"If you have an estate of thousands of services and you maintain 97% of them then you might think that you are doing a good job but the problem is that it's the 3% that the attacker will exploit."
Avi Shua, Orca Security CEO
Today, July 28th 2020, Orca Security has released its 2020 State of Public Cloud Security Report. The report is compiled from Orca's cross-industry research into public cloud deployments and is based on data from more than 2 million scans of 300,000 public cloud assets.
Their research shows that enterprises continue to be breached by the weakest links in their security caused by neglected workloads, authentication issues, discoverable credentials, and misconfigured storage buckets. Some of the key findings contained in Orca’s report include:
· 80% have at least one neglected, internet-facing workload
· 60% have workloads that have reached "end-of-life" and no longer receive security updates from the vendor
· 49% have at least one publicly accessible, unpatched web server, despite wide awareness that such servers have led to large data breaches
· Authentication and credential issues are also widespread, with 25% having cloud accounts without multi-factor authentication
· When it comes to lateral movement risk, the security posture of internal machines is much worse than internet-facing servers, with 77% of organizations having at least 10% of their internal workloads in a neglected security state.
Insecure IT systems can lead to catastrophe. Privately, security flaws allow hackers to corrupt or steal your data; a very public breach, however, has the potential to permanently damage an organization's reputation. So why, when organizations are fully aware of the risks, did Orca discover such a high number of vulnerabilities? To find out the answers to this question and more we spoke to Orca Security CEO Avi Shua.
“When you are expected to deliver IT solutions quickly, sometimes security is put on the back seat and so security teams are left to understand the risks and to convince people to fix them. Of course, it is much harder to fix something when it is already live in production.” explained Avi. “Today, in the cloud, the power has shifted to development teams and security often comes second as there’s always something more important to do.”
Despite the many alarming statistics in the report, Orca's research does show that the vast majority of workloads in organizations' cloud environments are well maintained. In most areas of business a 90%+ success rate would be seen as a great victory; unfortunately, this does not translate so well into the cybersecurity world.
“If you have an estate of thousands of services and you maintain 97% of them then you might think that you are doing a good job but the problem is that it’s the 3% that the attacker will exploit. This is why security is hard and unfair – you need to secure everything, but an attacker only needs to find one weak spot.” explained Avi.
Weak authentication is one of the key problem areas identified in the report, where 23.5% of organizations had at least one cloud account that didn't use Multi-factor Authentication. Multi-factor Authentication (MFA) grants a user access to a system only after they present two or more independent pieces of evidence (for example a password plus a one-time code from a device), and it provides much greater protection than a traditional username/password login, since a stolen or guessed password alone is no longer enough. What makes this statistic surprising is that every major cloud platform offers MFA as a standard, built-in feature.
“The problem is that the path of least resistance is often taken and so just putting in a password is easier than using MFA and this highlights the fact that you need security governance with good coverage across the board.” explains Avi.
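The "coverage" Avi describes starts with knowing which identities can log in without MFA. The following is an added example (not code from Orca or from the report) that audits an AWS IAM credential report for exactly that gap. The column layout mirrors the real credential report returned by `aws iam get-credential-report`, but the rows embedded here are constructed sample data, not a real account.

```python
"""Audit an AWS IAM credential report for interactive identities without MFA.

Added example, not Orca's code. The CSV layout follows the IAM credential
report (a subset of its columns); the rows are constructed sample data.
"""
import csv
import io

# Constructed sample report. In a real audit this text would come from
# `aws iam get-credential-report --query Content --output text | base64 -d`.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-07-20T08:12:00+00:00,false
alice,arn:aws:iam::123456789012:user/alice,2019-03-01T10:00:00+00:00,true,2020-07-27T14:03:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2019-06-15T11:30:00+00:00,true,2020-07-26T09:45:00+00:00,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-02-02T12:00:00+00:00,false,no_information,false
"""


def parse_credential_report(text):
    """Parse the credential-report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_interactive(row):
    """True if the identity can sign in to the console with a password.

    The root account reports password_enabled as "not_supported" but always
    has a console password, so it must be treated as interactive. Access-key
    only identities (password_enabled == "false") are not protected by MFA at
    all and need a separate control (key rotation or removal), so they are
    excluded from this particular check rather than silently passed.
    """
    return row["password_enabled"] in ("true", "not_supported")


def find_mfa_gaps(rows):
    """Return the names of interactive identities that have no MFA device."""
    return [row["user"] for row in rows
            if is_interactive(row) and row["mfa_active"] != "true"]


def mfa_coverage(rows):
    """Fraction of interactive identities that have MFA enabled (0.0..1.0)."""
    interactive = [row for row in rows if is_interactive(row)]
    if not interactive:
        return 1.0
    covered = sum(1 for row in interactive if row["mfa_active"] == "true")
    return covered / len(interactive)


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT)
    for user in find_mfa_gaps(report):
        print(f"MFA missing: {user}")
    print(f"MFA coverage of interactive identities: {mfa_coverage(report):.0%}")
```

Run against the sample, the check flags the root account and `bob`, and reports one-third coverage: a number the report would count as "at least one cloud account without MFA". The same pattern extends to any provider that exports per-identity authentication state; the point is to measure coverage over every identity, not to sample.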
Identifying problems in technology is always the easy part; coming up with viable solutions is much more difficult. Orca's report concludes with the following key recommendations:
· Security is only as good as its coverage. Make sure you cover 100% of your cloud assets as attackers will always sneak through the weakest links.
· Get your basics straight before progressing to more advanced capabilities. Breaches mostly stem from simple things such as an unpatched, neglected service or a stolen root account password with no MFA. Invest in IT hygiene and monitor it on a daily basis.
· Look for lateral movement risk. Assume that internet-facing workloads may be breached and make sure it doesn’t lead to uncontained damage via less secure internal servers.
· Mistakes will happen. This is human nature. Embrace it while implementing tools that will allow you to react quickly.
The reasons for vulnerabilities vary across organizations and appear to be largely rooted in a lack of awareness, skill, correct tooling and/or time. An obvious solution is to bring in third-party support, yet traditional on-premises-style technologies are invasive (they typically require installing agents on every workload) and add complexity of their own. This is where Orca's SideScanning technology is potentially game-changing, as it only requires read-only access to an organization's cloud environment; Avi uses the analogy of an MRI scan versus an invasive needle to explain this.
“The unique capability of our SideScanning technology is that it only requires read-only access to the environment and we are able to see deep and wide. We can see all of the workloads for 100% of the environment and this is how we are able to pinpoint the neglected workloads. Instead of a cloud security practitioner asking the development team to install agents to see if there are any risks, we examine the environment and identify the cases where there is a critical vulnerability. This is much more ‘fact’ based which allows you to build better relationships and push people to fix the issues because they now know about them.”
Cloud security features and tools continue to evolve at a pace quicker than many organizations can adopt them. We took the opportunity to ask Avi for his expert opinion on where he thinks cyber security in the cloud is heading next.
“The future of cybersecurity is in reducing the engineering work. Engineering of security should be embedded as much as possible into the platform. So, more automation and more built-in visibility that leaves the security practitioner to focus on issues inherent in solutions that cannot be fixed automatically by the platform,” said Avi.
Security has always been a game of coverage. Ultimately, it is not enough to secure 99% of your environment if attackers can exploit the other 1% and penetrate your systems. The cloud is here to stay, but it is a very different world from on-premises environments and requires different methodologies and new tools. To win at cyber security, organizations can no longer confine themselves to the constraints of the on-premises environment. The cloud has its challenges, but it also has tools that enable better security and make the 100% coverage that was previously out of reach achievable.
“Most issues can be fixed within a matter of hours from the time we identified them but it’s the manner of knowing them without requiring you to change the way you work. The solution is in creating visibility and knowing what problems you have – ignorance is bliss until you are breached. We’ve seen organizations that are able to reduce issues to zero within the space of a few months simply because of the new visibility we provide.” Avi concluded.