Cloud attacks are following enterprise workloads

Data also reveals that the Cloud is not inherently less secure than traditional on-premises environments

Enterprise workloads are shifting to Cloud and hosting environments in ever greater numbers and attacks that have historically targeted on-premises environments are following them, according to a new report.

But while attacks on Cloud environments have increased significantly in frequency and are becoming as diverse as those targeting on-premises datacentres, the data also reveals that the Cloud is not inherently less secure than traditional on-premises environments.

"Cloud deployments are no less secure than your own data centers," says Stephen Coty, chief security evangelist at Alert Logic, a provider of managed security services for on-premises data centers as well as hosting and cloud service providers. "That's what the numbers are really showing across the board."

Alert Logic this week released its Spring 2014 Cloud Security Report, the latest in a series of Cloud security reports it began releasing in early 2012.

The Spring 2014 report is based on a combination of real-world security incidents captured in customer environments secured via Alert Logic's intrusion detection system (IDS) and honeypot data gathered using low-interaction software to emulate a vulnerable OS. The report draws from 232,364 verified security incidents (validated by a team of Global Information Assurance Certification (GIAC)-certified security analysts) that were identified from more than one billion events observed between April 1 and September 30, 2013.

Alert Logic says the customer set includes 2,212 organisations across multiple industries, located primarily in North America and Western Europe. Of those customers, 80 per cent use Cloud hosting provider (CHP) environments, while 20 per cent represent on-premises datacentres.

Alert Logic found that, with a single exception, attacks have increased across all incident types (malware/botnet, brute force, vulnerability scan, Web app attack, recon and app attack) in both on-premises and CHP environments.

In CHP environments, brute force attacks (exploit attempts enumerating a large number of combinations in hopes of finding a weakness) increased from 30 per cent of customers in the 2013 report to 44 per cent of customers in the current report. Vulnerability scans (automated vulnerability discovery in applications, services or protocol implementations) increased from 27 per cent to 44 per cent in the same period.

The sole exception to the increases was app attacks (exploit attempts against applications or services not running over HTTP) in on-premises environments, which were experienced by 19 per cent of on-premises customers in 2013 and 16 per cent in 2014. On the CHP side, app attacks increased from 3 per cent of customers to 4 per cent of customers over the same period.
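As an added illustration (not from the report and not Alert Logic's IDS logic), the following Python classifier applies the two definitions given above to constructed IDS-style events: a source is flagged as brute force when it produces at least 10 authentication failures against one service within any five-minute window, and as a vulnerability scan when it touches at least 10 distinct ports on one host. The thresholds, the event tuple format and the sample events are assumptions made for this example; the fourth sample source shows why a sliding window matters, since its failures are real but too slow to count.

```python
"""Toy incident classifier for two of the report's incident classes:
brute force (one source enumerating many credentials against one service)
and vulnerability scan (one source probing many ports on one host).
All events below are constructed for the example; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_FAILS = 10                  # assumed: failures from one src to one dst:port
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # assumed: within any window this long
SCAN_MIN_PORTS = 10                     # assumed: distinct ports on one host from one src


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_brute_force(events, fails=BRUTE_FORCE_FAILS, window=BRUTE_FORCE_WINDOW):
    """Return {(src, dst, port)} with >= `fails` auth failures inside one sliding `window`."""
    by_target = defaultdict(list)
    for ts, src, dst, port, ev in events:
        if ev == "auth_fail":
            by_target[(src, dst, port)].append(_parse(ts))
    hits = set()
    for key, times in by_target.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= fails:
                hits.add(key)
                break
    return hits


def find_vuln_scans(events, min_ports=SCAN_MIN_PORTS):
    """Return {(src, dst)} where one source touched >= `min_ports` distinct ports on one host."""
    ports = defaultdict(set)
    for _, src, dst, port, _ in events:
        ports[(src, dst)].add(port)
    return {k for k, p in ports.items() if len(p) >= min_ports}


def classify(events):
    """Map each incident class to the set of offending source addresses."""
    return {
        "brute_force": {k[0] for k in find_brute_force(events)},
        "vulnerability_scan": {k[0] for k in find_vuln_scans(events)},
    }


# Constructed sample events (time, src, dst, dst_port, event); not Alert Logic data.
_base = datetime(2013, 9, 1, 10, 0, 0)
SAMPLE_EVENTS = (
    # 12 SSH password failures from one source in under two minutes: brute force
    [((_base + timedelta(seconds=8 * i)).isoformat(), "198.51.100.7", "10.0.0.5", 22, "auth_fail")
     for i in range(12)]
    # one source touching 12 different ports on one host: vulnerability scan
    + [((_base + timedelta(minutes=1, seconds=i)).isoformat(), "203.0.113.9", "10.0.0.5", p, "connect")
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3306])]
    # a user mistyping a password twice: no incident
    + [((_base + timedelta(minutes=2)).isoformat(), "192.0.2.4", "10.0.0.5", 22, "auth_fail"),
       ((_base + timedelta(minutes=2, seconds=30)).isoformat(), "192.0.2.4", "10.0.0.5", 22, "auth_fail")]
    # 12 failures six minutes apart: never 10 inside a five-minute window, so not flagged
    + [((_base + timedelta(minutes=10 + 6 * i)).isoformat(), "192.0.2.77", "10.0.0.5", 22, "auth_fail")
       for i in range(12)]
)

if __name__ == "__main__":
    for cls, sources in classify(SAMPLE_EVENTS).items():
        print(cls, sorted(sources))
```

A real IDS would additionally correlate across many destination hosts (one source, one port, many hosts is a horizontal scan rather than a vulnerability scan of one host), but the two rules above are the core of how such events are bucketed.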

Coty notes that while brute force attacks and vulnerability scans have historically been far more likely to target on-premises environments, the data show that they are now occurring at near-equivalent rates in both CHP and on-premises environments. Likewise, malware/botnet attacks, which are the most prevalent form of incident for on-premises datacentres (affecting 56 per cent of customers), are on the rise in CHP environments; they now affect 11 per cent of customers.

Still, the most prevalent types of incident do vary between on-premises environments and CHP environments. The top three incident classes for on-premises datacentres were malware/botnet (affecting 56 per cent of customers), brute force (49 per cent of customers) and vulnerability scans (40 per cent of customers). For CHPs, the most common incidents were brute force, vulnerability scans and Web application attacks, each affecting 44 per cent of customers.

"Our intelligence suggests that the observed increase in cloud attacks is correlated to the growth of cloud adoption in the enterprise," Coty says. "As more enterprise workloads have moved into the cloud and hosted infrastructures, some traditional on-premises threats have followed them. This reinforces the necessity for enterprise-grade security solutions specifically designed to protect Cloud environments."

"The number one thing you need to really understand in a Cloud environment is that security in the Cloud is a shared responsibility," Coty says. "The service provider is responsible for the foundation. They're even responsible for some level of perimeter security, hardening the hypervisor, giving you root access to your instance. But other than that, you as a consumer are 100 per cent responsible for what happens in that environment. The better you understand the shared model between you and your service provider, the better you'll be able to secure your environment. That really applies to all service providers."

Alert Logic's Cloud honeypots also told an interesting story. The company deployed its honeypots in public cloud infrastructures around the world in an effort to observe the types and frequencies of attacks, as well as how they vary geographically. Alert Logic found that honeypots in European Clouds experienced the highest number of attacks: four times as many as honeypots in US Clouds and twice as many as honeypots in Asian Clouds.

The incident attack types against European honeypots were tremendously varied. They included: MS-SQL Server (13 per cent), MySQL (13 per cent), HTTP (13 per cent), RPC (13 per cent), FTP (13 per cent) and MS-DS (35 per cent).

"The attacks in Europe were probably more diverse than anywhere else in the world," Coty says. "Outside of attacks on Microsoft Directory Services, everything was about 13 per cent across the board."

Coty attributes the number and variety of attacks in Europe to Eastern European malware "factories," primarily in Russia, testing their efforts locally before deploying worldwide.

"The Eastern European guys who write a lot of this code test it in their own backyard," Coty says. "It originates from Europe. Once they've successfully deployed one place in Europe, they just go all over the globe now."

In Asia, the story is different. Attacks on MS-DS represent 85 per cent of incidents there, particularly attacks on port 445. Coty attributes this to the plethora of pirated (and unpatched) Microsoft software in China and some other Asian countries. TCP port 445 carries direct-hosted ("NetBIOS-less") SMB traffic, the file- and printer-sharing transport in Windows environments, and when it is reachable from untrusted networks rather than restricted to trusted hosts it is an easy target for accessing files and infecting systems.

Attacks on US honeypots included MS-SQL Server (12 per cent), MySQL (13 per cent), HTTP (23 per cent) and MS-DS (51 per cent).
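To show how honeypot figures of this kind are derived, here is an added Python example (not Alert Logic's code) that buckets connection attempts by destination port into the report's service categories and computes per-region percentages and relative volumes. The port-to-service map assumes standard ports, and the sample records are constructed: the European set is built to reproduce the 35/13/13/13/13/13 split reported above and the region totals reproduce the 4:2:1 Europe:Asia:US volume ratio, while the Asian and US sample splits are illustrative and are not the report's figures.

```python
"""Bucket honeypot connection attempts by targeted service, per region,
using the service names the report uses. Sample records are constructed."""
from collections import Counter

# Assumption: standard ports for each service category in the report.
SERVICE_BY_PORT = {
    1433: "MS-SQL",
    3306: "MySQL",
    80: "HTTP",
    8080: "HTTP",
    135: "RPC",
    21: "FTP",
    445: "MS-DS",   # direct-hosted SMB, the port singled out for Asia in the report
}


def service_for_port(port):
    """Map a destination port to the report's service category, or 'other'."""
    return SERVICE_BY_PORT.get(port, "other")


def breakdown(records, region):
    """Percentage of attempts per service for one region, rounded to whole per cent."""
    counts = Counter(service_for_port(port) for r, port in records if r == region)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {svc: round(100 * n / total) for svc, n in counts.items()}


def volume_by_region(records):
    """Total attempts observed per region."""
    return Counter(r for r, _ in records)


def relative_volume(records, region, baseline):
    """How many times more attempts `region` saw than `baseline` (e.g. Europe vs US)."""
    counts = volume_by_region(records)
    return counts[region] / counts[baseline]


def _constructed(region, spec):
    """Expand {port: count} into (region, dst_port) records. Constructed, not real data."""
    return [(region, port) for port, n in spec.items() for _ in range(n)]


# Constructed sample: Europe reproduces the report's split and the 4:2:1 EU:Asia:US
# volume ratio; the Asian and US splits are illustrative only.
SAMPLE_RECORDS = (
    _constructed("EU", {445: 35, 1433: 13, 3306: 13, 80: 13, 135: 13, 21: 13})  # 100
    + _constructed("ASIA", {445: 43, 1433: 3, 3306: 2, 80: 2})                  # 50
    + _constructed("US", {445: 13, 80: 6, 3306: 3, 1433: 3})                    # 25
)

if __name__ == "__main__":
    for region in ("EU", "ASIA", "US"):
        print(region, breakdown(SAMPLE_RECORDS, region))
    print("EU/US", relative_volume(SAMPLE_RECORDS, "EU", "US"))
    print("EU/ASIA", relative_volume(SAMPLE_RECORDS, "EU", "ASIA"))
```

Because each honeypot is a low-interaction emulation, a record here is a connection attempt to a port rather than a verified exploit; the percentages therefore describe what attackers probe, not what they succeeded against.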

Alert Logic also notes that 14 per cent of the malware collected through its honeypot network was not detectable by 51 per cent of the world's top antivirus vendors. That's not because it was zero-day malware, Coty notes. Instead, much of the malware that was missed consisted of repackaged variants of older malware such as Zeus and Conficker.

"The threat diversity for the Cloud has increased to rival that of on-premises environments," Alert Logic says in the report. "And new threats uncovered by our honeypot research demonstrate how top antivirus software vendors cannot be solely relied upon to detect attacks. The continued focus by hackers on infiltrating IT infrastructure underscores the importance of adopting the right security procedures and tools, and of continuously evaluating and adjusting those procedures and tools as attackers find new ways to thwart defense."

Coty says that, much as with on-premises datacentres, defence in depth is the key. He says a Cloud security solution should address:

  • Network: Firewall, intrusion detection and vulnerability scanning to provide detection and protection, while also lending visibility into security health.

  • Compute: Antivirus, log management and file integrity management to protect against known attacks, provide compliance and security visibility into activity within an environment and to help you understand when files have been altered (maliciously or accidentally).

  • Application: A Web application firewall to protect against the largest threat vector in the cloud: web application attacks. Encryption should be ubiquitous for protecting data in flight, and some companies also choose to encrypt data at rest where necessary, assuming their applications can support it.

  • Application Stack: Security Information Event Management (SIEM) can address the big data security challenge by collecting and analysing all data sets. When deployed with the right correlation and analytics, this can deliver real-time insights into events, incidents and threats across a cloud environment.
