The use of the cloud is relatively new for antivirus products, but it has led to the evolution of one of the most...
traditional security products.
Vendors such as CrowdStrike, Symantec and Palo Alto Networks use their cloud platforms to enable cloud endpoint security agents, servers and devices to obtain real-time threat intelligence data. This connectivity enables customers to make informed decisions about suspicious file or network activity and, if possible, to automatically contain a compromised system in its earliest stages.
Without the benefits of a distributed cloud platform, vendors may have a hard time providing that kind of service. Also, before cloud connectivity, threat intelligence lists had to be downloaded by every customer individually, and the delay between scheduled updates meant the data in production was always at least slightly behind the vendor's data.
Now that cloud endpoint security products are more widely available to enterprises, analysis and intelligence services are also more accessible.
Real-time cloud-based analysis
Using a cloud threat intelligence service starts when a next-generation firewall, host-based endpoint antivirus or intrusion detection agent prepares to connect to a specific IP address or domain. The endpoint agent checks with a cloud-based database to get background information on the destination IP address or domain. If the intelligence provider has marked that IP or domain as suspicious or malicious, the connection can be dropped immediately.
The next step in cloud threat intelligence is to share sanitized findings of suspicious activity with the vendor to the benefit of other customers using the same platform.
The latest feature being applied to real-time cloud-based analysis is sandboxing. Now it's not just specific artifacts, such as IP addresses and domains, that are being sent to the cloud for analysis -- entire suspicious files can be uploaded.
When a sample file is uploaded, it can be detonated inside the vendor's isolated cloud platform without harming customers' systems or, if needed, it can be manually analyzed by a team of malware specialists. This means an informed decision can be made about whether the file is malicious or benign based on its behavior, not just its file characteristics.
Although this service has incredible potential, care needs to be taken because it opens the users of such a cloud threat intelligence platform to some interesting new security risks.
Risks associated with security vendors
Anyone following information security news should be familiar with the tension between the security company Kaspersky Lab and the U.S. government. The U.S. government, like many other governments around the world, claims that Kaspersky Lab's ties to the Russian government pose a risk to the security of its customers.
This risk could technically exist because of the significant access antivirus products have to the systems they monitor. To be effective at malware detection and removal, the security agents have rootkit access, which gives the product full access to any file on the system, including the file system itself. They also use regularly updated, vendor-controlled proprietary signatures to trigger specific artifacts of these files. It is easy for a vendor to create a signature that would, for instance, scan a file for certain confidential keywords.
Recently, cloud features have increased the risk of data exfiltration. Depending on the configuration of a cloud endpoint security product, it is often possible to upload matching files to an online environment controlled by the vendor and its often-unknown partners. This is meant to be for analysis purposes, but who controls the access to the uploaded files, and in which jurisdiction do they fall?
While the above is still, so far, a hypothetical risk, it is a risk organizations should consider.
Risks around third parties
Some applications use third-party sandboxing or threat intelligence lookup tools, such as VirusTotal. VirusTotal, currently owned by Google, is basically an enormous database of analyzed malware often containing sample files, which are offered as downloadable zip files. Although the sheer size of the gathered data has no real competition and remains a treasure trove of malware information, some risks associated with these tools are commonly known.
One well-documented risk is that actual malware authors monitor these analysis platforms to see the effectiveness of their malware, to learn which affected targets were uploaded for analysis, and to assess the need to modify their malware files and infrastructure.
Another risk to cloud endpoint security that has arisen due to recent progress in automation is that targeted or benign files can include confidential company data, such as infrastructure information or even login credentials. Manually or automatically uploading these files to a public forum and sharing them with the many VirusTotal partners, and basically with the entire public internet, could pose significant risk.
In 2017, cybersecurity journalist Brian Krebs reported that a cybersecurity product sold by Carbon Black was leaking private data. Its security agent would, if the feature was enabled, automatically submit files to VirusTotal -- which in this situation uploaded benign files containing passwords -- for analysis. VirusTotal, in turn, shared the findings and the files themselves on its publicly accessible platform for anyone to download. Carbon Black stated that the upload function was not enabled by default. If this is correct, some of the blame falls on the affected companies, as well.
When deploying, updating and auditing cloud endpoint security products, it is critical to check any cloud functionality and to make sure the enabled features fall within the broader company security policy. If there are any concerns, it is fairly trivial to ensure compliance by creating firewall or proxy rules that block access to certain destinations, such as VirusTotal or the vendor's upload servers.
Cloud features can significantly enhance the capabilities of the entire range of IT security products. Cybersecurity is such a dynamic and fast-changing environment -- and malware changes shape so often -- that real-time intelligence is needed. It is essential, however, to control the associated risks so that these great new security features do not create a data breach themselves.