main

Cloud Security

Transforming Into a Multicloud Environment

June 26, 2019 — by Radware0

Multicloud-960x540.jpg

While C-suite executives are taking on larger roles in proactively discussing cybersecurity issues, they are also evaluating how to leverage advances in technology to improve business agility. But as network architectures get more complex, there is added pressure to secure new points of attack vulnerability.

Organizations continue to host applications and data in the public cloud, typically spread across multiple cloud providers. This multicloud approach enables enterprises to be nimbler with network operations, improve the customer experience and reduce costs.

[You may also like: Executives Are Turning Infosec into a Competitive Advantage]

Public Cloud Challenges

Every public cloud provider utilizes different hardware and software security policies, methods and mechanisms. This creates a challenge for enterprises to maintain standard policies and configurations across all infrastructures.

Furthermore, public cloud providers generally only meet basic security standards for their platform. And application security of workloads on public clouds is not included in the public cloud offering.

Even with concerns about the security of public clouds–almost three in five respondents expressed concern about vulnerabilities within their companies’ public cloud networks–organizations are moving applications and data to cloud service providers.

The Human Side of the Cloud

Sometimes the biggest threat to an organization’s digital assets are the people who are hired to protect them. Whether on purpose or through carelessness, people can compromise the permissions designed to create a security barrier.

[You may also like: Eliminating Excessive Permissions]

Of the almost three-fourths who indicated that they have experienced unauthorized access to their public cloud assets, the most common reasons were:

  • An employee neglected credentials in a development forum (41%);
  • A hacker made it through the provider’s security (37%) or the company’s security (31%); or
  • An insider left a way in (21%).

An insider?! Yes, indeed. Organizations may run into malicious insiders (legitimate users who exploit their privileges to cause harm) and/or negligent insiders (also legitimate users, such as Dev/DevOps engineers who make configuration mistakes, or other employees with access who practice low security hygiene and leave ways for hackers to get in).

[You may also like: Are Your DevOps Your Biggest Security Risks?]

To limit the human factor, senior-level executives should make sure that continuous hardening checks are applied to configurations in order to validate permissions and limit the possibility of attacks as much as possible.

The goals? To avoid public exposure of data from the cloud and reduce overly permissive access to resources by making sure that communication between entities within a cloud, as well as access to assets and APIs, are only allowed for valid reasons.

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now

Security

Cities Are Under Attack. Here’s Why.

June 25, 2019 — by Mark Taylor0

Ransomware-960x615.jpg

Greenville, North Carolina. Imperial County, California. Stuart, Florida. Cincinnati, Ohio. These are just a handful of cities and counties across the U.S. that have experienced crippling cyber attacks in recent months.

In 2019, local governments across the country have become the focus of attacks and face a growing threat of cyber attacks and escalating ransom demands. Indeed, ransomware is a pandemic in the United States, and hackers are increasingly going after larger targets instead of focusing on home computers, like most did five years ago.

[You may also like: Cities Paying Ransom: What Does It Mean for Taxpayers?]

The Vulnerabilities

Generally speaking, cities and municipalities are less prepared than companies to mitigate cyber attacks, due to limited resources and difficulty competing for cybersecurity talent. They are also increasingly reliant on technology to deliver city services. This, combined with aging computer systems, enlarges their attack surfaces.

And attackers are also getting more savvy. Per CSO Online, “There’s a constantly growing threat of exploitation either through investment from state-sponsored actors to the commoditization of very sophisticated attack techniques that are easy to use for inexperienced hackers. Ransomware isn’t new. It’s just how it’s been packaged up and how it’s being leveraged operationally by the hacker community.”

Why Cities and Municipalities?

Whether attacks on cities are increasing or merely just coming more to light now, it’s clear that they’re attractive targets for attackers.

This rationale is reinforced in Radware’s 2018-2019 Global Application & Network Security Report. According to the report, 52% of cyberattacks were motivated by financial or ransom purposes, far outpacing any other attack motivation. What’s more, government (cities and municipalities) are key targets, with 45% of government organizations being attacked on a daily or weekly basis.

[You may also like: How Cyberattacks Directly Impact Your Brand]

Simply put, the combination of constrained resources, data- and information-rich environments, countered by increasing automated attacks and attack types make cities and municipalities a high-value target for cyber criminals.

There’s no denying that in cities and municipalities, the pressure is on. Securing the constituent experience against cyberattacks is no longer just the responsibility of the IT department. Agencies need to implement security strategies–in every process and program–as if their very survival depends on them.

It only takes one data breach to compromise and expose constituent personal information or hobble critical services such as emergency response, public safety, air travel and more.

Recommendations

While it’s impossible to eliminate every risk or neutralize every threat, there are practical and minimal effort controls every city and municipality should consider. And tools alone don’t provide complete protection; a truly secure experience involves expert resources (threat intelligence), flexible deployment (cloud service), and agility or ease of use (fully managed).

[You may also like: Here’s How You Can Better Mitigate a Cyberattack]

When choosing the right security partner, which is critical for cities and municipalities, consider the following:

  • Evaluate protection for all web applications. Look for always-on and fully-managed services to protect both on-premise and cloud-based applications.
  • Evaluate risk from new DDoS attack types. Many organizations rely on their ISP and firewalls to detect and mitigate DDoS attacks. But DDoS attacks are growing and targeting applications, and application attacks are rarely detected by ISPs. 
  • Evaluate firewall DDoS protection. Attacks can fill state tables and bring down your firewall. 

The attack trends will persist in the foreseeable future, and all signs point to financial motivation gaining, thereby pushing attackers to try to profit from malicious malware. Of particular concern is the possibility of hackers investing their profits to leverage machine-learning capabilities to find ways to access and exploit resources in networks and applications.

Be prepared.

Download “Hackers Almanac” to learn more.

Download Now

Cloud Computing

Eliminating Excessive Permissions

June 11, 2019 — by Eyal Arazi0

excessivepermissionsblog-960x581.jpg

Excessive permissions are the #1 threat to workloads hosted on the public cloud. As organizations migrate their computing resources to public cloud environments, they lose visibility and control over their assets. In order to accelerate the speed of business, extensive permissions are frequently granted to users who shouldn’t have them, which creates a major security risk should any of these users ever become compromised by hackers.

Watch the video below to learn more about the importance of eliminating excessive permissions.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack Types & VectorsCloud SecuritySecurity

Anatomy of a Cloud-Native Data Breach

April 10, 2019 — by Radware1

cloudnativeattack-960x600.jpg

Migrating computing resources to cloud environments opens up new attack surfaces previously unknown in the world of premise-based data centers. As a result, cloud-native data breaches frequently have different characteristics and follow a different progression than physical data breaches. Here is a real-life example of a cloud-native data breach, how it evolved and how it possibly could have been avoided.

Target Profile: A Social Media/Mobile App Company

The company is a photo-sharing social media application, with over 20 million users. It stores over 1PB of user data within Amazon Web Services (AWS), and in 2018, it was the victim of a massive data breach that exposed nearly 20 million user records. This is how it happened.

[You may also like: Ensuring Data Privacy in Public Clouds]

Step 1: Compromising a legitimate user. Frequently, the first step in a data breach is that an attacker compromises the credentials of a legitimate user. In this incident, an attacker used a spear-phishing attack to obtain an administrative user’s credentials to the company’s environment.

Step 2: Fortifying access. After compromising a legitimate user, a hacker frequently takes steps to fortify access to the environment, independent of the compromised user. In this case, the attacker connected to the company’s cloud environment through an IP address registered in a foreign country and created API access keys with full administrative access.

Step 3: Reconnaissance. Once inside, an attacker then needs to map out what permissions are granted and what actions this role allows.

[You may also like: Embarking on a Cloud Journey: Expect More from Your Load Balancer]

Step 4: Exploitation. Once the available permissions in the account have been determined, the attacker can proceed to exploit them. Among other activities, the attacker duplicated the master user database and exposed it to the outside world with public permissions.

Step 5: Exfiltration. Finally, with customer information at hand, the attacker copied the data outside of the network, gaining access to over 20 million user records that contained personal user information.

Lessons Learned

Your Permissions Equal Your Threat Surface: Leveraging public cloud environments means that resources that used to be hosted inside your organization’s perimeter are now outside where they are no longer under the control of system administrators and can be accessed from anywhere in the world. Workload security, therefore, is defined by the people who can access those workloads and the permissions they have. In effect, your permissions equal your attack surface.

Excessive Permissions Are the No. 1 Threat: Cloud environments make it very easy to spin up new resources and grant wide-ranging permissions but very difficult to keep track of who has them. Such excessive permissions are frequently mischaracterized as misconfigurations but are actually the result of permission misuse or abuse. Therefore, protecting against those excessive permissions becomes the No. 1 priority for securing publicly hosted cloud workloads.

[You may also like: Excessive Permissions are Your #1 Cloud Threat]

Cloud Attacks Follow Typical Progression: Although each data breach incident may develop differently, a cloud-native attack breach frequently follows a typical progression of a legitimate user account compromise, account reconnaissance, privilege escalation, resource exploitation and data exfiltration.

What Could Have Been Done Differently?

Protect Your Access Credentials: Your next data breach is a password away. Securing your cloud account credentials — as much as possible — is critical to ensuring that they don’t fall into the wrong hands.

Limit Permissions: Frequently, cloud user accounts are granted many permissions that they don’t need or never use. Exploiting the gap between granted permissions and used permissions is a common move by hackers. In the aforementioned example, the attacker used the accounts’ permissions to create new administrative-access API keys, spin up new databases, reset the database master password and expose it to the outside world. Limiting permissions to only what the user needs helps ensure that, even if the account is compromised, the damage an attacker can do is limited.

[You may also like: Mitigating Cloud Attacks With Configuration Hardening]

Alert of Suspicious Activities: Since cloud-native data breaches frequently have a common progression, there are certain account activities — such as port scanning, invoking previously used APIs and granting public permissions — which can be identified. Alerting against such malicious behavior indicators (MBIs) can help prevent a data breach before it occurs.

Automate Response Procedures: Finally, once malicious activity has been identified, fast response is paramount. Automating response mechanisms can help block malicious activity the moment it is detected and stop the breach from reaching its end goal.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Cloud SecuritySecurityWeb Application Firewall

Using Application Analytics to Achieve Security at Scale

October 16, 2018 — by Eyal Arazi1

application_analytics_security_blog-960x584.jpg

Are you overwhelmed by the number of security events per day? If so, you are not alone.

Alert Fatigue is Leaving You Exposed

It is not uncommon for security administrators to receive tens of thousands of security alerts per day, leading to alert fatigue – and worse – security events going unattended.

Tellingly, a study conducted by the Cloud Security Alliance (CSA) found that over 40% of security professionals think alerts lack actionable intelligence that can help them resolve security events. More than 30% of security professionals ignore alerts altogether because so many of them are false positives. Similarly, a study by Fidelis Cybersecurity found that almost two-thirds of organizations review less than 25% of alerts every day and only 6% triage 75% or more of alerts per day that they receive.

As a result of this alert flood, many organizations leave the majority of their security alerts unchecked. This is particularly a problem in the world of application security, as customer-facing applications frequently generate massive amounts of security events, based on user activity. Although many of these events are benign, some are not—and it only takes one alert to open the doors to devastating security events, like a data breach.

Not examining these events in detail leaves applications (and the data they store) exposed to security vulnerabilities, false positives, and sub-optimal security policies, which go unnoticed.

Many Events, but Few Activities

The irony of this alert flood is that when examined in detail, many alerts are, in fact, recurring events with discernible patterns. Examples of such recurring patterns are accessed to a specific resource, multiple scanning attempts from the same origin IP, or execution of a known attack vector.

Traditionally, web application firewall (WAF) systems log each individual event, without taking into consideration the overall context of the alert. For example, a legitimate attempt by a large group of users to access a common resource (such as a specific file or page), and a (clearly illegitimate) repeated scanning attempts by the same source IP address, would all be logged the same way: each individual event would be logged once, and not cross-linked to similar events.

How to Achieve Security at Scale

Achieving security at scale requires being able to separate the wheat from the chaff when it comes to security events. That is, distinguishing between large amounts of routine user actions which has little implication for application security, and high-priority alerts which are indicative of malicious hacking attempts or may otherwise suggest a problem with security policy configuration (for example, such as a legitimate request being blocked).

In order to be able to make this separation, there are a number of questions that security administrators need to ask themselves:

  1. How frequently does this event occur? That is, does this behavior occur often, or is it a one-off event?
  2. What is the trend for this event? How does this type of behavior reflect over time? Does it constantly occur at a constant rate, or is there a sudden massive spike?
  3. What is the relevant header request data? What are the relevant request methods, destination URL, resource types, and source/destination details?
  4. Is this type of activity indicative of a known attack? Is there a legitimate explanation for this event, or does it usually signify an attempted attack?

Each of these questions can go either way in terms of explaining security events. However, administrators will do well to have all of this information readily available, in order to reach an informed assessment based on the overall context.

Having such tools – and taking the overall context into consideration – confers security professionals with a number of significant benefits:

  • Increased visibility of security events, to better understand application behavior and focus on high-priority alerts.
  • More intelligent decision making on which events should be blocked or allowed.
  • A more effective response in order to secure applications against attacks as much as possible, while also making sure that legitimate users are not impacted.

Radware’s Application Analytics

Radware developed Application Analytics – the latest feature in Radware’s Cloud WAF Service to address these customer needs.

Radware’s Cloud WAF Application Analytics works via a process of analysis based on machine-learning algorithms, which identify patterns and group similar application events into recurring user activities:

  1. Data mapping of the log data set, to identify all potential event types
  2. Cluster analysis using machine learning algorithms to identify similar events with common characteristics
  3. Activity grouping of recurring user activities with common identifiers
  4. Data enrichment of supplemental details on activities to provide further context on activities

Radware’s Cloud WAF Application Analytics takes large numbers of recurring log events and condensing them into a small number of recurring activities.

In several customer trials, this capability allowed Radware to reduce the number of Cloud WAF alerts from several thousand (or even tens of thousands) to a single-digit (or double digit) number of activities. This allows administrators to focus on the alerts that matter.

For example, one customer reduced over 8,000 log events on one of their applications into 12 activities (seen above), whereas another customer reduced more than 3,500 security events into 13 activities.

The benefits for security administrators are easy to see: rather than drown in massive amounts of log events with little (or no) context to explain them. Cloud WAF Application Analytics now provides a tool to reduce log overload into a manageable number of activities to analyze, which administrators can now handle.

Ultimately, there is no silver bullet when it comes to WAF and application security management: administrators will always need to balance being as secure as possible (and protect private user data), with the need to be as accessible as possible to those same users. Cloud WAF Application Analytics are Radware’s attempt to disentangle this challenge.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Cloud SecuritySecurity

9 Ways to Ensure Cloud Security

September 22, 2016 — by Radware0

cloud-security-2-960x508.png

Whether you’ve migrated some or all of your infrastructure to the cloud, or are still considering the move, you should be thinking about security. Too often, organizations assume a certain level of protection from a cloud service provider and don’t take steps to ensure applications and data are just as safe as those housed in the data center.

The sheer range of cloud technology has generated an array of new security challenges. From reconciling security policies across hybrid environments to keeping a wary eye on cloud co-tenants, there is no shortage of concerns. An increasingly complex attack landscape only complicates matters and requires security systems that are vigilant and able to adapt. Here are nine tips to consider before, during, and after a cloud migration to stay ahead of the curve when evaluating security solutions for your cloud service.

Cloud SecurityDDoSSecurity

Cloud-Based or Provider-Managed DDoS Mitigation: Which is Right for Your Organization?

July 12, 2016 — by Jordan Jacobs0

ddos-attack-mitigation-3-960x626.png

Two facts are changing how companies think about DDoS mitigation: DDoS attacks are more frequent than ever and are increasingly easier to initiate from anywhere in the world.

Simply put, the days when firewalls and a large enough pipe to the internet were enough to protect your network have long since passed. Any organization or website is a potential target, and with high odds of a given attack flooding homegrown defense tactics, most companies are moving their mitigation tools offsite. The cost of downtime – upwards of $9,000 per hour for small businesses and $690,000 for large companies – are just too great to risk going it alone.

Application DeliveryWPO

Cloud Load Balancing – Does your provider have what it takes?

June 14, 2016 — by Prakash Sinha0

cloud-load-balancing-3-960x705.png

Cloud computing brings cost efficiency and deployment flexibility to applications. These advantages are driving the demand for cloud-enabled applications. The move to the cloud raises concerns for service levels such as availability, security, and on-demand scalability for the applications.

For many years, application delivery controllers (ADCs) have been integral to addressing service level needs for enterprise applications deployed on premise. As data centers consolidate, end users connect remotely from a variety of locations with varied devices. Many enterprise applications are typically not designed out of the box to meet today’s quality of experience (QoE) needs.

Cloud SecuritySecurity

“POP” Goes the Vendor that Doesn’t Separate Scrubbing Centers from Always-On Platforms

June 1, 2016 — by Ben Desjardins0

cloud-scrubbing-3-960x524.png

It seems hardly a week can pass without some cloud-based security service provider announcing the latest expansion of their cloud infrastructure. The cadence has turned into something of an arms race mentality on the part of these providers, perhaps in response to a sense that’s what the market wants to see in a service provider. After all, X+1 number of Points of Presence (POPs) is better than X, right?

Well, the real answer is that most confounding of answers: it depends. In this case, the dependency is a question of what specific problem you’re trying to solve.