Controlling the Risks of Cloud-Enabled End-Point Security Products
Cloud Connectivity for End-point Security Products
A relatively new feature in Antivirus products has led to an evolution of most traditional Antivirus products: Cloud connectivity.
Many vendors such as CrowdStrike, Symantec, and Palo Alto use their cloud platforms to enable end-point security agents, servers, and devices to obtain real-time threat intelligence data. This connectivity allows its users to make an informed decision on suspicious file or network activity and if possible, to automatically contain a compromised system in its earliest stages.
Without the benefits of a distributed cloud platform, such a service was previously hard to maintain for vendors. Before cloud connectivity, threat intelligence lists would need to be downloaded by every customer individually, and the delay between scheduled updates would mean the data in production was always at least slightly behind the data the vendor had made available.
Real-time Cloud-based Analysis
Imagine a suspicious, outgoing network connection over Telnet to an IP address in a country, which cannot be explained by normal business operations. A Next Generation firewall or a host-based IDS agent could quickly look up the IP or domain in a cloud-based database for any background information. If the vendor has marked the IP as suspicious or even malicious, the connection can be dropped straight away.
The next step in cloud-based threat intelligence is to share sanitized findings of suspicious activity with the vendor, to the benefit of other customers using the same platform.
The latest trend in this area is the addition of Sandboxing. No longer are only certain artifacts such as IP addresses and domains sent to the cloud for analysis, now entire suspicious files can be uploaded. When such a sample file is uploaded, it can be detonated inside the vendor’s isolated cloud platform, or if needed, it can be manually analyzed by a team of malware specialists. This means an informed decision can be made whether the file is malicious or benign based on its behavior, not just on its file characteristics. Although this service has incredible potential, care needs to be taken, because it opens the users of such a cloud-based analysis platform, to some interesting new security risks.
Risks around Security vendors
Anyone following Information Security News would have picked up on the Kaspersky vs. US Government case. Put simply, the US government, like many other governments around the world are claiming Kaspersky’s ties to the Russian government are a risk to the security of its customers. Without going into the politics of this specific case, such a risk could technically exist, because of the significant access anti-virus products have to the systems they are monitoring. To be effective at detection and removal of deeply nested malware, the security agents have rootkit access, which gives the product full access to any file on the system including the file system itself. They also operate by utilizing regularly updated, vendor controlled proprietary (usually closed) signatures to trigger on specific artifacts of these files. It is easy for a vendor to create a signature that would, for instance, scan a file for certain (confidential) keywords such as the term “SECRET.” Recently, cloud features have increased the risk of data exfiltration. Depending on the configuration of the security product, it is often possible to upload matching files to an online environment, controlled by the vendor and their often-unknown partners. This is meant to be for analysis purposes, but who controls the access to the uploaded files and in which jurisdiction do they fall?
Although the above is a hypothetical risk until proven, it is a real risk to consider while deciding on which Antivirus vendor to select and which features on their products to enable. Any organization should always try to control their data flow, especially when it concerns private or confidential data.
Risks around 3rd parties
Some applications use 3rd party Sandboxing or Threat Intelligence lookup tools such as VirusTotal. VirusTotal, these days owned by Google, is basically an enormous database of analyzed malware, often also containing the sample files itself, offered as a downloadable zip file. Although the sheer size of the gathered data has no real competition and remains a treasure-trove of malware information, some risks are commonly known.
A well-documented risk is that actual Malware Authors monitor these analysis platforms to see the effectiveness of their malware, to see which affected targets uploaded it for analysis and to assess the need to modify their malware files and infrastructure.
Another risk, greatly enlarged due to recent progress in automation is that very targeted or simply benign files can contain confidential company data, such as infrastructure information or even login credentials. Manually or automatically uploading these files to a public forum and sharing them with the many VirusTotal partners and basically with the entire public internet, could create a significant risk.
In 2017 Brian Krebs reported on a security breach by Carbon Black. Their security agent would, if the feature was enabled, submit files to VirusTotal automatically which in this situation uploaded benign files containing for instance passwords, for analysis. VirusTotal, in turn, shared the findings and the files itself on their publicly accessible platform for anyone to download. Carbon Black stated that the upload function was not enabled by default. If this is correct, some of the blame falls on the affected companies as well.
Many companies have a policy not to manually upload any files to online services, some even with the threat of instant dismissal. Of course, this policy should also cover automated anti-virus products and the team responsible for their configuration. Automation does allow for thorough large-scale analysis, but it also creates large-scale incidents when anything goes wrong.
When deploying, updating and auditing antivirus products, it is critical to check any cloud functionality and to make sure the enabled features fall within the broader company security policy. If there are any concerns, it is trivial to ensure compliance by creating firewall or proxy rules that block access to certain destinations such as virus total or the vendor’s upload servers.
Cloud features significantly enhance the capability of the entire range of IT security products. Cybersecurity is such a dynamic, and fast-changing environment and malware changes shaped so often that real-time intelligence is needed. It is essential however to control the associated risks, so these great new security features do not create a data breach themselves.