Is your organization looking to achieve cloud security and compliance assurance across your Amazon Web Services, Microsoft Azure, and/or Google Cloud environments? If so, access key anomaly detection and contextual network monitoring are vital to quickly identify and neutralize threats in public cloud environments. But how can you predict, and calculate, these risks without first creating a baseline of what activity is "normal"? (I'll give you a hint...you can't.) Event-driven security automation and AI-based threat detection are the new standard when building out a successful security program. Recent breaches at Uber, DXC, and OneLogin validate the need for an automated, AI-driven approach.
In RedLock’s October 2017 Cloud Security Trends report, our Cloud Security Intelligence (CSI) team found 250 organizations (including large multi-national corporations) leaking access keys and secrets for their cloud computing environments on Internet-facing web servers. Ensuring your development team adheres to your security best practices is important. However, it is more important to prepare for when this policy fails, so that you can understand when and how your keys were compromised, and investigate and neutralize any suspected threats. Consider the following recent examples.
The Uber Incident
As has been widely reported, attackers obtained data on 57 million people across the globe. This compromised information included names, email addresses, and mobile numbers of customers and drivers. The attack was carried out by two individuals who found a private GitHub repo being used by Uber software engineers. In it they found AWS access keys and secrets for a company-owned AWS account and subsequently compromised the records of millions of people without being noticed. The subsequent failure to disclose the breach brought lawsuits as well as quite a bit of speculation around the company's security practices.
The DXC Incident
In another case of stolen keys, The Register reported that “a techie accidentally uploaded (an) outsourced firm's private AWS access keys to a public GitHub repo”. In this case, the time to discovery was four days. During that time, the attackers used the stolen keys to start 244 compute resources and run up a $64,000 AWS bill on DXC’s behalf. At this point, you understand why it's so important to have visibility into anomalous user behavior, especially regarding the API access keys to your various cloud environments.
There is a Solution
When it comes to public cloud security, you share the security of your deployment with your cloud service provider. The provider is responsible for the underlying infrastructure, that is, for the security of the cloud. You are responsible for securing everything you put in the cloud. This is where RedLock comes in.
RedLock is an AI-driven Cloud Threat Defense platform for public cloud environments. RedLock is focused on eliminating your blind spots by giving you a holistic view of your multi-cloud architecture from a single pane of glass. With RedLock, you have an intelligent platform that creates a baseline of user activity and alerts you based on the type of anomaly detected. Activity-based anomalies occur when a user performs an action they do not usually perform, or accesses resources they should not. On top of this, we layer in location-based anomalies, which give you insight into the geolocations your keys are being used from and what actions were taken from each. Combine the two, and you have a clear picture for early detection in the “I lost my keys” scenario.
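The baseline-then-alert logic described above, as an added illustration that is not RedLock's code: it learns, per access key, which API actions and which source countries are normal during a baseline window, then flags later events as activity-based anomalies (an action the key never performed before) or location-based anomalies (a country the key was never used from). The event records, the access key ID, the IP-to-country table and the dates are all constructed for this example; a real deployment would read CloudTrail (or the Azure/GCP equivalents) and use a proper GeoIP database.

```python
"""Baseline an access key's normal API activity and source geography from
CloudTrail-style records, then flag activity- and location-based anomalies
in later events. Added example, not product code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for a GeoIP lookup (IP prefix -> country code).
# The prefixes are RFC 5737 documentation ranges, not real infrastructure.
GEO_BY_PREFIX = {
    "203.0.113.": "US",   # treated here as the corporate office egress
    "198.51.100.": "US",  # treated here as the CI runner range
    "192.0.2.": "RU",     # used below as an unexpected geography
}

def country_for(ip: str) -> str:
    """Map a source IP to a country via the constructed prefix table."""
    for prefix, cc in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "UNKNOWN"

@dataclass
class KeyBaseline:
    actions: set = field(default_factory=set)    # {(eventSource, eventName)}
    countries: set = field(default_factory=set)  # {country code}

def build_baseline(events, window_end: datetime):
    """Learn what is 'normal' for each key from events before window_end."""
    baselines = defaultdict(KeyBaseline)
    for e in events:
        if e["eventTime"] >= window_end:
            continue
        b = baselines[e["accessKeyId"]]
        b.actions.add((e["eventSource"], e["eventName"]))
        b.countries.add(country_for(e["sourceIPAddress"]))
    return dict(baselines)

def detect_anomalies(baselines, events, window_end: datetime):
    """Return (key, kind, action, country) alerts for events at/after window_end."""
    alerts = []
    for e in events:
        if e["eventTime"] < window_end:
            continue
        key = e["accessKeyId"]
        cc = country_for(e["sourceIPAddress"])
        b = baselines.get(key)
        if b is None:  # a key with no history at all is worth a look on its own
            alerts.append((key, "UNKNOWN_KEY", e["eventName"], cc))
            continue
        if (e["eventSource"], e["eventName"]) not in b.actions:
            alerts.append((key, "ACTIVITY", e["eventName"], cc))
        if cc not in b.countries:
            alerts.append((key, "LOCATION", e["eventName"], cc))
    return alerts

def _event(day, key, source, name, ip):
    # Minimal CloudTrail-shaped record; dates are constructed.
    return {"eventTime": datetime(2017, 10, day), "accessKeyId": key,
            "eventSource": source, "eventName": name, "sourceIPAddress": ip}

KEY = "AKIA-EXAMPLE-DEV-1"  # placeholder key ID, not a real credential
WINDOW_END = datetime(2017, 10, 8)  # first 7 days form the baseline

# Constructed sample: a week of routine S3 work from office/CI, then on day 8
# the same key launches EC2 from a new country and creates an IAM user.
SAMPLE_EVENTS = [
    _event(1, KEY, "s3.amazonaws.com", "GetObject", "203.0.113.5"),
    _event(2, KEY, "s3.amazonaws.com", "PutObject", "198.51.100.7"),
    _event(3, KEY, "s3.amazonaws.com", "GetObject", "198.51.100.7"),
    _event(8, KEY, "ec2.amazonaws.com", "RunInstances", "192.0.2.10"),
    _event(8, KEY, "s3.amazonaws.com", "GetObject", "192.0.2.10"),
    _event(8, KEY, "s3.amazonaws.com", "GetObject", "203.0.113.5"),
    _event(8, KEY, "iam.amazonaws.com", "CreateUser", "203.0.113.5"),
]

def run_demo():
    """Build the baseline from the sample and return the resulting alerts."""
    baselines = build_baseline(SAMPLE_EVENTS, WINDOW_END)
    return detect_anomalies(baselines, SAMPLE_EVENTS, WINDOW_END)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two design points worth noting: the baseline window must itself be clean (a key that was already being abused during the learning period will have the abuse baked in as "normal"), and the RunInstances event fires both an activity and a location alert, which is exactly the combination that distinguishes the DXC-style "someone else has my keys" case from a developer simply trying a new API.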
If you would like to learn more about how RedLock can help you gain deeper visibility into multi-cloud security and compliance risks, request a demo.