Controlling the Risks of Cloud-Enabled End-Point Security Products
Cloud Connectivity for End-point Security Products
A relatively new feature in Antivirus products has led to an evolution of most traditional Antivirus products: Cloud connectivity.
Many vendors such as CrowdStrike, Symantec, and Palo Alto use their cloud platforms to enable end-point security agents, servers, and devices to obtain real-time threat intelligence data. This connectivity allows its users to make an informed decision on suspicious file or network activity and if possible, to automatically contain a compromised system in its earliest stages.
Learn Cloud Security
Without the benefits of a distributed cloud platform, such a service was previously hard to maintain for vendors. Before cloud connectivity, threat intelligence lists would need to be downloaded by every customer individually, and the delay between scheduled updates would mean the data in production was always at least slightly behind the data the vendor had made available.
Real-time Cloud-based Analysis
Imagine a suspicious, outgoing network connection over Telnet to an IP address in a country, which cannot be explained by normal business operations. A Next Generation firewall or a host-based IDS agent could quickly look up the IP or domain in a cloud-based database for any background information. If the vendor has marked the IP as suspicious or even malicious, the connection can be dropped straight away.
The next step in cloud-based threat intelligence is to share sanitized findings of suspicious activity with the vendor, to the benefit of other customers using the same platform.
The latest trend in this area is the addition of Sandboxing. No longer are only certain artifacts such as IP addresses and domains sent to the cloud for analysis, now entire suspicious files can be uploaded. When such a sample file is uploaded, it can be detonated inside the vendor's isolated cloud platform, or if needed, it can be manually analyzed by a team of malware specialists. This means an informed decision can be made whether the file is malicious or benign based on its behavior, not just on its file characteristics. Although this service has incredible potential, care needs to be taken, because it opens the users of such a cloud-based analysis platform, to some interesting new security risks.
Risks around Security vendors
Anyone following Information Security News would have picked up on the Kaspersky vs. US Government case. Put simply, the US government, like many other governments around the world are claiming Kaspersky's ties to the Russian government are a risk to the security of its customers. Without going into the politics of this specific case, such a risk could technically exist, because of the significant access anti-virus products have to the systems they are monitoring. To be effective at detection and removal of deeply nested malware, the security agents have rootkit access, which gives the product full access to any file on the system including the file system itself. They also operate by utilizing regularly updated, vendor controlled proprietary (usually closed) signatures to trigger on specific artifacts of these files. It is easy for a vendor to create a signature that would, for instance, scan a file for certain (confidential) keywords such as the term "SECRET." Recently, cloud features have increased the risk of data exfiltration. Depending on the configuration of the security product, it is often possible to upload matching files to an online environment, controlled by the vendor and their often-unknown partners. This is meant to be for analysis purposes, but who controls the access to the uploaded files and in which jurisdiction do they fall?
Although the above is a hypothetical risk until proven, it is a real risk to consider while deciding on which Antivirus vendor to select and which features on their products to enable. Any organization should always try to control their data flow, especially when it concerns private or confidential data.
Risks around 3rd parties
Some applications use 3rd party Sandboxing or Threat Intelligence lookup tools such as VirusTotal. VirusTotal, these days owned by Google, is basically an enormous database of analyzed malware, often also containing the sample files itself, offered as a downloadable zip file. Although the sheer size of the gathered data has no real competition and remains a treasure-trove of malware information, some risks are commonly known.
A well-documented risk is that actual Malware Authors monitor these analysis platforms to see the effectiveness of their malware, to see which affected targets uploaded it for analysis and to assess the need to modify their malware files and infrastructure.
Another risk, greatly enlarged due to recent progress in automation is that very targeted or simply benign files can contain confidential company data, such as infrastructure information or even login credentials. Manually or automatically uploading these files to a public forum and sharing them with the many VirusTotal partners and basically with the entire public internet, could create a significant risk.
In 2017 Brian Krebs reported on a security breach by Carbon Black. Their security agent would, if the feature was enabled, submit files to VirusTotal automatically which in this situation uploaded benign files containing for instance passwords, for analysis. VirusTotal, in turn, shared the findings and the files itself on their publicly accessible platform for anyone to download. Carbon Black stated that the upload function was not enabled by default. If this is correct, some of the blame falls on the affected companies as well.
Many companies have a policy not to manually upload any files to online services, some even with the threat of instant dismissal. Of course, this policy should also cover automated anti-virus products and the team responsible for their configuration. Automation does allow for thorough large-scale analysis, but it also creates large-scale incidents when anything goes wrong.
When deploying, updating and auditing antivirus products, it is critical to check any cloud functionality and to make sure the enabled features fall within the broader company security policy. If there are any concerns, it is trivial to ensure compliance by creating firewall or proxy rules that block access to certain destinations such as virus total or the vendor's upload servers.
Learn Cloud Security
Conclusion
Cloud features significantly enhance the capability of the entire range of IT security products. Cybersecurity is such a dynamic, and fast-changing environment and malware changes shaped so often that real-time intelligence is needed. It is essential however to control the associated risks, so these great new security features do not create a data breach themselves.
In this Series
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security