If adversaries were attacking the Microsoft Exchange servers at your company, could your team detect and block it? Today’s columnist, Tim Wade of Vectra AI, offers strategies for improving visibility so you can.

Photo: DaveMalkoff, Creative Commons CC BY-NC-SA 2.0

Cloud adoption has risen to an all-time high as organizations have largely accepted the risks associated with the journey from their traditional data centers and to the cloud. Given the immense rewards on the other side of this transformation, it’s obvious what motivated this choice. Still, for all of the cloud’s potential benefits, many organizations have accepted more risk than they may fully realize in part because even as their business and technology portfolios have evolved, their security practices have remained mired in the past.

At some level, we expected this to happen—when companies encounter unfamiliar territory, they often reach for the familiar and with cloud security this involves carrying forward the same “protect and prevent” mindset that’s failed for decades. With organizations losing more direct control over their data, services and infrastructure, the stakes are high. That’s why it’s not enough to focus just on prevention, and why effective detection and response capabilities must remain a top investment for any organization that wants both effective visibility and risk mitigation for the road ahead.

Detections tell the story 

Building effective detection and response requires having a plan for both known and unknown threats. The known threats are the simplest to tackle because detections are easy to find when adversaries take actions that are obviously malicious. Today, adversaries increasingly find that such overt action is unnecessary when they can simply co-opt, misuse and abuse existing services and access. This is particularly true in the cloud, where direct access to the control plane and administrative APIs provides adversaries with a well-defined, scalable, scriptable set of options to progress from initial access to their ultimate objectives.

This makes it critical that both modern and legacy network defenders understand the intersection between the actions an adversary would need to take to progress towards their objectives and the behaviors routinely taken by authorized users across the enterprise. These constitute the unknown threats, as adversaries attempt to blend into the background noise of the enterprise. Where these behaviors intersect, the factors that distinguish the adversary or insider threat from a benign user are intent, context and authorization.

Conceptually, this comes down to an organization having both vision and visibility. Organizations need to have a vision to define authorized use, the risk it presents and the resources necessary to sustain and enable authorized use, while managing that risk. Organizations also need to have the visibility necessary to monitor and measure deviations from that vision, and opportunities to convert that visibility into action when necessary.

Vision

Without a clear expectation of the boundaries of what’s authorized and expected, security defenders will have difficulty doing anything but solving for the tip of the iceberg—the obvious threats. That’s why organizations need to have a vision for what authorized use looks like when it comes to the cloud services they adopt. Low-sophistication organizations achieve this with documented policy that may get little more than a periodic audit and an annual review from general staff and security teams alike, while high-sophistication organizations build on these measures to create a robust security culture that empowers the workforce as an extension of the security team.

The company’s vision for authorized use of cloud services should consider:

  • Which internal services and behaviors are authorized, and under which context should they be used? Are there special cases that do or do not require policy exceptions to be maintained?
  • What sorts of expectations exist around the use, storage, sharing and retrieval of data? When are cloud storage solutions acceptable for use cases ranging from individual end-users to application architecture?
  • What expectations for risk have been established for external services that strike an acceptable balance between managing the sprawl of shadow IT vs. enabling agility and productivity? What operational parameters and safeguards are expected to accompany behaviors involving these external services?

Visibility

Even with a clear vision, organizations quickly get into trouble when there’s insufficient visibility to monitor and measure deviations from their vision. Solving for this challenge requires understanding the behaviors adversaries are motivated to take, and intentionally collecting and aggregating the data that uncovers these behaviors in a way that the security team can operationalize.

Take visibility to the next level

Here’s a checklist of what security teams need to ensure visibility:

  • Services: Are defenders able to detect malicious attacks that progress into, through or out of enterprise cloud services? Are powerful tools like Microsoft 365 (O365) Power Automate open to abuse for command and control (C2) outside the observation of the security team? Can attackers co-opt or abuse eDiscovery tools without detection?
  • Management: Is there sufficient visibility into the misuse and abuse of administrative and management functions? For example, if adversaries or insiders perform risky operations within O365 Exchange to collect or exfiltrate sensitive information, can the security team detect it?
  • Supply Chain: Do defenders have a blind spot when trusted suppliers or service providers have been compromised? If an adversary can gain a beachhead into an environment through the supply chain, is that game-over or game-on?
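As an added illustration (not code from the column or from Vectra AI) of turning a documented vision of authorized use into a visibility check against the management and services questions above: constructed audit events, shaped loosely like a cloud audit record, are evaluated against a policy that encodes which role may perform a sensitive operation, during which hours, and with which connectors. The operation names, connector names, roles and hours are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str            # assumed: resolved from the identity directory before evaluation
    operation: str       # assumed operation name in the style of a cloud audit log
    hour: int            # local hour at which the operation was performed
    connector: str = ""  # assumed automation connector name, if the event created a flow


# Constructed policy encoding the organization's "vision" of authorized use:
# who may run each sensitive operation and in what context.
POLICY = {
    "New-MailboxExportRequest": {"roles": {"ediscovery-admin"}, "hours": range(8, 19)},
    "SearchCreated": {"roles": {"ediscovery-admin", "legal"}, "hours": range(8, 19)},
    "CreateFlow": {"roles": {"automation-dev", "analyst"}, "hours": range(0, 24)},
}
# Constructed allow-list of connectors a flow may use; anything else points at an
# external service the organization has not vetted.
APPROVED_CONNECTORS = {"shared_office365", "shared_sharepointonline"}


def evaluate(event: AuditEvent) -> list[str]:
    """Return the reasons an event deviates from policy (empty list = authorized)."""
    rule = POLICY.get(event.operation)
    if rule is None:
        return []  # not one of the monitored sensitive operations
    reasons = []
    if event.role not in rule["roles"]:
        reasons.append(f"{event.operation} by role '{event.role}' is not authorized")
    if event.hour not in rule["hours"]:
        reasons.append(f"{event.operation} at hour {event.hour:02d} is outside the expected window")
    if event.operation == "CreateFlow" and event.connector and event.connector not in APPROVED_CONNECTORS:
        reasons.append(f"flow uses unapproved connector '{event.connector}'")
    return reasons


def triage(events: list[AuditEvent]) -> dict[str, list[str]]:
    """Map each user to every policy deviation found across their events."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for reason in evaluate(ev):
            findings.setdefault(ev.user, []).append(reason)
    return findings


# Constructed sample events: one authorized export, one export by an unexpected role
# at an odd hour, one flow using an unvetted connector, one ordinary flow.
SAMPLE = [
    AuditEvent("alice", "ediscovery-admin", "New-MailboxExportRequest", 14),
    AuditEvent("bob", "sales", "New-MailboxExportRequest", 2),
    AuditEvent("carol", "analyst", "CreateFlow", 10, connector="shared_webcontents"),
    AuditEvent("dave", "analyst", "CreateFlow", 11, connector="shared_office365"),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE).items():
        print(user, "->", "; ".join(reasons))
```

The point is that the policy table, not the detection code, carries the organization's intent, context and authorization; the same events would be noise without it.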

Visibility requires a combination of breadth and depth of coverage, and fidelity of the signal generated—the capacity to zero in on security-relevant events and turn them into information an organization can act on to mitigate risk. Once the team achieves that focus, they can stitch those events together to tell the whole story—converting data into information and intelligence.

Too often, effective visibility has been conflated with excessive data, which has turned visibility objectives into exercises in over-collection. Security teams require an effective data-collection strategy, but if visibility were strictly a data collection problem, organizations would probably feel more positively about the costly drain their legacy Security Information and Event Management (SIEM) investments impose on their resources. Those investments are reasonable for compliance use cases, but they struggle to deliver actionable and cost-effective threat detection.

Even a focused data set can still arrive with the velocity, variety and volume of data at scale, which means achieving this objective requires understanding how to make the most of both machine and human capabilities.

Operationalizing this intelligence against all but the least sophisticated adversaries will almost certainly require some level of machine intelligence to tame the deluge of activity into something manageable by a human security staff. Fortunately, SOCs now have access to machine intelligence. The organizations with the best outcomes here understand how to deploy machines to do what machines do best—namely sift through large amounts of data—while reserving humans to do what humans do best, which often involves intuition, reasoning, contextualization and judgment.

Confidence in the journey ahead

In the end, organizations want the confidence that their goals are achievable within acceptable boundaries, given the perceived benefits. Visibility unlocks this confidence because it lets an organization’s security program move forward knowing that risks are effectively managed: they’re known, measurable quantities that an organization can monitor and detect, then target for action.

As organizations move toward realizing the transformative effects of the cloud, they’ll do well to modernize their security philosophies and portfolios by prioritizing visibility as a strategic pillar for that journey. By updating our mindset and the actions we take to protect this new territory, we’ll no longer have to simply accept the risks—we can regain clarity for the road ahead.

Tim Wade, technical director, office of the CTO, Vectra AI
