Visibility into user actions is one of the critical challenges in the modern digital landscape. Traditional rule-based security solutions that generate a high number of alerts within modern environments are no longer practical; a new approach is needed. This is where User and Entity Behavior Analytics (UEBA) emerges as a critical security component, providing cybersecurity teams with visibility into user behaviors. Powered by technologies such as Artificial Intelligence and Machine Learning, UEBA establishes baselines for regular user activity within a network and then identifies deviations from these baselines. This empowers cybersecurity teams to detect advanced attacks, such as insider threats and zero-day exploits, which can easily slip under the radar of traditional security products.

What is UEBA?

UEBA utilizes a data-driven approach to cybersecurity by baselining normal behavior using advanced technologies such as machine learning. Any activity that deviates from this baseline is flagged for investigation. This advanced analytics approach enables it to detect subtle, advanced attacks that would be undetectable by controls like firewalls and anti-malware solutions. UEBA has emerged as a critical defense in modern cybersecurity frameworks as attacks increase in sophistication and complexity.

An example of where UEBA can provide visibility is in cases of compromised accounts. Credential compromise is an extremely difficult attack to detect once the attacker has successfully authenticated using the stolen credentials. However, UEBA can detect patterns in user behavior that are indicative of suspicious activity and flag them for review, potentially averting a cybersecurity incident.

Another example would involve insider threats, which are even more challenging to detect than compromised accounts. An employee abusing the authorized access they have been granted can be detected by UEBA, due to unusual file access patterns or data exfiltration attempts that might go unnoticed by other solutions.

How does UEBA work?

UEBA applies the power of machine learning to detect anomalies within the massive amounts of data generated in an environment. A UEBA solution is typically implemented in the following steps:

• Data Ingestion and Aggregation: A UEBA requires visibility into the environment to work effectively. This is achieved by gathering and aggregating data from audit logs, network traffic, authentication, and authorization systems, etc. This data is crucial for the UEBA to learn the environment.
• Baselining: In this phase, the UEBA utilizes its powerful machine learning algorithms to develop a baseline of what is and is not normal within the environment. The more information about the environment the UEBA learns, the better it is at detecting potential malicious activity. This baseline is not static and evolves over time as user behavior changes.
• Monitoring: In this phase, the UEBA starts monitoring and flagging anomalies such as unusual privileged activity, unusual logins, excessive file downloads, etc. The nuanced and intelligent approach it provides to cybersecurity monitoring makes it a powerful tool within an environment that complements existing endpoint and network security controls.

UEBA use cases

UEBA can handle various use cases within cybersecurity due to its behavior-centric model. Let us take a look at some of the critical scenarios where UEBA can be particularly effective:

• Insider Threats: Employees with malintent can cause significant damage to an organization by abusing the authorized access they have been granted. A UEBA can detect such malicious intent by identifying patterns of behavior that differ from how the employee typically operates, such as working at odd hours, unusual logins, excessive downloads, etc. This can be extremely effective for organizations that grant employees access to highly sensitive data or during periods of high turnover, where the risk of disgruntled employees is high.
• Compromised Accounts: Attackers can compromise user credentials to gain access to an environment to carry out cyberattacks. The same principle as the previous scenario applies here, where the UEBA could detect deviations from how the user usually operates and flag it for review.
• Brute-force Attacks: Repeated attempts to guess passwords or gain access to a system can indicate an employee trying to access unauthorized systems. UEBA can detect and flag this behavior, which may indicate a larger attack or fraud.
• Privilege Abuse and Misuse: Users with high privileges within an environment carry a higher level of risk than traditional employees. They can be socially engineered into handing over their credentials or attempting to abuse the access themselves. A UEBA solution can detect if an admin-level user behaves in a way that is different from their traditional activities, leading to early detection of malintent.
• Privilege Escalation: The first step that attackers carry out once they have compromised an environment is to elevate their privileges. This enables them to carry out further attacks and establish a foothold within the environment. UEBA can detect such elevation of privileges and proactively flag such permission changes to the cybersecurity teams.
• Unauthorized Data Access & Exfiltration: Data leakage is another crucial risk area that is often difficult to defend against. Employees can attempt to circumvent the organization’s policies by exfiltrating data, or the same can be part of a more significant cyberattack. UEBA can detect such data transfers and sound an early alarm to avert a potential data breach.
• Automated Risk Prioritization: UEBA recognizes that not all events are equal and prioritizes its alerts based on intelligent risk scoring. This enables cybersecurity teams to focus on those events that require immediate attention and prevents them from drowning in “alert fatigue.”

These scenarios highlight the versatility of UEBA as a security component and its ability to adapt to different types of security scenarios within an organization.

How InsiderSecurity can help with Automated UEBA

Cyberattacks are increasing in complexity every year, and it is clear that UEBA is one of the most critical controls to implement to protect against today’s advanced attacks. InsiderSecurity’s Automated UEBA can help protect your organization with its unique features that set it apart from SIEMs:

• Comprehensive Defense: The ability to protect data both on-premises and in the cloud provides a consolidated line of defense against attacks. Cybersecurity teams can obtain clear visibility into how data is accessed, used, and moved between environments.
• Advanced Threat Detection: Automated UEBA leverages advanced machine learning algorithms to detect suspicious activity at both the user and network levels, empowering cybersecurity teams to take swift remedial action.
• Cost Savings: With reduced raw log volumes and fewer IT analysts needed, save on manpower. Our solution solves today’s modern threats and enables organizations to reduce the risk of security events without compromising productivity. UEBA is a crucial strategic control in any modern environment, and we are here to guide you through this essential journey with our state-of-the-art solution.

Our solution addresses today’s modern threats and enables organizations to reduce the risk of security events without compromising productivity. UEBA is a crucial strategic control in any modern environment, and we are here to guide you through this essential journey with our state-of-the-art solution.

In the landscape of cybersecurity, compliance requirements across industries demand that businesses stay vigilant and up to date with regulations. Keeping up with the compliance measures is undeniably challenging yet essential to safeguard your business.

Ideally, companies should align with one of the many globally recognized cybersecurity standards, such as ISO 27001, PCI DSS, or CIS Critical Security Controls, to ensure alignment with universally accepted cybersecurity benchmarks.

However, it’s worth noting that certain industries introduce additional layers of guideline and regulations. While some align with international, industry-agnostic standards, businesses operating within these sectors must adhere to the specific guidelines illustrated below.

Let’s delve into the sectors affected and the corresponding guidelines they must comply with:

Government agencies

The Instruction Manual for ICT & SS Management, formerly known as IM8, aims to support agencies as they embrace ICT & SS for digital transformation. This enables them to manage risk and maintain their security. This manual spans various domains, including, Digital Service Standards (DSS), Third-Party Management (TPM), and Data. Although security policy details are not publicly available, it establishes customised security practices and government systems based on system classification and criticality.

Government agencies interested in leveraging InsiderSecurity for IM8 Policy on Security compliance can contact us for more information.

Financial services

Guidelines on Technology Risk Management (MAS-TRM), issued by the Monetary Authority of Singapore (MAS), sets out risk management principles and best practices to guide financial institutions (FIs). The MAS-TRM aims to promote adoption of sound and robust practices for the management of technology risk, as well as to maintain IT and cyber resilience. The TRM guidelines apply to all FIs that MAS regulates, ranging from banks, insurers, exchanges, venture capital managers and payment services firms.

It is important to note that while the MAS-TRM Guidelines serve as a set of principles and best practice standards, providing essential guidance for FIs, they do not impose legal obligations on FIs in themselves.

However, these guidelines offer valuable insights into the mandatory requirements outlined in two critical technology risk management notices issued by MAS: 

• Notice on Technology Risk Management
• Notice on Cyber Hygiene

These notices, in contrast, carry the weight of legal obligations for FIs, accompanied by penalties for noncompliance. They highlight the imperative nature of adhering to key security measures, including the timely application of security patches to address vulnerabilities and the secure management of administrative account access. Complying with these guidelines is essential to ensure the continued security and resilience of financial institutions operating in Singapore’s dynamic digital landscape.

Financial institutions interested in learning how InsiderSecurity can assist in achieving MAS-TRM compliance are encouraged to contact us for more information.

Healthcare

In healthcare, protecting personal and medical data is extremely important. Recognizing this critical need, the Ministry of Health (MOH) developed the Healthcare Cybersecurity Essentials (HCSE). HCSE aims to provide guidance to healthcare providers regarding basic cybersecurity measures that can be adopted to ensure the security, confidentiality, integrity, and availability of IT assets, systems, and patient data. With its foundational principles, HCSE is dedicated to supporting healthcare providers in enhancing their cybersecurity posture.

Designed to be both practical and feasible, HCSE serves as an ideal starting point for healthcare providers, especially those with smaller IT infrastructures. HCSE sets out 12 recommendations designed to assist healthcare providers in enhancing the security of their systems and data. These recommendations include establishing an IT asset inventory, enabling multi-factor authentication, deploying anti-malware protection, and conducting audits of logs. 

If your work involves defending organizations in this sector, MOH regularly publishes advisories, circulars, and regulations to keep you informed of relevant developments. For those involved in developing software for medical devices or supplying such devices, adopting a Total Product Life Cycle approach is essential to adapt to the rapidly evolving environment.

Telecommunications

The Infocomm Media Development Authority (IMDA) has issued the Telecommunications Cybersecurity Code of Practice to bolster cybersecurity readiness for designated licensees. The Codes are currently enforced on major Internet Service Providers (“ISP”) in Singapore, making it mandatory for them to follow these rules. The Code were created based on international standards and best practices including the ISO / IEC 27011 and IETF Best Current Practices.

Other regulatory guidelines

Apart from these industry-specific rules, Singapore also has some industry-agnostic cybersecurity guidelines, including:

1. Cybersecurity Code-of-Practice (CCoP) 2.0: 

CCoP 2.0 specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement to ensure the security and resilience of their IT or OT system and/or network infrastructure, including physical devices and systems, software platforms, and applications of the CII.

The primary objective of CCoP 2.0 is to enhance the defensive capabilities of organisations against the sophisticated tactics, techniques, and procedures (TTPs) employed by cyber attackers. It seeks to impede their progress of attacks and improve the agility to tackle emerging risks in domains such as cloud, AI, and 5G. Additionally, it facilitates coordinated defenses between the government and private sectors to promptly identify, discover, and respond to cybersecurity attacks and threats.
The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are Government, Energy, Water, Healthcare, Banking & Finance, Transport (encompassing Land, Maritime, and Aviation), Media, Infocomm, and Security & Emergency Services.

CIIs interested in leveraging InsiderSecurity for CCoP2.0 compliance can reach out to us for more information.

2. PDPA (Personal Data Protection Act):

The PDPA (Personal Data Protection Act) establishes a baseline standard for the protection of personal data in Singapore. It governs the collection, use, disclosure, and protection of personal data. The PDPA also establishes a national Do Not Call (DNC) Registry, allowing individuals to opt out of unwanted telemarketing messages. It aims to balance the protection of personal data with legitimate data use by organizations while maintaining trust. The PDPA applies to personal data in both electronic and non-electronic formats but doesn’t typically include personal or domestic use, employees’ data, public agencies, or certain business contact information. Its aim is to enhance Singapore’s reputation as a trusted business hub.

The challenge of keeping up with compliance

Every organization, regardless of size or industry, is vulnerable to cyberattacks. Compliance with cybersecurity standards and regulations goes beyond fulfilling legal requirements; it critically determines an organization’s success, operational efficiency, and adherence to strict security practices.

Data breaches, beyond their immediate financial impact, can lead to complex challenges that tarnish an organization’s reputation and legal standing. Legal proceedings and disputes stemming from such breaches are increasingly common across industries. Therefore, compliance is a pivotal component of any organization’s cybersecurity program, serving as a shield against cyber threats and a guardian of reputation and financial well-being.

Conclusion: The future of cybersecurity compliance in Singapore

In Singapore, cybersecurity compliance transcends legal obligation; it is critical for protecting your organization, maintaining trust, and enhancing the nation’s digital resilience. By understanding the regulatory framework, implementing robust cybersecurity measures, and staying proactive, businesses can thrive in Singapore’s digital-first landscape while safeguarding their data and operations from cyber threats.

Need assistance with cybersecurity compliance?

InsiderSecurity offers tailored products for compliance:

• User-friendly, particularly for small IT teams
• Automated review of account activity to save monitoring hours
• Built-in workflow to support governance and audits

Learn how InsiderSecurity can help you meet your compliance and security requirements. Schedule a demo with us today!

The increasing prevalence of digital transformations in businesses has led to a global surge in cloud adoption. Many companies are now opting for a hybrid cloud model, which combines private and public cloud services to harness the advantages of both while introducing specific security challenges. It’s important for businesses to be aware of the risks and follow best practices for managing hybrid cloud security. The article examines the security challenges faced in hybrid cloud setups and recommended best practices.

Security challenges within hybrid cloud environments

1. Lack of visibility and increased complexity

Hybrid cloud combines public and private cloud services, creating a complex IT setup. This complexity can pose risks as security teams find it challenging to oversee and manage workloads in both environments. It also leads to complicated logging systems with multiple storage sources for security events. This lack of visibility and increased complexity can leave potential threats unnoticed. To address this, security teams need to restructure their logging approach for centralized, unified visibility across both environments.

2. Misconfiguration risks

Misconfigurations in hybrid clouds pose a significant security risk. The quick and flexible nature of hybrid cloud setups can create challenges for businesses with rigid change management processes. These processes may not easily adapt in a cloud environment, where changes in the production environment can be made with a single click or code change. Accidental misconfigurations in the cloud can expose data and infrastructure, making them vulnerable to cyberattacks. Moreover, there’s a risk of malicious insiders making deliberate insecure changes that can go unnoticed. To address these issues, it’s crucial to implement a comprehensive cloud security solution that can automatically fix insecure configurations before they become exploitable.

3. Inadequate network protection

Hybrid clouds offer flexibility and resilience due to their dynamic and distributed nature. Nevertheless, this uniqueness can render traditional network defenses ineffective at securing and controlling workloads within them. While these defenses work well in on-premises environments, they may not seamlessly adapt to the cloud, creating security “blind spots” that threat actors could exploit. As a result, security teams need to assess and adapt their controls to align with the specifics of the hybrid cloud environment.

4. The cloud skills gap

Cloud Security differs considerably from traditional on-premise security in several areas, such as a shared responsibility model, higher focus on automation, data residency requirements, etc. These skills needs to be developed within security teams, which can take time and effort. Most businesses invest heavily in hybrid cloud infrastructure without upskilling their teams in parallel, creating a skill gap. This can lead to risks like security misconfigurations and loopholes in the cloud environment.

5. Compliance and governance

Companies often choose Hybrid Cloud to enhance data and workload control and security. Nevertheless, it’s vital to grasp how compliance and governance operate in the cloud. To safeguard data from leaving a specific geographic location, Data Residency controls are necessary. Additionally, the shared responsibility model might entail shifting some compliance obligations to the cloud provider. Hence, businesses need to update their governance and compliance approaches to maintain oversight of their cloud environments.

Security best practices for hybrid cloud

To mitigate these risks, several security best practices can be implemented within a hybrid cloud environment:

1. Understanding the shared responsibility model

The Shared Responsibility Model is the basis for how security is governed within the cloud. Not understanding it can lead to problems within a hybrid cloud environment as businesses struggle to understand who is responsible for what. It is essential to have a thorough understanding of this model that outlines the cloud provider as being accountable for the security OF the cloud and the customer as being responsible for security IN the cloud. Most hybrid cloud environments utilize infrastructure and storage services in which customers are responsible for securing the application and services hosted on top of these services. By having a firm understanding of this model, security teams can delineate their responsibilities and take advantage of the security benefits the cloud provider brings.

2. Enhancing monitoring

We mentioned visibility as a significant challenge within hybrid cloud hence monitoring becomes one of the critical pillars of an effective security strategy. It is essential to have complete visibility into the security posture of all mixed cloud workloads so that security threats can be responded to promptly. Businesses should invest in security tooling that can monitor the security posture of the hybrid cloud and take automated actions based on threat indicators. AI and Machine Learning can also greatly support such tooling due to the volume of data that gets generated.

3. Unified security controls

Standardizing security controls is essential for maintaining security in a hybrid cloud. Maintaining different levels of security across environments leads to a high level of risk and blind spots that attackers can exploit. Businesses must adopt a unified approach to cloud security in which standard security guardrails are implemented that maintain the same level of security across environments. This ensures that data is protected regardless of where it resides.

How InsiderSecurity can help

InsiderSecurity’s CSX is a powerful solution built from the ground up to address the unique security challenges of the hybrid cloud. Some of its key features are;

1. Unified cloud security: CSX provides a unified layer that covers the security of all cloud layers, be it Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
2. Unified identity and visibility: The problem of visibility within the hybrid cloud goes away with CSX’s ability to provide a single view of the hybrid cloud security posture. CSX can also generate a cloud asset inventory, providing visibility into your cloud resources.
3. SaaS security monitoring: CSX has the unique ability to monitor the security of SaaS solutions like M365 and Google Suite, where traditional solutions might fall short. It can also leverage the power of AI and User and Entity Behavior Analytics (UEBA) to intelligently analyze the massive amount of data present and identify anomalies. This also allows it to detect insider threats, especially within SaaS services. It can flag suspicious data access and privileged activity attempts, indicating an insider threat. 
4. Security response automation:  CSX provides the ability for automated security response for applicable use cases. This allows for instant risk mitigation and response, especially in the misconfiguration of cloud assets. By automating response and remediation, businesses can mitigate the risk of accidental cloud misconfigurations and prevent them from being exploited.

Conclusion

In summary, the hybrid cloud brings tremendous security benefits, such as increased flexibility and control, while introducing new challenges. By understanding these risks and implementing best-in-class solutions like CSX, businesses can enjoy the full benefits of a hybrid cloud safely and securely.

Concerns of cloud data breaches are a key reason that cloud adoptions hit a roadblock in companies despite an eagerness to go “cloud first”. Despite the promise and flexibility that the cloud offers, security is something that companies cannot compromise on. Cloud security expertise remains high in demand and low in supply, with most CISOs struggling to fill the skills gap in their team.

It is essential to understand the fundamental principles on which cloud security is built before cloud adoption may be implemented properly. One of the biggest mistakes that companies can make is to implement a cloud solution without much consideration to its cloud security.

Let us take a look at a few of the key areas within cloud security and how they all work together.

Visibility

It is difficult to secure what you do not have visibility on, and nowhere is this more true than cloud security.

Without proper change management, cloud infrastructure can get updated within seconds leading to a security nightmare unless proper security checks are implemented. CISOs and cybersecurity teams must monitor and get visibility on what is happening within their cloud environments before a security breach happens. This is easier said than done, as cloud workloads can be geographically dispersed, managed by different teams, and even spread across different cloud providers like AWS, GCP, and Microsoft Azure. Many companies prefer to go multi-cloud to prevent vendor lock-in, which becomes a major visibility challenge for CISOs.

One solution is to adopt Cloud-native tooling like Cloud Security Posture Management (CSPM) tools so that threats and misconfigurations can be proactively identified before they lead to a security breach. These solutions may also allow auto-remediations, enabling faster response times than possible for on-premise. In addition to threat mitigations, CISOs implementing such tools gain visibility into their single or multi-cloud environment, enabling the CISOs to make informed decisions about their cloud risk posture. 

Continuous monitoring

Gaining visibility leads to the next key area, which is continuous monitoring for threats. Monitoring also helps companies to maintain compliance with regulatory standards.

The cloud lends itself to automation, and millions of events can be taking place, any one of which could be due to a potential cyber threat. Manual security response is not feasible in such an environment. A high volume of events and alerts lead to alert fatigue and critical alerts being missed out.  

It is helps to have cloud monitoring solutions powered by machine learning that can make sense of these events and to detect suspicious user activity automatically.

Security by design

It is important to include security at the design stage of cloud adoption, and not to bolt on security as an afterthought. For example, companies can make use of Infrastructure as Code (IaC) templates to spin up cloud infrastructure like compute instance, databases, networks, security groups etc with certain security controls baked in from the start.
Security by design will not only make life easier for cloud administrators but lend itself to better security down the road.

Identity Management

One of the most significant changes in cloud security is how the traditional network perimeter decreases in importance. Identitiy access management becomes much more important. While network perimeter controls do not vanish entirely, security controls now focus more on validating the user and machine identities in the cloud.

Besides strong password policies and multi-factor authentication controls, other data such as location, risk score, device status etc may also be used to establish the identity. This is part of the Zero Trust model, where there is no implicit trust granted to any user or device, whether it resides within or outside the network.

Vulnerability Management

Migrating your infrastructure to the cloud does not mean that you can now completely pass the job of vulnerability management to the cloud service provider. With the shared security responsibiliy model used by all cloud service providers, the company is responsible for vulnerability management in certain portions of the cloud infrastructure (which varies depending on whether you are using IaaS, PaaS or SaaS).

The rapid speed at which cloud environments change, and the complex architectures involved (servers, containers, serverless functions etc) can make vulnerability management in the cloud challenging.

An effective cloud vulnerability management program should recognize the unique nature of cloud workloads but carry over the best practices from an on-prem vulnerability management program. Identification, severity tracking, and tracking to closure are all activities that are needed to ensure the cloud environment is not exposed to any critical vulnerabilities.

A final note : cloud security is not static

Cloud Security does not finish after security controls are implemented. As the threat landscape changes fast, cloud security implementations can fail if they are viewed as a project with a clear start and end date. Instead, companies should regularly review and improve or adjust their cloud security controls.

These areas discussed should be addressed by security controls and be made part of an overall cloud security plan to be reviewed regularly. This eases the cloud adoption process for companies, so that companies can reap the benefits of cloud.

How can InsiderSecurity help?

InsiderSecurity Cloud Security Monitor detects threats in real-time for Microsoft 365 environments. It is a simple-to-use SaaS for enterprises to monitor their data security in Microsoft 365. With its award-winning automated cybersecurity analytics and machine-learning, InsiderSecurity CSM makes sense millions of events that are occurring in Microsoft 365, easing the burden on overworked security teams. It provides an easy way to monitor your Microsoft 365 data security.

Cloud adoption is speeding up in 2023, with Gartner estimating the worldwide spending on public cloud services to grow by 20% from 2022. This has beaten the initial forecasts of 18% for cloud growth, showing the high demand for public cloud services despite an overall economic slowdown across the globe. Infrastructure as a Service (IaaS) leads this growth, with the other services close behind.
The cloud bring benefits for companies due to its agile and scalable nature. However, at the same time, cloud adoption presents unique security challenges as well.
We look at the key cloud security challenges in cloud adoption and how to address these challenges.

Insufficient cloud security expertise

Cloud is a different environment from on-premise and cybersecurity teams that “copy-and-paste” security controls into the cloud will soon find that this approach does not work. Cloud lends itself to automation and speed, hence native cloud security tooling becomes a important requirement. These tools require upskilling the current cybersecurity teams; otherwise, CISOs will find themselves with environments their teams are not equipped to defend! It is essential to implement tools that are optimized for cloud environments and to invest in the proper training of the cloud security teams.

Misconfigurations

Misconfigurations are a key reason for most cloud security breaches, as cloud administrators unintentionally end up exposing cloud interfaces and infrastructure over the internet. This is easily picked up by attackers and used as an entry point into the cloud environment. The misconfiguration may also be carried out by an insider threat with malicious intent, and not be detected due to a lack of cloud security tooling. Insider threat is a genuine risk regardless of which environment it is occurring in, and misuse of authorized access can be very difficult to detect without proper tooling.

Lack of visibility

Multi-cloud is a reality today as most companies do not want to live with the risk of vendor lock-in. Most companies adopting the cloud have hybrid environments with workloads split between on-prem and two or more cloud providers. While this provides flexibility and options, it also becomes a nightmare for CISOs to control and secure due to its scattered nature. Each cloud environment is different in how it functions, and it is important to have a cloud security solution put in place that can provide centralized view of the risk posture of each environment.

Account takeovers

Cloud identities are a key focus point for attackers, given that the traditional network perimeter no longer exist in the cloud. Cloud control planes are the “keys to the kingdom” in most cloud environments and attackers can target cloud administrators via phishing attacks, malware etc. to compromise their credentials and gain access. This is especially easy to do if multi-factor authentication (MFA) has not been configured or the password itself is weak and susceptible to brute-forcing attacks. Even if MFA is enabled, attackers can still compromise the cloud control plane if the administrator’s machine has been compromised.
This attack is not just restricted to user identities but also to services and applications. Users can unintentionally grant access to SaaS applications within their cloud environments, which may be malicious and allow attackers to bypass security controls and gain access to your cloud environment. It is essential to follow a zero-trust model and authenticate every request made. SaaS applications should be reviewed for excessive permissions that grant trusted access to cloud data.

Cloud vulnerabilities

Cloud workloads can be vulnerable to the same weaknesses that are present in any software unless controls are set up within the pipeline. Missing patches, insecure coding, weak communication protocols, excessive permissions etc. are all weaknesses that can be taken advantage of by attackers and used to gain a foothold within a cloud environment. Cloud workload protection mechanisms help to assess the security posture of workloads throughout the lifecycle and can mitigate risks arising in real time.

How Cloud Security monitor can help

Cloud Security Monitor monitors for threats in real-time for Microsoft 365 environments. Its award-winning automated cybersecurity analytics and machine learning makes sense of the millions of events that are occurring in Microsoft 365, easing the burden on overworked security teams. It monitors for insider threats and suspicious data access.
Some of its key features are :
● Discover if an insider threat or hacker is stealing valuable company data from Sharepoint or OneDrive
● Monitor for documents shared to the public by accident
● Easy-to-read summary reports instead of alerts
● Monitor your cloud security health with easy-to-read summary reports without the need to manually go through a high volume of events or alerts
● Intelligent algorithms automatically uncover suspicious activities and automatically provide risk grading of the entities
● Get notified when there is a high-risk activity
● With intelligent algorithms making sense of activity events, you only get alerted when there is a high-risk activity, so you do not get swamped by alerts
● Discover if your Microsoft 365 accounts are compromised and whether a hacker is accessing your company data and emails

Ask any CISO about the top three risks to his or her enterprise, and you can be sure that malware will be on that list.  

Malware as a cybersecurity threat has evolved over the years from a nuisance to a devastating multi-billion-dollar industry that can bring governments and companies to their knees. The Colonial Pipeline ransomware attack in 2021 was just a taste of things to come, and attackers have further refined their attempts to weaponize malware. Recent events like the Russia-Ukraine conflict provide them with more avenues for ransomware and state-sponsored attacks, with the government of Costa Rica being forced to declare a state of national emergency after ransomware devastated its infrastructure.  

Attackers go where the money is, and the top two technology trends of the last few years have been the rapid adoption of Cloud Computing and Artificial Intelligence. Cloud adoption is expected to reach $1.55 Trillion by 2030, which is a staggering amount, and attackers have not been slow to see its potential. 

How malware can compromise the cloud

Along with the increased adoption by companies, attackers have also started using the cloud to be more scalable and efficient in their operations. There have already been reports of SaaS models cropping up offering cybercrime hosted on the cloud. Just like businesses, attackers are now utilizing the speed and agility of the cloud to supercharge their operations, which extends to malware as well.  

Malware can use cloud computing in one of two ways: 

• As a delivery platform: By using the power and storage of the cloud, attackers can automate and streamline their operations to be faster, more cost-effective, and thus more dangerous. The cloud can be used as a delivery vehicle for malware and an amplifier, with attacks like DDOS benefiting from the cloud resources they can access.   

• As a target: Cloud infrastructure can become the target of the malware itself, with misconfigured infrastructure services and storage like S3, Dropbox, etc. being a prime target of attackers. There are many ways of doing this:  

• Misconfigurations: Despite cloud security maturing year by year, there are still reports of simple misconfigurations having devastating effects, like the recent S3 bucket that exposed over 69 million documents and 12TB+ of production data!  
• Malicious Cloud apps: Most cybersecurity teams are unaware of the permissions they have granted to SaaS applications within their environments, nor do they verify their origin. Attackers can gain a foothold into a tenant by tricking users into installing a malicious cloud app or using a compromised account to install a cloud app that acts as a backdoor. 

• As part of a supply chain attack: Many companies use the cloud for their code repositories and keep critical workloads on-prem in a hybrid computing model. Attackers can compromise the cloud repos and inject malicious templates as a jumping pad into the customer’s environment.  

How to combat cloud malware

Protecting against cloud malware is not all that different from safeguarding against on-prem attacks. Along with investing in a proper anti-malware solution, you should follow these best practices to secure your environment:  

• Strengthen your access control, as the more locked down your permissions are, the more difficult it will be for cloud malware to take control of your infrastructure. Best practices like principle of least privilege, multi-factor authentication, and role-based access control are all essential practices for securing your cloud.  
• Implement a process to audit the permissions given to SaaS applications within your environment. What level of permissions do these applications have, and are they verified? Is there an approval process present before a SaaS application can connect to your cloud? 
• Make sure you have a backup method so that you can recover from malware disruptions. This can be a different media or a separate account or subscription. 
• Implement a governance model that segregates your production cloud environment from less secure accounts like development or sandbox. You should be using a different cloud account or subscription for running your production and development workloads. The best practice is to segregate them and implement guardrails on what developers can do, even with elevated access.  This will ensure that even if malware can compromise privileged access within a development cloud account, it cannot laterally move onto your production workloads.  
• Implement behavioral analytics to detect malicious activity within the cloud. In large cloud environments, there are millions of events happening at any given time, which is beyond the scope of human security analysts or SIEM solutions to analyze. Using tools like InsiderSecurity’s Cloud Security Monitor can help you detect suspicious cloud activities and prevent cloud data from being misused by malicious or compromised users. Our software will help you identify any malicious activity before it can infect your environment and your users.  

The future of malware  

Malware is an evolving threat, and cybersecurity professionals must keep pace or risk being attacked. Teams must upskill themselves to take advantage of cloud security controls and their speed/automation in stopping such threats. One of the biggest mistakes cybersecurity teams make is to “copy-paste” their on-prem controls to the cloud and not take advantage of its security tooling. The cloud is now in the cross-hairs of cybercriminals both as a target and as a platform, and cybersecurity teams need to take steps to secure their cloud footprint before it is targeted. 

Cloud security protects critical applications and data from attacks and unauthorized access. It is especially important since at least 50% of data worldwide is stored and processed in the cloud, and 60% of enterprises have implemented multi-cloud infrastructure. The increased reliance on cloud solutions to manage data, enable remote working, scale business operations, and provides instant network resources, has provided attackers with numerous incentives for targeting cloud services. According to a 2022 security report, 27% of organizations suffered a cloud security breach, with misconfigurations and poor data security practices contributing to 23% and 15% of the attacks, respectively. Here are the top four practices for enhancing cloud security.

1.    Strengthen the security configuration

Many companies are turning to multi-cloud infrastructure to drive business operations. A recent survey found that more than 30% have at least three cloud computing providers and the increasing complexities introduce security concerns due to misconfigurations. Misconfiguration is one of the largest cloud computing security threats, but strengthening cloud security configuration can improve cloud security.

Firstly, adopt effective user management procedures. User management is the ability to manage devices, networks, systems, and users that can access and use cloud services. It is a core part of cloud IAM (Identity and Access Management), which involves defining the users who can access cloud resources.  Users and devices should only be provided with the minimum level of access required in work, so as to protect cloud data and applications from unauthorized access and misuse.

Verify the access permissions of cloud data, files, and assets. Performing security audits can identify users with unnecessary permissions that heighten security risks and assets exposed to public access. For example, in 2021, a cyber-analytics firm exposed five billion personal records after allowing public access to a database without password or encryption protection. Verifying the access permissions can prevent such incidents from occurring.

Also, enable multi-factor authentication MFA for all cloud accounts since 61% of breaches involve compromised credentials. Additionally, it would be a good idea  if you make use of a whitelist of devices, users, and regions that can access your cloud environment to reduce the possibility of an attack. Finally, it is important to check if cloud applications installed by users into their cloud accounts are not being exploited by third parties to attack the organisation.

2.    Monitor your user logs

Most cloud providers provide audit logs for user activities. The audit logs record activities performed in the cloud environment. These include configuration changes, provision of new cloud resources, and the user accounts involved in the activities. Monitoring these user activity logs is key to early detection of cloud breaches. For example, continuous cloud monitoring can identify suspicious data access, such as accessing data at odd business hours and unusual download of  data. User activity logs can reveal suspicious logins. For example, multiple login attempts from different devices spread across different locations may be due to compromised credentials. Monitoring of privileged user activities can identify suspicious behaviors which may result in a data breach, such as sharing cloud resources with external parties and the sudden creation of mailbox forwarding rules.

3.    Encrypt your cloud data

A 2021 research drawing at least 2,600 security and IT experts found that a surprising 83% of businesses do not encrypt half of their crucial cloud data. At the same time, 24% of organizations store all their data and workloads in the cloud. Cloud data encryption transforms data from a readable text format to a scrambled format that can’t be read without the decryption key.

Enabling encryption by default in the cloud environment encrypts data at rest and in transit, thus protecting it from malicious actions even if it falls into the wrong hands.

For additional protection, you can consider separately encrypting data before storing or transferring it to the cloud, so as to prevent access or modification by unauthorized users (however this may or may not be feasible, depending on how the cloud data is to be used).

4.    Provide anti-Phishing training for employees regularly

51% of companies blame phishing for compromised cloud credentials. Phishers trick users into clicking malicious links that lead to spoofed websites and reveal login credentials. For example, an attacker may pose as an IT security staff in an organization and target employees with phishing emails requiring them to address some issues with their cloud accounts. Untrained employees often fall for this trap and reveal their login credentials.

Anti-phishing training is an essential practice for strengthening cloud security. Anti-phishing education trains employees on how to identify phishing emails. It also trains on how to report such messages and how they can report to security staff for further investigation. By understanding how phishing works, employees can avoid falling victim, which leads to enhanced cloud computing security.

Summary

Cloud security incidents will continue increasing as more users adopt cloud services. Strengthening security configurations should include adopting effective user management practices such as IAM. Verifying access permissions helps to identify users with excessive permissions and to identify publicly exposed data. Enabling MFA can protect your cloud environment from unauthorized access via compromised credentials. Continuous monitoring of cloud user logs is key for early detection of cloud beaches. Monitor user logs to identify suspicious data access, suspicious login patterns, and anomalous behaviors that can result in a serious data breach. It helps to encrypt cloud data at rest and in transit to protect against unauthorized modification and access. Lastly, it is a good idea to train employees to identify and respond to phishing attacks.

How can InsiderSecurity help?

InsiderSecurity CSM (Cloud Security Monitor) provides automated monitoring of cloud user logs. It is a simple-to-use SaaS for enterprises to monitor their data security in Microsoft 365.

With its award-winning automated cybersecurity analytics and machine-learning, InsiderSecurity CSM makes sense of the high volume of Microsoft 365 activity events, so that you do not have to. It provides an easy way to monitor your Microsoft 365 data security. CSM discovers insider threats, compromised accounts, and suspicious data access. It can also discover documents shared with the public by accident.

Contact us now and try a demo!

The Covid-19 pandemic helped increase the pace of what was already a steady transition to cloud services. The shift to remote work pushed companies to adopt cloud infrastructure. The increased adoption of cloud services comes with a need for increased Cloud Security.

Organisations in Singapore are lagging behind when it comes to cybersecurity, with only 49% able to respond to threats within a day. This is compared to the global average of 70% across 11 markets. In the past year, 65% of organisations in Singapore have experienced at least six cybersecurity incidents and for 45% of organisations, the cloud application or infrastructure is the source of the breach.

The cloud is as secure as any on-premises IT, provided a robust cybersecurity strategy is in place. And therein lies the problem:  Many companies have a cybersecurity strategy which caters for on-premises IT, but not yet for cloud services.

Understanding the problem is usually half the solution. Albert Einstein, one of the greatest minds that ever lived, once said, “Given one hour to save the world, I would spend 55 minutes defining the problem and 5 minutes finding the solution.”

So, let’s understand a few common security threats that can be challenges specific to the cloud.

Cloud Security Common Threats and Challenges: 

• Misconfigurations: A recent study by the National Security Agency (NSA) has revealed that cloud data misconfiguration is the most common vulnerability in cloud-based systems. It occurs due to a lack of knowledge about good cloud security practices. When cloud systems are not configured correctly, they lead to cyber exposures and security breaches. Unsecure Identity and Access Management (IAM), Insecure Data Storage, and Insecure Authentication practices are the most common culprits.

• Internal threats: Insider threats are particularly dangerous as these threats originate from within your organization. These threats could be due to negligence, credential theft, or someone with criminal intent. In the latter’s case, they could be current or former employees, contractors, or business partners. The Ponemon Institute has categorized Insider threats into 4 categories:
  1. The Pawn: These are employees who are unaware that they are manipulated into performing malicious activities.
  2. The Goof: These users are ignorant about security policies and actively try to bypass them. They tend to leave critical data and resources unsecured.
  3. The Collaborator: These are the insiders who collaborate with external threats, typically for personal or financial gain.
  4. The Lone wolf: These are individuals that act alone for personal gain. They can be extremely dangerous if they have elevated levels of IT privilege.

• Account hijacking: Account hijacking occurs when a cybercriminal manages to gain control of an employee’s cloud account. This can be achieved using a variety of techniques, e.g., Phishing attacks, Brute force password attacks, Server-side request forgery (SSRF) attacks, or malware etc. Account hijacking can be particularly dangerous if an employee’s account with privileged access, for example, a system or database administrator, is hacked. More sophisticated cybercriminals can even install backdoors that will allow them to access these accounts anytime.

• Lack of visibility and tracking: As you increasingly continue to use cloud services, the size of your infrastructure grows. In such instances, it’s easy to lose track of or forget about the various services. A major issue is a lack of visibility of cloud infrastructure, which can delay response to threats and result in a data breach. Managers, sysadmins, and DevOps teams must take a proactive approach to security in such instances.

How To Secure Your Data Hosted on the Cloud? 

Data can be hosted on the cloud by adopting a comprehensive cybersecurity strategy that addresses the vulnerabilities specific to the cloud. A few good practices to follow are:

• Strengthen Identity and Access Management (IAM): When it comes to IAM, it’s best to adopt the principle of least privilege. This means limiting access privileges to users so that users only have access privileges to cloud resources that are needed for them to do their work. It is also good practice to frequently review access privileges for users.

• Monitor for suspicious activities: A sound cloud cybersecurity strategy should also focus on user activity monitoring. Various factors, such as abnormal changes in database activity, suspicious access patterns, and modifications to files, can all indicate a potential cyberattack or data breach. There may be an attacker who has gained access to legitimate credentials and is actively exploiting the credentials to gain unauthorized access to your cloud infrastructure. You may uncover suspicious behaviour, such as user access at odd hours, multiple failed login attempts, and suspicious administrator activities. Security measures to detect such suspicious user activity early will protect your organisation’s data and prevent major data loss in the cloud.

• Track and maintain Cloud inventory: Cybersecurity professionals should comprehensively review their organization’s cloud infrastructure to identify potential risks, such as shadow IT. Shadow IT is a term used to describe unauthorized applications or devices used within an organization without the knowledge or approval of the IT department. Shadow IT can pose a serious security risk to an organization, as it can allow unauthorized access to sensitive data and systems. Cyber security teams can identify and mitigate these risks by deep diving into their existing cloud infrastructure and performing regular audits.

How To Secure Your Data Hosted on the Cloud? 

InsiderSecurity has redefined security with Singapore’s most advanced cloud-native platform that integrates seamlessly with Microsoft 365 to monitor data security. The industry continues to recognize InsiderSecurity as an innovation leader, most recently with the Cyber Security Agency of Singapore (CSA) naming InsiderSecurity a winner at the 2022 Cybersecurity Innovation Day.

Cloud Security Monitor is a simple-to-use SaaS for enterprises to monitor their data security in Microsoft 365. With its award-winning automated cybersecurity analytics and machine-learning, Cloud Security Monitor makes sense of the high volume of Microsoft 365 activity events, so that you do not have to. Finally, an easy way to monitor your Microsoft 365 data security.

When it comes to protecting cloud data, the choice is InsiderSecurity’s Cloud Security Monitor.

Contact us now and try a demo!

In Singapore’s Cybersecurity Awareness Month in Oct, various data breaches impacting organizations large and small were reported. High-profile incidents included Australian telcos Optus and Telstra, eight Shangri-La hotels around Asia, health insurance provider Medibank, online retailers MyDeal and Vinomofo .

In late September 2022, Optus, Australia’s second largest telco is breached. It has been revealed that 2.1 million personal identification numbers have been stolen with 30,000 of its current and former employee details leaked as well. In early October, Telstra had 18.8 million of its accounts stolen. There was another data breach earlier last week in Australia’s biggest health insurance provider Medibank, which led to 200GB worth of confidential data being stolen. Another major cybersecurity incident occurred at MyDeal just a day after the Medibank data breach. MyDeal has confirmed that the data of around 2.2 million customers has been breached.

With today’s sophisticated hackers, no business is safe from data breaches. Small and medium-sized enterprises (SMEs) often have leaner cybersecurity teams and budgets and lack effective cyber security strategies. Cyber criminals are aware of the fact that SMEs are often easier targets. It is a misconception that SMEs are spared from cyber criminals.

So how can you stop this from happening to your company? In this article, we will discuss five solidly proven ways to prevent cyber disaster from occurring at your organisation.  

1. Beware Shadow IT

Gartner refers to shadow IT as “IT devices, software and services outside the ownership or control of IT organizations”. Training the users on the risk of shadow IT and having the IT team be able to support the needs of the business is extremely important. Gone were the days which IT folks can ask users to wait weeks or months to get a service up, because most people would simply use google to find out if the service was available for them to use online. It would be a major plus point if these services are free, but in our current modern world that values data more then any other thing, are free services truly free?

2. Automate certificate services

Certificates are used everywhere, in your websites, on your email, when you do a VPN or when your administrators log into a web portal to perform actions on hardware devices. We see a trend of maturity where larger organisations create a central Public Key Infrastructure(PKI) service to centralise control over all certificate usage. This central PKI service issues certificate for the entire organisation and provides the gateway devices the ability to block any self-signed services reducing the risk that was previously mentioned. The next step would then be the automation of not just the certificates request via self-service but the renewal of these certificates as well. Netrust is a well-known Singapore Certificate Authority that would be able to help with this.

3. Uncover the internal threats early 

User and Entity Behaviour Analytics (UEBA) has emerged as the most effective approach to comprehensively detect a far wider range of real-time suspicious activities and unknown threats in the enterprise. 
InsiderSecurity’s Automated UEBA applies algorithms, scenario analytics and advanced machine learning rather than rules or signatures to provide crucial visibility and risk score of suspicious activity. It reduces response time to cyber attacks. Based on advanced analytics of user behavior, our automated UEBA provides increased security coverage with minimal investment for security experts in SMEs.
For example, consider this attack scenario. There is a zero-day vulnerability in your systems, which is not yet known to the public but is already being actively exploited by attackers. InsiderSecurity’s Automated UEBA is able to uncover such an attack by monitoring for the suspicious account and network activity in the systems and alert you early.

4. Secure the database server

Database Activity Monitor is a critical aspect of minimizing your company’s risks and protecting not only your data but also company’s reputation. For organizations with sensitive databases, InsiderSecurity’s Database Activity Monitor automatically discovers suspicious data access and data theft early. This leverages on InsiderSecurity’s AI-driven cybersecurity analytics. Database Activity Monitor works out-of-the-box as users do not need to configure complex rules. Furthermore, Database Activity Monitor helps meet data protection regulations such as PDPA and GDPR. 
After attackers or rogue insiders gained initial access in a victim’s infrastructure, they will move laterally around the internal IT systems and attempt to access high-value data stored in the enterprise’s databases. InsiderSecurity’s Database Activity Monitor can discover such database access early before there is serious data loss.

5. Ensure data security in cloud services

To safeguard against the ever-evolving cloud threats, consider implementing InsiderSecurity’s Cloud Security Monitor (CSM) for managing cloud access and securing the cloud workspace. It is a simple-to-use SaaS to monitor data security in cloud services. CSM detects suspicious data access and new and emerging threats with behavioral analytics. It applies machine-built timelines to decrease response times and improve analyst productivity by automating incident investigation. CSM also monitors for compromised Microsoft 365 accounts and discovers documents shared to the public by accident. 
Attackers are known to do this: after compromising an on-premise network, the attackers are able to steal the cloud credentials to access the victim’s cloud infrastructure and gain access to sensitive documents in OneDrive or SharePoint. With InsiderSecurity’s Cloud Security Monitor, such threat behaviour can be detected early to mitigate further damage.

Summary

In the past 10 years, the number of data breaches has increased significantly. Protecting the business from these threats is essential. Protect your company by implementing the approaches described above. 

Clearly understanding the possible danger from shadow IT and the benefits of certificate automation are vital for ensuring the proper security of your organization’s critical assets. Netrust is a well-known Certificate Authority that provide such certificate services, please reach out to Netrust Pte Ltd at sales@netrust.net or visit https://www.netrust.net/ if you would like to find out more.

The other key is to be able to detect the breach early. Detecting the breach early enables a company to minimize or prevent data loss altogether and avoid a cyber disaster. InsiderSecurity’s award-winning solutions help you to do this.