People, processes, and technology have long been the core pillars dictating how cybersecurity programs are managed, and with good reason: organizations need well-trained talent on their staff, trusted processes in place to prevent breaches and respond should they occur, and the latest security technologies to detect and block malicious activity. This layered approach to security has protected organizations for many years. However, this alone won’t keep organizations safe as adversaries continue to sharpen their techniques.
While the “people, process, and technology” tenet remains critical, IT and security teams must think about how these three pillars span three important domains that organizations should prioritize in their defensive strategies. Security teams need to consider workloads (endpoint and cloud), identities (user and machine) and data as the epicenter of enterprise security risk and the new “three-legged stool” informing their approach.
The only way to stay ahead of adversaries is to adapt. When looking at threat activity, all signs point to the fact that attackers are following the trend of enterprise cloud adoption and developing their capabilities to navigate and exploit cloud workloads. Identity compromise has become an important component of security threats and driving the value of employee credentials for cybercriminals. A set of valid credentials, or a single misconfiguration, can be all an attacker needs to gain access to the ever-growing pool of critical data and assets hosted in the cloud.
Workloads: endpoint and cloud
Adversaries view the cloud as an opportunity to pursue intellectual property theft, data extortion, and ransomware campaigns, among other goals. Common cloud attack vectors include vulnerability exploitation, credential theft, cloud service provider abuse, use of cloud services for malware hosting and command-and-control (C2), and exploitation of misconfigured image containers.
Of course, cloud workloads aren’t the only ones that need protection. Security teams must protect endpoints as well, and these have a different risk profile and threat exposure. When setting their sights on endpoints, adversaries continue to demonstrate how they have moved beyond malware. Rather, they have been observed using legitimate credentials and built-in tools — an approach known as “living off the land” — to evade detection by legacy antivirus products.
As organizations grow and add more endpoints, cloud workloads and containers, as well as new tools to protect them all, security can quickly become complicated. Security teams should enable runtime protection, obtain real-time visibility and eliminate configuration errors as part of their best practices for securing their assets.
Identities: user and machine
Today’s adversaries use billions of stolen usernames and passwords to slip past legacy defenses and act as legitimate users. Most breaches are now identity-driven (80% to be exact) — a stat that should motivate security teams to carefully think about their identity protection strategies.
Credential-based intrusions against cloud environments are among the more common vectors used in both cybercrime and targeted attacks. Cybercriminals often host fake authentication pages to collect legitimate credentials for popular cloud services, then use them to attempt to access victim accounts. They just need one valid set of credentials to log in as an employee – assuming additional security measures don’t get in their way.
As part of their defense strategy, organizations should ensure full deployment of multi-factor authentication (MFA), especially for privileged accounts; disable legacy authentication protocols that don’t support MFA; and track and control privileges and credentials for both users and cloud service administrators.
Data: the importance of data protection
Ultimately, adversaries target data. As organizations think about the future of data protection, they should consider how workloads (endpoint and cloud), identities (user and machine) and data are interconnected — and how data changes based on how these assets interact. Identities are authenticated via endpoints, while code repositories, cloud workloads and applications are accessed through the endpoint. Data flows from asset to asset, and it exists across devices and across cloud environments.
It's a big job to protect all of this data, and it looks slightly different for every organization. There are many steps that security teams can take to help protect the data that keeps their business running:
- Enable cloud workload protection: Protecting workloads demands visibility and discovery of each workload and container events, while securing the full cloud-native stack on any cloud across workloads, containers and serverless applications.
- Protect all identities: Adversaries use stolen credentials to bypass legacy defenses and disguise themselves as legitimate users. Security team require a strong focus on identity to protect organizations from modern threats.
- Know what to protect: Organizations must have an enterprisewide understanding of their data assets. Unified visibility of assets, configurations and activity can help detect misconfigurations, vulnerabilities and data security threats, while also providing insights and guided remediation.
Now more than ever, organizations must think about security across every part of the business. As the attack surface grows amid the increased adoption of cloud computing and remote work, enterprise security must encompass all workloads, identities, and data. Every CISO should make these three layers top of mind.
Amol Kulkarni, chief product and engineering officer, CrowdStrike