VMblog Expert Interviews: Allure Security Talks Leveraging Unique Document Indicators to Surface Cloud Risks


A Conversation with Salvatore Stolfo, founder and CTO of Allure Security

Salvatore Stolfo, PhD, is the co-founder and chief technology officer of Allure Security, a cybersecurity company built on Stolfo's decades of research in the areas of cyber risk, fraud and intrusion detection, user behavior analytics, artificial intelligence and deception technology. He is also a computer science professor at Columbia University, where he founded the Intrusion Detection Lab. More recently, Stolfo has been focused on research and application of security technology to address digital risks, including securing cloud shares, such as Microsoft OneDrive, and critical corporate IP assets.

VMblog:  Can you give us a sense of the biggest challenges when migrating documents to the cloud?

Salvatore Stolfo:  We've now reached an inflection point at which businesses are migrating to the cloud faster than they can secure the data that lives there. In ESG's recent report, Trends In Cloud Data Security, 27% of IT security leaders surveyed said that they'd moved more than 50% of enterprise data into the cloud; another 31% have moved between 41% and 50% of enterprise data to the cloud. That data includes corporate financial documents, intellectual property such as software source codes and even customer and employee data. Yet, 44% of these leaders still believe that security for on-premise networks is more mature than security for cloud-resident data, and 82% say they place a higher priority on securing on-premises data over cloud-based data. They're concerned that they have lost cloud-resident data, but they aren't able to confirm it with the security tools they have in place.

The areas where enterprises are struggling the most when it comes to securing cloud-resident data is the loss of intellectual property as a result of stolen or mishandled cloud documents. Hackers and insiders are finding more ways to steal credentials and masquerade as legitimate users, and employees are more frequently sharing and collaborating with third-parties via document links without the proper access permissions applied or via unsanctioned collaboration services.

VMblog:  In your view, what are the biggest risks to documents stored in the cloud?

Stolfo:  Link sharing is a major risk that is growing. It's far too easy for users to share an unsecured link that leads to a document stored in a cloud share, while IT teams have no way to monitor where the link has gone and who accesses that link, and what happens to the document once it's been downloaded. Permission-setting mistakes are almost always the result of human error when it comes to link-sharing. Users don't check their security settings unless something goes wrong, or someone from IT alerts them. The sharing of document links without the proper permissions allows unauthorized views and may be visible to automated crawlers that can result in search engine indexing by the bot. These links even turn up in Google searches.

Another major threat to cloud-resident data: masqueraders. These are individuals either inside an organization or external adversaries who have acquired legitimate user credentials and are now free to explore the treasure trove of documents stored in a public cloud, unfettered. On the surface they look like legitimate users who seem to have the proper permissions to access files, but in reality, they're casing the joint, looking for the crown jewels of data to exfiltrate.

VMblog:  Can you give us some examples of specific user behaviors, and what these might indicate in terms of possible security threats?

Stolfo:  For employees who need to access cloud-based documents, the behaviors may include suddenly accessing files that are out of the ordinary, such as documents that aren't needed to do their daily work, or documents that are the domain of another department. Other behaviors that should be flagged and investigated include downloading large volumes of files in bulk. This could be a sign that an employee is preparing to share trade secrets or intellectual property, or that a legitimate user's credentials have been compromised. Another red flag behavior is access to documents from atypical or impermissible geolocations, such as a location where your organization doesn't have an office, or where no employees are traveling. Other behaviors to look out for include changes in device types, renaming of corporate files or changing file extension types. Legitimate users whose credentials have been stolen by masqueraders may upload executable files that could contain malware or spyware. Such uploads are good indicators of credential theft and are clearly risky events.

VMblog:  What are some of the ways security teams can map these behaviors to responses?

Stolfo:  If security teams are seeing risky behaviors, the first step is to investigate the user directly, to learn if they indeed performed the notable events, and then suspend user accounts until the issue is resolved. With some cloud security solutions, IT teams can actually revoke access to files. Sometimes it can be a false alarm, but it's never a waste of time or resources to investigate it. If documents that have been leaked by link sharing are indexed by Google or other crawlers, ask to delete the index and any cached copies. Upon investigation, if your user indicates that they have not, to their knowledge, been uploading executable files or downloading bulk volumes of files, it's likely that they've lost their credentials. The user's account must be suspended and new credentials need to be issued. Any uploads by that user account should be quarantined for investigation. Any downloads by those user accounts are likely examples of specific data loss. My advice is to gather all of the information, including download locations, to investigate the extent of the loss.

I also should note that users often exhibit behavior patterns that can be modeled through machine learning. New applications of AI in security can help organizations establish a normal, or baseline, behavior around cloud-based documents. This can be used to apply AI technology to the flow of business documents, and alert security teams when that baseline has been violated by unusual behavior or activity.

VMblog:  What is the one thing you want enterprises to understand about cloud-share security risks?

Stolfo:  The use of cloud shares isn't going away, because they facilitate easy and fast collaboration. If anything, we're going to see more sensitive and confidential data migrate to the cloud in years to come. But that doesn't mean that productivity has to overrule security. There are ways to protect files stored in and shared from the cloud that can co-exist with the need to share information quickly and easily. One doesn't have to be sacrificed for the other. Any enterprise that is looking to the public cloud as a way to streamline efficiencies and foster collaboration among users must also build a strategic security plan to secure that data.

Step one of that plan is visibility. For example, AI techniques can be applied to public cloud activity log data to look for any unusual behaviors and automate the extraction of key indicators of risk. Just as they did with their on-premises networks, security teams must implement policies and invest in modern, cloud-based monitoring and control mechanisms for the cloud, and then enforce those policies. Without visibility, they cannot know if a policy has been violated until it's too late.
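The red-flag behaviors Stolfo lists (bulk downloads, atypical geolocations, extension changes, executable uploads) and the baseline-driven monitoring of activity logs he recommends can be sketched as a small rule engine. The code below is an added illustration, not Allure Security's product or code; the audit events, user-to-country baseline, thresholds and field layout are all constructed assumptions.

```python
"""Rule-based risk indicators over constructed cloud-share audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumed field layout, not a real export):
# (user, action, path, country, device, ISO-8601 timestamp)
EVENTS = [
    ("alice", "download", "/finance/q2.xlsx", "US", "laptop-01", "2019-07-01T09:00:00"),
    ("alice", "download", "/finance/q3.xlsx", "US", "laptop-01", "2019-07-01T09:01:00"),
    ("bob",   "download", "/eng/design.docx", "US", "laptop-07", "2019-07-01T09:00:00"),
    ("bob",   "upload",   "/eng/update.exe",  "US", "laptop-07", "2019-07-01T09:05:00"),
    ("carol", "download", "/hr/payroll.csv",  "BR", "phone-99",  "2019-07-01T02:00:00"),
    ("carol", "rename",   "/hr/payroll.csv->/hr/payroll.txt", "BR", "phone-99", "2019-07-01T02:01:00"),
] + [("dave", "download", f"/legal/contract{i}.pdf", "US", "laptop-03",
      f"2019-07-01T10:{i:02d}:00") for i in range(25)]

# Assumed per-user baseline: countries each user normally works from.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US", "GB"}}
EXEC_EXTS = {".exe", ".dll", ".bat", ".ps1", ".scr"}
BULK_THRESHOLD, BULK_WINDOW = 20, timedelta(minutes=30)   # assumed tuning values


def find_risky_events(events, baseline=BASELINE_COUNTRIES):
    """Return {user: set(indicator)} for the behaviours called out in the interview."""
    flags = defaultdict(set)
    downloads = defaultdict(list)          # per-user download timestamps
    for user, action, path, country, _device, ts in events:
        when = datetime.fromisoformat(ts)
        # Access from a country outside the user's baseline.
        if country not in baseline.get(user, set()):
            flags[user].add("atypical_geolocation")
        # Upload of an executable into the share.
        if action == "upload" and any(path.lower().endswith(e) for e in EXEC_EXTS):
            flags[user].add("executable_upload")
        # Rename that changes the file extension.
        if action == "rename":
            old, new = path.split("->")
            if old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower():
                flags[user].add("extension_change")
        # Bulk download: BULK_THRESHOLD or more downloads inside a sliding window.
        if action == "download":
            downloads[user].append(when)
            recent = [t for t in downloads[user] if when - t <= BULK_WINDOW]
            if len(recent) >= BULK_THRESHOLD:
                flags[user].add("bulk_download")
    return dict(flags)
```

Each indicator is a trigger for the investigation-then-suspend workflow described above, not an automatic verdict; the baseline and thresholds would normally be learned from each user's history rather than hard-coded.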


Published Monday, July 01, 2019 7:35 AM by David Marshall