How to detect threats in the cloud

Cloud-based systems are being adopted by a greater number of businesses and individuals alike — and that’s hardly surprising. After all, the list of benefits that cloud-based workflows can bring is both long and far-reaching.

Using the cloud can:

• Reduce the need for additional hardware, minimizing your running costs.
• Promote collaboration across your personal/work circles.
• Remove your dependency on internal storage, freeing up memory for other tasks.
• Lower the workload of your computer, as data processing tasks are carried out by external servers.
• Mean that software updates happen automatically, keeping your machines up to speed, and staying on top of bug fixes, anti-virus programs, and patches.
• Help your business scale more easily.

However, here’s where the irony comes in. The exact same characteristics that are beneficial in cloud systems are also potential vulnerabilities — so we’ve created this blog post to help you navigate these weaknesses and equip you with ways to detect threats in the cloud.

Understanding cloud-based systems

Before we get into the details, it’s worth defining what cloud-based systems actually are.

Cloud is:

• Resilient and available — while cloud is still subject to threats, because of its scale, cloud providers invest a lot in security and are able to retain the skills required to build strong security capability. The challenge here is that with the shared responsibility model, customers have to use the security features properly.
• Multi-tenanted — this is a key characteristic of the cloud. It makes a lot of the other characteristics of cloud possible, such as scale (by bringing lots of customers together) and elasticity (when your consumption drops, the resources you were using can be sold to somebody else). The downsides of multi-tenancy can be compared to sharing roads with other drivers - e.g. resource contention (if there is not enough capacity). Outages also often tend to affect lots of customers at once.
• Global — with multiple providers that span continents with data centers in a multitude of countries. This means that services are available throughout the world, with minimal restrictions.
• Powered by APIs (Application Programming Interfaces) — APIs allow for smooth and continuous communication between different programs when carrying out tasks. These are especially useful for carrying out automated operations. This makes it possible to automate creation, destruction and changes to cloud-based systems. This makes changes very seamless. This can be both good and bad - if not used carefully, destructive changes can also be made very quickly. However, generally speaking, APIs can help streamline user or customer experience by minimizing friction and making navigation more effortless.
• Elastic - Scalable to your needs, providing you with a flexible model that can adapt to your requirements. Cloud offers the ability to add or remove resources to your setup with ease. There are many database providers that can handle transitions to match demand and deliver this fluidity with consistency. Cloud monitoring gives you the ability to make data-led decisions that are based on real-time performance, so you can stay on top of the situation. Ultimately, the elastic characteristic of cloud means that you only buy what you need, rather than always having spare capacity to deal with peaks in demand.
• User and provider share responsibility - while providers usually create threat detection tools, the alerts are mainly handled by the service user or partner. In a nutshell, the user is responsible for tool deployment, and they can manage this at their discretion. The shared responsibility model is key to understanding many areas of cloud - especially security. There is always a boundary of responsibility. On one side, responsibility rests with the provider, on the other, responsibility rests with the customer. For instance, with IaaS (infrastructure as a service), this boundary rests at the hypervisor - everything below the hypervisor is a provider responsibility, everything above it is a customer responsibility. As a result, security of the guest OS is a customer responsibility. As a user of cloud services you need to understand this boundary clearly so that you understand what you are responsible for.

Cloud computing has changed the threat detection paradigm

A new landscape has emerged from the cloud revolution. As users switch to a cloud system, they are leaving their previous environment — one that was secured with firewalls and other safeguards. While there was once a well-defined perimeter, that has effectively dissolved as systems are migrated into the cloud and users become more mobile. This means that the attack surface of the typical organization has changed, usually becoming larger. Consequently, this surge in mobile networks and working has created a demand for a more dynamic cybersecurity solution.

It also means that on top of network monitoring that was done in-house, there is now a need to manage the security of mobile workers as well.

Initially, you’ll need to look into the telemetry of your cloud system and usually it’s multiple systems. This makes things more complicated because there is no “one source” of telemetry. But generally, this is where you’ll find the data on performance and be able to detect any issues.

With regards to PaaS (platform as a service) and SaaS (software as a service) formats of threat detection, this process involves combing through audits and data logs to locate the telemetry data.

The IaaS (infrastructure as a service) format varies slightly, in that the key information comes from the activity within your cloud as well as the access data. Providers such as Microsoft Azure and AWS EC2 will do this for you.

Cloud raises issues around online identity too

The elephant in the room when it comes to online identity protection has to be passwords and their shortcomings. It’s all too apparent that unique passwords for every venture mixed with the enigmatic human mind is not a particularly reliable combination.

Many users use the same password for everything, some try a variation on a theme, while others make passwords so random that they’re nearly impossible to remember.

In light of this, there’s been a high uptake in identity platforms such as Azure Active Directory (AAD). Programs such as this enable the user to implement a single identity across numerous services, removing the need for a unique password for a specific service.

One challenge with respect to identity providers is that the market is really still in flux and has not matured yet. Despite that, players like Microsoft are emerging ahead of the crowd.

While the use of identity providers like AAD solves the problem of multiple passwords, it adds a new dimension of making the identity provider itself into a target for attack - this is addressed below.

The next step

So, you’ve probably guessed where the next focus on cybersecurity will be?

Identity platforms.

These are now a tempting target for threat actors, as they effectively hold all the cards for online identity. Therefore, it’s imperative to include these platforms in telemetry gathering activities in order to secure a water-tight approach.

Finally, we also need to understand that cloud services create a situation where organizations have to deal with a host of new telemetry sources which need to be analyzed and correlated. This is where XDR comes into the picture, with its ability to combine multiple diverse sources of telemetry under a single pane of glass.