Protecting the Dynamic Workforce: A New Approach to Cloud and SaaS Defense
2020 demonstrated that everything can change in an instant, but few areas have had to pivot as much as cyber security. As remote workforces have dispersed across the globe, organizations have rushed to implement long-term digital transformation projects, ripping up the rulebooks of standard cyber security practices.
Over the next year, security teams will have to adapt to further changes. Initial measures which bridged the abrupt move from office to home working are now being revised, with priorities shifting from operational continuity to protecting the dynamic workforce. The surge in the use of cloud and SaaS applications globally – whether as part of a longer-term project executed over time or forced overnight by the global pandemic – is a key area for security teams to reconsider. While these platforms have fueled efficiency and collaboration over the past year, empowering organizations to push the upper limits of innovation, they have widened the attack surface and come at the cost of a coherent and tractable security strategy.
One of the greatest areas of concern is the fact that employees have started storing sensitive files in locations and services organizations had not been aware of as recently as a few months ago, with poor visibility of employee activity meaning that account takeovers, data exfiltration, and misconfiguration errors in cloud and SaaS platforms often go unnoticed. Only 22% of organizations feel they have adequate visibility in the cloud, with a third failing to monitor abnormal behavior across these systems. The result? Threats are slipping through, with major business compromises occurring.
Why Traditional Security Tools Are No Longer Enough
Remote working has left security teams overwhelmed and overstretched. Workforces are now dispersed across a wide range of systems and services, with the agility and speed of cloud and SaaS applications, their breadth of coverage, and security teams’ unfamiliarity with these platforms making them difficult to protect.
While it has long been the case that yesterday’s attacks cannot predict tomorrow’s threats, the inability of a rules and signature-based approach to detect novel and sophisticated attacks in cloud and SaaS environments has become more apparent over the past year. Struggling security teams are faced with limited options for defense: use the native security controls provided in each platform – and risk a lack of security maturity – or go with a third-party security solution, often in the form of Cloud Access Security Brokers (CASBs). In the case of the former, these tools have been proven to be static, siloed, and incompatible, while CASBs fall short in terms of detecting new threats.
Securing cloud and SaaS platforms needs to be organizations’ top priority in 2021. Although often side-lined in favor of protections against ransomware and spear-phishing campaigns, cloud and SaaS attacks can have devastating consequences. As the Capital One data breach attests, their stealthy nature frequently allows them to go undetected for longer – leading to increasingly widespread and lasting damage, with teams only noticing the threat when it is too late.
Autonomously Detecting and Responding to Cyber-Threats
To deal with cloud and SaaS attacks, organizations need a fundamental shift in thinking, looking to an enterprise-wide approach to cyber defense. Today, thousands of cyber security professionals have turned to Cyber AI. Analogous to the human immune system, Cyber AI learns on the job to understand what ‘normal’ looks like for all users, devices, and cloud containers as they interact with IT systems and consume data. Leveraging unsupervised machine learning, the AI’s unique understanding of ‘self’ across the dynamic workforce enables the technology to autonomously identify and respond to the full range threats when they inevitably arise – from malicious insiders to misconfiguration errors.
Already, Cyber AI is fundamental to detecting the most sophisticated and novel attacks at machine-speed. In a recent example, Cyber AI identified a business email compromise after an attacker infiltrated an employee’s Microsoft 365 account. Their aim? Accessing sensitive financial documents hosted in SharePoint. While the indicators of threat were subtle, such as an unusual IP address, login time, and files accessed, Cyber AI’s nuanced and evolving understanding of ‘normal’ across the entire digital organization meant the AI was able to correlate these behaviors and identify them as malicious. The incident was immediately flagged to the company’s security team before the damage was done. Had Autonomous Response technology been activated in this organization, the threat would have been contained at the first stage of account compromise.
A New Era of Cloud and SaaS Defense
Ultimately, traditional detection approaches with hard and fast rules are not enough to ensure that cloud and SaaS applications remain secure. A more intricate and effective approach to cloud and SaaS security requires an understanding of the dynamic individual behind the account. These applications are fundamentally platforms for humans to communicate – allowing them to exchange and store ideas and information.
Abnormal, threatening behavior is therefore impossible to detect without a nuanced understanding of those unique individuals: where and when do they typically access their Microsoft 365 account, which files are they like to access in Dropbox, who do they typically connect with in Google Hangouts? As the attack outlined above serves to demonstrate, these are questions for Cyber AI to contend with – understanding the user across the entire digital business.
With attackers increasingly looking to capitalize on weaknesses in cloud and SaaS platforms, organizations need to turn to Cyber AI. In this new climate, artificial intelligence is no longer a ‘nice to have’, but a necessity for fighting back against the latest attacker innovations – and autonomously containing the threat.
For more on Cyber AI in action, read this blog on how a Mimecast miss led to wide scale email compromise.
24 March 2023