations worldwide with valuable insight into the attack lifecycle of this lucrative ransomware family. The Cyber Threat Alliance further discovered:
The $325 million in revenue that went to the attackers included ransoms paid by victims to decrypt and access their files.
406,887 attempted CryptoWall infections.
4,046 malware samples.
839 command-and-control URLs for servers used by cybercriminals to send commands and receive data.
The hundreds of millions of dollars in damages span hundreds of thousands of victims across the globe. North America was a particular target for most campaigns.
Although this example of an effective partnership for cyberthreat intelligence-sharing was just a pilot project to prove that competitor cybersecurity organizations could actually work together to bring down a single threat, it was also a powerful endorsement of the concept and demonstrated the organizational structure required for success. In fact, the quote below, from Rick Howard, Palo Alto Networks CSO, sums it up nicely:
“This type of collaborative research by security vendors reflects the power of effective threat information-sharing and the positive effect it can have on helping maintain trust in our digital world. As a founding CTA member, we are committed to the idea that this new way of working together – of combining intelligence on a common adversary and sharing cyberthreat information as a public good – is to the benefit of all organizations in the battle against cybercrime.”
There will be more research published this year from the CTA. This represents an imperative to move from our traditional, legacy approach of working in isolation toward real teamwork and effective partnerships.
This surely won’t be easy, and if the CEOs from the partner companies in the CTA had not personally been involved, this partnership would not be effective today. With leadership commitment, this demonstrates an organizational approach to a more successful cybersecurity future – one where various entities determine that there is an overall common objective, the achievement of which provides more overall good on balance than individual efforts that work against one another for a single organizational advantage.
TTP
In the Cyber Threat Alliance example that I just used, there were two tactical, more procedural issues that we learned were key to success.
First, let me remind you of the problem I covered in my first blog of the series about the lopsided advantage that the attacker currently has over the defender. Taking a page from our cyber adversaries, in terms of one of the key reasons for this imbalance, we need to take slow, human decision-making out of the equation, and automate everything we can to determine known bad IOCs in near-real time from unknown activity/techniques/signatures.
Cloud capabilities are key to success in automating this process, and the only real way to wipe away an estimated 80–90 percent of more routine cyberthreat activity so that we can use the human processes for the really sophisticated stuff.
Using the Cyber Threat Alliance again as an example, in order to join the Alliance, each company must contribute a minimum of one thousand unique malware signatures every day and must agree to automatically consume rapidly discovered known bad signatures from any of the other Alliance partners. They must also ingest the resulting protections into their own company’s defensive capabilities, systems and platforms.
This TTP produces a rapid self-learning capability. It also produces a self-healing fabric that stretches across all of the partner organizations’ information technology enterprises, and limits the cyberthreat level of success dramatically.
One of the other important TTP lessons coming from the Cyber Threat Alliance experience is that in order to become self-learning and self-healing at scale, you have to get away from ad hoc information transmission methods and move to a standardized format. Doing so enables the automation of information-sharing and cybersecurity platform adjustment at the same time and on a much broader scope and scale.
The standardized methods for automated cyberthreat information-sharing being explored by the U.S. government and other international organizations, known as STIX/TAXII, may prove successful, but both public and private organizations, including the Cyber Threat Alliance, are still working through which techniques and procedures best scale for success.
CONCLUSION
Cybersecurity success in the digital age requires that we leverage teamwork and partnerships in powerful new ways that we are only beginning to understand and implement.
Private industry has a growing, increasingly important and entirely appropriate role in cyberthreat analysis and intelligence. Governments simply cannot, and should not, be the only ones to cover the entire cyberthreat landscape. However, we must be clear and precise about what cyberthreat intelligence means in order to avoid the confusion between security and privacy. When it comes to cyberthreats, security IS privacy.
The need to share cyberthreat information is rapidly becoming rightfully viewed as a greater societal good, where the risks associated with arguments not to share widely and rapidly are becoming eclipsed by an overall growing threat to the trust we place in our digital way of life.
On balance, this imperative to share information about both cyberthreats and the associated protection mechanisms against them requires that we think differently about the way we organize so that we are optimized for a “need to share” culture. This will require strong leadership by example.
The imperative that we work together also requires using standardized, automated TTP for both sharing the critical information and for loading it into the defensive posture of our information technology enterprise in near-real time.
Taken together, these shifts regarding the role of industry in cyberthreat intelligence, in the policies that guide a culture of sharing threat information as a public good, in the way we organize to facilitate a “need to share” culture, and in the TTP we employ to standardize and automate information-sharing and mitigations all reinforce the imperative that we must work together. More importantly, they also contribute to our collective cybersecurity success in the digital age.
My COBIT journey began in 1995 when the draft executive summary of COBIT 1st Edition was published in the ISACA Journal. I had passed the CISA exam and had decided to focus on IT audit as my new career. My first reading of the summary made me realize that this was the one-stop shop reference guide for me. After two decades, I can still say with a firm conviction that COBIT has empowered me to remain relevant and add value in all my assignments. Back to the story…
As I used and adapted COBIT’s control objectives, for multiple assignments and clients (small, medium or large), COBIT became the best collection of practices and approaches to use to remain ahead of the technology curve. The next release of COBIT, with the management guidelines, provided a new perspective for managing performance of IT through the key goal indicators and key performance indicators.
The release of COBIT Control Practices added the next layer of best practice and expanded the scope of application to a more detailed level. The fourth edition of COBIT included an IT governance framework. This became immensely popular, as it met both management and regulatory requirements. It aligned IT with business goals. As technology became all-pervasive, there was a compelling need for a holistic approach to implement controls, not just from a management but also from a governance perspective. COBIT 5 met this need as the umbrella framework with its tightly knit governance and management framework. The goals cascade linked enterprise goals with IT goals and with relevant processes, procedures and practices.
COBIT can be complex or simple, depending on the perspective from which it is read, understood and implemented. The best approach is to consider COBIT as codified common sense that is presented in a structured, systematic way. COBIT can be customized and adapted to enterprise requirements, as it is a framework and not a standard.
The value of COBIT is in what it brings through its effective implementation. Over the years I have realized the key challenge is not whether COBIT is relevant and useful but whether the enterprise has the right skill-sets to customize COBIT to derive value from implementation. The key to successful implementation is the skills of COBIT-trained professionals who can adapt it as required based on their domain expertise.
For a new user, COBIT initially looks quite vast in its coverage and intimidating in its complexity. However, as the reader understands the core principles, uniform structure in which contents are presented and the systematic approach for implementation, the philosophy and practical relevance of COBIT gets demystified. Further, as they start implementing COBIT, COBIT becomes easier to understand.
COBIT’s contents are quite dense and the extent to which they can be expanded by integrating with other frameworks depends on the skill-sets of the user. COBIT can be used only to the extent required. It is not necessary to understand every word of COBIT to implement it. The more one reads and applies COBIT, the easier it becomes.
In the past two decades, COBIT has evolved to become an effective enabler that harnesses and leverages the power of technology to meet enterprise goals. We have witnessed the information revolution aided by the transformation ushered by technology. COBIT has always kept ahead of this technology race by transforming from an audit-oriented framework to a governance-oriented framework. This has helped COBIT maintain its relevance.
The COBIT mantra is “IT is complicated; IT governance doesn’t have to be.” COBIT is the de facto framework of choice for both professionals and enterprises to remain relevant and add value. The knowledge repository of best practices of COBIT 5, coupled with its holistic approach to governance and management of enterprise IT, provide the right blend of processes and practices to seamlessly integrate technology infrastructure into the business process fabric.
Even after being a student of COBIT for two decades, the COBIT journey is still unfolding for me, leading to new discoveries of how I can leverage my skill-sets using the knowledge repository of COBIT. I invite readers who have not read COBIT to drop apprehensions and start the journey. And for those who think they know COBIT, I suggest that they read it again to get new meaning, insights and practical perspectives of application. Please begin or restart your journey of understanding and implementing COBIT. There are definitely exciting times ahead. COBIT helps enterprises and professionals to be better prepared to meet dynamic challenges of digital age!
Abdul Rafeq, CISA, CGEIT, Managing Director, WINCER Infotech Limited
Recently, Spanning – an EMC company and provider of backup and recovery for SaaS applications – announced the results of a survey* of over 1,000 IT professionals across the U.S. and the U.K. about trends in SaaS data protection. It turns out that IT pros across the pond have the same concerns as here in the U.S., as the survey found that security is the top concern when moving critical applications to the cloud. Specifically, 44 percent of U.S. and U.K. IT pros cited external hacking/data breaches as their top concern, ahead of insider attacks and user error.
But that’s not the most interesting finding, as the survey found that perceived concerns differ from reality when it comes to actual data loss. In total, nearly 80 percent of respondents have experienced data loss in their organizations’ SaaS deployments. Accidental deletion of information was the leading cause of data loss from SaaS applications (43 percent in U.S., 41 percent in U.K.), ahead of data loss caused by malicious insiders and hackers.
While organizations in both the U.S. and U.K. have experienced data loss due to accidental deletions, migration errors (33 percent in U.S., 31 percent in U.K.), and accidental overwrites (27 percent in U.S., 26 percent in U.K.) also led external and insider attacks as top causes of data loss.
How SaaS Backup and Recovery Helps
As a case in point, consider one serious user error – clicking a malicious link or file and triggering a ransomware attack. If an organization uses cloud-based collaboration tools like Office 365 OneDrive for Business or Google Drive, the impact from a ransomware attack is multiplied at compute speed. How? An infected laptop contains files that automatically sync to the cloud (via Google Drive or OneDrive for Business). Those newly infected files sync, then infect and encrypt other files in every connected system – including those of business partners or customers, whose files and collaboration tools will be similarly compromised.
This is where backup and recovery enters the picture. Nearly half of respondents in the U.S. not already using a cloud-to-cloud backup and recovery solution said that they trust their SaaS providers with managing backup, while the other half rely on manual solutions. In most cases, SaaS providers are not in a position to recover lost or deleted data due to user error, and cannot blunt the impact of a ransomware attack on their customers. Further, with many organizations relying both on manual backups and an assumption that none of the admins in charge are malicious, the opportunity for accidental neglect or oversight is too big to ignore. The industry would seem to agree. Roughly a third of organizations in the U.S. (37 percent) are already using or plan to use a cloud-to-cloud backup provider for backup and recovery of their SaaS applications within the next 12 months.
Since the survey included U.K. respondents, it also gauged sentiment around the rapidly changing data privacy regulations in the EU, specifically in regards to the “E.U.-U.S. Privacy Shield.” The vast majority of IT professionals surveyed agree (66 percent in the U.K., 72 percent in the U.S.) that storing data in a primary cloud provider’s EU data center will ensure 100 percent compliance with data and privacy regulations.
These results paint a picture of an industry that is as unsure as they are underprepared; while security is a top concern when moving critical applications to the cloud, most organizations trust the inherent protection of their SaaS applications to keep their data safe, even though the leading cause of data loss is user error, which is not normally covered under native SaaS application backup. The results also show that the concerns influencing cloud adoption have little to do with the real cause of everyday data loss and more with a fear of data breaches or hackers.
The takeaway from these survey results: more IT pros need an increased awareness and understanding about where, when, and how critical data can be lost to reduce their cloud adoption concerns; and, more IT pros need to learn how to minimize the true sources of SaaS data loss risk. To learn more, download the full survey report, or view an infographic outlining the major findings of the survey.
*Survey Methodology
Spanning by EMC commissioned the online survey, which was completed by 1,037 respondents in December 2015. Of the respondents, 537 (52 percent) were based in the United Kingdom, and 500 (48 percent) in the United States. A full 100 percent of the respondents “have influence or decision making authority on spending in the IT department” of their organization.
Respondents were asked to select between two specific roles: “IT Function with Oversight for SaaS Applications” (75 percent U.S., 78 percent U.K., 77 percent overall); “Line of Business/SaaS application owner” (39 percent U.S., 43 percent U.K., 41 percent overall); the remaining identified as “other.”
Melanie Sommer, Director of Marketing, Spanning by EMC
Many frequently asked questions related to cloud security have included concerns about compliance and insider threats. But lately, a primary question is whether cloud services are falling victim to the same level of external attack as the data center. With Software as a Service (SaaS) becoming the new normal for the corporate workforce, and Infrastructure as a Service (IaaS) on the rise, cloud services now hold mission-critical enterprise data, intellectual property, and other valuable assets. As a result, the cloud is coming under attack, and it’s happening from both inside and outside the organization.
On February 29, the CSA Top Threats Working Group clarified the nature of cloud service attacks in a report titled “The Treacherous 12: Cloud Computing Top Threats in 2016.” In this report the CSA concludes that although cloud services deliver business-supporting technology more efficiently than ever before, they also bring significant risk.
The CSA suggests that these risks occur in part because enterprise business units often acquire cloud services independently of the IT department, and often without regard for security. In addition, regardless of whether the IT department sanctions new cloud services, the door is wide open for the Treacherous 12.
Because all cloud services (sanctioned or not) present risks, the CSA points out that businesses need to take security policies, processes, and best practices into account. That makes sense, but is it enough?
Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault. This does not necessarily mean that customers lack security expertise. What it does mean, though, is that it’s no longer sufficient to know how to make decisions about risk mitigation in the cloud. To reliably address cloud security, automation will be key.
Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB can help automate visibility, compliance, data security, and threat protection for cloud services. We thought it would be interesting to take a look at how well CASBs in general would fare at helping enterprises survive the treacherous 12.
The good news is that CASBs clearly address nine of the treacherous 12 (along with many other risks not mentioned in the report). These include:
#1 Data breach
#2 Weak ID, credential, and access management
#3 Insecure APIs
#4 System and application vulnerabilities
#5 Account hijacking
#6 Malicious insiders
#7 Advanced persistent threats
#10 Abuse and nefarious use of cloud services
#12 Shared technology issues
There are countless examples of why being protected against the treacherous 12 is important. Some of the more high profile ones:
Data breach: In the 2015 Anthem breach, hackers used a third-party cloud service to steal over 80M customer credentials.
Insecure APIs: The mid-2015 IRS breach exposed over 300K records. While that’s a big number, the more interesting one is that it only took 1 vulnerable API to allow the breach to happen.
Malicious Insiders: Uber reported that their main database was improperly accessed. The unauthorized individual downloaded 50K names and numbers to a cloud service. Was it their former employee, the current Lyft CTO? That was Uber’s opinion. The DOJ disagreed and a lawsuit ensued.
In each of these cases a CASB could have helped. A CASB can help detect data breaches by monitoring privileged users, encryption policies, and movement of sensitive data. A CASB can also detect unusual activity within cloud services that originates from API calls, and support risk scoring of external APIs and applications based on that activity. And a CASB can spot malicious insiders by monitoring for overly-privileged user accounts as well as user profiles, roles, and privileges that drift from compliant baselines. Finally, a CASB can detect malicious user activity through user behavior analytics.
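The two detection ideas in the paragraph above, privilege drift from a compliant baseline and user behavior analytics over activity, as an added example in Python. This is not code from the CSA post, from Palerra, or from any CASB product; the role baseline, the user profiles and the activity log lines are all constructed here, and the spike rule (a day's download count must clear an absolute floor, a multiple of the user's own prior daily mean, and mean plus three standard deviations) is a simplification chosen for illustration.

```python
"""Privilege-drift and download-spike checks over constructed cloud-service records.

Added example (not from the CSA post or any CASB product). Assumes a
role -> permissions baseline and key=value activity log lines; both are
constructed below.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed compliant baseline: each role's full set of allowed permissions.
BASELINE = {
    "analyst": {"read:reports", "read:dashboards"},
    "admin": {"read:reports", "read:dashboards", "manage:users", "manage:keys"},
}

# Constructed snapshot of current SaaS user profiles (hypothetical users).
USERS = [
    {"user": "alice", "role": "analyst", "perms": {"read:reports", "read:dashboards"}},
    {"user": "bob", "role": "analyst", "perms": {"read:reports", "manage:keys"}},  # drifted
    {"user": "carol", "role": "admin",
     "perms": {"read:reports", "read:dashboards", "manage:users", "manage:keys"}},
    {"user": "dave", "role": "contractor", "perms": {"read:reports"}},  # role not in baseline
]

# Constructed activity log: alice downloads 2 files/day then 3; bob downloads
# 1/day for five days and then 50 files late on day six.
LOG = (
    [f"2016-03-0{d}T09:00:00Z user=alice action=download object=report-{d}.pdf" for d in range(1, 6)]
    + [f"2016-03-0{d}T09:30:00Z user=alice action=download object=dash-{d}.csv" for d in range(1, 6)]
    + ["2016-03-06T09:00:00Z user=alice action=download object=report-6.pdf",
       "2016-03-06T09:30:00Z user=alice action=download object=dash-6.csv",
       "2016-03-06T10:00:00Z user=alice action=download object=extra.csv"]
    + [f"2016-03-0{d}T11:00:00Z user=bob action=download object=report-{d}.pdf" for d in range(1, 6)]
    + [f"2016-03-0{d}T11:05:00Z user=bob action=login" for d in range(1, 6)]
    + [f"2016-03-06T22:{i:02d}:00Z user=bob action=download object=customers-{i:02d}.csv"
       for i in range(50)]
)


def privilege_drift(users, baseline):
    """Map user -> sorted permissions beyond the role baseline, or the string
    'unknown-role' when the profile's role has no compliant baseline at all."""
    findings = {}
    for u in users:
        allowed = baseline.get(u["role"])
        if allowed is None:
            findings[u["user"]] = "unknown-role"
            continue
        extra = u["perms"] - allowed
        if extra:
            findings[u["user"]] = sorted(extra)
    return findings


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a 'day' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["day"] = ts[:10]  # ISO dates sort chronologically as strings
    return rec


def download_spikes(log_lines, floor=10, multiplier=3):
    """Per-user behavior baseline: flag any day whose download count exceeds
    the absolute floor, `multiplier` times the user's prior daily mean, and
    prior mean + 3 standard deviations. Days with zero downloads are simply
    absent from the history (a deliberate simplification)."""
    per_user_day = Counter()
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("action") == "download":
            per_user_day[(rec["user"], rec["day"])] += 1
    by_user = {}
    for (user, day), n in per_user_day.items():
        by_user.setdefault(user, {})[day] = n
    alerts = {}
    for user, days in by_user.items():
        history = []
        for day in sorted(days):
            n = days[day]
            if history:
                base = mean(history)
                if n >= floor and n > multiplier * base and n > base + 3 * pstdev(history):
                    alerts.setdefault(user, []).append((day, n))
            history.append(n)
    return alerts


if __name__ == "__main__":
    print("privilege drift:", privilege_drift(USERS, BASELINE))
    print("download spikes:", download_spikes(LOG))
```

The drift check answers the "profiles, roles, and privileges that drift from compliant baselines" point directly: anything a profile holds beyond its role's baseline is a finding, and a role with no baseline is itself a finding. The spike check is the smallest useful shape of user behavior analytics: each user is compared only against their own history, so a heavy but steady user is not flagged while a sudden bulk download is.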
What about the three threats that aren’t covered by a CASB? Those include:
#8 Data loss
#9 Insufficient due diligence
#11 Denial of services
The cost of data loss (#8, above) is huge. A now-defunct company named Code Spaces had to close down when its corporate assets were destroyed, because it did not follow best practices for business continuity and disaster recovery. Data loss prevention is a primary corporate responsibility, and a CASB can’t detect whether it is in place. Insufficient due diligence (#9) is the responsibility of the organization leveraging the cloud service, not the service provider. Executives need a good roadmap and checklist for due diligence. A CASB can provide advice, but it doesn’t automate the process. Finally, denial of service (DoS, #11, above) attacks are intended to take the provider down. It is the provider’s responsibility to take precautions to mitigate DoS attacks.
For a quick reference guide to the question, “Can a CASB protect you from the 2016 treacherous 12?,” download this infographic.
To learn more, join Palerra CTO Ganesh Kirti and CSA Executive VP of Research J.R. Santos as they discuss “CASBs and the Treacherous 12 Top Cloud Threats” on April 25, 2-3pm EDT. Register for the webinar now.