Runtime protection, the mindset shift cloud security needs (Virsec Blog)

Written by Satya Gupta, CTO, Virsec

For years, companies have adopted cloud infrastructure for ease and speed in deploying applications. However, over the past 18 months, the move to the cloud has accelerated dramatically as employees shifted to working remotely. Companies became laser-focused on getting applications up and running quickly so they could continue to generate revenue in the face of multiple obstacles.

Unfortunately, security tends to fall by the wayside. Many organizations don’t slow down to consider additional security requirements, or they assume their cloud provider or the perimeter tools they have deployed will protect them. But as we’ve seen with the rise in ransomware and supply chain attacks, unless you bring security along as you move to the cloud, pretty soon bad things happen.


Surge and shift in attacks

Ransomware attacks were up 225% in 2020. And since the bulk of an organization’s confidential data is located on servers, most ransomware attacks are server-based, with an uptick in cloud-based servers. Ransomware is nothing new, and over the years enterprises have learned how to get a leg up with data backup solutions that enable them to restore their systems and mitigate the impact of traditional ransomware attacks. But adversaries have adapted, and now 81% of ransomware attacks involve the threat to leak exfiltrated data if the victim doesn’t pay the ransom. Encrypting files is one thing, but these “double extortion tactics” make many victims buckle at the knees. Some studies find that nearly 70% of organizations are paying a ransom to regain data.

We’ve also seen supply chain attacks like SolarWinds, PrintNightmare, and Kaseya that have gone on to infect millions of users downstream and cost billions of dollars to contain and remediate. Traditionally, compromised credentials were a popular tactic to infiltrate organizations but, once again, as defenders gained a leg up with two-factor authentication and stronger passwords, adversaries shifted their tactics. Application vulnerabilities, either unpatched or unknown, have become a primary gateway to exploit server-based software applications and wreak havoc.

Security measures and misconceptions

Organizations are striving to better protect themselves against these attacks. Many companies are using endpoint protection products (EPP) or endpoint detection and response (EDR) tools that they believe can help mitigate the risk of ransomware attacks and breaches. However, these tools are dependent on finding bad behavior they know about and blocking it. This means they are always in reactive mode. What’s more, applications on servers are fundamentally different from applications running on devices and laptops, and the exploits that target server-based applications are stealthier and easily bypass endpoint tools. That’s why, despite having EDR tools in place, it’s taken some very visible companies upwards of 12 months to discover a breach.

Some companies also mistakenly assume their cloud provider will protect them. Cloud providers are large organizations with robust QA processes, but the PrintNightmare attack made it painfully clear that vulnerabilities still exist and can date back a decade or more. Read the disclaimer in your cloud service contract and you will see that cyber risk is clearly positioned as a shared responsibility. Cloud providers are adept at quickly patching known vulnerabilities, which is critical to help mitigate risk, but that isn’t enough.

The 2018 Meltdown and Spectre attacks taught us another important lesson: not only can adversaries use vulnerabilities to move between devices and infiltrate enterprises, systems, and servers, but they can even creep into servers across other enterprises. To try to combat this, CISOs leverage container technology to break applications into pieces and run the application in multiple clouds and for a short duration so that the attacker does not gain persistence. They also may locate databases and other critical parts of the application within their own environment and use the cloud for computing purposes only. They mistakenly rely on obscurity to try to protect the most critical parts of their applications, but adversaries don’t care how the application is hosted, and partitioning doesn’t fix any vulnerabilities that exist.

We need a change in mindset

If insanity is defined as doing the same thing over and over and expecting different results, then how should we define the current state of cybersecurity? There has never been a more appropriate time for organizations to fundamentally change their security strategy. We need to begin to focus on runtime protection.

True runtime protection requires knowing when attacker-influenced code begins to run. To make that distinction, the security control must know which individual blocks of code will execute, and in what order, as each piece of software runs. When attacker-controlled code starts to run, this predetermined sequence is broken, and that break is what lets a true runtime protection control determine that an attack is in progress. The ability to pinpoint when attacker-influenced code has started running also transcends known and unknown vulnerabilities, historical malicious behaviors, and indicators of compromise. Instead, it enforces what the application should be doing and stops what it shouldn’t be doing in real time, before an attack happens.
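The following sketch is an added illustration of the idea in the paragraph above, not Virsec's code or method: it records which block-to-block transitions appear in known-good runs and reports the first transition in an observed run that falls outside that map. The block names and traces are constructed, and learning the map from sample traces is an assumption made for the example.

```python
from collections import defaultdict


def build_transition_map(baseline_traces):
    """Collect allowed (src -> dst) block transitions and valid entry blocks."""
    allowed = defaultdict(set)
    entry_points = set()
    for trace in baseline_traces:
        if not trace:
            continue
        entry_points.add(trace[0])
        for src, dst in zip(trace, trace[1:]):
            allowed[src].add(dst)
    return dict(allowed), entry_points


def first_violation(trace, allowed, entry_points):
    """Return (index, src, dst) of the first step outside the map, else None."""
    if not trace:
        return None
    if trace[0] not in entry_points:
        return (0, None, trace[0])
    for i, (src, dst) in enumerate(zip(trace, trace[1:]), start=1):
        if dst not in allowed.get(src, set()):
            return (i, src, dst)
    return None


# Constructed sample data: hypothetical block labels for a request handler.
BASELINE = [
    ["accept", "parse_request", "authenticate", "query_db", "render", "respond"],
    ["accept", "parse_request", "authenticate", "reject", "respond"],
    ["accept", "parse_request", "static_file", "respond"],
]
OBSERVED_OK = ["accept", "parse_request", "authenticate", "reject", "respond"]
# Every block is known, but authenticate is skipped: the order is what breaks.
OBSERVED_REORDERED = ["accept", "parse_request", "query_db", "render", "respond"]
# Execution leaves the known blocks entirely.
OBSERVED_INJECTED = ["accept", "parse_request", "unknown_block", "respond"]

ALLOWED, ENTRY = build_transition_map(BASELINE)

if __name__ == "__main__":
    for name, trace in (("ok", OBSERVED_OK),
                        ("reordered", OBSERVED_REORDERED),
                        ("injected", OBSERVED_INJECTED)):
        print(name, first_violation(trace, ALLOWED, ENTRY))
```

The reordered trace shows why sequence matters: each block on its own is legitimate, and only the transition from `parse_request` straight to `query_db` gives the deviation away. A map learned from too few baseline runs will flag legitimate paths, so its coverage determines the false-positive rate.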

Runtime protection proactively disrupts the cyber kill chain. Adversaries are blocked before they can exploit a software vulnerability and gain a foothold. Dwell time is non-existent, so threat actors never have a chance to install malware or exfiltrate data. And organizations gain air cover and time to patch, while still being protected. Runtime protection is the mindset shift we need right now to strengthen security in the cloud.