The "Cloud Attack Fan-Out" Effect: Breaches in Today's Enterprise Environment
Enterprise cloud adoption is accelerating rapidly, not only in the migration of workloads to the cloud but also in the volume of data that originates in, is shared through, and is stored in cloud apps. Businesses now use an average of 935 cloud apps, the vast majority of them unknown to IT. In fact, organizations underestimate the scope of cloud app adoption by a factor of 10, which makes securing and controlling the ever-growing set of cloud apps in the enterprise a serious problem.
There has also been a considerable rise in malware that specifically targets cloud apps, which further compounds IT's visibility and control problem. These threats range from spear-phishing attacks, where attackers seek unauthorized access to specific data, to attacks that affect entire organizations, such as ransomware. With 11 percent of enterprises having sanctioned cloud apps known to be laced with malware, these attacks are putting employees and sensitive data at greater risk than ever before.
The Fan-Out Effect
The cloud now plays a significant role in the spread of ransomware. Ransomware, for those unfamiliar, is malware that encrypts the files on a victim's device and on any storage it can reach (it is often delivered via a malicious file hosted in a cloud app), and then withholds the decryption key until the victim (or the victim's organization) pays the attackers. In an enterprise where employees use a growing number of connected devices with sync-and-share capabilities, data is constantly in transit. While syncing and sharing in the cloud is convenient for employees, it can come at a high price: a cloud sync service will faithfully replicate encrypted files, and any malicious payload dropped alongside them, to every other user and endpoint connected to the same shared folder. This effect is called the "cloud attack fan-out."
If malicious files or code infect a single user's client device, the damage can spread to an entire organization. When a user is infected, the ransomware encrypts the files on that device, including those in synced folders. On the next sync, the encrypted copies replace the originals in the cloud. Employees with whom the infected user shares those folders then sync, pulling the encrypted files down onto their own desktops and overwriting their local copies. The ransomware's damage has now spread across the enterprise, even though only one endpoint ran the malware. One practical check: most sync services keep per-file version history, so the pre-encryption versions can usually be restored once the infected endpoint has been isolated, provided the retention window has not elapsed.
With an increase in both the attack surface and data velocity in the cloud, the propensity and severity of breaches have risen immensely. In 2015 alone, the number of tracked data breaches totaled 781. What's more, because many cloud apps are not approved by IT, IT lacks visibility into the large majority of its organization's cloud app environment and is not alerted to suspicious activity and potential threats there. Given the speed at which malware can spread, it has become increasingly important for IT to adopt policies that give it better visibility into the cloud.
So, what does this mean for IT?
Anomaly Detection and Remediation
Put simply, businesses must shape their data protection policies before corporate information gets into the wrong hands. This requires tooling that scales to the billions of app events occurring per day in an enterprise's cloud app environment, and a good enough understanding of employees' normal cloud app behavior to detect anomalies quickly and react to them.
In today's environment, where hundreds of the cloud apps in use are not approved by IT, IT must have visibility into sanctioned and unsanctioned apps alike at all times. To achieve this, it must adopt policies that immediately flag anomalous behavior, so that threats can be recognized and remediated quickly and potential damage contained.
IT can also take preventive steps against a cloud fan-out attack by specifically monitoring cloud sync-and-share activity. This lets IT detect anomalies such as unusual file upload or modification activity, repeated login attempts, or other out-of-the-norm behavior. The traffic patterns observed this way can also help identify which malware family is communicating with a cloud-hosted command-and-control server, so that IT can quickly take steps toward remediation. When a malware threat is detected, IT should remediate by moving the affected files into a quarantine folder that does not sync, so that users' endpoints do not pull down the infected or encrypted files.
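As an added example (not code from the original article or from any vendor's product), here is a detection heuristic for the fan-out pattern described above, run over a constructed sync/share audit log: it looks for a single user's burst of renames in which most files gain a new extension, lists the encrypted copies to pull into quarantine, and computes the blast radius from a hypothetical share map. The log format, share map, thresholds, and user names are all assumptions made for the example.

```python
"""Detect a ransomware-style fan-out in cloud sync/share audit events.

Heuristic: one user renaming an unusually large number of files in a short
window, with most of them gaining a new extension, looks like a ransomware
process encrypting a synced folder. Anything in a shared folder reaches every
collaborator on their next sync, so the blast radius is the set of users those
folders are shared with.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import posixpath

# Constructed share map (hypothetical): synced folder -> collaborators.
SHARED_FOLDERS = {
    "/Finance/Q3": {"alice", "bob", "carol"},
    "/Eng": {"carol", "dave"},
}


def _log(ts, user, action, path, new=None):
    """Build one audit line in a simple key=value format (constructed, not a
    real product's log schema)."""
    line = f"{ts} user={user} action={action} path={path}"
    return line + (f" new={new}" if new else "")


# Constructed sample log: alice renames 25 files in /Finance/Q3 within two
# minutes, each gaining a ".crypt" extension, plus benign activity from others.
_BASE = datetime(2016, 3, 2, 9, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for _i in range(25):
    _ts = (_BASE + timedelta(seconds=5 * _i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    _p = f"/Finance/Q3/report_{_i:02d}.xlsx"
    SAMPLE_LOG.append(_log(_ts, "alice", "rename", _p, _p + ".crypt"))
SAMPLE_LOG += [
    _log("2016-03-02T09:20:11Z", "bob", "edit", "/Finance/Q3/notes.docx"),
    _log("2016-03-02T09:31:45Z", "carol", "rename", "/Eng/spec_v1.md", "/Eng/spec_v2.md"),
    _log("2016-03-02T10:02:03Z", "bob", "upload", "/Finance/Q3/invoice.pdf"),
]


def parse_event(line):
    """Parse '<ts> key=value ...' into a dict with a timezone-aware 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def extension_changed(old, new):
    """True when a rename gives the file a different final extension."""
    return posixpath.splitext(old)[1] != posixpath.splitext(new)[1]


def blast_radius(paths, actor):
    """Collaborators (other than the actor) whose clients would sync these paths."""
    users = set()
    for p in paths:
        for folder, members in SHARED_FOLDERS.items():
            if p == folder or p.startswith(folder.rstrip("/") + "/"):
                users |= members
    users.discard(actor)
    return users


def detect_fan_out(lines, window=timedelta(minutes=5), min_files=20, min_ext_ratio=0.8):
    """Return one alert per user whose densest rename burst within `window`
    touches >= min_files files, with >= min_ext_ratio of them changing extension."""
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["action"] == "rename":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) < min_files:
            continue
        changed = sum(extension_changed(e["path"], e["new"]) for e in best)
        if changed / len(best) < min_ext_ratio:
            continue
        encrypted = sorted(e["new"] for e in best)  # copies to pull out of sync
        alerts.append({
            "user": user,
            "files": len(best),
            "first_seen": best[0]["ts"].isoformat(),
            "quarantine": encrypted,
            "blast_radius": sorted(blast_radius(encrypted, user)),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_LOG):
        print(f"{a['user']}: {a['files']} files renamed from {a['first_seen']}, "
              f"would fan out to {a['blast_radius']}; quarantine {len(a['quarantine'])} files")
```

On the constructed log this flags only alice (25 renames, all gaining `.crypt`, fanning out to bob and carol through `/Finance/Q3`) and ignores carol's single benign rename. A rename burst is just one of the signals the text lists; upload bursts and repeated failed logins would be separate rules over the same event stream, and the quarantine list is what an operator would pull out of the shared folder (and roll back from version history) before collaborators' clients sync again.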
Finally, IT must educate employees on cloud best practices. Too often, so-called "shadow IT" is viewed solely as a technology problem, when in reality it is as much about understanding people and processes. Employees are often unaware that they are exposing sensitive data to threats, and do not know what measures would better protect it. With proper education on best practices for working with sensitive data (e.g., knowing who has access to what, and limiting permissions when sharing with larger audiences), employees can become the first barrier against attacks.
While the cloud offers unprecedented benefits in cost and efficiency, cloud environments can easily expose sensitive information to threats if proper precautions are not taken. If IT cannot confidently say that it has a comprehensive understanding of employee behavior across the entirety of its cloud app environment, odds are the business is at serious risk of a cloud app-based malware attack and/or a compliance failure. The cloud fan-out effect only heightens this risk. It has become critical for IT to adopt the right policies and procedures, because a single infected endpoint can expose an entire organization in a matter of minutes.