5 Use Cases Optimized Data Lifecycle Security From Endpoint to Network to Cloud

Office 365 and Box are some of the most common places where organizations store most of their sensitive cloud data. Where do you store your data in the cloud? McAfee dives into 5 use cases of malicious cloud data theft.

Content Summary

Threat Case 1: Insider Accidental Policy Violation
Threat Case 2: Data Exfiltration Through Database Access
Threat Case 3: Data Exfiltration with Malware and SSL
Threat Case 4: Data Exfiltration via Unknown Application
Threat Case 5: Malicious Insider Data Theft
Conclusion and Recommendations

To be maximally effective, data protection has to be everywhere, from the server to the endpoint, at the office and at home, throughout the cloud and across the web. This data protection must be able to detect threats from any vector, automatically prevent as many attacks as possible, and provide actionable information to facilitate prioritization and response.

At the same time, organizations need centralized visibility and control over their data wherever it may be. They need control that enables granular categorization and policy application depending on a variety of attributes, not just user credentials. Consideration must be given to the user’s location, the application in use, the actions relative to the category of data, and the possibility of malicious code, among others.

With the typical collection of discrete point products operating in isolation, this combination of pervasive protection and centralized control may be possible, but it is difficult to manage consistent policies across all environments. Even if they are “best of breed,” there are too many manual interactions required—from attack to detection to response—for the overall result to be timely and effective. As a result, security defenses tend to be locked down too tightly and negatively impact business workflows, or they may be too open and consume too many resources remediating attacks and compromised systems. These types of security operations are often driven by regulatory compliance or operate in a continual fire-fighting mode in reaction to the latest breach.

The more effective alternative is an integrated security solution that delivers interoperable data protection across all endpoint, network, and cloud environments. Orchestrated management provides centralized visibility of all data storage locations and appropriate policy control of sensitive data. Together, integrated security reduces the risk of data loss and helps improve the maturity of security processes. Reactive operations are the lower end of the security maturity model and cannot keep up with the volume, speed, and sophistication of today’s threats. Only an optimized proactive security process that is aligned with the needs and objectives of the business can effectively manage these risks.

This article reviews five use cases, ranging from accidental policy violations by an insider to malicious thefts by unknown applications or stolen credentials, and presents the measurable benefits of an integrated security solution and the capabilities of pervasive data protection.

Figure: Security maturity model

Threat Case 1: Insider Accidental Policy Violation

This initial example is a foundational one, which can happen at any organization at any time. In this case, a user with privileged access to sensitive data tries to move some files outside of the organization’s trusted environment, perhaps to share with a partner or to work on from a home computer. While the intent is not malicious, the data should still not be allowed out.

The user’s first attempt is to send an email to an external address with sensitive data in the attachments. The email is blocked within 0:34 seconds by the McAfee DLP Endpoint system, and the first alert is sent to security operations.

The user’s second try is to copy the sensitive files to a USB drive. McAfee DLP Endpoint blocks the attempted file copy within 0:22 seconds, and the second alert is sent to security operations.

The user’s third effort is to move the sensitive files to a cloud drive by copying them to a synchronized directory on the local machine. McAfee DLP Endpoint is not fooled by this trick, blocks the attempted copy within 0:22 seconds, and the third alert is sent to security operations.

In security operations, the third alert is correlated by McAfee Enterprise Security Manager, which raises the threat level of this activity within a few minutes. A security analyst uses a feature called “look around” to investigate past activity related to the alert, to help quickly determine the intent.

Given the sensitive nature of the activity, McAfee Enterprise Security Manager, through McAfee ePolicy Orchestrator® (McAfee ePO™) software, automatically applies increased security policies within 0:31 seconds to the host firewall to restrict any further attempts.

As the security analyst reviews the relevant information, it is determined in just over a minute that, whether intentional or accidental, the activity of repeatedly trying to exfiltrate the same data needs to be stopped. Actionable commands are available directly from McAfee Enterprise Security Manager that send instructions to McAfee ePO to isolate the user.
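The escalation step described above, three blocks on the same data by one user within minutes, is a correlation rule. The following is an added example of such a rule, written for this article and not McAfee Enterprise Security Manager code; the alert fields, the threshold of three blocks in a ten-minute window, the action names and the sample timeline are assumptions constructed to mirror the case.

```python
"""Escalate repeated DLP blocks on the same data by the same user.

Added example (not vendor code). Event shape, thresholds and action
names are assumptions; SAMPLE_ALERTS is a constructed timeline that
follows the 0:34 / 0:22 / 0:22 sequence in the text.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class DlpAlert:
    ts: float           # seconds since scenario start (constructed)
    user: str
    channel: str        # "email", "usb" or "cloud_sync"
    data_tag: str       # classification of the data that was blocked
    action: str = "blocked"


@dataclass
class Escalation:
    user: str
    severity: str
    actions: List[str] = field(default_factory=list)
    note: str = ""


class RepeatedExfilRule:
    """Raise the threat level when one user accumulates `threshold` blocks
    on the same data tag inside a sliding window of `window` seconds."""

    def __init__(self, threshold: int = 3, window: float = 600.0):
        self.threshold = threshold
        self.window = window
        self._hist: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)

    def observe(self, alert: DlpAlert) -> Optional[Escalation]:
        if alert.action != "blocked":       # only enforcement events count
            return None
        hist = self._hist[(alert.user, alert.data_tag)]
        hist.append((alert.ts, alert.channel))
        while hist and alert.ts - hist[0][0] > self.window:
            hist.popleft()                  # expire events outside the window
        if len(hist) < self.threshold:
            return None
        channels = sorted({c for _, c in hist})
        actions = ["tighten_host_firewall"]
        # The same data pushed through several channels reads as deliberate
        # circumvention rather than a one-off mistake: contain the host.
        if len(channels) >= 2:
            severity = "high"
            actions += ["isolate_host", "revoke_sensitive_access"]
        else:
            severity = "medium"
        note = (f"{len(hist)} blocks on {alert.data_tag} data via "
                f"{', '.join(channels)} within {self.window:.0f}s")
        return Escalation(alert.user, severity, actions, note)


# Constructed sample: alice tries email, USB, then cloud sync with the same
# Confidential data; bob's single block and a monitor-only event are noise.
SAMPLE_ALERTS = [
    DlpAlert(34, "alice", "email", "Confidential"),
    DlpAlert(56, "alice", "usb", "Confidential"),
    DlpAlert(60, "bob", "usb", "Internal"),
    DlpAlert(78, "alice", "cloud_sync", "Confidential"),
    DlpAlert(90, "alice", "email", "Confidential", action="monitored"),
]


def run(alerts: List[DlpAlert], rule: Optional[RepeatedExfilRule] = None) -> List[Escalation]:
    """Feed alerts in time order and collect the escalations produced."""
    rule = rule or RepeatedExfilRule()
    out = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        esc = rule.observe(alert)
        if esc:
            out.append(esc)
    return out


if __name__ == "__main__":
    for esc in run(SAMPLE_ALERTS):
        print(esc)
```

The window matters: the same three blocks spread over hours would not trip the rule, which is why the analyst's "look around" review still has a role for slow, patient attempts.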

Figure: Optimized Security Process for Insider Accidental Policy Violation

Both McAfee Endpoint Security and McAfee Host Intrusion Prevention receive the notification from McAfee ePO software to isolate the user’s machine and remove their access to sensitive data, and complete the containment within 1:25.

Optimized security process: Data contained. Total elapsed time: 7 minutes, 31 seconds.

Figure: Reactive Security Process for Insider Accidental Policy Violation

Threat Case 2: Data Exfiltration Through Database Access

This second example is at the operational maturity level, and, while perhaps not as common as an accidental policy violation, it could still happen in most organizations. In this case, a user with malicious intent and privileged access to sensitive data accesses a database and attempts to send data to an external cloud service. The motivation could be monetary, activism, or revenge and will likely cause some financial and reputational damage if the thief is successful.

The user employs their privileged credentials to access a sensitive database and send the query result to an external cloud service. In this case, the file is not being directed to the user’s own computer, so it is the McAfee DLP Network function, not the endpoint system, that intercepts the theft. The classified data is detected by the McAfee DLP Network, which sees that the destination is external and that the transmission is not encrypted, contrary to policy. Within 0:48 seconds, the transfer is stopped and an alert sent to security operations.
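The network DLP decision above combines three checks: is the content classified, is the destination external, and is the channel encrypted. Below is an added example of that decision logic for a single outbound transfer, written for this article rather than taken from McAfee DLP Network; the corporate address ranges, the sanctioned cloud address, the classification markers, the card-number detector and the sample transfers are all assumptions constructed for illustration.

```python
"""Outbound transfer policy: classified content, destination, encryption.

Added example (not vendor code). INTERNAL_NETS, SANCTIONED_DESTS, the
marker words and SAMPLE_TRANSFERS are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed corporate address space and one contracted cloud service
# (203.0.113.0/24 is a documentation range, used here as a placeholder).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SANCTIONED_DESTS = {ipaddress.ip_address("203.0.113.10")}

MARKER_RE = re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b")   # classification stamps
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")             # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(payload: str) -> Set[str]:
    """Return the classification findings present in a transfer payload."""
    findings: Set[str] = set()
    if MARKER_RE.search(payload):
        findings.add("classification_marker")
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.add("card_number")
            break
    return findings


@dataclass
class Transfer:
    src_ip: str
    dst_ip: str
    encrypted: bool      # True when the channel was TLS-protected
    payload: str         # content as seen by the DLP sensor (cleartext)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(t: Transfer) -> Tuple[str, str]:
    """Policy (assumed): classified data may leave only encrypted and only
    to a sanctioned destination; anything else is blocked and alerted."""
    findings = classify(t.payload)
    if not findings:
        return "allow", "no classified content"
    tags = ",".join(sorted(findings))
    if is_internal(t.dst_ip):
        return "allow", f"classified ({tags}) to internal destination"
    if not t.encrypted:
        return "block", f"classified ({tags}) to external host in cleartext"
    if ipaddress.ip_address(t.dst_ip) in SANCTIONED_DESTS:
        return "allow_audit", f"classified ({tags}) to sanctioned service over encrypted channel"
    return "block", f"classified ({tags}) to unsanctioned external host"


# Constructed sample transfers; 4111 1111 1111 1111 is a standard test number.
EXPORT = "CONFIDENTIAL customer export\n4111 1111 1111 1111\n"
SAMPLE_TRANSFERS = [
    Transfer("10.0.5.12", "198.51.100.7", False, EXPORT),            # case in the text
    Transfer("10.0.5.12", "10.0.9.3", False, EXPORT),                # stays internal
    Transfer("10.0.5.12", "198.51.100.7", False, "Order 1234 5678 1234 5678 shipped"),
    Transfer("10.0.5.12", "203.0.113.10", True, EXPORT),             # sanctioned, encrypted
    Transfer("10.0.5.12", "198.51.100.7", True, EXPORT),             # encrypted but unsanctioned
]


def run(transfers: List[Transfer] = SAMPLE_TRANSFERS) -> List[Tuple[str, str]]:
    return [decide(t) for t in transfers]


if __name__ == "__main__":
    for t, (verdict, why) in zip(SAMPLE_TRANSFERS, run()):
        print(f"{t.dst_ip:<14} {verdict:<12} {why}")
```

The third sample shows why the Luhn check is worth the extra lines: a shipping reference that happens to be sixteen digits is not a card number, and a sensor that blocks on digit count alone is the kind of over-tight policy the introduction warns about.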

A database activity monitor notes the unauthorized activity and raises the threat level of the event within a few minutes. The event is assigned to a security analyst, who begins to investigate by using the “look around” feature to examine the user’s recent activities.

Given the sensitive nature of the activity, McAfee Enterprise Security Manager, through McAfee ePO software, automatically applies increased security policies within 0:31 seconds to the host firewall to restrict any further attempts.

Figure: Optimized Security Process for Data Exfiltration Through Database Access

Less than two minutes later, the analyst concludes that the user’s actions are unlikely to be legitimate, and takes steps to block further access by this user. Commands are sent to McAfee ePO software to remove the user’s access to privileged data.

McAfee Endpoint Security and McAfee Host Intrusion Prevention receive the notification from McAfee ePO software and take actions, removing the user’s access rights and isolating their machine, completing their actions within 2:33.

Optimized security process: Data contained. Total elapsed time: 7 minutes and 43 seconds.

Figure: Reactive Security Process for Data Exfiltration Through Database Access

Threat Case 3: Data Exfiltration with Malware and SSL

The third case is a classic malware infection. In this example, malware installed by a spear-phishing email is used to access a sensitive database. After collecting the data, it attempts to exfiltrate the file over an encrypted SSL channel in an effort to get past the McAfee DLP Network functions that scan for classified data.

The McAfee Web Gateway has SSL scanning enabled, decrypts the attempted transmission, and passes it to McAfee DLP Network. McAfee DLP Network identifies the classified data contained in the transmission, blocks the connection within 0:28 seconds, and sends an alert.

Within a couple of minutes, this event is brought to the attention of a security analyst, who begins to investigate immediately.

In the meantime, the firewall temporarily blocks access from this user’s computer within 0:51 seconds.

The security investigation pivots on the user’s history looking for further suspicious activity. McAfee Database Activity Monitor and McAfee Network DLP provide the necessary information, and the analyst locates the suspicious file that is the likely source of malware.

In a little over a minute, the suspicious file is located, retrieved using McAfee Active Response and sent to McAfee Advanced Threat Defense, whose sandbox functions can quickly execute the file, analyze the code, and provide a pass or a conviction.

Figure: Optimized Security Process for Data Exfiltration with Malware and SSL

McAfee Advanced Threat Defense convicts the file within 3:36 and uses OpenDXL to notify McAfee Threat Intelligence Exchange, which passes the file reputation information on to other security defenses.

Using backtrace, the security analyst locates other systems that have this file or have exhibited similar behavior within a minute.

Endpoint systems, informed of the malicious file and its related malware attributes, remediate any infected hosts within 0:46 seconds.

One minute later, endpoint systems and firewalls also block access to the host that was the source of the malware and the command and control server.

Optimized security process: Data contained. Total elapsed time: 12 minutes and 48 seconds.

Figure: Reactive Security Process for Data Exfiltration with Malware and SSL

Threat Case 4: Data Exfiltration via Unknown Application

The fourth case is a more sophisticated attack, involving an application that has been legitimately installed on the user’s computer. In this example, the unknown application performs a potentially legitimate function, but also has malicious code hidden inside.

When the unknown app attempts to access a sensitive database, McAfee DLP Endpoint on its own would allow it.

However, McAfee DLP Endpoint queries McAfee Threat Intelligence Exchange and, within 0:20 seconds, because it has no reputation information at all on this application, temporarily blocks access and sends an alert.

Security operations receives the alert, initially set at a moderate priority, within a few minutes. The analyst waits for the collaborative tools to complete their analysis.

In the meantime, the host firewall adds an application rule that temporarily blocks access from this app within 0:41 seconds. The McAfee DLP Endpoint policy is updated to block this application from accessing sensitive data.

The security investigation pivots on the user’s history looking for information on the installation of the unknown application and any other suspicious activity.

In a little over a minute, the executable for the suspicious app is sent to McAfee Advanced Threat Defense, whose sandbox functions can quickly execute the file, analyze the code, and provide a pass or a conviction.

Figure: Optimized Security Process for Data Exfiltration via Unknown Application

McAfee Advanced Threat Defense convicts the file within 3:22 and uses OpenDXL to notify McAfee Threat Intelligence Exchange, which passes the file reputation information on to other security defenses.

Using backtrace, the security analyst locates other systems that have this file or have exhibited similar behavior within a couple of minutes.

Endpoint systems, informed of the malicious file and its related attributes, remediate the infected hosts in a minute and a half.

Upon conviction, McAfee Advanced Threat Defense notifies Threat Intelligence Exchange of the file’s reputation and attributes, blocking any further installation attempts.
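Threat Cases 3 and 4 share one mechanism: a file with no reputation is held rather than trusted, a sandbox verdict is published to a shared reputation service, and every subscribed defense acts on it without a second lookup. The following added example models that exchange end to end; it is written for this article and is not McAfee Threat Intelligence Exchange, Advanced Threat Defense or OpenDXL code. The sandbox is a deterministic stand-in that convicts on a constructed marker string, and the file bytes, paths and subscriber interface are assumptions.

```python
"""Reputation lookup with fail-closed default and conviction propagation.

Added example (not vendor code). The Sandbox class only pretends to
analyze: it convicts when a constructed marker is present so the flow is
reproducible. Hashes, paths and file contents are constructed.
"""
import hashlib
from typing import Callable, Dict, List

UNKNOWN, TRUSTED, MALICIOUS = "unknown", "trusted", "malicious"


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class ReputationExchange:
    """Shared verdict store with publish/subscribe fan-out to defenses."""

    def __init__(self) -> None:
        self._verdicts: Dict[str, str] = {}
        self._subscribers: List[Callable[[str, str, str], None]] = []

    def subscribe(self, callback: Callable[[str, str, str], None]) -> None:
        self._subscribers.append(callback)

    def lookup(self, digest: str) -> str:
        return self._verdicts.get(digest, UNKNOWN)

    def publish(self, digest: str, verdict: str, source: str) -> None:
        self._verdicts[digest] = verdict
        for cb in self._subscribers:          # every endpoint learns at once
            cb(digest, verdict, source)


class Sandbox:
    """Stand-in for detonation analysis (assumption: marker-based verdict)."""

    def __init__(self, exchange: ReputationExchange) -> None:
        self.exchange = exchange

    def analyze(self, blob: bytes) -> str:
        verdict = MALICIOUS if b"EXFIL_STAGER" in blob else TRUSTED
        self.exchange.publish(sha256(blob), verdict, "sandbox")
        return verdict


class EndpointAgent:
    """Endpoint that consults the exchange before letting a binary touch
    sensitive data, and quarantines on a published conviction."""

    def __init__(self, name: str, exchange: ReputationExchange) -> None:
        self.name = name
        self.exchange = exchange
        self.inventory: Dict[str, str] = {}   # digest -> local path
        self.quarantined: List[str] = []
        self.pending: List[str] = []          # digests held awaiting a verdict
        exchange.subscribe(self.on_verdict)

    def install(self, path: str, blob: bytes) -> None:
        self.inventory[sha256(blob)] = path

    def request_access(self, digest: str, resource: str) -> str:
        verdict = self.exchange.lookup(digest)
        if verdict == TRUSTED:
            return "allow"
        if verdict == MALICIOUS:
            return "deny"
        # No reputation at all: fail closed for sensitive resources and
        # hold the binary until the sandbox reports (Threat Case 4).
        self.pending.append(digest)
        return "hold"

    def on_verdict(self, digest: str, verdict: str, source: str) -> None:
        if digest in self.pending:
            self.pending.remove(digest)
        if verdict == MALICIOUS and digest in self.inventory:
            self.quarantined.append(self.inventory.pop(digest))


def scenario() -> Dict[str, object]:
    """Unknown app on two hosts: hold, convict, propagate, deny."""
    exchange = ReputationExchange()
    sandbox = Sandbox(exchange)
    hr_laptop = EndpointAgent("hr-laptop", exchange)
    finance_pc = EndpointAgent("finance-pc", exchange)
    app = b"helper-tool-v1 EXFIL_STAGER"              # constructed file bytes
    hr_laptop.install(r"C:\Tools\helper.exe", app)
    finance_pc.install(r"C:\Tools\helper.exe", app)   # same binary elsewhere
    digest = sha256(app)
    first = hr_laptop.request_access(digest, "hr_db")  # no reputation -> hold
    verdict = sandbox.analyze(app)                     # conviction published
    after = hr_laptop.request_access(digest, "hr_db")  # now denied
    return {"first": first, "verdict": verdict, "after": after,
            "finance_quarantined": list(finance_pc.quarantined),
            "hr_pending": list(hr_laptop.pending)}


if __name__ == "__main__":
    print(scenario())
```

The point the text makes about "backtrace" falls out of the inventory: the second host never asked about the file, yet it quarantines it the moment the conviction is published, because the verdict is keyed on the hash rather than on the host that submitted it.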

Optimized security process: Data contained. Total elapsed time: 14 minutes and 25 seconds.

Figure: Reactive Security Process for Data Exfiltration via Unknown Application

Threat Case 5: Malicious Insider Data Theft

The fifth case is an intentional and malicious attempt at data theft by a privileged insider. In this example, the user is aware of the restrictions placed on their actions, and attempts to circumvent the rules by downgrading the classification of the file and then copying it to a cloud service without the required encryption.

A partner application from TITUS, which enables users to classify, protect, and confidently share data with authorized and appropriate individuals, identifies the file downgrade and informs the other security defenses via OpenDXL.

When the user attempts to copy the now declassified file to the cloud service, McAfee DLP Endpoint is already aware of the downgrade and blocks the file copy within 0:44 seconds, and sends an alert to security operations.

Security operations were already aware of the file downgrade from the OpenDXL notification, which is correlated with the attempted copy outside of the organization. The incident priority is increased, triggering an investigation within a few minutes.
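The defence in this case rests on the classification history of the file, not just its current label: a downgrade is recorded, and the later copy is judged against the highest label the file ever carried. The following added example implements that tracker; it is written for this article and is not TITUS or McAfee code. The label ordering, the one-hour downgrade window, the event shapes and the sample sequence are assumptions constructed to follow the case.

```python
"""Sticky classification: detect downgrade followed by external copy.

Added example (not vendor code). LEVELS, the window, the event shapes
and the scenario timeline are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass
class Downgrade:
    file_id: str
    user: str
    old: str
    new: str
    ts: float


@dataclass
class FileState:
    current: str
    peak: str                        # highest label ever applied (enforced)
    downgrades: List[Downgrade] = field(default_factory=list)


class ClassificationTracker:
    def __init__(self, downgrade_window: float = 3600.0) -> None:
        self.files: Dict[str, FileState] = {}
        self.window = downgrade_window

    def on_label(self, file_id: str, label: str, user: str, ts: float) -> Optional[Downgrade]:
        """Record a (re)labelling event; return a Downgrade if the label fell."""
        if label not in LEVELS:
            raise ValueError(f"unknown label {label!r}")
        st = self.files.get(file_id)
        if st is None:
            self.files[file_id] = FileState(label, label)
            return None
        event = None
        if LEVELS[label] < LEVELS[st.current]:
            event = Downgrade(file_id, user, st.current, label, ts)
            st.downgrades.append(event)
        st.current = label
        if LEVELS[label] > LEVELS[st.peak]:
            st.peak = label
        return event

    def on_copy(self, file_id: str, user: str, destination: str,
                encrypted: bool, ts: float) -> Tuple[str, str, str]:
        """Judge a copy against the peak label. destination is 'internal'
        or 'cloud'. Returns (decision, priority, reason)."""
        st = self.files.get(file_id)
        effective = st.peak if st else "Internal"     # unlabelled: assume Internal
        recent = [d for d in (st.downgrades if st else []) if ts - d.ts <= self.window]
        # A downgrade by the same user shortly before the copy is the
        # circumvention pattern of the case: raise the incident priority.
        priority = "high" if any(d.user == user for d in recent) else "normal"
        ctx = (f" (label downgraded {recent[-1].old}->{recent[-1].new} by {recent[-1].user})"
               if recent else "")
        if destination == "internal":
            return "allow", "normal", f"{effective} data moved internally"
        if LEVELS[effective] >= LEVELS["Restricted"]:
            return "block", priority, f"{effective} data may not leave the organization{ctx}"
        if LEVELS[effective] >= LEVELS["Confidential"] and not encrypted:
            return "block", priority, f"{effective} data to {destination} without encryption{ctx}"
        return "allow", "normal", f"{effective} data to {destination}" + (" encrypted" if encrypted else "")


def scenario() -> Dict[str, object]:
    """Constructed timeline: owner labels f1 Confidential, mallory relabels
    it Public and 44 seconds later copies it to a cloud service in the clear."""
    t = ClassificationTracker()
    t.on_label("f1", "Confidential", "owner", ts=0)
    t.on_label("f2", "Public", "owner", ts=10)
    downgrade = t.on_label("f1", "Public", "mallory", ts=100)
    return {
        "downgrade": downgrade,
        "f1_cloud_plain": t.on_copy("f1", "mallory", "cloud", False, ts=144),
        "f1_cloud_enc": t.on_copy("f1", "mallory", "cloud", True, ts=150),
        "f1_internal": t.on_copy("f1", "mallory", "internal", False, ts=151),
        "f2_cloud": t.on_copy("f2", "owner", "cloud", False, ts=160),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Judging against the peak label is the design choice that makes the downgrade useless to the insider: the relabel is recorded and raises priority, but even without it the copy would still be evaluated as Confidential.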

Figure: Optimized Security Process for Malicious Insider Data Theft

The firewall follows the configured policies, and temporarily restricts access by the user’s device in less than a minute.

Security operations begins their investigation of the user’s actions, reviewing their profile, privileges, and recent activity.

Within a few minutes, the analyst determines that the user’s actions are unauthorized, and that the intent is probably malicious. Commands are sent to McAfee ePO software to isolate the user and remove their privileges to sensitive or encrypted data.

Less than two minutes later, the user’s privileges have been revoked, and their computer is isolated from the network.

Optimized security process: Data contained. Total elapsed time: 10 minutes and 59 seconds.

Figure: Reactive Security Process for Malicious Insider Data Theft

Conclusion and Recommendations

The contrasts between reactive and optimized security processes are substantial, especially when it comes to preventing infections and data loss, instead of merely detecting them after the damage has been done.

In reactive mode, security operations teams are typically investigating incidents days or even weeks after they have happened, often focused more on the need to comply with privacy and security regulations than effectively managing the risks. Security technologies operate in silos, and analysis and correlation of events is largely manual and time consuming. Compensating for this with restrictive policies results in delays and disruption of standard business processes.

In proactive mode, investigations happen more quickly, perhaps within hours of an incident being prioritized. Security operations armed with threat intelligence can identify some attacks as or before they happen and contain many accidental incidents and basic malware infections. Unfortunately, the speed and sophistication of cyberattacks means they are still allowing data to slip out of the organization.

In optimized mode, integrated security technologies, automated analysis, and intelligence sharing can prevent and detect sophisticated multistage attacks within minutes. Analytics-driven security operations aided by single-pane management views can quickly identify internal or external threat indicators and unauthorized access attempts. Orchestrated management of policy control and data storage locations secures data wherever it goes, resulting in fewer disruptions to business processes.

Pervasive data protection enables organizations to rapidly move their security operations from reactive or proactive to optimized. Common data classifications, rules, and policies allow organizations to effectively control their data, maintain compliance, and demonstrate data sovereignty. Centralized, single-pane-of-glass consoles provide the big picture, while also enabling quick drill-down into prioritized incidents. Integration with multiple operating systems, devices, and cloud applications delivers stronger security for public and private cloud services. Interoperable encryption services protect data regardless of location. Open communication protocols enable a broad ecosystem of security products to rapidly share information and effectively collaborate against known and emerging threats. Data protection is no longer just a technical problem; it is now a risk management activity that must be an integral part of business processes, and pervasive data protection is an essential component.

Source: McAfee