Perhaps you already have good security practices in place for your chosen enterprise cloud applications used by your organisation, but how do you go about protecting against personal cloud applications chosen by your end users? Dropbox, Google Drive and Microsoft OneDrive are some of the more well-known cloud storage providers that allow people to use them to legitimately store documents, photos and videos, often for free, or at an affordable cost. But how can an organisation not only monitor these applications, but prevent insider threats from leaking company secrets, as happened in the story below? Fortunately, it’s not all grey clouds ahead. Listed below are five best practices to protect any organisation against personal cloud storage applications:
1. Policy and restrictions: Enforcing what is and isn’t acceptable usage on your company network goes a long way. Any misuse outside of this, will likely create a potential insider threat. Allowing traffic flow to cloud-based storage applications is like opening the flood gates. Firewall ACLs, network segmentation, application whitelisting and blacklisting are some of the ways in which cloud activities can be controlled.
2. Traffic monitoring: With the free availability of network monitoring tools such as Bro or LogRhythm Network Monitor, there really is no excuse to not be monitoring your network. From full packet capture to application classification using traffic inspection, there has never been a better time to get visibility of your network and discover and expose personal cloud usage, bandwidth usage, data exfiltration, as well as having the ability to reconstruct files. Being able to track which endpoint performed which action (such as an HTTP post command), and working with existing asset management tools, allows quick identification by IP or MAC address, and ultimately the offending user.
3. DLP: A good data loss prevention (DLP) solution will adhere to various compliance standards, but additionally be able to provide granular control in situations in which documents stored in the cloud contain personally identifiable information (PII), or where documents are sent to personal email, as well as when documents are made available both inside and outside of the organisation. All access should be tracked and monitored. But logging simply isn't enough, which leads on to my next point.
4. Security analytics with advanced threat detection and SAO: With the vast number of logs a typical organisation must deal with every day, it is imperative that SOC teams work smarter by taking advantage of NextGen SIEM capabilities. Artificial intelligence and machine learning helps drive efficiency by helping analysts focus on real security incidents and incident response activities. Signature-based antivirus and intrusion detection systems are things of the past. Leveraging an advanced threat detection solution to be able to observe behavioural patterns, such as trending, statistical, whitelisting, or whether an event does or doesn’t happen, all in real-time, is critical. Using security automation and orchestration (SAO) assists your SOC team to follow industry playbooks, then to trigger either manual or auto-remediation actions to disable accounts, isolate network communications on an endpoint, or any of the other numerous possibilities made available by support of APIs.
5. UEBA: User and entity behaviour analytics addresses the personal cloud issue by detecting insider threats, data access and exfiltration, as well as alerting when abnormal user behaviour is observed, such as logging in at unusual hours. Being able to recognise the user's true identity and being able to contextualise the log data allows for rapid escalation to raise a case and compile the list of evidence in the form of logs, alarms and notes.
A jury trial found a former engineer at a Navy contractor guilty of stealing trade secrets regarding Navy projects by uploading the files to his personal Dropbox account. According to an indictment obtained by Bleeping Computer, LBI accused [Jared Dylan] Sparks of uploading over 5,000 files containing information about LBI's work on Navy contractors to his personal Dropbox account, right before he quit his job in December 2011