Posture management tools have drastically improved the way security teams can secure workloads in the cloud.
Cloud security posture management (CSPM) vendors put guardrails in place that help ensure an organization's resources are deployed and configured in a compliant manner. Historically, compliance has been the primary driver of the first wave of security priorities in a new environment, so cloud infrastructure security has largely been looked at through the lens of posture: detecting drift as resources become misconfigured. That is helpful, but these "point in time" checks have not adapted well to the tactics, techniques, and procedures (TTPs) of modern threat actors.
Think about protecting the cloud like protecting a home with an alarm system. The system is designed to cover the primary entry paths into the home: it warns the homeowner if a door is unlocked, if the garage door has been raised, or if a window has been opened. In many cases that is enough to deter a burglar from trying to break in, and if someone does force their way inside, an alarm goes off and police are automatically called.
But what if the burglar has a key to the front door? They walk up to the porch, put the key in the lock, open the door and come right in, and the system greets them with the same welcoming chime it gives the homeowner. The alarm not only lets the burglar into the house, it most likely has no record of which rooms they went into, what they stole or what they broke.
CSPMs offer similar guarantees for cloud environments. They will ensure the organization does not expose S3 buckets to the public and that corporate resources are not misconfigured. But an attacker holding valid credentials is not a misconfiguration, and these point in time snapshots of the environment are not enough to detect, let alone prevent, someone who signs in with a legitimate key. Run-time visibility and detection in the cloud continue to evade most security teams, and the tools and tricks that worked in the on-prem world are not as effective in the cloud.
So, what’s changed? Why isn’t posture enough?
CrowdStrike's recent threat hunting report cited that 80% of breaches use compromised identities, and that it observed a 160% increase in attempts to gather secret keys and other credential material, along with a similar increase in access broker advertisements in dark web communities. Attackers harvest credentials and then move laterally through an environment, where they often go undetected for weeks or months. They also have a plethora of underground markets at their disposal where credentials can simply be purchased. The rise in both credential harvesting and credential selling reflects the growing demand among threat actors for keys that let them walk in the front door of a target's network.
How attackers move across authentication boundaries
When moving laterally, threat actors often navigate across authentication boundaries with ease as they move from Okta to AWS, to GitHub and Slack. Unfortunately, these boundaries are a significant blind spot for the tools security teams use to protect each individual layer of the environment, because each tool sees only its own layer. If an attacker moves from Okta, to AWS, to GitHub and then to Slack, reconstructing the intrusion means pulling log data from each of those services and piecing together how the attacker gained access and what they did while they were inside.
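One way to close that blind spot is to normalize each service's log into a common event shape, map per-service account names back to one identity, and then ask whether downstream activity lines up with that identity's IdP sign-ins. The Python below is an added example, not code from this article or from Permiso: the four record shapes are simplified approximations of the Okta System Log, AWS CloudTrail, GitHub audit log and Slack audit log formats (treat the field names as assumptions), IDENTITY_MAP is an assumed account-to-identity mapping, and every event is constructed.

```python
"""Stitching one identity's trail across Okta, AWS CloudTrail, GitHub and Slack.

Added example; not code from the original article or from Permiso. Records are
constructed and each record shape is a simplified approximation of the real
log format, so the field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    actor: str
    ip: str
    action: str


def _iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _epoch(secs):
    return datetime.fromtimestamp(secs, tz=timezone.utc)


# One normalizer per service; each reads only the fields we correlate on.
def norm_okta(r):
    return Event(_iso(r["published"]), "okta", r["actor"]["alternateId"].lower(),
                 r["client"]["ipAddress"], r["eventType"])

def norm_cloudtrail(r):
    who = r["userIdentity"].get("userName") or r["userIdentity"].get("arn")
    return Event(_iso(r["eventTime"]), "aws", who.lower(), r["sourceIPAddress"],
                 f'{r["eventSource"]}:{r["eventName"]}')

def norm_github(r):
    return Event(_epoch(r["@timestamp"] / 1000), "github", r["actor"].lower(),
                 r["actor_ip"], r["action"])

def norm_slack(r):
    return Event(_epoch(r["date_create"]), "slack", r["actor"]["user"]["email"].lower(),
                 r["context"]["ip_address"], r["action"])

PARSERS = {"okta": norm_okta, "aws": norm_cloudtrail, "github": norm_github, "slack": norm_slack}

# Assumed mapping from per-service account names to one canonical identity.
# In practice this comes from the IdP or HR system; here it is constructed.
IDENTITY_MAP = {("aws", "alice"): "alice@example.com",
                ("github", "alice-dev"): "alice@example.com"}

def canonical(ev):
    return IDENTITY_MAP.get((ev.source, ev.actor), ev.actor)


def stitch(records):
    """Normalize mixed (service, record) pairs and group them in time order by
    canonical identity, so one person's path across services is visible."""
    events = sorted((PARSERS[src](rec) for src, rec in records), key=lambda e: e.ts)
    chains = defaultdict(list)
    for ev in events:
        chains[canonical(ev)].append(ev)
    return dict(chains)


def find_key_misuse(chains, window=timedelta(hours=2)):
    """Flag downstream activity that does not line up with the identity's Okta
    sign-ins: no session started within `window` (a long-lived key used with
    no SSO at all), or a session that came from a different IP."""
    findings = []
    for ident, evs in chains.items():
        logins = [e for e in evs if e.source == "okta" and e.action == "user.session.start"]
        for e in evs:
            if e.source == "okta":
                continue
            recent = [lg for lg in logins if timedelta(0) <= e.ts - lg.ts <= window]
            if not recent:
                findings.append((ident, e.source, e.action, e.ip, "no_sso_session"))
            elif all(lg.ip != e.ip for lg in recent):
                findings.append((ident, e.source, e.action, e.ip, "ip_mismatch"))
    return findings


# Constructed sample: Alice signs in to Okta from the office and creates an AWS
# access key; that key is then used from another address to list S3, pull a
# repo archive and log in to Slack, and hours later to read a secret.
RECORDS = [
    ("okta", {"published": "2024-03-01T09:00:00.000Z", "eventType": "user.session.start",
              "actor": {"alternateId": "Alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}}),
    ("aws", {"eventTime": "2024-03-01T09:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
             "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"}}),
    ("aws", {"eventTime": "2024-03-01T09:40:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
             "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}}),
    ("github", {"@timestamp": 1709286300000, "action": "repo.download_zip",
                "actor": "alice-dev", "actor_ip": "198.51.100.7"}),
    ("slack", {"date_create": 1709286600, "action": "user_login",
               "actor": {"user": {"email": "alice@example.com"}}, "context": {"ip_address": "198.51.100.7"}}),
    ("aws", {"eventTime": "2024-03-01T12:30:00Z", "eventSource": "secretsmanager.amazonaws.com",
             "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}}),
]

if __name__ == "__main__":
    chains = stitch(RECORDS)
    for ident, evs in chains.items():
        print(ident)
        for e in evs:
            print(f"  {e.ts:%H:%M} {e.source:6} {e.ip:14} {e.action}")
    for f in find_key_misuse(chains):
        print("FINDING", f)
```

Run stand-alone, it prints Alice's full six-event chain and four findings: three for the address the key was used from within the session window that does not match her Okta sign-in, and one for the secret read hours later with no SSO session at all. The identity mapping is the hard part in practice; without a reliable link between the AWS user name, the GitHub login and the IdP principal, the chain breaks at every boundary, which is exactly the blind spot described above.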
Going back to the home security system analogy, imagine if the security camera in a home only covers one room of the house — the living room. If the house gets broken into, we can go back and watch the surveillance video to see that the burglar entered the living room, grabbed the television, then headed out of the room. But we don’t know what they did before they got to the living room, or what they did after – we only have a small piece of the criminal’s activity in the home that doesn’t tell the whole story of how the crime was orchestrated.
Three ways to lock down security
There are a few steps organizations can take today to better secure their environment and detect suspicious or malicious activity within it:
- Keep a continuous and comprehensive inventory of identities and categorize the risk of each based on its blast radius.
- Monitor privileges used versus privileges granted for all identities (human, machine and vendor) to get a clear delineation between which identities are overprivileged and which are compliant with least privilege.
- Baseline the activity for identities in the environment. Once the team understands normal behavior, it becomes easier to detect abnormalities when user behavior deviates from that baseline.
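Taken together, the three steps amount to a small identity-analytics pipeline. The Python below is an added example of that pipeline, not the article's or Permiso's own tooling: the inventory, grants and events are constructed, blast radius is scored with assumed per-action weights, and the baseline is simply the set of actions and source addresses seen per identity over a training window.

```python
"""Identity inventory, used-vs-granted privileges, and a behavioural baseline.

Added example covering the three steps above; not the article's or Permiso's
code. Identities, grants, events and risk weights are constructed for
illustration, and the weights in particular are an assumption."""
from collections import defaultdict

# Constructed inventory: identity kind and granted IAM-style actions.
IDENTITIES = {
    "alice": {"kind": "human", "granted": {"s3:GetObject", "s3:ListBucket"}},
    "ci-deploy": {"kind": "machine",
                  "granted": {"iam:CreateAccessKey", "iam:PassRole", "ec2:RunInstances", "s3:GetObject"}},
    "vendor-audit": {"kind": "vendor", "granted": {"s3:*", "iam:*"}},
}

# Assumed blast-radius weights: actions that mint credentials, escalate or run
# code count far more than reads. Unknown actions default to 1.
RISK_WEIGHTS = {"iam:*": 50, "s3:*": 20, "iam:CreateAccessKey": 20, "iam:PassRole": 15,
                "ec2:RunInstances": 10, "s3:GetObject": 2, "s3:ListBucket": 1}


def blast_radius(granted):
    return sum(RISK_WEIGHTS.get(a, 1) for a in granted)


def inventory(identities):
    """Step 1: every identity ranked by what it could do if its key leaked."""
    return sorted(((n, blast_radius(i["granted"])) for n, i in identities.items()),
                  key=lambda x: -x[1])


def grant_matches(grant, action):
    """Wildcard-aware comparison, e.g. 's3:*' covers 's3:GetObject'."""
    return action.startswith(grant[:-1]) if grant.endswith("*") else grant == action


def used_vs_granted(identities, events):
    """Step 2: which grants were never exercised, and which are wildcards."""
    used = defaultdict(set)
    for e in events:
        used[e["identity"]].add(e["action"])
    report = {}
    for name, info in identities.items():
        unused = {g for g in info["granted"] if not any(grant_matches(g, a) for a in used[name])}
        wildcards = {g for g in info["granted"] if g.endswith("*")}
        report[name] = {"used": used[name], "unused": unused, "wildcards": wildcards,
                        "overprivileged": bool(unused or wildcards)}
    return report


def baseline(events, days):
    """Step 3a: per-identity profile of actions and source IPs seen in `days`."""
    profile = defaultdict(lambda: {"actions": set(), "ips": set()})
    for e in events:
        if e["day"] in days:
            profile[e["identity"]]["actions"].add(e["action"])
            profile[e["identity"]]["ips"].add(e["ip"])
    return dict(profile)


def deviations(events, profile, days):
    """Step 3b: activity in `days` that the baseline never saw."""
    out = []
    for e in events:
        if e["day"] not in days:
            continue
        p = profile.get(e["identity"])
        reasons = []
        if p is None:
            reasons.append("no_baseline")
        else:
            if e["action"] not in p["actions"]:
                reasons.append("new_action")
            if e["ip"] not in p["ips"]:
                reasons.append("new_ip")
        if reasons:
            out.append((e["identity"], e["day"], e["action"], e["ip"], tuple(reasons)))
    return out


# Constructed event stream: two weeks of routine activity, then day 15.
EVENTS = (
    [{"identity": "alice", "action": "s3:GetObject", "ip": "203.0.113.10", "day": d} for d in range(1, 15)]
    + [{"identity": "ci-deploy", "action": a, "ip": "192.0.2.5", "day": d}
       for d in range(1, 15) for a in ("ec2:RunInstances", "s3:GetObject")]
    + [{"identity": "alice", "action": "s3:GetObject", "ip": "203.0.113.10", "day": 15},
       {"identity": "ci-deploy", "action": "iam:CreateAccessKey", "ip": "198.51.100.7", "day": 15},
       {"identity": "vendor-audit", "action": "s3:ListBucket", "ip": "198.51.100.7", "day": 15}]
)
BASELINE_DAYS, OBSERVE_DAYS = set(range(1, 15)), {15}

if __name__ == "__main__":
    print("blast radius:", inventory(IDENTITIES))
    for name, r in used_vs_granted(IDENTITIES, EVENTS).items():
        print(name, "unused:", r["unused"], "wildcards:", r["wildcards"])
    for d in deviations(EVENTS, baseline(EVENTS, BASELINE_DAYS), OBSERVE_DAYS):
        print("DEVIATION", d)
```

Stand-alone, it reports vendor-audit as the largest blast radius (two wildcard grants, one never used), ci-deploy as holding an iam:PassRole it never exercises, and two day-15 deviations: the CI identity minting an access key from a new address, and the vendor identity acting with no baseline at all. A real deployment would derive action weights from the provider's own policy data and widen the baseline to hour-of-day and volume, but the shape of the three checks is the same.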
By focusing on continuous monitoring of identities, organizations can achieve the visibility they’ll need to better secure their networks. Think of CSPM as a good first step, but organizations need a much more comprehensive approach to stay secure.
Paul Nguyen, co-founder, co-CEO, Permiso