With businesses getting ready to power down to a certain degree for the holidays, we sat down with Britive Head of Solutions Engineering John Morton to find out what actions they could be taking to stay well protected during this time.
Q1. Are enterprises worried about malicious activity during the holidays?
Yes, they are. Our customers and prospects are asking us about account hijacking – that’s when you assume someone else’s account identity. It’s a big problem at this time of year, even for companies with MFA (multi factor authentication). Even when they have data loss prevention, geo fencing and all kinds of perimeter defenses in place. We know the last thing the most-advanced attackers want to do is be disruptive. Their goal is to keep a low profile and move through your data in ways that look authentic. The best way to do that is to take over someone else’s privileged access during the holiday quiet time.
Q2. How can you spot this kind of malicious activity?
You need a way of identifying anomalous behaviour and then validating it. You need a system in place to deliver an alert whenever strange activity is taking place, And, to verify where that activity is coming from and why it’s happening. This is where machine learning comes into it. An intelligent access management platform that uses machine learning to understand how accounts are used over time against role-based permissions, it’s much easier to spot activity outside of normal behaviour. We’ve built this capability into the Britive Platform and gone further to ensure those permissions get right sized over time so that no-one ever has more privileges than they need. Right-sizing privileged access is a key part of a zero trust model, where no user or machine ID is trusted by default.
To give an example, let’s say someone publishes something to AWS at 3am. An access management solution monitoring thousands of access events across multiple public clouds and applications makes it possible for you to back track to when and how this security incident happened, as well as who is responsible.
Q3. Are businesses in general aware that they could have a granular level of visibility into who’s accessing what?
There’s certainly a degree of wilful ignorance. Sometimes we are aware of what we don’t know. But theoretically, if we don’t acknowledge that we’re ok. Everyone knows there are multiple ways to access the cloud. If we claim to not have visibility, we are simply doing the best we can and we can’t be held responsible in the event of an attack. That’s the mindset that leads to vulnerabilities within the enterprise environment.
Q4. Should all businesses be limiting access during the holidays?
That’s not necessarily the right thing to do. For example, if you are a large retail organization with every imaginable cloud security tool, including Britive, and the ability to pinpoint malicious activity fast, you might choose not to stop sales even when your environment is compromised. It depends on the nature of the compromise, of course. You might choose to tell your CEO and the board that you’re under attack and someone is syphoning off a few things, but customer data is not at risk so you can deal with it after the holidays. I certainly wouldn’t want to be the one to tell the CFO that we need to stop trading at the busiest revenue-making time of year.
Ultimately, risk isn’t black and white – it’s about finding the balance that’s best for your business. But you can’t make important decisions about risk unless you have complete visibility of access across your multi cloud environment.
Q5. Is internal abuse a big threat during the holiday season?
It can be. It all comes back to having appropriate visibility into who is accessing what. Privileged access is given when you trust certain employees with a master key to your most sensitive data. Trusting someone doesn’t mean you shouldn’t keep an eye on what they are doing.
If you provision someone with an account that has access to Azure, you shouldn’t trust them to the point that you never monitor what they are doing in there. They could spin up their own tenants, create their own environments, store their own content, all without you knowing. Yet, I’m hearing about instances where an employee with privileged access has been uploading torrents for pirating sites or using company resources for Bitcoin mining. The thing to remember is that your IAM (identity and access management) technology should allow you to verify even trusted internal employees.
Q6. Is there an element of ignorance around access privilege abuse?
There could be, but mostly it’s the easy button. When DevOps teams are letting you know your security measures are preventing them completing critical work on time, it’s easier to give them everything they want. But be aware that doing that means they have complete access to resources they could use for personal gain if they chose to.
The chances are they won’t. And, the odds were against FireEye and Solar Winds getting hacked– but they did. Giving yourself the opportunity to remain in control of access, especially during vacation time, means having visibility of even your most trusted employees to guard against the most unlikely outcomes. It only takes one major infosec breach to fell an enterprise.
Another common mistake people make with access is assuming malicious intent means data theft. It doesn’t have to be about stealing. With grand access privileges you can share corporate content peer to peer, create your own ecosystem, run your own website, without anyone ever finding out unless they are purposefully monitoring access.
Brand reputation is a huge casualty in this scenario, with revenue impacting consequences that are hard to quantify and long lasting. Dynamic access management can right–size grand privileges for you and minimize the risk of internal abuse.
Q7. What’s your advice for enterprises concerned with protecting themselves over the holidays?
Focus on discovery and visibility of cloud account access. It’s important to extend to non-human IDs as well as human users. This is absolutely the time for Just in Time (JIT) access, which lets you dynamically give users the access they need at the moment they need it, avoiding the speed bump organizations typically hit over the holidays where access requests take up to eight days to approve.
Just in Time access goes hand in hand with the concept of automatically expiring permissions, a feature of the Britive Dynamic Permissioning Platform which supports the principle of least privilege. Essentially, that means elevated privileged access expires on termination of the session.
Another important holiday consideration is integration of your IAM (identity and access management) solution into your security ecosystem. You should be able to seed pertinent identity and access related data to a SIEM (Security & Information Event Management) platform for a broader view of the threat landscape.
By associating data from more than one security tool, you identify threats faster and more accurately. If you are operating within a SOC (Security Operations Center) or as a security MSP (Managed Services Provider) and your job is to look at aggregated data for alerts, this functionality is invaluable.
Q8. Who gets to take a vacation, in this access-centric scenario for protecting cloud data holidays?
Security analysts, security engineers, security architects, the CISO, CIO, CTO, CEO, and the rest of board, all have infinitely greater peace of mind knowing the business is in complete control of who and what is accessing its data during the holidays.
When it comes to understanding the holistic attack surface, the identity aspects of it are integral to reducing the risk of cybersecurity threats during lean staffing times like holidays.
If you would like to experience dynamic privileged access management for your multi cloud business, you can request a no-obligation demo from Britive.