Getting Visibility of High-Risk Activity Across Your Cloud Applications
What does the new normal look like for you?
I’m guessing that as #WFH started trending your focus was simply to keep the lights on: rapidly provisioning employees with laptops and VPN connections, granting access to cloud applications to facilitate communication and collaboration, and, like many of your peers, letting security take a backseat.
By now your employees are accustomed to working remotely, using cloud applications like Microsoft Teams, Zoom or Google Meet to collaborate with their colleagues, customers and partners, no matter their location. It’s unlikely that access to these applications will be rolled back once restrictions are eased and employees start returning to the office. In fact, enterprise organizations are already reviewing what their workspaces will look like in the medium to long term.
“There is no doubt our working lives will be changed forever as a result of this virus. I think it was happening gradually and naturally anyway.” – Alexis George, Deputy CEO, ANZ Bank
There’s no question that software-as-a-service (SaaS), or more commonly cloud applications, help organizations move faster with infinite scalability and lower cost. But at the same time, cloud applications present additional risk that needs to be monitored.
This post discusses the deployment of cloud applications to support remote workers and the importance of collecting log data from those applications and feeding it into your UEBA for real-time analysis and investigation.
Start with the basics
According to Verizon’s “Data Breach Investigations Report”, 70% of employees reuse their password across applications. To emphasize that point, a Dropbox employee’s password reuse led to the theft of 60M+ user credentials. With that sobering thought in mind, ideally you already have an access management solution with single sign-on (SSO) in place for secure cloud application management.
Access management solutions like Okta are a good first step; at the very least your employees can securely use their corporate credentials to access all the applications they need via a single pane of glass. We use Okta here at Exabeam, and the efficiencies from having central access to our project management applications and applications for expenses, travel (ok so I’m not using that during lockdown), Salesforce, LinkedIn Learning, Zoom and more are immensely beneficial.
But do you have visibility of employee activity across all your cloud applications and are you confident in your ability to detect threats across those applications?
Those are the key challenges organizations face when leveraging cloud applications.
- The ability to get visibility of employee activity within cloud applications: being able to retrieve a user’s access, permission changes, security changes and file management activity, and ingest that into your central log or event management system.
- The ability to detect threats: being able to detect threats such as data exfiltration and compromised accounts from both insiders and external attackers, and to detect security changes that are unapproved, risky, made by people who are not authorized to make them, or in violation of organization policy.
Let’s look at a scenario to put these into perspective.
Is it normal? Is it a rogue insider? Has an identity been compromised?
Your organization is leveraging Zoom to meet your video conferencing requirements. A member of the IT team has been granted admin privileges to support the wider employee needs; as an administrator they can control when a meeting is recorded, and they can also disable the announcement that plays before an ad hoc recording is started. Now perhaps you have a rogue admin who likes to eavesdrop on meetings, or it could be an attacker moving laterally on your network who has covertly compromised the administrator’s credentials. Either could conceivably identify a meeting of importance (think M&A meetings, board meetings, HR/exec meetings), activate a recording, and later access those recordings at a time convenient to them.
Of course, there are more common threat vectors; an employee downloading customer lists from Salesforce and attempting to upload them to their personal cloud drive is one example.
Whether certain actions represent a threat or not is unknown until you have context. Context comes by analyzing the logs from your cloud applications in your UEBA. It’s here that you can begin to build an understanding of what is risky behavior for a user and what is deemed normal.
Exabeam Cloud Connectors enable your team to monitor events across different cloud services and apps, including Azure, AWS, Salesforce, Office 365, Zoom and more, and send them to your SIEM or UEBA in an actionable format.
How it works
Using the cloud service APIs, Exabeam Cloud Connectors retrieve events from each cloud service’s event sources as log files and send the events to your SIEM using Syslog. No network security changes are needed, and Cloud Connectors can be deployed on any VM, whether in the cloud or on-premises.
With Cloud Connectors, each of your cloud applications has a dedicated connector that accesses that application’s proprietary interfaces to get you visibility of important activities, potential threats and risks; visibility that is only possible when combined with the correlation and event context your SIEM and UEBA provide.
Exabeam Cloud Connectors eliminate the need for you or your team to develop and maintain ad hoc cloud service connectors, and when coupled with Exabeam Advanced Analytics your team can automatically detect risky behaviors by employees and eliminate those threats before they cause harm to your business.
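To make the rogue-admin scenario above and the Syslog forwarding described under “How it works” concrete, here is an added example that is not Exabeam’s or Zoom’s code: it walks constructed audit events in a hypothetical JSON format (not Zoom’s real event schema), flags the first time a user performs a sensitive admin action (a stand-in for the behavioural baseline a UEBA builds), and renders each event as an RFC 5424 syslog line for a SIEM. The hostname, field names and the UDP listener address are assumptions.

```python
import json
import socket
from collections import defaultdict

# Constructed sample audit events in a hypothetical JSON format (assumption:
# not Zoom's real schema). The last two mirror the rogue-admin scenario.
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00Z", "app": "zoom", "user": "it.admin@example.com",
     "action": "user.role_changed", "target": "new.hire@example.com"},
    {"ts": "2020-06-01T09:05:00Z", "app": "zoom", "user": "it.admin@example.com",
     "action": "user.role_changed", "target": "second.hire@example.com"},
    {"ts": "2020-06-01T22:41:00Z", "app": "zoom", "user": "it.admin@example.com",
     "action": "setting.recording_announcement_disabled", "target": "meeting/board-weekly"},
    {"ts": "2020-06-01T22:42:00Z", "app": "zoom", "user": "it.admin@example.com",
     "action": "meeting.recording_started", "target": "meeting/board-weekly"},
]

# Admin actions an analyst should review the first time a given user performs them.
SENSITIVE_ACTIONS = {"setting.recording_announcement_disabled", "meeting.recording_started"}


def to_syslog(event, hostname="cloud-connector"):
    """Render one event as an RFC 5424 line; the JSON payload is the MSG part."""
    pri = 1 * 8 + 6  # facility user (1), severity informational (6) -> <14>
    return (f"<{pri}>1 {event['ts']} {hostname} {event['app']} - - - "
            f"{json.dumps(event, sort_keys=True)}")


def first_seen_sensitive(events):
    """Walk events in time order and flag sensitive actions a user has never done before.
    Routine, repeated actions (the role changes) never trigger an alert."""
    seen = defaultdict(set)  # user -> actions observed so far (the "normal" baseline)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in SENSITIVE_ACTIONS and ev["action"] not in seen[ev["user"]]:
            alerts.append({"user": ev["user"], "action": ev["action"],
                           "target": ev["target"], "ts": ev["ts"]})
        seen[ev["user"]].add(ev["action"])
    return alerts


def forward(events, host="127.0.0.1", port=514):
    """Send events to a SIEM syslog listener over UDP (assumed address); returns bytes sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for ev in events:
            sent += sock.sendto(to_syslog(ev).encode(), (host, port))
    return sent
```

Running `first_seen_sensitive(SAMPLE_EVENTS)` returns two alerts for the late-evening announcement-disable and recording-start, while the two routine role changes pass silently.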
Depending on your current cloud application security posture, I’d recommend one or all of the following as your next steps:
- Map the applications you are using
- Understand the risk those applications represent
- Leverage an access management and SSO solution
- Collect the logs from each of your critical applications
- Ingest that data into your UEBA or SIEM to detect anomalous behavior
For reference, these are the cloud applications supported by Exabeam as of June 2020.
- CB (Carbon Black) Defense
- Cisco AMP for Endpoints
- Google Cloud Platform
- Microsoft Office 365
- Palo Alto Aperture
- SkyFormation Custom Connector
- Slack Enterprise Grid
- Symantec Web Security Service (WSS)
- Symantec Email Security.cloud
- Symantec Endpoint Protection (SEP) Mobile