A Conversation with
Salvatore Stolfo, founder and CTO of Allure Security
Salvatore Stolfo, PhD, is the co-founder and chief
technology officer of Allure Security, a cybersecurity company built on
Stolfo's decades of research in the areas of cyber risk, fraud and intrusion
detection, user behavior analytics, artificial intelligence and deception
technology. He is also a computer science professor at Columbia University,
where he founded the Intrusion Detection Lab. More recently, Stolfo has been
focused on research and application of security technology to address digital
risks, including securing cloud shares, such as Microsoft OneDrive, and
critical corporate IP assets.
VMblog: Can you give us a sense of the biggest challenges
when migrating documents to the cloud?
Salvatore Stolfo: We've now reached an
inflection point at which businesses are migrating to the cloud faster than
they can secure the data that lives there. In ESG's recent report, Trends In
Cloud Data Security, 27% of IT security leaders surveyed said that they'd moved
more than 50% of enterprise data into the cloud; another 31% have moved between
41% and 50% of enterprise data to the cloud. That data includes corporate
financial documents, intellectual property such as software source code and
even customer and employee data. Yet, 44% of these leaders still believe that
security for on-premises networks is more mature than security for
cloud-resident data, and 82% say they place a higher priority on securing
on-premises data over cloud-based data. They're concerned that they have lost
cloud-resident data, but they aren't able to confirm it with the security tools
they have in place.
The areas where
enterprises are struggling the most when it comes to securing cloud-resident
data is the loss of intellectual property as a result of stolen or mishandled
cloud documents. Hackers and insiders are finding more ways to steal
credentials and masquerade as legitimate users, and employees are more
frequently sharing and collaborating with third-parties via document links
without the proper access permissions applied or via unsanctioned collaboration
services.
VMblog: In your view, what are the biggest risks to
documents stored in the cloud?
Stolfo: Link sharing is a
major risk that is growing. It's far too easy for users to share an unsecured
link that leads to a document stored in a cloud share, while IT teams have no
way to monitor where the link has gone and
who accesses that link, and what happens to the document once it's been
downloaded. Permission-setting mistakes are almost always the result of human
error when it comes to link-sharing. Users don't check their security settings
unless something goes wrong, or someone from IT alerts them. The sharing of
document links without the proper permissions allows unauthorized views and may
be visible to automated crawlers that can result in search engine indexing by
the bot. These links even turn up in Google searches.
Another major threat
to cloud-resident data: masqueraders. These are individuals either inside an
organization or external adversaries who have acquired legitimate user
credentials and are now free to explore the treasure trove of documents stored
in a public cloud, unfettered. On the surface they look like legitimate users
who seem to have the proper permissions to access files, but in reality,
they're casing the joint, looking for the crown jewels of data to exfiltrate.
VMblog: Can you give us some examples of specific user
behaviors, and what these might indicate in terms of possible security
threats?
Stolfo: For employees who
need to access cloud-based documents, the behaviors may include suddenly
accessing files that are out of the ordinary, such as documents that aren't
needed to do their daily work, or documents that are the domain of another
department. Other behaviors that should be flagged and investigated include
downloading large volumes of files in bulk. This could be a sign that an
employee is preparing to share trade secrets or intellectual property, or that
a legitimate user's credentials have been compromised. Another red flag
behavior is access to documents from atypical or impermissible geolocations,
such as a location where your organization doesn't have an office, or where no
employees are traveling. Other behaviors to look out for include changes in
device types, renaming of corporate files or changing file extension types.
Legitimate users whose credentials have been stolen by masqueraders may upload
executable files that could contain malware or spyware. Such uploads are good
indicators of credential theft and are clearly risky events.
VMblog: What are some of the ways security teams can map
these behaviors to responses?
Stolfo: If security teams are
seeing risky behaviors, the first step is to investigate the user directly, to
learn if they indeed performed the notable events, and then suspend user
accounts until the issue is resolved. With some cloud security solutions, IT
teams can actually revoke access to files. Sometimes it can be a false alarm,
but it's never a waste of time or resources to investigate it. If documents
that have been leaked by link sharing are indexed by Google or other crawlers,
ask to delete the index and any cached copies. Upon investigation, if your user
indicates that they have not, to their knowledge, been uploading executable
files or downloading bulk volumes of files, it's likely that they've lost their
credentials. The user's account must be suspended and new credentials need to
be issued. Any uploads by that user account should be quarantined for
investigation. Any downloads by those user accounts are likely examples of
specific data loss. My advice is to gather all of the information, including
download locations, to investigate the extent of the loss.
I also should note
that users often exhibit behavior patterns that can be modeled through machine
learning. New applications of AI in security can help organizations establish a
normal, or baseline, behavior around cloud-based documents. This can be used to
apply AI technology to the flow of business documents, and alert security teams
when that baseline has been violated by unusual behavior or activity.
VMblog: What is the one thing you want enterprises to understand
about cloud-share security risks?
Stolfo: The use of cloud
shares isn't going away, because they facilitate easy and fast collaboration.
If anything, we're going to see more sensitive and confidential data migrate to
the cloud in years to come. But that doesn't mean that productivity has to
overrule security. There are ways to protect files stored in and shared from
the cloud that can co-exist with the need to share information quickly and
easily. One doesn't have to be sacrificed for the other. Any enterprise that is
looking to the public cloud as a way to streamline efficiencies and foster
collaboration among users must also build a strategic security plan to secure
that data.
Step one of that plan
is visibility. For example, AI techniques can be applied to public cloud
activity log data to look for any unusual behaviors and automate the extraction
of key indicators of risk. Just as they did with their on-premises networks,
security teams must implement policies and invest in modern, cloud-based
monitoring and control mechanisms for the cloud, and then enforce those
policies. Without visibility, they cannot know if a policy has been violated
until it's too late.
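As an added example (not from the interview, and not Allure Security's product), the following rule-based detector maps the behaviours Stolfo lists above (bulk downloads, atypical geolocations, device changes, out-of-department access, executable uploads, file-extension changes) to indicators over constructed cloud-share audit events; the per-user baselines, the event schema, the folder layout and the bulk threshold are assumptions.

```python
from collections import Counter

EXECUTABLE_EXTS = {"exe", "dll", "scr", "bat", "ps1"}

# Constructed per-account baseline (an assumption): where, from what device, and
# in which department's folders each user normally works.
BASELINES = {
    "alice": {"countries": {"US"}, "devices": {"win-laptop"}, "departments": {"finance"}},
    "bob": {"countries": {"US", "DE"}, "devices": {"macbook"}, "departments": {"engineering"}},
}

def ext_of(path):
    """File extension, lower-cased, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(events, baselines=BASELINES, bulk_threshold=5):
    """Map audit events to risk indicators; returns de-duplicated (user, indicator, detail) tuples."""
    findings = []
    def flag(user, indicator, detail):
        item = (user, indicator, detail)
        if item not in findings:
            findings.append(item)
    # Bulk download: many downloads by one account within the examined window.
    for user, n in Counter(e["user"] for e in events if e["action"] == "download").items():
        if n >= bulk_threshold:
            flag(user, "bulk_download", f"{n} files")
    for e in events:
        base = baselines[e["user"]]
        if e["country"] not in base["countries"]:
            flag(e["user"], "atypical_geolocation", e["country"])
        if e["device"] not in base["devices"]:
            flag(e["user"], "device_change", e["device"])
        if e["file"].split("/")[1] not in base["departments"]:   # assumed layout: /<dept>/<file>
            flag(e["user"], "out_of_department_access", e["file"])
        if e["action"] == "upload" and ext_of(e["file"]) in EXECUTABLE_EXTS:
            flag(e["user"], "executable_upload", e["file"])
        if e["action"] == "rename" and ext_of(e["file"]) != ext_of(e["new_file"]):
            flag(e["user"], "extension_change", f'{e["file"]} -> {e["new_file"]}')
    return findings

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "download", "file": f"/finance/report{i}.xlsx", "country": "US", "device": "win-laptop"}
    for i in range(5)
] + [
    {"user": "alice", "action": "download", "file": "/engineering/src.zip", "country": "RO", "device": "android"},
    {"user": "bob", "action": "upload", "file": "/engineering/update.exe", "country": "DE", "device": "macbook"},
    {"user": "bob", "action": "rename", "file": "/engineering/design.docx", "new_file": "/engineering/design.txt", "country": "US", "device": "macbook"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one bulk-download finding for alice plus one finding per deviating event; each finding is a starting point for the investigate-then-suspend response described above, not a verdict on its own.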