Why Insider Threats Are So Difficult to Detect in the Cloud - Ermetic
Just as in on-premises environments, insider threats in the cloud pose significant risks to your organization. Because insiders can move relatively unfettered within a cloud environment, credential theft by cyber-criminals and privilege misuse by insiders are among the leading organizational security weaknesses. It’s no wonder that “lateral movement” and “zero trust” have become such buzzwords.
In cloud environments, if an attacker compromises an identity through phishing or social engineering, or an insider abuses their privileges, they can compromise workloads and move between workloads using well-known lateral movement techniques. So, while cloud environments provide operational flexibility, agility, and the ability to scale operations, they also pose some unique challenges for detecting lateral movement…
The Cyber Hut Comment: This was a vendor article on the Solution Review site that brought up an interesting perfect storm of potential threats: the insider and cloud infrastructure. Each in its own right can become a large issue from a risk management perspective, but combined, we clearly either find a greater number of issues or an entirely new strain of problem.
The article brings up the main issues organisations need to face up to when leveraging cloud systems, namely visibility. Are you able to discover assets, observe behaviour and centrally see permissions and identities? A second area of concern is forensics, i.e. the ability to retrospectively investigate via logs and other event collection systems. Can they be centralised? Can they be correlated and analysed if located in distributed, cloud-based infrastructure? Thirdly, can threat hunting be handled in an agile and rapid manner?
Essentially, Ermetic argue that three new capabilities are needed: the ability to detect threats, the ability to provide context during investigation, and the ability to accelerate remediation by removing access in real time.
It seems that the more tools and infrastructure a large enterprise has, the harder it becomes, firstly, to find vulnerabilities and threat entry points and, secondly, to do anything about them. The distributed cloud ecosystem seems like it is here to stay, so new methods look like they are needed to help manage identities, permissions and event monitoring data sets.