Cloud endpoint security: Balance the risks with the rewards

Real-time cloud-based analysis

Using a cloud threat intelligence service starts when a next-generation firewall, host-based endpoint antivirus or intrusion detection agent prepares to connect to a specific IP address or domain. The endpoint agent checks with a cloud-based database to get background information on the destination IP address or domain. If the intelligence provider has marked that IP or domain as suspicious or malicious, the connection can be dropped immediately.

The next step in cloud threat intelligence is to share sanitized findings of suspicious activity with the vendor to the benefit of other customers using the same platform.

The latest feature being applied to real-time cloud-based analysis is sandboxing. Now it's not just specific artifacts, such as IP addresses and domains, that are being sent to the cloud for analysis -- entire suspicious files can be uploaded.

When a sample file is uploaded, it can be detonated inside the vendor's isolated cloud platform without harming customers' systems or, if needed, it can be manually analyzed by a team of malware specialists. This means an informed decision can be made about whether the file is malicious or benign based on its behavior, not just its file characteristics.

Although this service has incredible potential, care needs to be taken because it opens the users of such a cloud threat intelligence platform to some interesting new security risks.

Risks associated with security vendors

Anyone following information security news should be familiar with the tension between the security company Kaspersky Lab and the U.S. government. The U.S. government, like many other governments around the world, claims that Kaspersky Lab's ties to the Russian government pose a risk to the security of its customers.

When deploying, updating and auditing cloud endpoint security products, it is critical to check any cloud functionality and to make sure the enabled features fall within the broader company security policy.

This risk could technically exist because of the significant access antivirus products have to the systems they monitor. To be effective at malware detection and removal, the security agents have rootkit access, which gives the product full access to any file on the system, including the file system itself. They also use regularly updated, vendor-controlled proprietary signatures to trigger specific artifacts of these files. It is easy for a vendor to create a signature that would, for instance, scan a file for certain confidential keywords.

Recently, cloud features have increased the risk of Data exfiltration. Depending on the configuration of a cloud endpoint security product, it is often possible to upload matching files to an online environment controlled by the vendor and its often-unknown partners. This is meant to be for analysis purposes, but who controls the access to the uploaded files, and in which jurisdiction do they fall?

While the above is still, so far, a hypothetical risk, it is a risk organizations should consider.

Risks around third parties

Some applications use third-party sandboxing or threat intelligence lookup tools, such as VirusTotal. VirusTotal, currently owned by Google, is basically an enormous database of analyzed malware often containing sample files, which are offered as downloadable zip files. Although the sheer size of the gathered data has no real competition and remains a treasure trove of malware information, some risks associated with these tools are commonly known.

One well-documented risk is that actual malware authors monitor these analysis platforms to see the effectiveness of their malware, to learn which affected targets were uploaded for analysis, and to assess the need to modify their malware files and infrastructure.

Another risk to cloud endpoint security that has arisen due to recent progress in automation is that targeted or benign files can include confidential company data, such as infrastructure information or even login credentials. Manually or automatically uploading these files to a public forum and sharing them with the many VirusTotal partners, and basically with the entire public internet, could pose significant risk.

In 2017, cybersecurity journalist Brian Krebs reported that a cybersecurity product sold by Carbon Black was leaking private data. Its security agent would, if the feature was enabled, automatically submit files to VirusTotal -- which in this situation uploaded benign files containing passwords -- for analysis. VirusTotal, in turn, shared the findings and the files themselves on its publicly accessible platform for anyone to download. Carbon Black stated that the upload function was not enabled by default. If this is correct, some of the blame falls on the affected companies, as well.

When deploying, updating and auditing cloud endpoint security products, it is critical to check any cloud functionality and to make sure the enabled features fall within the broader company security policy. If there are any concerns, it is fairly trivial to ensure compliance by creating firewall or proxy rules that block access to certain destinations, such as VirusTotal or the vendor's upload servers.

Cloud features can significantly enhance the capabilities of the entire range of IT security products. Cybersecurity is such a dynamic and fast-changing environment -- and malware changes shape so often -- that real-time intelligence is needed. It is essential, however, to control the associated risks so that these great new security features do not create a data breach themselves.