The Anatomy of a Cloud Data Breach
TRANSCRIPT
80 million records: Anthem
500K records: IRS
18 million records: OPM
37 million records: Ashley Madison
4.5 million records: UCLA Med Center
Some say we have Breach Fatigue
Sources and per-record cost of a data breach
Chart (categories only; the per-record values are not in the transcript): Malicious or criminal attack; Human error; System glitch. Source: 2015 Ponemon Cost of a Data Breach
Most Data Breaches Involve Advanced Persistent Threats (APTs)
An APT is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. It usually targets organizations and/or nations for business or political motives. The processes require a high degree of covertness over a long period of time. (From Wikipedia)
APT lifecycle (Gartner)
APT lifecycle simplified
Infiltration: attempt to gain a foothold in the environment
Command and Control: injects a payload into the compromised system to direct malware on what to do
Exfiltration of Data: unauthorized transfer of sensitive data
What role does the cloud play in data breaches?
If your organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability (and expected economic impact) of a data breach by 75%.* Increase use and increase probability.
*Source: 2014 Ponemon Cost of a Data Breach report
apps: 700+ cloud apps per enterprise; 90% are not enterprise-ready
users: malicious or non-intentional; 15% of corporate users have had their account credentials compromised
THE HUMAN FACTOR
data: 18% of files in cloud apps constitute a policy violation; 22% of those files are shared publicly
activities: cloud makes it easy to share. When is an activity an anomaly?
Cloud Usage and APT lifecycle
Data Breach Study: Phase 1 - Infiltration: CLOUD APP USED FOR MALWARE DELIVERY
Step 1: Upload your file to uploading.com
Step 2: Download your file
Step 3: Check for virus / malware
Data Breach Study: Phase 2 - Command & Control: CLOUD APP USED FOR C&C SERVER
Initial infection vector: spear phishing
Malware component: crafted RTF files
Exploits vulnerability: CVE-2014-1761 (Microsoft Word RTF Object Confusion)
Command & Control server: CloudMe.com (100 accounts)
Data exfiltrated to cloud storage app: CloudMe.com
New payloads & instructions downloaded
Data retrieval: network of compromised home routers
Source: Blue Coat
Data Breach Study: Phase 3 - Data Exfiltration: CLOUD USED FOR DATA EXFILTRATION
Exfiltration of data via personal cloud storage
Employee credentials compromised
80 million records compromised
Catch-22
Allow is the new block
6 Steps to Mitigating Cloud Usage Risk (without blocking everything)
STEP 1: Discover the cloud apps running in your enterprise and assess risk
STEP 2: Understand cloud usage details
Bob in accounting
From his mobile phone
Uploading customer data to Dropbox
Bob's credentials have been compromised
Traditional perimeter security is blind to cloud activity
Perimeter Security: number of cloud apps: hundreds; visibility: bytes, basic session info
Cloud Security 2.0: number of cloud apps: thousands; visibility: cloud app enterprise-readiness score, activity-level details for all cloud apps, content-level details for files tied to an activity or for files stored in a cloud app
Perimeter security lacks activity and content visibility
What perimeter security sees during a web session:
Web session start
Login as: mary@acme
Browser/OS
From: IP address
To: IP address
www.box.com, URL category: File Sharing/Storage
HTTP GET/POST/DELETE/CONNECT
HTTP headers, GET and POST body
Web session end
Perimeter Security summary: Login: mary@acme; App: Box; Category: File Sharing; Using: Macbook, Safari 6.0; From: IP address; To: IP address
What Cloud Security 2.0 sees for the same session:
Identity: Login as: mary@acme; Box ID: mary@gmail; Using: Macbook/Safari; From: Mtn View, CA; Destination: app located in Germany; To user: sharing a doc with John@NewCo
App: Box; Category: Cloud Storage; App Instance: Corporate; CCL: High; Risk: High
Activity: Login, Upload, Download, Share, Logout, Invite, Edit, View
Data: PII/PCI/PHI data, other sensitive classifications
Cloud Security 2.0 summary: Login: mary@acme; Box ID: mary@gmail; App: Box; Instance: Corporate; Using: Macbook, Safari 6.0; From: Mountain View, CA; Activities: Create Folder, Move Files (4), Share Folder w/ John@NewCo; Anomalies: Downloaded a PII doc from SFDC, uploaded to Box
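The anomaly on this slide (a PII document downloaded from one app and uploaded to another, or to a personal instance) only becomes detectable once activity-level records exist. The following is an added example, not Netskope code, that correlates such records per user; the field names and the sample events are constructed.

```python
# Added example (not from the Netskope deck): correlating activity-level
# cloud events to surface the anomaly on the slide, a PII document downloaded
# from one app (SFDC) and uploaded to another (Box). Field names and sample
# values are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CloudActivity:
    ts: datetime          # when the activity happened
    user: str             # enterprise identity, e.g. mary@acme
    app: str              # cloud app, e.g. "SFDC" or "Box"
    instance: str         # "corporate" or "personal" app instance
    activity: str         # Login, Upload, Download, Share, ...
    file_hash: str        # content fingerprint that ties activities together
    classification: str   # "PII", "PCI", "PHI" or "none"

def find_cross_app_moves(events, window=timedelta(hours=1)):
    """Flag a classified download followed, within `window`, by an upload of
    the same content to a different app or to a personal instance.
    Returns (user, source app, destination app, instance, classification)."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, acts in by_user.items():
        for i, dl in enumerate(acts):
            if dl.activity != "Download" or dl.classification == "none":
                continue
            for up in acts[i + 1:]:
                if up.ts - dl.ts > window:
                    break  # events are time-ordered, nothing later can match
                moved = up.app != dl.app or up.instance == "personal"
                if up.activity == "Upload" and up.file_hash == dl.file_hash and moved:
                    findings.append((user, dl.app, up.app, up.instance, dl.classification))
    return findings

# Constructed sample: the slide's sequence plus a benign same-app move by Bob.
T0 = datetime(2015, 6, 1, 9, 0)
SAMPLE = [
    CloudActivity(T0, "mary@acme", "SFDC", "corporate", "Login", "", "none"),
    CloudActivity(T0 + timedelta(minutes=5), "mary@acme", "SFDC", "corporate", "Download", "h1", "PII"),
    CloudActivity(T0 + timedelta(minutes=12), "mary@acme", "Box", "personal", "Upload", "h1", "PII"),
    CloudActivity(T0 + timedelta(minutes=20), "bob@acme", "Box", "corporate", "Download", "h2", "PII"),
    CloudActivity(T0 + timedelta(minutes=25), "bob@acme", "Box", "corporate", "Upload", "h2", "PII"),
]

def demo():
    return find_cross_app_moves(SAMPLE)
```

Only Mary's SFDC-to-Box move is reported; Bob's move within the corporate Box instance is not, which is the distinction a perimeter proxy seeing only "POST to www.box.com" cannot make.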
STEP 3: Monitor activities, detect anomalies, and conduct forensics
STEP 4: Find sensitive data tied to an activity or stored in a cloud app
STEP 5: Use surgical precision in your policies, leveraging contextual data
Examples of using context in your policies
Quarantine PII data uploaded to risky cloud storage apps
Allow marketing and support teams to post to social media, but block the finance team
Don't allow data marked confidential to be shared outside of our company
Alert users using their personal Dropbox to use a sanctioned cloud app instead
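The four policies above each combine several context fields (team, app category, app instance, app risk, data classification, share recipient). The following is an added example, not Netskope's product code, of a small evaluator for exactly those four rules; the field names, risk values and sample activities are constructed.

```python
# Added example (not Netskope's product code): a contextual policy evaluator
# for the four policy examples on the slide. Group, app category, instance,
# app risk and data classification are constructed context fields.
from dataclasses import dataclass

@dataclass
class Activity:
    user: str
    group: str                 # "marketing", "support", "finance", ...
    app: str                   # "Box", "Dropbox", "Twitter", ...
    category: str              # "Cloud Storage", "Social Media", ...
    instance: str              # "corporate" or "personal"
    risk: str                  # app enterprise-readiness risk: "Low"/"Medium"/"High"
    action: str                # "Upload", "Post", "Share", ...
    classification: str        # "PII", "Confidential" or "none"
    share_target: str = ""     # recipient address for Share actions
    company_domain: str = "acme.com"

def evaluate(a):
    """Return (verdict, reason); rules are checked most severe first."""
    # Quarantine PII data uploaded to risky cloud storage apps
    if (a.action == "Upload" and a.classification == "PII"
            and a.category == "Cloud Storage" and a.risk == "High"):
        return "quarantine", "PII uploaded to risky cloud storage app"
    # Allow marketing and support to post to social media, block finance
    if a.action == "Post" and a.category == "Social Media":
        if a.group in {"marketing", "support"}:
            return "allow", "social media posting permitted for this team"
        if a.group == "finance":
            return "block", "finance team may not post to social media"
    # Don't allow data marked confidential to be shared outside the company
    if (a.action == "Share" and a.classification == "Confidential"
            and not a.share_target.lower().endswith("@" + a.company_domain)):
        return "block", "confidential data shared outside the company"
    # Alert users on personal Dropbox to use a sanctioned app instead
    if a.app == "Dropbox" and a.instance == "personal":
        return "alert", "use the sanctioned cloud storage app instead"
    return "allow", "no policy matched"

# Constructed sample activities, one per rule.
SAMPLES = {
    "pii_to_risky": Activity("bob@acme", "accounting", "uploading.com", "Cloud Storage", "personal", "High", "Upload", "PII"),
    "finance_post": Activity("ann@acme", "finance", "Twitter", "Social Media", "personal", "Medium", "Post", "none"),
    "external_share": Activity("mary@acme", "sales", "Box", "Cloud Storage", "corporate", "Low", "Share", "Confidential", "john@newco.com"),
    "personal_dropbox": Activity("bob@acme", "accounting", "Dropbox", "Cloud Storage", "personal", "Medium", "Upload", "none"),
}

def decisions():
    return {name: evaluate(a)[0] for name, a in SAMPLES.items()}
```

Rule order matters: a PII upload to a high-risk app is quarantined before the personal-Dropbox coaching rule is ever reached, so the most severe verdict wins.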
STEP 6: Don't leave users in the dark. Coach them on safe usage.
1: Discover the cloud apps running in your enterprise and assess risk
2: Understand cloud usage details
3: Monitor activities, detect anomalies, conduct forensics, and find sensitive data
4: Find sensitive data associated with an activity or stored in a cloud app
5: Use surgical precision in your policies, leveraging contextual data
6: Don't leave users in the dark. Coach them on safe usage.
Thank You!