With ever-increasing sophistication and frequency of attacks, rapidly detecting signs of breaches and insider activities is critical for any enterprise. According to recent research by IBM and Ponemon Institute, the average cost of a data breach for a company has increased 23 percent over the past two years, costing $3.79 million.
Cloud applications with a black-box approach are particularly challenging for enterprises to secure. Hence, enterprises are constantly looking for breadcrumbs or early warning signs to get ahead of the game. Organizations need to ask themselves, “What are the telltale signs of a threat in the cloud?”
In this slideshow, Palerra has identified the top five key indicators of threats to cloud apps that organizations need to monitor (in no particular order).
Cloud Breach Warning Signs
Click through for five key indicators of threats to cloud apps that organizations need to monitor, in no particular order, as identified by Palerra.
Abnormal Outbound Network Traffic
Early detection requires more than monitoring what comes into the network; it is also about seeing what is leaving the network and applications. Unusual traffic patterns leaving a network or exiting an application are among the most telltale signs that something is awry. Compromised systems often call home to command-and-control servers, and IT staff members can catch this traffic pattern before any real damage is done.
Irregular Access Locations and Logins
When a user or program accesses an application from unexpected geographical locations, this is another indicator that an attacker is pulling strings by hopping around different locations. Typically, this type of hopping is done as a masquerade; the attacker is actually stationary. When you combine access from diverse geographical locations with rapid successive logins to your cloud application, this is a marker of pending trouble. A particularly strong indicator of compromise consists of irregular geographical access, rapid successive logins, and outbound network traffic going to a location where your enterprise usually doesn’t conduct business.
Large Number of Requests for the Same Objects or Files
One of the most popular attack methods is trial and error. In this case, attackers try a variety of exploits and hope that one of them sticks. For example, if you see a large number of requests for the same file type or permission setting in your IaaS and PaaS clouds that have virtual machines, operating systems and databases, it suggests a need for pause and analysis.
Anomalies in Privileged User or Administrator Activity
The greatest cause of damage to an enterprise consists of privileged users and administrators whose credentials are compromised or misused. Monitoring privileged account holders for atypical activity has become table stakes for cloud applications. To illustrate, think about the power wielded by account administrators for Salesforce, a hosted Exchange system, or Amazon Web Services. Keeping tabs on atypical (or anomalous) activity safeguards against both account takeover and insider misuse.
Excessive Read Operations
Finally, once an account is compromised, ex-filtration of information becomes a concern. A spike in file-read requests, application record access, or database read volume signals that a person or a process is trying to gather valuable data. The ability to monitor for exceeded thresholds on reads is a critical element of security monitoring for enterprises.
