In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.
Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.
This is unfortunate, since what we can’t see can hurt us. That being said, it is great news that cloud visibility has become a top priority for many businesses. Here are a few areas where many businesses are looking for visibility to play a key role.
Compliance may not be the most exciting part of our jobs, but it is necessary. Whether because of regulatory requirements, audit requirements, or otherwise, businesses need to show compliance. There are many ways to do so, and visibility is one of them. There is no better way to provide evidence that we are compliant with a given requirement than to have ground-truth data that clearly shows we are.
Before we can detect security and fraud issues within our cloud infrastructure, applications, and APIs, we need to be able to monitor them. This necessitates having the requisite visibility at the network, application, and user layers. This means having logging and insight into the cloud environment at the same level we have within the on-premises environment.
When we either detect a security or fraud issue or are notified of one, we need to begin an investigation. We need to interrogate the data to understand what happened, when it happened, where it happened (to what infrastructure), why it happened (root cause), and how it happened. As straightforward and logical as this seems, without proper visibility it is impossible. It is best to address visibility sooner rather than later, as there is no way to “put back” data we aren’t currently collecting when we need it most.
Once an incident has been investigated, the proper response can be architected and implemented. If we don’t have proper visibility, however, we can’t be sure that we are effectively remediating the issue in its entirety. Without adequate visibility, how can we be sure that we haven’t missed other issues or other resources that may be impacted?
We can’t protect what we don’t know exists. Believe it or not, unknown APIs — those of which security and fraud teams are unaware — occur more often than we would like to admit. As such, API discovery is another great use case that shows the value of visibility. It is worth the investment of time, energy, and money to discover APIs that may be deployed at various locations around the cloud, on-premises, and/or hybrid infrastructure. Once we are aware of these APIs, we can begin to take steps to gain visibility into those previously unknown environments.
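One concrete way the network-layer visibility described above feeds API discovery is to mine access logs for the routes actually being served and compare them against the inventory the security team believes exists. The script below is an added illustration, not code from the original article or any vendor; the log lines, the `KNOWN_ROUTES` inventory, and the `/static/` exclusion are constructed assumptions for the example.

```python
"""Discover API routes from access-log visibility and diff them against a
known inventory. Added example with constructed data, not a real system's logs."""
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/users/77/export HTTP/1.1" 200 90412 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2023:13:56:03 +0000] "GET /api/v1/users/78/export HTTP/1.1" 200 90100 "-" "python-requests/2.31"
10.0.0.2 - - [10/Oct/2023:13:57:10 +0000] "GET /static/app.js HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Hypothetical inventory: the routes the security and fraud teams already know about.
KNOWN_ROUTES = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
NUMERIC_SEG = re.compile(r"^\d+$")


def normalize(path: str) -> str:
    """Collapse numeric path segments to {id} so /users/42 and /users/77 map to one route."""
    segs = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if NUMERIC_SEG.match(s) else s for s in segs)


def parse_routes(log_text: str):
    """Yield (method, normalized_route) for each request line; static assets are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        route = normalize(m["path"])
        if route.startswith("/static/"):
            continue
        yield m["method"], route


def discover_unknown(log_text: str, known=KNOWN_ROUTES) -> Counter:
    """Return observed routes absent from the inventory, with hit counts.

    These are the 'unknown APIs' that need an owner and their own visibility."""
    observed = Counter(parse_routes(log_text))
    return Counter({r: n for r, n in observed.items() if r not in known})


if __name__ == "__main__":
    for (method, route), n in discover_unknown(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {method:5s} {route}")
```

Running this over the constructed log surfaces two routes the inventory never listed: a bulk export under the users resource and an internal debug endpoint. In practice the input would be the aggregated logs from every load balancer, gateway, and ingress across the cloud, on-premises, and hybrid estate, and the inventory would come from the API gateway or service catalog; the diff is the starting point for assigning ownership and turning on logging for what was found.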
When an application is compromised, it is not necessarily easy to detect. Unlike network-level or host-level compromises, application-level compromises don’t always look like intrusions. Sometimes, they spring from stolen credentials. Other times, they happen due to business logic abuse. Still other times, they result from attackers hopping through or “piggybacking” on the sessions of legitimate users.
In all of these cases, without the proper visibility into both the application layer and the user layer, it will be nearly impossible to become wise to a breach. This is another area where visibility plays a big role in detecting application breaches early, thus mitigating the risk that results from breaches that persist for long periods of time.
Malicious User Detection
With the move to software-as-a-service (SaaS), user authentication and authorization have become increasingly important for granting and controlling access to applications and resources. Malicious users aren’t necessarily hackers or attackers. Rather, they may be users who have logged into one or more resources with the intent to misuse or abuse those resources. Visibility into user behavior as the user navigates the session allows us to look for patterns and signs that the user may actually be a malicious one.
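The application-breach signals above (stolen credentials, business logic abuse, piggybacking on a legitimate session) and the malicious-user pattern-spotting in this section both depend on the same user-layer visibility: a per-request event stream that carries session, user, client, and action. The detection logic below is an added example written for this page, not code from the article or any product; the events, the `SENSITIVE` action set, the 60-second window, and the threshold of three actions are all constructed assumptions.

```python
"""Two session-level detections over user-layer events: a session whose client
fingerprint changes mid-session (possible piggybacking on a legitimate session)
and a session performing a burst of sensitive actions (possible business logic
abuse). Added example; events and thresholds are constructed, not from a real app."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-request events as an application might emit them (not real users).
SAMPLE_EVENTS = [
    {"ts": "2023-10-10T13:55:00", "session": "s1", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/118", "action": "login"},
    {"ts": "2023-10-10T13:55:20", "session": "s1", "user": "alice", "ip": "203.0.113.10", "ua": "Firefox/118", "action": "view_order"},
    {"ts": "2023-10-10T13:57:05", "session": "s1", "user": "alice", "ip": "198.51.100.7", "ua": "python-requests/2.31", "action": "export_data"},
    {"ts": "2023-10-10T13:57:06", "session": "s1", "user": "alice", "ip": "198.51.100.7", "ua": "python-requests/2.31", "action": "export_data"},
    {"ts": "2023-10-10T14:00:00", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "login"},
    {"ts": "2023-10-10T14:00:01", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "redeem_coupon"},
    {"ts": "2023-10-10T14:00:05", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "redeem_coupon"},
    {"ts": "2023-10-10T14:00:12", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "redeem_coupon"},
    {"ts": "2023-10-10T14:00:20", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "redeem_coupon"},
    {"ts": "2023-10-10T14:00:30", "session": "s2", "user": "bob", "ip": "203.0.113.44", "ua": "Chrome/117", "action": "redeem_coupon"},
]

# Assumed set of actions a fraud team would treat as sensitive in this application.
SENSITIVE = {"export_data", "redeem_coupon", "change_payout_account"}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def fingerprint_changes(events):
    """Report the first time each session is used from a (ip, user-agent) pair
    different from the one it was established with."""
    first_fp, reported, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        seen = first_fp.setdefault(ev["session"], fp)
        if fp != seen and ev["session"] not in reported:
            reported.add(ev["session"])
            findings.append({"session": ev["session"], "user": ev["user"],
                             "login_fp": seen, "new_fp": fp, "ts": ev["ts"]})
    return findings


def sensitive_bursts(events, window=timedelta(seconds=60), limit=3):
    """Flag a session whose count of one sensitive action inside any sliding
    `window` exceeds `limit`; a simple rate signal for business logic abuse."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in SENSITIVE:
            by_key[(ev["session"], ev["user"], ev["action"])].append(parse_ts(ev["ts"]))
    findings = []
    for (session, user, action), times in by_key.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            findings.append({"session": session, "user": user,
                             "action": action, "peak_in_window": peak})
    return findings


def analyze(events):
    """Bundle both detections so a monitoring job can emit one finding set per batch."""
    return {"fingerprint_changes": fingerprint_changes(events),
            "sensitive_bursts": sensitive_bursts(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_EVENTS).items():
        for f in items:
            print(kind, f)
```

On the constructed data, alice’s session is flagged because a scripted client on a different address starts exporting data under a session that was established from a browser, which is what piggybacking looks like from the user layer, and bob’s session is flagged for five coupon redemptions in under a minute. Neither signal is visible from network or host telemetry alone, which is the point of the section: the fields the application chooses to log decide whether these investigations are possible at all.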
We have been a bit behind in terms of ensuring the requisite visibility into cloud environments. We have lost some time, though it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.