How to protect against costly data breaches

April 1, 2015 By Andrew Roberts

Details matter when it comes to protecting confidential data against the numerous threats that stalk the connected world. It is this detail oriented approach that will ultimately matter when it comes to the crunch against an adversary. In our last article we discussed the adoption of the NIST cybersecurity framework. We are extending upon that article to give organizations some concrete reasoning behind serious security weaknesses and provide constructive solutions to the cloud application security puzzle.

cloud security puzzle

Protecting cloud applications is a puzzle. The puzzle is complicated by all the moving pieces that expose yet another point of exploitation.

Key pieces of the cloud security puzzle:

1 - Visibility 2 - User Access Interrogation 3 - Securing data before it reaches the Cloud* 4 - Automated Threat Response


One of the great challenges with cloud and indeed web/SaaS deployed applications is the lack of visibility. Often Security Information and Event Management (SIEM) infrastructure has no access to logs of software provided as a service. This creates what is known as the SIEM blind spot.

Without visibility of how users are accessing end systems, organizations are at the mercy of third parties to determine their security outcomes, which is an unacceptable risk. Fortunately, there are solutions for uncloaking these SIEM blind spots.

Generally, the most effective way to gain insight and complete visibility is to lock cloud deployed applications to a security gateway. Users then transit through the gateway on their way to the cloud application. This can take the form of a proxy server. As users transit through the gateway, significant security insight can be gained which can be added to the overall security picture for your applications.

User Access Interrogation

Often overlooked, User Access Interrogation is critically important for securing access to information. This is the leading reason why spear phishing and user credential theft is such an effective attack vector. Organizations are simply not doing enough to adequately interrogate users logging into their systems.

Non-hostile user interrogation (performed by technical analysis on the back-end) is key to securing access to confidential information. Currently, applications ask for a user's credentials (think drivers license) without ever looking at their face to confirm the identity. In many ways this is a result of the maturity cycle of the web. Threat actors have caught onto this lack of identity verification but unfortunately the vast majority of infrastructure is still lagging behind.

It is possible to defeat user credential theft based attacks with appropriate technology, yet they remain a major cause of data breaches. Solutions to this security vulnerability can range from taking machine fingerprints, geographical interrogation, second factor authentication and right through to detailed behavioural analysis.

Each of the front-door interrogation techniques can be defeated by a determined adversary. It is important that organizations understand that these techniques knock-off the vast majority of attacks. Determined attackers require some more rigor.

Adding rigour to User Access Interrogation extends beyond the front door. Real-time user behaviour analysis combined with a threat response is key to defeating determined attackers. Using machine learning to understand how users work on a daily basis is crucial. For an attacker to succeed they must then become the user. A very difficult task without obvious means to extract significant volumes of confidential data.

Securing Data before it reaches the Cloud*

Securing data means different things to different people. In the realm of cloud deployed applications, it means protecting the confidential data used within the application. It is increasingly rare to hear about attacks on physical databases. It is not rare however to hear about attacks on applications exposing data stored in databases.

Securing your data at rest requires much more than database encryption. Database encryption is wonderful for securing the physical database. Unfortunately database encryption (by design) does not secure data when it is passed to the application for user consumption.

The security issue comes via the way that applications interact with databases. Applications are trusted users. Databases give up the data to applications without the mandate to understand how this data is being consumed or indeed exposed.

Encrypting data before it reaches the application resolves this security weakness in system architecture. Having the data pass back through a separate gateway that decrypts the data and makes it human readable is important to securing the data against application attacks that subvert security gateways.

Responding to threats

There is questionable benefit of having the ability to see attacks whilst lacking the tools to thwart them. Threat response is one of the toughest pieces of InfoSec. There has to be a careful balance in all responses to ensure that legitimate users are not treated with an iron fist whilst going about their job.

Automating threat response is crucial to ensuring that threats are stopped without delay. Delays in threat mitigation results in data breaches. Ignoring the warning signs whilst administrators sleep can lead to catastrophic data breaches.

Alert fatigue causes administrators to ignore the warning signs. Every administrator receives countless automated notifications from their security appliances. There are well known data breaches that have resulted in part due to alert fatigue. The potential catastrophic consequences of alert fatigue is a good reason to automate threat response.

Measured approaches to threats may be blocking requests, suspending user accounts or simply locking access for a pre-determined period may be all that it takes to defeat threats whilst limiting the potential for business interruption.

How we can help: Without turning this post into a commercial plug, StratoKey is a security product designed to put all 4 crucial security pieces together in one platform.

* It would be neglectful to not mention that data needs to be protected whilst in transit. This in transit protection can come in the form Transport Layer Security (TLS). TLS encrypts the data in transit between users and the end cloud applications (SaaS and Web included). This is network level encryption and provides no security once the data reaches the end application.