For many organizations, Cloud Computing and the use of Cloud applications is the new norm. Employees are accessing their email and files while on the road—using both personal and business devices—because the Cloud makes data available from anywhere there is an internet connection.
At the same time, organizations are falling victim to high-profile data breaches, exposing employee and customer personally identifiable information (PII) and payment card industry (PCI) data. This data is now being used by hackers in account takeover attacks, phishing schemes and more. This means that the same Cloud applications giving employees the freedom to work and access company data from anywhere now pose a problem for traditional security techniques. A “secure perimeter” is a thing of the past. Companies are instead adopting what many in the security industry call a zero trust security model.
A zero trust model means exactly what it says — trust no one. Initially penned by Forrester in 2010, zero trust is centered on the core concept of “never trust, always verify,” with the goal of removing internal “trusted” zones within an organization. Zero trust focuses its approach around user identity with methods such as Single SignOn (SSO) and/or Multi-Factor Authentication (MFA). However, it’s been well documented that most data breaches are caused by internal threats and human error.
Now, organizations not only need to monitor who has access to a company’s Cloud data—they must also be monitoring the behavior taking place on the inside. Threats to an organization are now internal and external, and the unfortunate reality is that many organizations are falling behind when it comes to monitoring their attack surface.
Machine Learning Gives Organizations a Leg-Up
Machine Learning is a major asset for organizations when monitoring their environment—from both internal and external threats—as three out of four companies have experienced loss or theft of important company data.
Organizations are getting a leg-up against hackers and account takeovers by analyzing locations, devices, IP addresses, and times a typical employee logs into a Cloud application to offer valuable insight regarding unusual account behavior. This information helps detect abnormal behavior and determine if the user account has been compromised in an account takeover attack. Cloud app APIs also make it easy to monitor who is accessing documents, who they are shared with, where they are downloaded from, who is modifying them, and more.
An example of how hackers gain access to an account is through OAuth. Hackers gain access to an employee’s inbox through an OAuth grant issued by a connected application that the IT team is unaware of and execute a man-in-the-middle attack with a user’s compromised credentials. The rise in Shadow IT has made it difficult for IT teams to know all the applications an account is connected to and analyzing this can help organizations gain visibility into every third-party application with access to an employee’s account, the documents within and the activity taking place.
In addition to monitoring for unusual activity, organizations must also be aware of the documents within an employee’s account to quickly detect and respond to the risks of sensitive, confidential or regulated data being sent through cloud applications. By analyzing for data loss prevention (DLP) policies, specifically with image scanning and optical character recognition (OCR), IT teams can monitor everything going on inside the account and identify noncompliant third-party applications that have authenticated access to an organization’s domain. This allows for the quick remediation of data exposure and to maintain a proper security posture
Whether it is analyzing user logins, access patterns, third-party apps being granted OAuth tokens or employees unknowingly sharing sensitive data outside the organization, the amount of data collected and analyzed is vast. To effectively find issues, the use of Machine Learning techniques is helpful.
Knowledge Is Power When It Comes to Threats
The result of past data breaches is that millions of PII and PCI data is now available for purchase, and use, by hackers. With this information, hackers are sending phishing emails and malware appearing to be from an authorized user within an organization. Now, we’re seeing hackers become more sophisticated in their attacks and send emails directly from an employee’s compromised email account (typically connected to a third-party game app published by the hacker themselves)—making the attack much harder to detect.
Machine Learning provides IT security teams the ability to bubble up threat indicators that would otherwise be lost in a sea of data. Teams have a better grasp of the activity taking place within an account, as well as the documents inside, and pair the data with typical user access patterns that machine learning has been trained against to determine if an account is behaving suspiciously. As a result, Machine Learning helps organizations form an improved defense from both internal and external threats, and implement a more robust zero trust security model.
Cloud applications are always on, always accessible from every device and location. If not properly configured, applications create significant vulnerabilities for organizations. In a rapidly-evolving security world, organizations need to adapt faster than hackers in order to be prepared to face emerging threats. With Machine Learning implemented, they will be in a much better position to do so.