Is Your Cloud Security Strategy Creating Success or Stress?
by Walt Westfall, Director of Digital Transformation, cStor
In our world of everything changing, it’s the quality of thoughts in our heads that create success or stress.
As people and organizations adopt cloud services, having a strategy to secure assets is as essential as breathing. Whatever was secured on premise, needs to be secured in a cloud. It simply doesn’t matter what or who’s cloud it is, those assets must be protected.
Let me illustrate with a real-life example.
A few Sunday’s ago I was sitting on my couch drinking a beer, watching the end of the Formula One race (go Vettel), when I received a phone call. I don’t normally answer unknown numbers at all, let alone on the weekend, but for some odd reason on this one I did.
“Paula” was the name of the caller (I’ve changed her name to protect the compromised) and she gave me a frantic elevator pitch on why and how her company had been compromised. Maybe it was the beer, maybe it was the F1 distraction, maybe it was her description of how her outsourced IT team reacted… but I had to go over her story a few times before I could send my Cybersecurity team over to assist.
I wanted to be sure I knew exactly what kind of lion’s den we were headed into.
The spoiler alert is simple: clean up the environment and launch a cloud security plan… stat. In this particular breach, nearly 1,000 companies were exposed, including Paula’s. One of my first recommendations was that they also get some expert legal advice. That’s probably another post.
But here is the other part of the story.
They had a fifteen-minute meeting with me and my cybersecurity team showing me the evidence they gathered resulting from the breach and then further explained what steps their outsourced IT group had taken.
Here’s how it all went down.
- On Friday they received a Phishing email with an attachment that gave the attacker the ability to gain access to the user’s account, which was, as you could guess, an “admin” account.
- The attacker then used the creds that the malware gathered and used the account to gather the company’s entire customer list.
- Then the attacker sent the malware as an attachment in the form of a PDF that looked like an invoice from the company to all of its customers.
- To their credit, many of the customers sent a reply back to the company asking if it was legitimate… but the attacker managed to have the emails auto-forward to a “deleted” folder, and then proceeded to reply to customers without knowledge of the company. Naturally the attacker’s reply said ‘yes.’
- The company was then used as a conduit to spread the virus and in some cases, have money transferred to the attacker using the information sent in the PDF that appeared to be a legitimate invoice.
Once discovered, the outsourced IT Group changed the user’s password in hopes of locking them out. However…
- The attacker had already set up an admin account in the O365 account and was controlling the environment.
- The attacker then changed the password again to maintain control.
- The IT Group called Microsoft and they all decided to change the DNS records to point away from O365, in essence stopping all email flow.
- The company’s email was down over the weekend and the cStor Cybersecurity team arrived on Monday to more thoroughly assess the situation.
- We went through the server, scanned for malware and verified that there was no breach.
- We directed the IT group to go over all accounts with the CFO to verify that they were legitimate, then changed password and removed all elevated access.
- We accessed GP and hardened the password policies.
- We then asked the IT group to restore the O365 instance; their response shocked us. Contact me if you want the inside scoop.
- Email was restored by the next morning.
Our Cybersecurity team followed up the next day around noon
- All was restored and no other indications of the attacker was present.
- As a result, they wanted to discuss CASB to protect themselves moving forward.
If you’re not sure where to begin, enlist a Cloud Access Security Broker (CASB). CASB’s have become a must-have resource for information security teams, whether in-house or contracted, they can be the catalyst for providing critical capabilities such as governing usage, securing data and protecting against threats.
They can also ensure sensitive data is properly secured, mitigate the risk of its loss, and protect the business against both internal and external threats. In fact, you could say the CASB role can empower your organization to extend your information protection policies and programs from your on-premise environment to the cloud, and help remediate during or just after an attack.
So if you’re considering a CASB, there are a host of specific use cases that they’re likely to assist with, not the least of which is guiding architectural requirements for your infrastructure and cloud migration strategy. As evidenced in my example, they also help you build a sound strategic plan for securing data, governing data usage and threat mitigation.
Yes, everything is constantly changing, and human nature is to be fearful and cautious of change, if not flat out reject it. But in today’s world, adding a very simple CASB can make the difference between creating stress or success in mitigating risk and reducing if not altogether eliminating customer exposure (and in turn, brand reputation, future revenue, etc.).
Paula and team are fine, and in much better shape today with their own CASB in place.
For me, it was successful Sunday. Vettel came in second. I had a second beer. And it was a rare “unknown” call that I was happy, if not uncharacteristically, glad I accepted.