As I am sure you have read in the news, an AWS account was allegedly used as a means to access and exfiltrate data. Although I am not sure we will find out the real details, it looks like a relatively straightforward breach.
On the surface it appears as though there was no malware installed, firewalls attacked, or social engineering. The attackers acquired cloud account credentials and accessed information from there.
Cloud services give us the ability to innovate with speed and scale. The resulting velocity helps companies create a competitive advantage. That said, security cannot be an afterthought. Additionally, conventional security controls cannot simply be virtualized and relabeled as cloud security (so-called “cloud washing”) to solve this problem. Cloud security needs to be purpose-built to enable you to move with the necessary velocity. Your firewall, your endpoint, your AV, and your email security are all blind to attacks targeted at data and applications in the cloud.
With that in mind, you have to ask yourself — What would we do if this happened to our company? Do we have a threat model that accounts for privileged access from breached accounts? How would we know if someone gained access to one of our cloud accounts, moved laterally, and exfiltrated data? How long would it take to detect the intrusion, understand the timeline of the event and evaluate the scope of the incident?
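As an added illustration of the detection questions above (this is example code written for this post's argument, not Lacework's product logic or anything from the original post): a small baseline-and-deviation detector run over constructed CloudTrail-style records. The field names (eventTime, eventName, eventSource, userIdentity.arn, sourceIPAddress, awsRegion, requestParameters.bucketName) are real CloudTrail fields; the account id, user name, IP addresses, bucket names and the event sequence are constructed sample data, and the thresholds are assumptions. It answers the three questions concretely: it flags the first use of a known credential from an unfamiliar source, region or API (the "how would we know" question), flags a bulk object-read pattern against one bucket (exfiltration), and reports the earliest alert as time zero for the timeline.

```python
from collections import Counter, defaultdict

ACCOUNT = "111111111111"  # constructed placeholder account id, not a real one


def rec(time, user, ip, region, source, name, bucket=None):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    r = {"eventTime": time, "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
         "sourceIPAddress": ip, "awsRegion": region, "eventSource": source, "eventName": name}
    if bucket:
        r["requestParameters"] = {"bucketName": bucket}
    return r


# Thirty days of "normal": the deploy user pushes build artifacts from the CI host.
BASELINE = [rec(f"2016-10-{d:02d}T09:00:00Z", "deploy", "203.0.113.10", "us-west-2",
                "s3.amazonaws.com", "PutObject", "build-artifacts") for d in range(1, 31)]
BASELINE += [rec(f"2016-10-{d:02d}T09:05:00Z", "deploy", "203.0.113.10", "us-west-2",
                 "ec2.amazonaws.com", "DescribeInstances") for d in range(1, 31)]

# The window under investigation: the same key used from an unfamiliar address
# to enumerate buckets, pivot through STS, then pull a backup bucket object by object.
INCIDENT = [rec("2016-11-02T03:00:00Z", "deploy", "198.51.100.7", "us-east-1", "s3.amazonaws.com", "ListBuckets"),
            rec("2016-11-02T03:01:00Z", "deploy", "198.51.100.7", "us-east-1", "sts.amazonaws.com", "AssumeRole")]
INCIDENT += [rec(f"2016-11-02T03:{2 + i // 60:02d}:{i % 60:02d}Z", "deploy", "198.51.100.7", "us-east-1",
                 "s3.amazonaws.com", "GetObject", "customer-backups") for i in range(80)]
# Normal CI activity continues in the same window and must not fire.
INCIDENT.append(rec("2016-11-02T09:00:00Z", "deploy", "203.0.113.10", "us-west-2",
                    "s3.amazonaws.com", "PutObject", "build-artifacts"))


def principal(r):
    return r["userIdentity"]["arn"]


def build_baseline(records):
    """Per principal: the source IPs, regions and API calls seen during normal operation."""
    seen = defaultdict(lambda: {"ips": set(), "regions": set(), "apis": set()})
    for r in records:
        p = seen[principal(r)]
        p["ips"].add(r["sourceIPAddress"])
        p["regions"].add(r["awsRegion"])
        p["apis"].add(r["eventName"])
    return seen


def detect(baseline, records, read_threshold=50):
    """Return (alerts, timeline). Each alert is (kind, principal, detail, first_seen).

    read_threshold (assumed value) is the number of GetObject calls against one
    bucket by one principal inside the window that counts as a bulk read.
    """
    alerts, firsts, reads = [], {}, Counter()
    for r in sorted(records, key=lambda r: r["eventTime"]):
        who, t = principal(r), r["eventTime"]
        known = baseline.get(who, {"ips": set(), "regions": set(), "apis": set()})
        checks = [("new_source_ip", r["sourceIPAddress"], known["ips"]),
                  ("new_region", r["awsRegion"], known["regions"]),
                  ("new_api_call", r["eventName"], known["apis"])]
        for kind, value, seen in checks:
            key = (kind, who, value)
            if value not in seen and key not in firsts:   # alert once per new value
                firsts[key] = t
                alerts.append((kind, who, value, t))
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] == "GetObject":
            bucket = r.get("requestParameters", {}).get("bucketName", "?")
            reads[(who, bucket)] += 1
            if reads[(who, bucket)] == read_threshold:
                alerts.append(("bulk_object_read", who, f"{bucket}: {read_threshold}+ GetObject", t))
    timeline = sorted({(a[3], a[0], a[2]) for a in alerts})
    return alerts, timeline


def time_zero(alerts):
    """Earliest alert timestamp: where the incident timeline starts."""
    return min(a[3] for a in alerts) if alerts else None


if __name__ == "__main__":
    found, tl = detect(build_baseline(BASELINE), INCIDENT)
    print("time zero:", time_zero(found))
    for when, kind, detail in tl:
        print(when, kind, detail)
```

Run as-is it prints a six-entry timeline starting at the first ListBuckets call from the unfamiliar address; the routine PutObject from the CI host produces nothing. The design point is that none of the rules needs a signature: a stolen credential looks exactly like the legitimate one to IAM, so the only usable signal is deviation from that principal's own history plus access-volume shape, which is why a per-principal baseline is the first thing to build.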
Last week I was fortunate to join Lacework. Our mission is to allow companies to move with the necessary speed and scale by securing the cloud with modern security technology. In the aforementioned breach case it's highly likely we would have alerted on each stage of the attack and provided the visibility and forensics trail to alert and understand what happened at time zero and into the past.
If you would like a demo of the service or some examples of how we could have caught something similar to this, please let us know by contacting me directly at dan+demo -(at)- lacework.net.