Is your current cloud security approach leaving you to drown in an endless sea of false alerts? This article looks at five areas where your cloud security approach may be burning cash.
Top 5 Areas to Consider when Evaluating Cloud Infrastructure Security Approach
Table of contents
Mismanaging AWS CloudTrail Data
Drowning in a sea of worthless alerts
Writing alert suppression rules to quiet noisy systems
Buying multiple security tools to address cloud and container visibility gaps
Relying on CSP native tooling and open source tools for security and compliance needs
The rewards of securing enterprise cloud infrastructure
Mismanaging AWS CloudTrail Data
Ignoring your logs or placing the raw data into a SIEM are two costly approaches to handling AWS CloudTrail data.
CloudTrail logs can be exceptionally noisy, with some experts estimating a signal-to-noise ratio of 1:25,000. Organizations must quickly sift through CloudTrail data, identify the useful and actionable information, and disregard the excess noise.
Pre-filtering CloudTrail logs before importing them into a SIEM or other analysis tool can significantly reduce storage and analysis costs; organizations report reducing log size by 90% or more. Reviewing CloudTrail log data matters because early warning signs of an attack are often present in the logs.
“Through 2020, 95% of cloud security failures are going to be the customer’s fault.” – Top Predictions for IT Organizations and Users for 2016 and Beyond, Gartner
Critical IOC data hidden in your CloudTrail logs can provide an early warning of an attack:
- New regions or services enabled?
- New user changing security group policies?
- New IAM users or keys?
- Modifications to route tables or new VPNs?
- Changes to S3 buckets?
- Use of non-MFA accounts?
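An added example (not Lacework code) of the pre-filtering described above: it walks a handful of constructed CloudTrail records, forwards only those that match the indicators just listed, and drops the rest as noise. The eventName values are real AWS API names; the sample records, user names and the "known regions" set are constructed for illustration.

```python
# Added example (not Lacework code): forward only CloudTrail records matching the indicators above.
from typing import Dict, List, Set, Tuple

# Mutating API calls behind each indicator above; these are real CloudTrail eventName values.
WATCHED = {
    "security_group_change": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
    "new_iam_user_or_key": {"CreateUser", "CreateAccessKey", "CreateLoginProfile"},
    "route_or_vpn_change": {"CreateRoute", "ReplaceRoute", "DeleteRoute", "CreateVpnConnection"},
    "s3_bucket_change": {"CreateBucket", "DeleteBucket", "PutBucketPolicy", "PutBucketAcl"},
}

def mfa_used(event: Dict) -> bool:
    """CloudTrail records MFA as the string "true" under userIdentity.sessionContext.attributes."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(events: List[Dict], known_regions: Set[str]) -> Tuple[List[Dict], int]:
    """Return (records worth forwarding to the SIEM, count of records dropped as noise)."""
    alerts, dropped = [], 0
    for ev in events:
        hits = [rule for rule, names in WATCHED.items() if ev.get("eventName") in names]
        if ev.get("awsRegion") not in known_regions:   # activity outside the expected footprint
            hits.append("activity_in_unexpected_region")
        # Read-only calls are the bulk of the noise; a write call without MFA is worth a look.
        if not ev.get("readOnly", False) and not mfa_used(ev):
            hits.append("write_without_mfa")
        if hits:
            alerts.append({"eventName": ev.get("eventName"), "region": ev.get("awsRegion"),
                           "user": ev.get("userIdentity", {}).get("userName", "?"), "rules": hits})
        else:
            dropped += 1
    return alerts, dropped

# Constructed sample records (not from a real account); only the inspected fields are present.
def _user(name: str, mfa: bool) -> Dict:
    return {"type": "IAMUser", "userName": name,
            "sessionContext": {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}}}

SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1", "readOnly": True, "userIdentity": _user("alice", True)},
    {"eventName": "ListBuckets", "awsRegion": "us-east-1", "readOnly": True, "userIdentity": _user("alice", True)},
    {"eventName": "CreateAccessKey", "awsRegion": "us-east-1", "readOnly": False, "userIdentity": _user("bob", True)},
    {"eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "readOnly": False, "userIdentity": _user("carol", False)},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-2", "readOnly": False, "userIdentity": _user("alice", True)},
]

if __name__ == "__main__":
    kept, noise = triage(SAMPLE_EVENTS, {"us-east-1", "eu-west-1"})
    print(f"forwarded {len(kept)} of {len(SAMPLE_EVENTS)} records, dropped {noise}:", *kept, sep="\n")
```

On real CloudTrail data the read-only calls dropped here are the bulk of the volume, which is where the 90% reduction the text mentions comes from; the watched event set should be extended to match your own environment.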
Drowning in a sea of worthless alerts
During an average month, the average enterprise cloud generates around 2 billion transactions, and those transactions add to the alert volume that security teams must review and assess.
According to a recent survey of IT security professionals, 40 percent cite a lack of actionable intelligence about a given alert as what makes alerts difficult to analyze, and nearly one-third of respondents report that they ignore their alerts because so many of them are false positives.
As reported in CSO Online, a survey of large-enterprise security executives found that 37 percent of respondents received over 10,000 alerts monthly. Of those alerts, 52 percent were false positives and 64 percent were redundant.
False positives and alerts without sufficient context are costly for organizations in several ways: they drain staff time, managing them means higher-value activities such as a proactive security approach are deferred, and they can lead to poor security practices such as writing unnecessary suppression rules.
Organizations report that every low-context alert takes an experienced investigator about 15 minutes to assess. Accounting for time and staff costs alone, that is about $25 for every alert a security team must investigate.
10 false alerts per day requiring investigation: cost to the organization of $91,250/year.
Writing alert suppression rules to quiet noisy systems
Creating blind spots with suppression rules increases your breach risk.
One common pattern across many high-profile breaches is that early indicators were present in the company’s logs and had triggered alarms within the target systems. In the run-up to the Equifax breach of 2017, which affected more than 145 million Americans, five different warnings about the Apache Struts exploit had been published by organizations including NIST, MITRE, and Apache itself. The Apache RCE vulnerability was rated 10 of 10 on the CVSS severity scale, and reports of active exploitation were profiled in the media before the breach.
Given the combination of legacy technologies in the Equifax environment, notably IBM WebSphere, Apache Struts, and Java, researchers report that the environment must have been extremely noisy and cite that as a factor in how Equifax missed such strong warning signs. Equifax was likely using suppression rules in an attempt to quiet its systems, which may help explain how such a severe vulnerability slipped under the radar.
Suppressing alerts creates blind spots, and those blind spots can be costly if an attacker exploits them. While there are legitimate reasons to suppress alerts, more often than not alerts are suppressed because of alert fatigue. Monitoring activity within the cloud only makes the alert volume problem worse: the average enterprise generates around 2 billion cloud-related events a month.
According to IBM, the cost of a data breach has risen 12 percent over the past 5 years and now averages $3.92M globally. For organizations with fewer than 500 employees, the typical cost is over $2.5M, though those estimates are highly variable. Costs within the US tended to be higher, more than 2x the worldwide figure.
Average cost of a breach globally:
- More than 500 employees: $3.92M
- Fewer than 500 employees: $2.5M
Calculating your breach risk
For a fast estimate of your breach risk, we recommend using 3-5 percent of your annual revenue over 3 years to account for long-tail costs such as increased scrutiny from auditors, loss of customers, and an inability to do business with certain accounts. Approximately two-thirds of data breach costs are incurred during the first year, with the full cost picture extending into years 2 and 3. Costs are generally higher for highly regulated industries or for companies that need a SOC 2 certification to sell their services.
Other insights we gained from the 2019 Cost of a Data Breach report include: inadvertent breaches resulting from human error, such as misconfigurations, and from system glitches accounted for 49 percent of the data breaches in the report.
Malicious activity was a factor in 51 percent of the breaches the report team examined. Attacks resulting from malicious activity tended to be more damaging and more costly: at an average cost of $4.45M, breaches attributed to malicious activity cost $1M more than accidental exposures.
Malicious activity has increased 21 percent over the past 6 years and continues to rise.
Quick breach risk calculation: 3-5% of annual revenue x 3 years
Buying multiple security tools to address cloud and container visibility gaps
Experts estimate that the modern CISO uses somewhere between 55 and 75 discrete security products. A report released by ReliaQuest in December 2019 exposed the consequences of buying individual, stand-alone tools to solve newly discovered security issues or to close gaps in areas like visibility. The report found that respondents felt less secure as a result of having too many tools.
In an environment where staff and budgets are strained, organizations often find they have more tools than they can reasonably manage. Among the businesses surveyed, 71 percent felt they had more tools than the capacity to use them, and the burden of maintaining those tools hampered the security team’s ability to defend against attackers.
Organizations struggling with cloud visibility may have gaps in their security view and be unable to see what is happening across their multiple clouds, their containers, and their workloads. For these challenges, experts encourage security leaders to consider transitioning to a platform that consolidates multiple areas of functionality into one view.
When working with our customers, we find that we are able to eliminate an average of 2-3 tools in an environment, saving organizations the cost of the redundant tool and the care-and-feeding burden that comes with it.
53% of security professionals said the excessive number of security tools in place at their organization adversely impacted their security posture.
As cloud security has evolved, organizations can shed older solutions and methods to avoid wasting time and money, often amounting to tens or even hundreds of thousands of dollars annually.
Relying on CSP native tooling and open source tools for security and compliance needs
Organizations seeking to manage complex cloud environments often consider using CSP native tooling and open source tools to handle their compliance and security needs. While a myriad of CSP tools are available, security leaders have to consider the hidden costs of this approach. With CSP native tools, organizations can build a customized solution of their own design, but that flexibility is a double-edged sword. The cloud-native and open source tool approach can leave underfunded security teams overwhelmed.
“For organizations struggling to fulfill the needs of their security program with their existing staff, creating a comprehensive cloud security approach that works across multiple clouds, containers, and workloads is often difficult. Organizations often underestimate the time it takes to plan, build, and run these systems by 2 or 3x,” said Christine Meyers, Director of Product Marketing at Lacework.
For companies who are considering this approach, keep these three hidden costs in mind:
- The lock-in issue. Using cloud-native tooling means you give up some portability.
- Native benefits are not always there. Using native services can generate a benefit but not always. Be sure to understand what you want to achieve and measure it.
- Features come and go. With frequent updates, constant innovation can surprise you and often requires refactoring.
–Excerpt from ‘When being cloud-native is a bad idea’, David Linthicum, Infoworld
When considering a native tool or open-source approach, account for these costs:
- Time to production: minimally 6 months
- Time to proficiency: estimated 6-12 months
- Time to keep up with vendor change: 2 months per year
The rewards of securing enterprise cloud infrastructure
The positive outcomes benefit the entire enterprise. The cloud has emerged as the operational backbone of modern enterprises, and the advantages of securing your cloud infrastructure lead to enterprise-wide positive business outcomes:
- Accelerate feature velocity
- Reduce the price of compliance
- Reduce remediation cycles
- Reduce the danger of a security incident
- Lower your security budget as you improve outcomes
Source: Lacework