sb-as logo
Story image

Why accelerated cloud adoption exposes organisations to security risk

11 Dec 2020

Article by Vectra AI director of security engineering for APJ, Chris Fisher.
 

As our reliance on technology grows exponentially, so does the need for robust cybersecurity to protect users and keep data and business operations safe from hackers.

But growth in cybercriminal activity has become a catch-22 – the more organisations invest in data protection technologies, the more adept cybercriminals become. They change their attack methods and behaviours to blend in with normal traffic to bypass traditional network controls, infiltrate infrastructure and steal credentials.

Because of this constant edging forward by both sides, network detection and response (NDR) is now an essential line item for every leadership team. Attacks that target software-as-a-service (SaaS) user accounts are now one of the fastest-growing and most prevalent security issues encountered today. This trend began well before COVID-19 and has accelerated as more organisations make their transformation to the cloud.

The trade-offs of working remotely

When the labour force transitioned to working from home during the first wave of lockdowns, the move to online collaboration and productivity tools was fast but largely smooth. A by-product of this shift is an increased volume of considerably more sensitive data being shared across multiple devices. In many instances, that information is now vulnerable.

This is because current security approaches can lose visibility as environments expand to the cloud, which is increasingly where users are storing multiple accounts and accessing resources from both sanctioned and unsanctioned devices. When the lines become blurred between work and personal online interaction, exposure to cyber-risks increase dramatically. 

Beefing up patchy defences

Traditionally, organisations have relied on tightly controlled on-premises servers where network security solutions were mostly able to protect data. With many more new devices accessing corporate and cloud networks, traditional solutions have become susceptible to greater risk activity and abuse of data in cloud applications.

Today’s reality is that private and trusted networks can no longer be fully protected by legacy security that focuses on using signatures and detecting anomalies alone. Industry analysts and experts agree that NDR is better suited to identifying and stopping attacks across the modern data centre infrastructure. 

The adoption of NDR has gained massive momentum by correlating attacker behaviours and the progression of threats between cloud, hybrid and on-premise networks.

We know that cybercriminals are exploiting a larger attack surface and getting more advanced. As a result, merely fortifying network perimeter security no longer works, especially when it comes stopping astute attackers and speeding up detection. In fact, the notion of a network perimeter no longer exists because users can connect from anywhere.

For many organisations, security technology focuses on user behaviours when the focus should be on attacker behaviours. This requires knowledge about what attackers can do on your platforms rather than monitoring approved users and what they’re sharing while looking out for malicious insiders.

It is time to flip the narrative and look at the more significant threat – attacker behaviours.

Take a lesson from Office 365

Observing Microsoft Office 365 users shows how easy it is for hackers to gain entry into an organisation’s network. The recent Spotlight Report on Office 365 from Vectra collected opt-in data from 4 million Office 365 users worldwide and found that 96% of customers exhibited malicious lateral movement behaviours.

This means that once a hacker gets access to an Office 365 account, the backdoor entrance to an enterprise network opens, making it vulnerable to attack. Take Microsoft Power Automate as an example. Formerly Microsoft Flow, it is designed to automate user tasks and save time. Power Automate is enabled by default in Office 365.

Unfortunately, Power Automate is a blind spot that creates hazardous security vulnerabilities in Office 365. Research from the Spotlight Report on Office 365 shows that 71% of customers exhibited suspicious Office 365 Power Automate behaviours.

Right now, you can set up a Power Automate script to automatically take all attachments in an email and store them in OneDrive. An attacker could then compromise an account, and use Power Automate to take these documents and exfiltrate them to a Dropbox account.

Attackers have been leveraging this feature to assume an account identity and pivot from Office 365 to a device or on-premises. They then can log in as a specific user within Office 365 and start damaging or exfiltrating data or move laterally to find high-value assets to steal.

Adapt network security for changing tactics

With NDR, organisations can identify what attackers are doing, where they are in their network, and quickly stop attacks before they become data breaches. 

NDR leverages AI-derived machine learning algorithms to identify early threat behaviours across hybrid, on-premise and cloud. It also automatically detects and prioritises attacks that pose the highest risk to your organisation and triggers a real-time response to mitigate threats quickly.

To protect data and reduce cyber-risk, it is vital for organisations to adopt a proactive rather than reactive approach to cybersecurity. It can result in a costly mistake to rely on legacy network perimeter security alone. Today, NDR is an essential cornerstone of cybersecurity best practices.

As we start to think more about strategic security investments in 2021, it’s time to consider where the best value and the best line of defence will come from and how organisations can better ensure they are protected. 

This is especially true as organisations rely increasingly on hybrid, on-premises and cloud platforms for a range of different devices, in what it’s expected to be a complex and critical year.