Cloud Security Articles | eSecurityPlanet
https://www.esecurityplanet.com/cloud/
Industry-leading guidance and analysis for how to keep your business secure.
Feed last updated Fri, 14 Jul 2023 13:27:32 +0000

Zero Trust: Can It Be Implemented Outside the Cloud?
https://www.esecurityplanet.com/cloud/cloud-service-provider-security/
https://www.esecurityplanet.com/?p=30015
Thu, 11 May 2023 14:03:49 +0000

Only cloud service providers are getting cybersecurity right, and the implications for the future of IT are enormous.

The concept of zero trust has been around since 2010, when Forrester Research analyst John Kindervag created the zero trust security model. Yet two years after the devastating Colonial Pipeline attack and strong advocacy from the U.S. government and others, we are still no closer to seeing zero trust architecture widely adopted.

The only exception, it seems, has been cloud service providers, who boast an enviable record when it comes to cybersecurity, thanks to rigorous security practices like Google’s continuous patching.

As security breaches continue to happen hourly, sooner or later zero trust requirements are going to be forced upon all organizations, given the impact and cost to society. The Biden Administration is already pushing ambitious cybersecurity legislation, but it’s unlikely to get very far in the current Congress. I am very surprised that the cyber insurance industry has not required zero trust architecture already, but perhaps the $1.4 billion Merck judgment that went against the industry last week will begin to change that.

The central question is, can any organization implement a full zero trust stack, buy hardware and software from various vendors and put it together, or will we all have to move to cloud service providers (CSPs) to get zero trust security?

Old arguments that cloud profit margins will eventually make on-premises IT infrastructure seem like the cheaper alternative failed to anticipate an era when security became so difficult that only cloud service providers could get it right. That has enormous implications for the future of IT, which we’ll explore.

The 7 Tenets of Zero Trust

Both NIST and the U.S. Department of Defense (DoD) have published guidelines on zero trust requirements. The NIST guidance can be found here.

NIST has 7 tenets of zero trust. We’ll go over them briefly here but the details can be found on page 16 of the document.

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location. Network location alone does not imply trust.
  3. Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.
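
Tenets 3 through 6 above describe a policy decision point that re-evaluates identity, device posture and environmental attributes on every request. The following is an added illustration, not code from the article, NIST or DoD: a toy evaluator whose resource table, role names, posture thresholds and business-hours window are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy table (assumption): resource -> action -> roles allowed
RESOURCE_POLICY = {
    "payroll-db": {"read": {"hr", "finance"}, "write": {"finance"}},
    "wiki": {"read": {"staff", "hr", "finance"}, "write": {"staff"}},
}
MAX_PATCH_AGE_DAYS = 30            # device posture threshold (assumption)
BUSINESS_HOURS_UTC = range(7, 19)  # environmental attribute (assumption)


@dataclass
class Subject:
    user: str
    mfa_verified: bool
    roles: set


@dataclass
class Device:
    device_id: str
    managed: bool
    patch_age_days: int
    edr_healthy: bool


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    hour_utc: int  # network location is deliberately not an input (tenet 2)


@dataclass
class Decision:
    allow: bool = False
    reasons: list = field(default_factory=list)
    session_ttl_minutes: int = 0


def evaluate(req: Request) -> Decision:
    """Evaluate one access request. Every check runs on every request, so
    trust is decided per session (tenet 3) and never carried over."""
    d = Decision()
    # Tenet 6: authentication is dynamic and strictly enforced; MFA each session
    if not req.subject.mfa_verified:
        d.reasons.append("mfa_required")
    # Tenet 4: authorization comes from policy, per resource and action
    allowed = RESOURCE_POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.subject.roles & allowed):
        d.reasons.append("role_not_permitted")
    # Tenet 5: the requesting asset's posture is measured; no device is trusted by default
    if not req.device.managed:
        d.reasons.append("unmanaged_device")
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
        d.reasons.append("device_out_of_date")
    if not req.device.edr_healthy:
        d.reasons.append("edr_unhealthy")
    # Tenet 4: environmental attribute; writes to sensitive data only in business hours
    if (req.resource == "payroll-db" and req.action == "write"
            and req.hour_utc not in BUSINESS_HOURS_UTC):
        d.reasons.append("off_hours_write")
    if d.reasons:
        return d  # denied; every failed check is listed for the audit trail (tenet 7)
    d.allow = True
    # Tenet 3: access is time-boxed; sensitive resources get shorter sessions
    d.session_ttl_minutes = 15 if req.resource == "payroll-db" else 60
    return d


if __name__ == "__main__":
    alice = Subject("alice", mfa_verified=True, roles={"finance"})
    laptop = Device("d1", managed=True, patch_age_days=5, edr_healthy=True)
    print(evaluate(Request(alice, laptop, "payroll-db", "write", hour_utc=14)))
    print(evaluate(Request(alice, laptop, "payroll-db", "write", hour_utc=23)))
```

The point of the structure is that the evaluator lists every failed check rather than stopping at the first one: the denial reasons are exactly the telemetry tenet 7 asks the enterprise to collect, and they are what an operator needs when, as the article warns below, a legitimate new workload is refused because it looks like an intruder.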

Below is a picture of the NIST stack from DoD:

Core zero trust logical components.

The DoD document is very good, as it defines specific requirements and implementation. The document can be found here. A good example of workflow can be found on page 28:

Zero trust infrastructure, workload and data capability taxonomy.

The U.S. government has done a great job leading in this area up to this point, similar to the 1980s when the government helped lead the POSIX standards for common application interfaces.

Zero Trust is ‘Very Complex’

Needless to say, zero trust is very complex. Everything needs to be tracked and authenticated, starting with users, both standard and higher-privileged users. Networks need to be segmented and authenticated. Supply chains need to be validated. Encryption needs to be done for the environment, and that means that key management is another very complex process.

All of this has to be tracked, and policies need to be dynamically implemented for networks and systems. What if a new job runs, uses resources in a different way, and takes your whole system down because the policy manager thinks the new job is an intruder? This could easily happen. Add to that the complexity of third-party reliance: what if one of the software packages you use for, say, multi-factor authentication was hacked (think Okta) and someone was able to enter your system, circumventing the zero trust border?

All of this is incredibly complex and requires a large IT staff and a test environment for any big organization. Maybe big banks and healthcare systems can afford to do this because they can’t afford not to, but smaller companies and those with less critical IT needs often cannot financially afford to do this.

Examples of those that needed zero trust include critical infrastructure like Colonial Pipeline, various school systems, and state and local governments around the world that have been hacked and have impacted all of us. Even the local public schools near where I live have been hacked. Given the complexity of the systems needed to accomplish the workloads in our complex world, how can any small organization afford the IT staff and hardware resources to implement a zero trust stack?

Of course many, if not most, of the hacks done today are simply someone going to an email link that they should not have clicked on, but that too is part of zero trust, and hackers are upping their game and getting more sophisticated daily. If a school system, for example, was going to build a zero trust stack, they would need to integrate all the tenets of the zero trust stack for all hardware and software and implement multi-factor authentication across the environment. I have a cousin that is the IT administrator for a school system and he does not have the budget or resources to even consider this, and luckily his systems have not been hacked as of yet.

Also read: Zero Trust: Hype vs. Reality

What About the Cloud Service Providers?

Cloud service providers (CSPs) have a huge advantage over traditional hardware (server and network) and software vendors for a number of reasons:

  1. There is a single software stack that they control and, for the most part, they write themselves that can be integrated for monitoring. They do not have to have network monitoring, multi-factor monitoring, OS monitoring, etc., and they integrate, coordinate and correlate things themselves.
  2. The hardware stack is controlled by the cloud service providers. For the most part the CSPs build their own hardware and they’ve even been building their own CPUs. They build their own network devices, NVMe SSDs and motherboards. They control the firmware, the signing, and the supply chain. Everything is integrated by the CSPs.
  3. The entry points are monitored closely. When you connect to a CSP, everything is monitored by the cloud service provider. If you have a breach, they might know it before you do because if there was anomalistic behavior, they would see it first.

Yes, cloud service providers likely cost more than owning your own IT infrastructure, but with that cost comes much greater security than most organizations can afford or ever hope to achieve, so the cost difference may no longer be as great as it once was. Have the CSPs been hacked? Yes, but the last major breach was the 2009 Chinese hack of Google. There have been no publicized large hacks of CSPs since then, other than hacks that started by getting into customer sites then into the CSP or databases left open by a CSP customer. Of course there could be things we don’t know about, but Colonial Pipeline-like breaches have not happened in CSP environments as far as we know.

Also read: Building a Ransomware Resilient Architecture

What All This Means

From my vantage point (semi-retired and with lots of time to think, I might add) all this means that one of two things needs to happen.

  1. The current group of hardware and software vendors needs to get together and create a zero trust environment that is integrated and secure and that can be implemented by anyone and everyone, from each of our home PCs to SMBs to large corporations. There must be testing environments for businesses and organizations, and budgets must be defined to ensure that testing can be done for upgrades and new workloads. Some of the most difficult things to do will be the development of a test suite for workloads that will emulate the customer’s current and future workloads and ensure that automatic policy generation does not needlessly shut things down.
  2. Or everyone should move to the big cloud vendors, who have zero trust stacks, all kinds of workload generators, and likely policy management systems that have already seen current and future customer workloads.

There is no middle way, with apologies to the Buddha. The current state of affairs cannot continue; something will give.

If zero trust is a future requirement, and I think it is, the traditional commercial off-the-shelf (COTS) on-premises vendors are all going to have to get together to develop a zero trust stack. That includes, but is not limited to, hardware vendors (network, server, storage, firewall, etc.), OS vendors (both Linux and Windows), and software vendors (multi-factor, metrics, policy, etc.). This is a huge integration task, and on top of that a workload emulation system must be created.

Some big on-premises organizations such as financial services, healthcare and others have the requirements and resources to do this on their own, but smaller organizations do not, and many of them have been and will be attacked. To me the alternative is clear, that if zero trust is a requirement, the CSPs are far ahead of the COTS vendors, and the COTS vendors need to work together to develop standards and a framework that works across all platforms. This is a large investment that the CSP vendors seemingly have made.

Security Ain’t Free

Security does not come for free and you get what you pay for. I am somewhat surprised that cloud service providers don’t tout their security advantages more than they do, and I am equally surprised that the COTS vendors do not band together faster than they have been to work on zero trust. But what surprises me the most is the lack of pressure on everyone to move to zero trust and get a leg or two up on the current attack techniques and make the attack plane much smaller than it is. I am waiting for the insurance companies to mandate zero trust for the organizations they insure. Perhaps with the Merck ruling, the cyber insurers finally got the financial incentive to do so.

See the Top Zero Trust Security Solutions

Top 10 Cloud Access Security Broker (CASB) Solutions for 2023
https://www.esecurityplanet.com/products/casb-security-vendors/
https://www.esecurityplanet.com/2020/10/09/top-casb-security-vendors-for-2020/
Tue, 25 Apr 2023 16:00:00 +0000

Compare the top cloud access security broker (CASB) solutions to ensure your cloud environments are secure.

A cloud access security broker (CASB) solution sits between users and cloud services to protect data and enforce security policies.

In recent years, CASB solutions have become part of broader secure access service edge (SASE) technology as edge and cloud security risks have expanded to include all threats outside the network perimeter, including edge computing, IoT, mobile, cloud, web, email and more.

But an organization looking to protect itself from SaaS application and shadow IT risks still has much to gain from a standalone CASB. We’ve surveyed the CASB market to provide our recommendations for the top CASB vendors, along with buying guidance for those in the market for a CASB solution.


Broadcom

Best for compliance

Broadcom’s solution for addressing visibility into cloud application security is the Symantec CloudSOC CASB. Big cybersecurity acquisitions of Blue Coat Systems and Symantec in the last decade provided the roots of Broadcom’s CASB offerings. Paired with the Symantec cloud data loss prevention (DLP) solution, the Symantec DLP Cloud includes CASB Audit, CASB for SaaS and IaaS, and CASB Gateway.

Pricing

Contact Broadcom’s sales team for pricing details or find an official distributor or consulting services partner.

Key features

  • Deep content inspection and context analysis for visibility into how sensitive data travels
  • API-based inline deployment for fast risk scoring, behavioral analysis, and detection
  • Continuous monitoring of unsanctioned applications, malware, and security policies
  • Central policy engine for controlling how users and apps access and use data

Pros

  • Multiple deployment routes, including endpoints, agentless, web, proxy chaining, and unified authentication
  • Compliance focus for organizations with strict data protection needs

Cons

  • No free trial
  • Limited support contact options

Censornet

Best for reporting

A part of the vendor’s Autonomous Security Engine (ASE) solution, Censornet Cloud Access Security Broker comes integrated with adaptive multi-factor authentication, email security, and web security. Censornet’s CASB also offers Identity as a Service (IDaaS) for secure user authentication.

Censornet offers extensive reporting capabilities, including pre-built trend reports. Users can download and email reports to other members of the organization or to customers. Multiple report views allow security teams to report by device, threat level, user, and other views.

Pricing

The email security plan starts at £1.70 per user/month. The web security and antivirus plan starts at £2.30 per user/month. The CASB plan starts at £2.50 per user/month. To receive an exact quote for your business, contact the sales team.

Key features

  • Risk assessment, rating, and categorization for cloud applications
  • Granular policy-setting control by user, role, device, network, and function
  • Audit reports with multiple criteria, including app class, risk level, and threat type
  • Security awareness training product

Pros

  • Multiple customers have praised the technical support team
  • Extensive reporting options
  • Free trial

Cons

  • Might take time for inexperienced teams to fully customize

Read more about application security


Forcepoint

Best for risk analysis

Forcepoint’s CASB products focus on protecting sensitive data and critical applications. Forcepoint’s cloud audit and protection capabilities are designed for real-time activity monitoring and analytics. Forcepoint has added to its CASB offerings with technology acquisitions from Imperva and Bitglass.

It uses malware engines from CrowdStrike and Bitdefender to halt malware that’s transferred between users to SaaS applications.

Pricing

Forcepoint offers a demo to potential customers. Contact its sales team for a specific quote for your enterprise.

Key features

  • Native user behavioral analysis for profiling app risks and business impact
  • Customizable and advanced risk metrics for evaluating cloud app threat posture
  • Interoperability with Identity-as-a-Service (IDaaS) partners like Okta, Ping, and Centrify
  • MFA for user identification

Pros

  • Detects unmanaged SaaS solutions being used by employees and allows admins to block those applications
  • Integrates CASB data in Common Event Format, a security logging system, for existing SIEM environments
  • Integrates with other Forcepoint solutions, including web security and NGFW

Cons

  • Customer support is priced as an add-on

iBoss

Best for zero trust

iBoss offers CASB as a product in the Application and Data Discovery capabilities of its zero trust platform. iBoss restricts data transfers in corporate systems, redirecting file uploads and other transfers to company accounts if a user tries to send business data to a personal account. iBoss’s CASB offerings are particularly useful for social media and Google and Microsoft cloud applications. The product is well rated by users and analysts alike.

Pricing

iBoss has three zero trust plans, only one of which includes both inline and out-of-band API CASB features (Zero Trust Complete). The least expensive plan requires add-on pricing for both of the CASB features, while the median plan requires add-on pricing for out-of-band API CASB.

Key features

  • Out-of-band deployment options via APIs from MS365, Google, and Box
  • Policy management based on users, groups, and information accessed for data security
  • Native integration with Microsoft Azure, Office 365, and Microsoft Defender for Cloud Apps
  • Policy-based application controls for social media sites like Facebook, Twitter, and LinkedIn

Pros

  • Easy-to-use dashboard displaying usage and application data
  • Highly useful for Office 365 and Google applications

Cons

  • iBoss doesn’t have a standalone CASB, and users must pay additional fees for CASB functionality in some plans.

Lookout

Best for protecting highly sensitive data

Bolstered by the acquisition of CipherCloud, Lookout boasts a number of advanced CASB features like DLP, UEBA, zero trust, and integrated endpoint security. Users can scan historical cloud data to find open file shares and unprotected information. Lookout analyzes encrypted traffic from approved applications as well as unapproved ones and detects application activity even from administrators for potential malicious activity. Another highlight is digital rights management, which allows security teams to encrypt data and limit access to that data based on which applications and services are permitted to see it.

Pricing

Lookout offers a CASB buyer’s guide for customers who want to learn more about the Secure Cloud Access product. To receive an exact quote from Lookout, contact the sales team.

Key features

  • Digital rights management
  • Integration with enterprise mobility management (EMM) solutions for endpoint policies
  • Context-aware tags, including user, group, location, device type, OS, and behavior
  • Notifications when application users access and share sensitive data

Pros

  • Built-in user and entity behavior analytics (UEBA) assessing traffic, devices, and users
  • Data protection that integrates with company email accounts and identifies potential anomalies when emailing sensitive information

Cons

  • Customers must pay for an additional support program to receive technical support. Note that you must pay for at least the second plan, Premium, to get 24/7 support.

Skyhigh Security CASB

Best for access controls

Skyhigh Security’s CASB solution supports data loss prevention policies and blocks attempts to download corporate information to employees’ personal devices. Skyhigh uses both forward and reverse proxy for inline deployment. It provides integrations via API for a variety of business applications, including Slack, Zoom, and GitHub, as well as multiple identity and access management tools. Skyhigh — which comprises McAfee’s former cloud business — includes the CASB tool as part of its SASE platform.

Pricing

Skyhigh offers a demo for potential customers. It has three plans: Essential, Advanced, and Complete. Note that the Essential plan doesn’t have endpoint data loss prevention. To receive an exact quote, contact Skyhigh’s sales team.

Key features

  • Central policy engine with options for templates, importing, and custom policy creation
  • Integrations with existing security software like SIEM, secure web gateways (SWG), NGFWs, and EMM
  • User behavior analytics to identify potential insider threats
  • Shadow IT Cloud Registry, which assesses potential risks for cloud applications that employees might want to use

Pros

  • Gives customers access to 261-point risk assessments and ratings of pertinent cloud applications
  • Offers highly granular access policies based on IP address, location, activity, and other criteria
  • Detects malicious or negligent behavior with machine learning

Cons

  • No free trial
  • Might be challenging for inexperienced analysts to fully learn because of its granular policies and advanced risk assessments

Microsoft Defender for Cloud Apps

Best for Windows environments

Microsoft Defender for Cloud Apps addresses DLP, compliance, discovery, access and other security functions across business environments like social media, SaaS apps, and email. Office 365 is, of course, a particularly strong use case.

Defender for Cloud Apps supports blocking downloads on untrusted devices. Admins can also label files based on the sensitivity of the data in the file, creating protective rules that limit how the data can be accessed and shared.

Pricing

Note that unlike most of Microsoft’s security solutions, Defender for Cloud Apps doesn’t have a free trial specific to its product. Contact Microsoft’s sales team for further pricing information.

Key features

  • Add-on application governance for OAuth-enabled apps in Azure’s Active Directory instance
  • Central view of cloud security configuration gaps with remediation recommendations
  • Download blocking for untrusted devices

Pros

  • Provides real-time controls for remediating threat behavior identified at access points
  • Over 90 risk factors and 26,000+ available app risk and business assessments
  • Good choice for Microsoft cloud environments

Cons

  • Limited third-party SaaS integrations
  • No free trial

Netskope

Best for security integrations

Netskope has long been a leader in CASB technology, with continuous security assessment and compliance. The company has also packaged together a number of offerings as a SASE solution. Highlights of the CASB solution include the Cloud Exchange for tech integrations, including third-party security solutions like EDR and SIEM, and malware blocking for both email and storage service.

Pricing

Potential customers can request a demo from Netskope and request an executive briefing to create specific business solutions custom to their organization. For exact pricing, contact the sales team.

Key features

  • Encryption at rest or managed in real time with certified FIPS 140-2 Level 3 key management systems
  • Integrations with productivity, SSO, cloud storage, EMM, and security applications
  • Dashboard aggregating all traffic, users, and devices for SaaS, IaaS, and web activities
  • Role-based access control for administrator, analyst, and other privileged user roles

Pros

  • Netskope offers regular technical account management sessions for customers
  • Access to 40 threat intelligence feeds informing the detection of anomalous behavior

Cons

  • No free trial
  • 24/7 support and phone customer service are only available at additional cost

Palo Alto Networks Next-Gen CASB

Best for Prisma Cloud and Palo Alto NGFW customers

Palo Alto Networks has brought its considerable security expertise to bear on the CASB and SaaS protection market with an offering that includes SaaS monitoring, compliance, DLP and threat protection. Palo Alto’s SaaS Security and Enterprise DLP products combine to create the CASB. The Next-Generation CASB also has strong integrations with Palo Alto firewalls and access solutions, making it a good choice for businesses that already use Palo Alto security products.

Pricing

The Next-Gen CASB has a lengthy free trial for potential buyers. Contact Palo Alto’s sales team for an enterprise-specific quote.

Key features

  • Advanced DLP functionality via deep learning, NLP, and optical character recognition (OCR)
  • Activity monitoring through scans of traffic, ports, protocols, HTTP/S, FTP, and PrivateVPN
  • Built-in data security reporting for compliance auditing such as GDPR
  • Application controls for setting risk attributes and policy

Pros

  • Native integration with PAN’s VM-Series, NGFW, and Prisma Access solutions
  • 60-day free trial for the Next-Gen CASB solution

Cons

  • May be challenging for smaller, less experienced teams to learn and implement

Proofpoint

Best for employee protection

Enterprise cybersecurity company Proofpoint’s CASB is a user- and DLP-focused solution for revealing shadow IT activity and managing the use of third-party SaaS applications. Proofpoint offers multiple security integrations and helps teams identify the employees most likely to be attacked. It’s a good choice for businesses that want to closely track their organization’s biggest targets.

Pricing

The CASB solution has a live demo available for potential customers. Contact sales to receive a specific quote.

Key features

  • More than 46,000 apps categorized by type and risk attributes
  • Identify VAPs (Very Attacked People) and set appropriate privileges for sensitive access
  • Deployment integrations with SOAR, IAM, and cloud-service APIs
  • Continuous DLP controls and policies across endpoints, web, email, and cloud applications

Pros

  • Threat detection is based on user-specific contextual data
  • API integration options with multiple other enterprise solutions, including SOAR, SIEM, and ticketing tools
  • Free trial

Cons

  • Administration could be more straightforward when using multiple Proofpoint solutions in one organization.

5 Features of CASB Solutions

CASBs play the critical role of enforcing enterprise security policies for accessing cloud services. The following security features included in CASB solutions are important for businesses that use multiple cloud applications, have remote employees, and need to improve their compliance posture.

Authentication, authorization, and SSO

Correctly identifying users and making sure they are actually permitted to use an application helps organizations reduce cyberattacks that come from unauthorized access. Authentication differs from authorization: authentication establishes who a user is, while authorization determines what that user is allowed to enter and use. Single sign-on technologies provide authentication for an organization’s set of cloud applications. When a user logs in to the SSO platform, they can securely access all applications for that session with one click.

Malware detection and prevention

Malware is one of the biggest threats to enterprises’ day-to-day operations. CASB solutions detect anomalies across cloud applications that could indicate the presence of malware or malicious activity. Examples of anomalies include an attempt to download customer data from Salesforce at a strange time or unfamiliar files that are randomly shared with employees’ Google accounts. CASBs alert security admins to this behavior so they can identify and halt potential threats.

Device profiling

Security teams need to know what their organizations’ devices are doing. Device profiling compiles data for each device, both behavioral data (such as device traffic) and specification data (such as the device operating system). This helps teams build a comprehensive view of the device and its presence and behavior on networks, whether company or home networks. Device profiling makes it easier for security teams to identify device-specific threats.

Logs and alerts

CASB logs track and store data from behavior within the cloud environment. These logs should provide device, user, and application information that can be used to detect and identify threats. Alerts notify security teams when a potential threat has been identified within the cloud environment. Alerts should happen instantaneously to give personnel time to mitigate the threat before it spreads or causes more damage.
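
The anomaly examples under "Malware detection and prevention" (an off-hours bulk export of customer data, unfamiliar files pushed into employees’ Google accounts) and the log-to-alert pipeline described here can be made concrete with a small rule set run over activity logs. What follows is an added example, not code from the article or from any CASB vendor; the log format, field names, domain list and thresholds are constructed assumptions, and the sample lines are made up.

```python
import json
from collections import defaultdict

# Constructed sample CASB activity log, one JSON object per line (not real data)
SAMPLE_LOGS = """
{"ts":"2023-04-25T10:02:11Z","user":"alice@example.test","app":"salesforce","action":"export","object":"Contacts","rows":120,"device":"laptop-01"}
{"ts":"2023-04-25T03:14:09Z","user":"alice@example.test","app":"salesforce","action":"export","object":"Contacts","rows":48000,"device":"unknown"}
{"ts":"2023-04-25T11:40:00Z","user":"bob@example.test","app":"gdrive","action":"share_in","file":"invoice.pdf","from":"billing@partner.test"}
{"ts":"2023-04-25T11:41:30Z","user":"bob@example.test","app":"gdrive","action":"share_in","file":"Q2_bonus.xlsm","from":"promo9921@freemail.test"}
{"ts":"2023-04-25T11:42:00Z","user":"carol@example.test","app":"gdrive","action":"share_in","file":"Q2_bonus.xlsm","from":"promo9921@freemail.test"}
{"ts":"2023-04-25T11:42:05Z","user":"dave@example.test","app":"gdrive","action":"share_in","file":"Q2_bonus.xlsm","from":"promo9921@freemail.test"}
"""

# Tunables (assumptions): an allow-list of partner domains and detection thresholds
KNOWN_EXTERNAL_DOMAINS = {"partner.test"}
BUSINESS_HOURS_UTC = range(7, 19)
BULK_EXPORT_ROWS = 10_000
MASS_SHARE_RECIPIENTS = 3
MACRO_EXTENSIONS = (".xlsm", ".docm")


def parse_logs(text: str) -> list:
    """Parse newline-delimited JSON; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list) -> list:
    """Apply three rules to the events and return a list of alert dicts."""
    alerts = []
    fanout = defaultdict(set)  # (sender, file name) -> internal recipients
    for e in events:
        hour = int(e["ts"][11:13])  # hour field of the ISO-8601 UTC timestamp
        if e["app"] == "salesforce" and e["action"] == "export":
            # Rule 1: bulk export of customer data outside business hours
            if e["rows"] >= BULK_EXPORT_ROWS and hour not in BUSINESS_HOURS_UTC:
                alerts.append({
                    "rule": "off_hours_bulk_export", "severity": "high", "user": e["user"],
                    "detail": f'{e["rows"]} rows of {e["object"]} at {e["ts"]} from device {e["device"]}',
                })
        elif e["app"] == "gdrive" and e["action"] == "share_in":
            sender_domain = e["from"].split("@")[-1]
            # Rule 2: macro-enabled file shared in from a domain not on the known list
            if (sender_domain not in KNOWN_EXTERNAL_DOMAINS
                    and e["file"].lower().endswith(MACRO_EXTENSIONS)):
                alerts.append({
                    "rule": "unknown_sender_macro_file", "severity": "medium",
                    "user": e["user"], "detail": f'{e["file"]} from {e["from"]}',
                })
            fanout[(e["from"], e["file"])].add(e["user"])
    # Rule 3: one external sender pushed the same file to many employees at once
    for (sender, fname), users in fanout.items():
        if len(users) >= MASS_SHARE_RECIPIENTS:
            alerts.append({
                "rule": "mass_share_in", "severity": "high",
                "user": ",".join(sorted(users)),
                "detail": f"{fname} from {sender} to {len(users)} users",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert["severity"].upper(), alert["rule"], alert["user"], "-", alert["detail"])
```

Rule 3 is the one that turns a stream of individually low-severity events into a single high-severity alert, which is why the correlation state (`fanout`) is kept across the whole batch rather than decided per line; in a real deployment the same logic runs over a sliding time window rather than over a static file.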

Encryption and tokenization

Encryption protects data as it’s stored in cloud solutions and transmitted between them. Encrypting data shields the information from any user who attempts to view it without the decryption key. Tokenization shields employee or user data from view by using symbols, or tokens, to represent personally identifiable information.
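
The distinction matters in practice: ciphertext is derived from the plaintext and a key, so anyone holding the key can recover the data without further help, whereas a token is a random stand-in whose only link to the original value is a lookup table that never leaves the organization. The following added example (not code from the article or any CASB product) shows a minimal token vault of the kind a CASB places in front of a SaaS application; the `tok_` prefix, the role name and the record fields are assumptions.

```python
import secrets


class TokenVault:
    """Maps tokens back to their original values. In a CASB deployment this
    table stays under the organization's control; the SaaS side sees tokens only."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Return a token for value. The token is random, so it reveals nothing
        about the value; the same value maps to the same token so the SaaS
        application can still match records. keep_last leaves a visible suffix
        (e.g. the last four digits of a card number)."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        suffix = value[-keep_last:] if keep_last else ""
        while True:
            token = "tok_" + secrets.token_hex(8) + suffix  # 64 random bits
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, requester_roles: set) -> str:
        """Reverse a token. Access is role-gated because the vault is the only
        way back to the data: there is no key to recover elsewhere."""
        if "pii_reader" not in requester_roles:
            raise PermissionError("detokenization not permitted for this role")
        return self._token_to_value[token]


def redact_record(vault: TokenVault, record: dict, pii_fields: set,
                  keep_last: dict = None) -> dict:
    """Return a copy of record with each PII field replaced by its token;
    non-PII fields pass through untouched so the application keeps working."""
    keep_last = keep_last or {}
    out = dict(record)
    for name in pii_fields:
        if name in out:
            out[name] = vault.tokenize(str(out[name]), keep_last.get(name, 0))
    return out


if __name__ == "__main__":
    vault = TokenVault()
    customer = {"name": "Alice Example", "ssn": "123-45-6789",
                "card": "4111111111111111", "city": "Boston"}  # constructed
    safe = redact_record(vault, customer, {"name", "ssn", "card"}, {"card": 4})
    print(safe)                                   # what the SaaS app stores
    print(vault.detokenize(safe["ssn"], {"pii_reader"}))  # only on-premises
```

One design choice worth noting: the vault above is deterministic (same value, same token), which keeps searches and joins working on the SaaS side but also means two records with the same SSN are visibly linked. Where that linkage is itself sensitive, issue a fresh token per use and accept that equality matching moves back behind the vault.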

Why Do You Need a CASB?

The explosion in internet-enabled technology has created a reliance on digital advancements like cloud computing. However, the increase in internet-accessible resources comes with the inherent security risks posed by the worldwide web. Enterprise firewalls, web gateways (SWGs), and web application firewalls (WAF) all strengthen organizations’ security posture, but they fail to offer cloud-specific security.

Also Read: Cloud-based security: SECaaS

Protecting applications

Data and applications are moving away from private data centers and leaving behind a stack of on-premises security solutions that offer network visibility, access, data loss prevention (DLP), threat protection, and breach logging. The cloud’s introduction of SaaS products has moved data from private, on-premises DCs to cloud-based operations. 

Similarly, users have widely adopted cloud applications because accessing these tools outside of work and remotely is easier than ever. The added risk to applications and data on the network edge makes tools like CASB essential for cloud-based security.

Also Read: SaaS Security Risks: It’s the Users, Stupid

Remote work and BYOD

The consequence of cloud and mobile proliferation means data and users live beyond the on-premises security infrastructure. Where legacy security systems could effectively monitor local network traffic, CASBs have taken the mantle of monitoring and authenticating access in the cloud.

As organizations have adopted remote work and permitted personal devices (BYOD) for staff, the cloud offers open access from any unmanaged or unsanctioned device on which a user can authenticate. This makes data vulnerable because it lives in the relevant cloud applications and can be downloaded with little effort. Without a CASB in place, the struggle to identify all access points is a significant roadblock to improving security.

Auditing network applications

Outside of every IT department lives unsanctioned technology known as shadow IT. Wandering personnel using unsanctioned tools pose a security risk to the organization. Before implementing an application, IT departments evaluate the network security posture, the relevant configurations, and the user training needed to deploy the product properly.

Without these steps and close attention to detail, employees could be agreeing to terms of use and downloading applications that are in direct conflict with the organization’s internal or compliance standards. CASB solutions help decrease the effects of shadow IT.

Also Read: Remote Work Security: Priorities & Projects

CASB Benefits

CASB solutions aren’t a one-size-fits-all product. SaaS applications today have specialized APIs that require a compatible CASB to protect the application’s specific traffic. Enterprise organizations can have a suite of CASB solutions to cover the network’s cloud application traffic.

While CASB products don’t provide perfectly comprehensive security for all cloud systems, they’re a beneficial tool for managing access to business applications. Consider the benefits and limitations of CASB tools before implementing one in your organization’s security infrastructure. 

CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption, and tokenization. They can detect, alert, and prevent malware attacks. Benefits of deploying a CASB include: 

  • Restricting unauthorized access
  • Identifying account takeovers
  • Uncovering shadow cloud IT
  • Preventing cloud data loss
  • Managing internal and external data access controls
  • Recording an audit trail of risky behavior
  • Identifying cloud phishing and malware threats
  • Continually monitoring for new cloud risks

Other benefits noted by industry adopters include reduced costs, increased agility, and the ability to outsource hardware, engineering staff, and code development.

Also Read: Cloud Security Requires Visibility, Access Control: Security Research

Best Practices for Implementing CASB

A CASB is an unusual security solution in that it spans the cloud as well as both on-premises and off-premises users, so deployment can be tricky. For a successful rollout, keep the following best practices in mind.

1. Build visibility

The first step is to gain visibility into current cloud usage. This means diving into cloud application account usage and identifying activity by user, application, department, location, and devices used. Analyzing web traffic logs will offer a good reference point and will allow you to evaluate what enterprise or SMB CASB is appropriate. 

2. Forecast risk

The second step is to develop a cloud risk model based on the network’s standard usage patterns. Whether a hacker has gained access with leaked credentials or a former employee still has access to the organization’s cloud applications, these are both instances of risk that the network administrator must consider. 

Unsanctioned access can be dangerous when users have malicious intent and the ability to steal or delete critical data. Organizations can extend existing risk models or develop specialized risk models based on the needed security configurations.

3. Deploy the CASB

The third and final step involves applying the risk model to the current shadow cloud usage and deploying your CASB for action. With the risk model defined, the enterprise can enforce use policies across all cloud services. The IT team can assign risk scores and categorize cloud services for even more visibility into network services moving forward. When onboarding the CASB is complete, administrators can rest assured that their network and cloud infrastructure monitor traffic, protect against threats, fill the DLP gap, and ensure compliance with data privacy and security rules.

After deployment, network administrators and security analysts must give attention to CASB activity and ensure it’s functioning properly for its intended use. Many organizations start small on this process by integrating CASB for an initial application and analysis before integration across the network.
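As an added illustration of the three rollout steps above (not code from the article or any CASB vendor), the Python below parses constructed web-proxy log lines, builds the per-user, per-app, per-device visibility of step 1, applies a small risk model for step 2 (an assumed app catalog, an assumed list of offboarded accounts and an assumed upload threshold), and produces the risk scores and block/review/allow categories of step 3.

```python
# Added example (not from the article): the three CASB rollout steps over constructed proxy log lines.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log (not real data): timestamp user src_ip device method host bytes
SAMPLE_LOG = """\
2023-05-01T09:01:12Z alice 10.1.1.5 managed-laptop GET app.slack.com 1240
2023-05-01T09:02:40Z alice 10.1.1.5 managed-laptop POST files.slack.com 52400
2023-05-01T09:05:03Z bob 10.1.2.9 byod-phone POST www.dropbox.com 83886080
2023-05-01T09:06:15Z carol 10.1.3.2 managed-laptop GET outlook.office365.com 980
2023-05-01T09:07:44Z dave 203.0.113.7 unknown POST api.pastebin.com 20480
2023-05-01T09:09:01Z bob 10.1.2.9 byod-phone POST www.dropbox.com 52428800
2023-05-01T09:10:22Z dave 203.0.113.7 unknown GET app.slack.com 300
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# Assumed app catalog: host suffix -> (app name, sanctioned by IT?)
APP_CATALOG = {
    "slack.com": ("Slack", True),
    "office365.com": ("Microsoft 365", True),
    "dropbox.com": ("Dropbox", False),
    "pastebin.com": ("Pastebin", False),
}
# Assumed risk-model inputs: accounts that should no longer have access, and the
# upload volume per user and app that counts as suspicious.
OFFBOARDED_USERS = {"dave"}
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # 50 MiB


@dataclass
class AppUsage:
    user: str
    app: str
    sanctioned: Optional[bool]  # None = not in the catalog (shadow IT candidate)
    devices: Set[str] = field(default_factory=set)
    bytes_uploaded: int = 0


def parse_log(text: str) -> List[dict]:
    """Turn raw proxy lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, src_ip, device, method, host, size = m.groups()
        records.append({"ts": ts, "user": user, "src_ip": src_ip, "device": device,
                        "method": method, "host": host, "bytes": int(size)})
    return records


def classify_app(host: str) -> Tuple[str, Optional[bool]]:
    for suffix, (name, sanctioned) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name, sanctioned
    return host, None


def build_visibility(records: List[dict]) -> Dict[Tuple[str, str], AppUsage]:
    """Step 1: who uses which cloud app, from which devices, uploading how much."""
    usage: Dict[Tuple[str, str], AppUsage] = {}
    for r in records:
        app, sanctioned = classify_app(r["host"])
        entry = usage.setdefault((r["user"], app), AppUsage(r["user"], app, sanctioned))
        entry.devices.add(r["device"])
        if r["method"] == "POST":  # only uploads count toward data-loss volume
            entry.bytes_uploaded += r["bytes"]
    return usage


def score_risk(entry: AppUsage) -> Tuple[int, List[str]]:
    """Step 2: additive risk model; the weights are assumptions for illustration."""
    checks = [
        (entry.sanctioned is False, 5, "unsanctioned app"),
        (entry.sanctioned is None, 3, "unknown app (shadow IT candidate)"),
        (any(not d.startswith("managed-") for d in entry.devices), 3, "unmanaged device"),
        (entry.user in OFFBOARDED_USERS, 4, "offboarded account still active"),
        (entry.bytes_uploaded >= UPLOAD_THRESHOLD, 4, "large upload volume"),
    ]
    hits = [(weight, why) for cond, weight, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]


def categorize(score: int) -> str:
    """Step 3: map a score to the enforcement category the CASB should apply."""
    return "block" if score >= 10 else "review" if score >= 5 else "allow"


def rollout_report(log_text: str) -> List[dict]:
    findings = []
    for entry in build_visibility(parse_log(log_text)).values():
        score, reasons = score_risk(entry)
        findings.append({"user": entry.user, "app": entry.app, "score": score,
                         "action": categorize(score), "reasons": reasons,
                         "devices": sorted(entry.devices)})
    return sorted(findings, key=lambda f: (-f["score"], f["user"], f["app"]))


if __name__ == "__main__":
    for f in rollout_report(SAMPLE_LOG):
        print(f"{f['action']:6} {f['score']:2} {f['user']:6} {f['app']:13} {', '.join(f['reasons'])}")
```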

Read more about best business practices for cloud security.

How to Choose the Best CASB for Your Business

Cloud access security solutions aren’t typically one-size-fits-all. To successfully analyze CASBs and choose a suitable product for your organization, consider the following points.

Play to your strengths

Different security teams have varied skillsets, sizes, and levels of expertise. Choose a CASB that’s suitable for the security team that will be using it. An experienced and tenured team will likely benefit from a highly configurable solution, while a team of junior security personnel will want an easy-to-navigate interface and some out-of-the-box templates.

Know your budget

Narrow your list of potential CASBs down to a few choices and contact the sales team for each, getting a specific quote based on your business’s needs. Then analyze with your buying committee to determine which solution is the best combination of affordable and appropriate.

Keep integrations in mind

When shopping for a CASB, make sure the solutions you’re considering support all of the cloud applications that your business needs to protect. For example, if you want to monitor Slack access and behavior, look at CASB products that integrate with Slack.

Don’t forget customer support

Different security teams will need different levels of technical support from the vendor. Less experienced or small teams should select a CASB solution with highly rated, responsive customer support. Larger security teams with years of experience may not need quite as intensive technical services.

3 Types of CASB Deployment

There are three primary deployment methods for CASB solutions: forward proxies for inline deployment, reverse proxies for inline deployment, or APIs for out-of-band deployment.

Inline deployment: Forward proxies

A forward proxy is positioned closer to users and can proxy traffic to multiple cloud services. A forward-proxy CASB inspects users’ cloud traffic using an SSL man-in-the-middle technique, which requires that the traffic first be steered to the CASB forward proxy.

The downside of using a forward proxy is that every device whose traffic passes through the proxy needs the proxy’s self-signed certificate installed so that the intercepted connections are trusted. A large number of users can also introduce latency. For devices in scope, traffic is redirected to the proxy by means of PAC files, custom DNS configurations, third-party agents, advanced forwarding, proxy chaining, or TAP mechanisms.

Inline deployment: Reverse proxies

A reverse proxy is positioned closer to the cloud application and can integrate with Identity-as-a-Service (IDaaS) and IAM solutions. It doesn’t require special client configuration or certificate installation. Reverse proxies receive requests bound for the cloud application, apply predefined security rules, and then pass the user’s request on to the application.

Also Read: Application Security Vendor List

Out-of-band deployment: API-based

CASBs typically sit in the traffic path between users and cloud platforms; out-of-band deployment instead uses the cloud platforms’ asynchronous APIs to do the job. Through those APIs the CASB receives everything from log events to the configuration state it needs to create and enforce the appropriate security policies. Out-of-band CASB deployment enables frictionless change to application behavior, coverage of both north-south and east-west traffic, and retrospective policy enforcement for data at rest as well as for all new traffic.

Gartner points out that APIs’ development and their ability to offer real-time visibility and control could mean the end of proxy-based methods for deploying CASB.
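To make the API-based mode concrete, here is an added example (not from the article or any vendor) of the retrospective, out-of-band policy check it describes: constructed file-metadata and audit-event records stand in for what a SaaS provider’s APIs would return, and the same policy is applied to files already at rest and to new sharing events. The domain names, content labels and remediation actions are assumptions.

```python
# Added example (not from the article): out-of-band, API-mode CASB policy check over constructed records.
import re
from typing import List

# Constructed snapshot of files already at rest, as a file-metadata API might return it.
FILES_AT_REST = [
    {"id": "f1", "name": "q2-payroll.xlsx", "owner": "alice@example.com",
     "shared_with": ["anyone_with_link"], "sample": "Jane Doe 123-45-6789 salary 88000"},
    {"id": "f2", "name": "lunch-menu.pdf", "owner": "bob@example.com",
     "shared_with": ["anyone_with_link"], "sample": "Tuesday: tacos"},
    {"id": "f3", "name": "vendor-card.txt", "owner": "carol@example.com",
     "shared_with": ["partner@external-example.net"], "sample": "card 4111 1111 1111 1111 exp 12/25"},
    {"id": "f4", "name": "roadmap.docx", "owner": "dave@example.com",
     "shared_with": ["team@example.com"], "sample": "Q3 goals"},
]
# Constructed audit events delivered asynchronously after the snapshot was taken.
NEW_EVENTS = [
    {"type": "share", "file": {"id": "f4", "name": "roadmap.docx", "owner": "dave@example.com",
                               "shared_with": ["anyone_with_link"], "sample": "Q3 goals"}},
    {"type": "upload", "file": {"id": "f5", "name": "ssn-list.csv", "owner": "eve@example.com",
                                "shared_with": ["x@external-example.net"],
                                "sample": "987-65-4320,111-22-3333"}},
]
INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so digit runs that are not card numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_content(sample: str) -> List[str]:
    """Content labels a DLP engine would attach (SSN and payment-card patterns here)."""
    labels = []
    if SSN_RE.search(sample):
        labels.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(sample)):
        labels.append("card")
    return labels


def exposure(shared_with: List[str]) -> str:
    """Widest audience the sharing settings reach: public, external or internal."""
    if "anyone_with_link" in shared_with:
        return "public"
    if any(not s.endswith("@" + INTERNAL_DOMAIN) for s in shared_with):
        return "external"
    return "internal"


def evaluate(file: dict) -> dict:
    """Apply one policy whether the file is at rest or was just changed."""
    labels, exp = classify_content(file["sample"]), exposure(file["shared_with"])
    if labels and exp == "public":
        action = "revoke_public_link"
    elif labels and exp == "external":
        action = "quarantine_and_alert"
    elif exp == "public":
        action = "notify_owner"
    else:
        action = "allow"
    return {"id": file["id"], "name": file["name"], "labels": labels,
            "exposure": exp, "action": action}


def retrospective_scan(files: List[dict]) -> List[dict]:
    """Data-at-rest pass over everything already in the tenant; violations only."""
    return [r for r in (evaluate(f) for f in files) if r["action"] != "allow"]


def handle_events(events: List[dict]) -> List[dict]:
    """Streaming pass over new audit events, each evaluated as it arrives."""
    return [dict(evaluate(e["file"]), event=e["type"]) for e in events]


if __name__ == "__main__":
    for r in retrospective_scan(FILES_AT_REST) + handle_events(NEW_EVENTS):
        print(r)
```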

Frequently Asked Questions (FAQs)

You might still have questions about using CASB solutions or need to provide further information to executive team members or a buying committee. These questions help explain the importance of CASB technology and the ways it’s different from other security solutions.

If I already have a firewall, do I need a CASB?

Whether you need a CASB depends on your business’s overall needs. Do you have a large number of cloud-based applications or many users? Are your employees constantly sharing files or accessing sensitive information? 

Regardless of whether you need a CASB, know that a firewall is not enough for most enterprises. You’ll at least need a next-generation firewall, and aside from that, it’s important to invest in a security solution that hunts for threats and vulnerabilities within your infrastructure. Because firewalls are at the perimeter of a network, server, or application, they won’t be able to halt an attack if it gets through the initial barrier.  

What is the difference between CASB and SIEM?

While CASB focuses specifically on cloud applications, SIEM can encompass a broader range of enterprise technology, including hardware. SIEM solutions typically generate events or alerts from cloud solutions as well as other on-premises environments. 

What is the difference between CASB and DLP?

DLP is often a single feature of advanced CASB solutions: CASB not only provides data loss prevention but also other capabilities under its umbrella. Data loss prevention is specifically designed to protect sensitive data from being leaked or stolen. While CASB solutions have features that shield data, that’s not the only goal of cloud access security software.  

What is the difference between CASB and SASE?

Both CASB and SASE protect cloud environments. However, SASE includes large-scale networking security for remote users and locations, while CASB usually covers just SaaS protection. SASE also requires more time to deploy, typically necessitating a full overhaul of existing network security infrastructure. CASB takes less time to implement.

How We Evaluated CASB Solutions

We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths, and limitations. Independent tests, user reviews, vendor information, and analyst reports were among the sources used in our analysis.

Bottom Line: CASB Solutions

Cloud access security brokers help enterprises manage the wealth of cloud apps needed for everyday business operations. The more applications a company uses, the more vulnerable its security posture can be. CASBs help mitigate the threats that besiege cloud applications, including phishing attacks, unauthorized access, and malware. These top-of-the-industry solutions will help your organization become more aware of its cloud vulnerabilities and secure its most important applications.

Considering a variety of cloud solutions? Read about our picks for the top cloud security providers next.

Jenna Phipps contributed to this report.

The post Top 10 Cloud Access Security Broker (CASB) Solutions for 2023 appeared first on eSecurityPlanet.

SPanel: Taking Website Security to the Next Level https://www.esecurityplanet.com/cloud/spanel-secure-hosting/ Mon, 24 Apr 2023 18:07:48 +0000 https://www.esecurityplanet.com/?p=29784 SPanel is a web hosting environment that takes website security seriously. Learn more about the platform now.

The post SPanel: Taking Website Security to the Next Level appeared first on eSecurityPlanet.

Cybercrime has skyrocketed in the last few years, and the websites of small and medium-sized companies have been the most frequent target of web attacks.

The statistics are sobering: Small businesses report substantial downtime and lost data and business from those cyberattacks, and fewer than 30% are able to recover from a cyberattack within eight hours.

Most website owners don’t know how to protect their sites. That makes a reliable and secure hosting environment critically important. In an ideal world, that would mean having full control over your services while remaining fully protected from outside breaches.

That’s where SPanel can help.

See the Top Web Application Firewalls (WAFs)

What is SPanel?

SPanel is an all-in-one cloud management solution developed by the team behind ScalaHosting, this article’s sponsor. It was created to enable businesses to grow their websites in a secure environment. The platform uses the latest software technologies to achieve maximum performance.

SPanel integrates easily with most popular web server solutions, such as LiteSpeed, OpenLiteSpeed, and Nginx. It runs as an Apache proxy, meaning that websites get the best possible speeds. For PHP processing, SPanel supports the latest PHP and MySQL/MariaDB versions. In addition, it comes with Memcached installed, which also helps with fast content caching.

SPanel user interface.

The Admin interface allows for server and accounts management. It also shows the system load, memory and disk usage, as well as IP reputation.

SPanel admin interface.

To sum up, SPanel is lightweight, easy to use, and free. But is this enough?

Why Use SPanel on a Cloud VPS?

Cloud virtual servers prove to be the best environment for SPanel. Cloud technology allows users to get the most out of their server resources and further improve their security. Pairing that with a lightweight and multifunctional platform means you can take full advantage of your virtual server.

SPanel gives users a centralized point of control. Thanks to its integration with Softaculous, anyone can install web building apps in just a few clicks, no tech knowledge needed.

Developers and web studios get to enjoy even more features. They can change SPanel’s branding with their own, get usage reports, and download or view the Apache and PHP logs. Also, webmasters can manage:

  • API access
  • PHP
  • MySQL databases
  • DNS records
  • Backups
  • FTP users

Users can also create packages with predefined resource limits, view resource usage, automate accounts management, and more.

SPanel and Web Security

With cybercrime rising and website owners not prepared to protect themselves, ScalaHosting made sure SPanel comes with top-notch security features, some unique to the platform. Those security features set SPanel apart from competitors like cPanel and DirectAdmin.

SShield

SPanel SShield icon.

SShield monitors all website activity 24/7. It blocks 99.998% of threats before they reach the server. The platform carefully collects information about attacks, makes a report, and notifies the site owner.

SShield relies on AI-based algorithms and advanced machine learning to protect websites. When it encounters a new attack, the platform learns from it and updates its database. Unlike other solutions, SShield doesn’t block access to the affected account; it allows the owner enough time to fix the issue without affecting website uptime.

SWordPress Manager

As WordPress is used by 43% of all websites, SPanel contains the unique SWordPress Manager. The tool is included in the platform by default and offers a one-of-a-kind security feature: Security Lock. When it is activated, it effectively locks all files and directories. No one can modify data or upload files, so the website is fully protected from unauthorized access.

SSL Certificates for data encryption

SPanel SSL certificates icon.

The S in HTTPS indicates a connection secured with Secure Sockets Layer (SSL). An SSL certificate is a digital file installed on a web server to verify its identity. SSL also protects confidential data (for example, payment details), improves SEO rankings, and inspires trust.

SPanel offers free SSL certificates that automatically renew to avoid any service interruptions.

Offsite backups

SPanel accounts also get free daily backups to a remote server. Users can restore the data at any time from SPanel. All information is archived and can be accessed easily.

The user interface also features a Backup manager that enables users to do manual backups. It also allows them to easily restore and download the saved information. Incremental local and remote backups can be scheduled hourly, daily, weekly or monthly.

You can set optional expiration dates on your backups so SPanel automatically removes them to free up disk space.

Two-factor authentication

Two-factor authentication verifies your identity using your username/password and another method. Most often, the tool sends a confirmation code to the user’s smartphone.

Admins can enable the two-factor authentication feature by going to the SPanel Admin interface and clicking Server Settings. Then it’s a matter of simply switching the toggle next to 2FA to On.

SPanel server settings interface.

SPanel Licensing

SPanel.io recently released new licensing plans allowing SPanel to be used with any web hosting vendor. The fully-managed option comes with the control panel, free website migration, support from the SPanel team, and more. The self-managed one comes with only an SPanel license. It works on both virtual and physical servers and is renewed on a monthly basis.

You can see the full list of features on the official SPanel website, which also lists pricing.

Bottom Line: Secure Hosting

SPanel is a good option for easy hosting management and creating a secure environment for your website. Thanks to its security features, such as the SShield, SWordPress Manager, and daily offsite backups, website owners can focus on what truly matters — developing their business. The platform can handle the rest.

Read next: Application Security: Complete Definition, Types & Solutions

13 Cloud Security Best Practices for 2023 https://www.esecurityplanet.com/cloud/cloud-security-best-practices/ Tue, 21 Mar 2023 17:25:32 +0000 https://www.esecurityplanet.com/2017/05/24/cloud-security-11-best-practices/

The post 13 Cloud Security Best Practices for 2023 appeared first on eSecurityPlanet.

From the very beginning of the cloud computing era, security has been the biggest concern among enterprises considering cloud services. For many organizations, the idea of storing data or running applications on infrastructure that they do not manage directly seems inherently insecure, along with the risk of data traveling across the public internet to get to and from those services.

According to Netwrix’s 2022 Cloud Data Security report, 53% of organizations reported an attack on their cloud last year, and most of those attacks led to unplanned expenses to fix security gaps.

Enterprises that don’t want to be part of that statistic should understand and implement cybersecurity best practices and tools to protect their cloud infrastructure. Although these measures don’t prevent every attack, they do help businesses shore up their defenses, protect their data, and implement strong cloud security practices.

One key way to improve cloud security is to make sure that users and devices connecting to cloud apps are as secure as possible. Kolide — this article’s sponsor — works with Okta to ensure that only secure devices access cloud applications and resources, enabling zero trust, device trust, and patch management.

Cloud Security Best Practices

1. Understand Your Shared Responsibility Model

In a private data center, the enterprise is solely responsible for all security issues. But in the public cloud, things are much more complicated. While the ultimate obligation lies with the cloud customer, the cloud provider assumes responsibility for some aspects of IT security. Cloud and security professionals call this the shared responsibility model.

Leading infrastructure as a service (IaaS) and platform as a service (PaaS) vendors like Amazon Web Services (AWS) and Microsoft Azure provide documentation to their customers so all parties understand where specific responsibilities lie according to different types of deployments. The diagram below, for example, shows that application-level controls are Microsoft’s responsibility with software as a service (SaaS) models, but it is the customer’s responsibility in IaaS deployments. For PaaS models, Microsoft and its customers share the responsibility.

Cloud security shared responsibility model. Source: Microsoft

Enterprises that are considering a particular cloud vendor should first review its policies about shared security responsibilities and understand who is handling the various aspects of cloud security. That can help prevent miscommunication and misunderstanding. More importantly, though, clarity about responsibilities can prevent security incidents that occur as a result of a particular security need falling through the cracks.

Also read: Cloud Security: The Shared Responsibility Model

2. Ask Your Cloud Provider Detailed Security Questions

In addition to clarifying shared responsibilities, organizations should ask their public cloud vendors detailed questions about the security measures and processes they have in place. It’s easy to assume that the leading vendors have security handled, but security methods and procedures can vary significantly from one vendor to the next.

To understand how a particular cloud provider compares, organizations should ask a wide range of questions, including:

  • Where do the provider’s servers reside geographically?
  • What is the provider’s protocol for suspected security incidents?
  • What is the provider’s disaster recovery plan?
  • What measures does the provider have in place to protect various access components?
  • What level of technical support is the provider willing to provide?
  • What are the results of the provider’s most recent penetration tests?
  • Does the provider encrypt data while in transit and at rest?
  • Which roles or individuals from the provider have access to the data stored in the cloud?
  • What authentication methods does the provider support?
  • What compliance requirements does the provider support?

3. Deploy an Identity and Access Management Solution

Another major threat to public cloud security is unauthorized access. While hackers’ methods of gaining access to sensitive data are becoming more sophisticated with each new attack, a high-quality identity and access management (IAM) solution can help mitigate these threats.

Experts recommend that organizations look for an IAM solution that allows them to define and enforce access policies based on least privilege, or zero trust principles. These policies should also be based on role-based access control (RBAC) permissions. Additionally, multi-factor authentication (MFA) can further reduce the risk of malicious actors gaining access to sensitive information. Even if they manage to steal usernames and passwords, they’ll have a much harder time completing biometric scans or requests for a text code.

Organizations may also want to look for an IAM solution that works in hybrid environments that include private data centers as well as cloud deployments. This can simplify authentication for end users and make it easier for security staff to ensure that they’re enforcing consistent policies across all IT environments.

Read more: Best IAM Tools & Solutions

4. Train Your Staff

To prevent hackers from getting their hands on access credentials for cloud computing tools, organizations should train all workers on how to spot cybersecurity threats and how to respond to them. Comprehensive training should include basic security knowledge like how to create a strong password and identify possible social engineering attacks as well as more advanced topics like risk management.

Perhaps most importantly, cloud security training should help employees understand the inherent risk of shadow IT. At most organizations, it’s all too easy for staff to implement their own tools and systems without the knowledge or support of the IT department. Without top-to-bottom visibility of all systems that interact with the company’s data, there’s no way to take stock of all vulnerabilities. Enterprises need to explain this risk and emphasize the potential consequences for the organization.

Organizations also need to invest in specialized training for their security staff. The threat landscape shifts on a daily basis, and IT security professionals can only keep up if they are constantly learning about the newest threats and potential countermeasures.

Frequent conversations about good security practices also establish better accountability between peers and between managers and direct reports. Establishing accountability looks like:

  • Making sure every employee knows the security expectations in your organization. This might look like thorough cybersecurity training for new hires or quarterly sessions for the whole company.

  • Having frequent conversations about topics like data privacy, proper password management, and protecting the physical premises. The more you talk about it, the harder it is to ignore.

  • Asking good questions. Even questions like “does this rule make sense?” or “what’s the hardest security regulation our organization expects people to keep?” can open dialogue and reveal why some employees aren’t inclined to follow the rules.

Read more: Best Cybersecurity Awareness Training for Employees

5. Establish and Enforce Cloud Security Policies

All organizations should have written guidelines that specify who can use cloud services, how they can use them, and which data can be stored in the cloud. They also need to lay out the specific security technologies that employees must use to protect data and applications in the cloud.

Ideally, security staff should have automated solutions in place to ensure that everyone is following these policies. In some cases, the cloud vendor may have a policy enforcement feature that is sufficient to meet the organization’s needs. In others, the organization may need to purchase a third-party solution like a cloud access security broker (CASB) that offers policy enforcement capabilities. A CASB is a broad cloud security tool that can prevent data loss, control access and devices, discover shadow IT and rogue app usage, and monitor IaaS configurations, a source of many cloud data breaches. Secure access service edge (SASE) tools expand those protections even further.

Zero trust tools and controls can also help by offering refined control over policy enforcement. Tools in this category work with other systems to determine how much access each user needs, what they can do with that access, and what it means for the broader organization.

See the Top Cloud Access Security Broker (CASB) Solutions

6. Secure Your Endpoints

Using a cloud service doesn’t eliminate the need for strong endpoint security—it intensifies it. After all, in many cases it’s the endpoint that’s connecting directly to the cloud service.

New cloud computing projects offer an opportunity to revisit existing strategies and ensure the protections in place are adequate to address evolving threats.

A defense-in-depth strategy that includes firewalls, anti-malware, intrusion detection, and access control has long been the standard for network and endpoint security. However, the list of endpoint security concerns has become so complex in the cloud era that automation tools are required to keep up. Endpoint detection and response (EDR) tools and endpoint protection platforms (EPP) can help in this area.

EDR and EPP solutions combine traditional endpoint security capabilities with continuous monitoring and automated response. Specifically, these tools address a number of security requirements, including patch management, endpoint encryption, VPNs, and insider threat prevention, among others.

Read more: Top Endpoint Detection & Response (EDR) Solutions

7. Encrypt Data in Motion and At Rest

Encryption is a key part of any cloud security strategy. Not only should organizations encrypt any data in a public cloud storage service, but they should also ensure that data is encrypted during transit—when it may be most vulnerable to attacks.

Some cloud computing providers offer encryption and key management services. Some third-party cloud and traditional software companies offer encryption options as well. Experts recommend finding an encryption product that works seamlessly with existing work processes, eliminating the need for end users to take any extra actions to comply with company encryption policies.

Read more: Best Encryption Software & Tools

8. Use Intrusion Detection and Prevention Technology

Intrusion detection and prevention systems (IDPS) are among the most effective tools on the market. They monitor, analyze, and respond to network traffic, either as a standalone solution or part of another tool that helps secure a network like a firewall.

Major cloud services like Amazon, Azure and Google Cloud offer their own IDPS and firewall services for an additional cost. They also sell services from cybersecurity companies through their marketplaces. If you’re working with sensitive data in the cloud, these add-on security services are worth the cost.

Read more: Best Intrusion Detection and Prevention Systems

9. Double-Check Your Compliance Requirements

Organizations that collect personally identifiable information (PII), including those in retail, healthcare, and financial services, face strict regulations when it comes to customer privacy and data security. Some businesses in certain geographic locations—or businesses that store data in particular regions—may have special compliance requirements from local or state governments as well.

Before establishing a new cloud computing service, your organization should review its particular compliance requirements and make sure that a service provider will meet your data security needs. Staying compliant is a top priority. Governing bodies will hold your business responsible for any regulatory breaches, even if the security problem originated with the cloud provider.

Related: Best Third-Party Risk Management (TPRM) Tools

10. Consider a CASB or Cloud Security Solution

Dozens of companies offer solutions or services specifically designed to enhance cloud security. If an organization’s internal security staff doesn’t have cloud expertise or if the existing security solutions don’t support cloud environments, it may be time to bring in outside help.

Cloud access security brokers (CASBs) are tools purpose-built to enforce cloud security policies. They have become increasingly popular as more organizations have started using cloud services. Experts say that a CASB solution may make the most sense for organizations that use multiple cloud computing services from different vendors. These solutions can also monitor for unauthorized apps and access too.

CASBs cover a wide range of security services, including data loss prevention, malware detection, and assistance with regulatory compliance. CASBs have integrations with multiple SaaS and IaaS platforms, needing to work with many different cloud-based software solutions to secure an organization’s entire infrastructure. Consider CASB providers that support all your business’s cloud-based tools.

And CASB is not the only solution for securing cloud environments. Others include cloud-native application protection platforms (CNAPP) and cloud workload protection platforms (CWPP).

See the Top Cloud Security Companies

11. Conduct Audits, Pentesting and Vulnerability Testing

Whether an organization chooses to partner with an outside security firm or keep security functions in-house, experts say all enterprises should run penetration tests and vulnerability scans. Pentesting helps organizations determine whether existing cloud security efforts are sufficient to protect data and applications, and cloud vulnerability scanners can find misconfigurations and other flaws that could jeopardize your cloud environment.

Additionally, organizations should conduct regular security audits that include an analysis of all security vendors’ capabilities. This should confirm that they are meeting the agreed-upon security terms. Access logs should also be audited to ensure only appropriate and authorized personnel are accessing sensitive data and applications in the cloud.


12. Enable Security Logs

In addition to conducting audits, organizations should enable logging features for their cloud solutions. Logging helps system administrators keep track of which users are making changes to the environment—something that would be nearly impossible to do manually. If an attacker gains access and makes changes, the logs will illuminate all their activities so they can be remediated.

Misconfigurations are one of the most significant challenges of cloud security, and effective logging capabilities will help connect the changes that led to a particular vulnerability so they can be corrected and avoided in the future. Logging also helps identify individual users who may have more access than they actually need to do their jobs, so administrators can adjust those permissions to the bare minimum.

Cloud services providers offer logging, and there are third-party tools available also.

13. Understand and Mitigate Misconfigurations

It’s important not just to log data on misconfigurations but also to reduce them overall. Some cloud services give read permissions or administrative capabilities to any user, including someone outside the organization who might be able to access the bucket from their web browser. This type of misconfiguration opens the door for malicious actors to not only steal from a bucket but also potentially move laterally through the storage infrastructure if they gain the right information.

Additionally, if an account’s permissions are misconfigured, an attacker that steals credentials could escalate their administrative permissions for that account. This allows further data theft and potential cloud-wide attacks.

Even if the work is tedious, your enterprise’s IT, storage, or security teams should personally configure every single bucket or group of buckets. Receiving help from dev teams is a good idea, too — they can ensure that web cloud addresses are properly configured. No cloud bucket should have default access permissions. Determine which user levels need access — whether view-only or editing permissions — and configure each bucket accordingly.
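A check for the bucket misconfiguration described above (a grant open to anyone, including someone outside the organization) as an added example, not code from the article. The policy document is constructed in the AWS S3 bucket-policy format; the bucket name and the account id are placeholders.

```python
"""Flag public grants in an S3-style bucket policy and produce a tightened copy.

Added example, not from the eSecurityPlanet article. The policy is constructed;
"example-bucket" and account id 123456789012 are placeholders.
"""
import copy
import json

# Constructed policy with the weak setting: anyone on the internet can read.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}, including a "*" inside a list of principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        vals = principal.get("AWS", [])
        vals = vals if isinstance(vals, list) else [vals]
        return "*" in vals
    return False


def public_statements(policy):
    """Return (sid, has_condition) for every Allow statement open to everyone.

    Statements with a Condition block are still reported, because a condition
    may or may not narrow the grant enough; they are marked for manual review
    instead of being silently accepted.
    """
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(st.get("Principal")):
            continue
        found.append((st.get("Sid", "<no Sid>"), bool(st.get("Condition"))))
    return found


def harden(policy, allowed_principal):
    """Return a copy in which every wildcard principal is replaced by a named one.

    The original policy object is left untouched so the before/after can be
    diffed; the caller decides which principal genuinely needs the access.
    """
    fixed = copy.deepcopy(policy)
    for st in fixed["Statement"]:
        if st.get("Effect") == "Allow" and is_wildcard_principal(st.get("Principal")):
            st["Principal"] = {"AWS": allowed_principal}
    return fixed


if __name__ == "__main__":
    print("public statements:", public_statements(WEAK_POLICY))
    fixed = harden(WEAK_POLICY, "arn:aws:iam::123456789012:role/report-reader")
    print(json.dumps(fixed, indent=2))
```

A bucket policy is only one access path; bucket ACLs and the account-level public-access block settings should be reviewed alongside it.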


What are the Biggest Threats to Cloud Security?

There’s a reason so many companies are concerned about security in their public cloud environments. Having data in a provider’s data center, especially in a shared hosting environment, can make IT and security teams feel out of control. Although these concerns aren’t insurmountable, they’re valid. The following threats weaken enterprises’ cloud security posture.

Cloud misconfigurations

A misconfigured bucket could potentially give access to anyone on the internet. If a cloud resource’s settings aren’t configured to only users in your organization, authenticated cloud users from other organizations could access its data, too. API security is another important cloud connection to watch.

Unnecessary access

Some organizations may be tempted to give equal access permissions to all members of their IT, cloud, and storage teams. But this opens the door for permissions misuse: not all team members, particularly junior ones, need cloud admin privileges. Additionally, there’s always the possibility of insider threat, and to reduce the chance of an internal breach, reducing admin privileges to a few trusted team members is best. Additionally, data downloads should also have strict controls.

Cloud vendor weaknesses

Not all cloud providers have equal levels of security, and in public cloud hosting, the weaknesses of one cloud instance can affect all the others on the same host, even if the compromised instance belongs to a different organization. Businesses also have less control over the security of their public cloud instances in general, since those often reside in remote data centers. DDoS attacks are another common threat that cloud services face, but providers are generally prepared to maintain access as much as possible when these occur.

Employee errors

These include misconfigurations, but they also include mistakes like sending passwords in plaintext over online services or clicking a suspicious link in an email. Even downloading malware onto a computer can compromise cloud accounts if the user has file syncing set up on the device and a file is corrupted.

Bottom Line: Implementing Strong Cloud Security Practices

Although businesses consider the cloud to be one of their biggest vulnerabilities, it doesn’t have to be an open avenue for attackers. Tightening access controls, conducting regular cloud audits, and implementing strong encryption are just a few ways that your business can take ownership of cloud environment security. Understanding providers’ security procedures not only helps you choose the right vendor but also helps you better manage your own responsibilities.

The fact is that cloud service providers generally have pretty secure environments, and your biggest risks will be how you connect to the cloud and control data and access. The good news in that is it puts cloud security in your hands—all the more reason to learn cloud security best practices.

This article was originally published on May 24, 2017 and was updated by Jenna Phipps on March 21, 2023.


10 Top Cloud Security Companies in 2023
https://www.esecurityplanet.com/products/cloud-security-companies/ (Wed, 08 Feb 2023 17:40:00 +0000)

The widespread adoption of cloud and hybrid IT environments has created a need for new cybersecurity paradigms that address the expanded attack surface and new attack vectors that cloud computing brings.

Ensuring the security of your cloud-based services — and the ways they are accessed — is essential for modern enterprises. To help, we’ve analyzed a range of cybersecurity vendors and services to arrive at this list of the best cloud security companies for threat protection, data security, identity management services, and more.

Top cloud security companies:


Fidelis Cybersecurity: Best for DevSecOps

Fidelis Cybersecurity acquired CloudPassage in 2021 to help create Fidelis CloudPassage Halo, a cloud security platform that provides automated security and compliance monitoring for public, private, and hybrid cloud environments. It gives security teams an automated, unified platform for managing cloud infrastructure, IaaS, PaaS, servers, container applications, and workloads. The company also offers a range of network security solutions to extend that protection. Fidelis is capable of meeting broad security needs, but container and PaaS security are standout features.

Image: Fidelis CloudPassage Halo diagram

The Halo platform adds visibility to your security operation center (SOC) so security teams can quickly protect, detect, respond to, and neutralize threats. Additionally, the platform offers continuous compliance monitoring to ensure that cloud infrastructure and workloads comply with data privacy and other regulations.

Key Features

  • Three options: Fidelis CloudPassage Halo is a single platform with three SKUs – Halo Cloud Secure, Halo Server Secure, and Halo Container Secure. All three are licensed by usage level.
  • Monitoring and compliance: Fidelis CloudPassage offers automated security visibility and compliance monitoring for workloads that run in any on-premises, public cloud, or hybrid cloud environment.
  • Security features: File integrity monitoring, software vulnerability assessment and log-based intrusion detection are some of the standout security features.
  • Identity control: A key differentiator for Fidelis CloudPassage Halo is the platform’s automated approach to identifying when a given workload or configuration strays outside defined policies.
  • Cloud platform support: Works across several cloud environments, including AWS, Azure, and GCP.

Pros

  • Provides real-time visibility, assessment, and control
  • Multiple support channels (operations support, customer care, education, training and professional service)
  • Integrates with third-party solutions, including SIEM, SOAR, CICD pipeline tools, EDR, ICAP-based products and log files
  • Helps organizations reduce compliance costs, improve security posture, and adopt DevSecOps best practices
  • Works for all sizes of businesses, including small, medium, and large

Cons

  • Lacks transparent pricing
  • Steep learning curve

Pricing

Fidelis Cybersecurity does not advertise pricing on its website. However, it offers a 15-day free trial so potential buyers can evaluate the product. Buyers can also request a product demo, which Fidelis Cybersecurity typically provides free of charge. To receive an accurate quote, buyers should contact the vendor directly for more information about its exact pricing structure.


Skyhigh Security: Best Security Service Edge

Skyhigh Security is the cloud security business spun off after McAfee Enterprise and FireEye merged to form Trellix. The company provides a suite of security solutions for cloud infrastructure, data security, and user access. Its data-access protections include a secure web gateway (SWG), cloud access security broker (CASB), and data loss prevention (DLP) capabilities. Skyhigh focuses primarily on edge use cases like SASE/SSE, and it offers DLP capabilities in a joint offering with Trellix.

Image: Skyhigh Security Dashboard

Skyhigh Security describes itself as a company that “provides a data-centric approach to security that offers 360-degree access control to wherever your data resides, expanding to include how your data is used, shared, and created.”

The company is designed to secure data across the web, cloud (SaaS, PaaS, and IaaS) and private applications to reduce risk for businesses using cloud applications and services.

Key Features

  • Broad coverage: Adaptive risk-based enforcement, with a policy advisor covering over 30K apps
  • Performance: Offers 99.999%, ultra-low latency and over 85 global points of presence (PoPs)
  • Isolation: Provides intelligent remote browser isolation and real-time emulation sandboxing
  • Logging: Records a detailed log of every action taken by users and administrators to aid post-incident examinations and digital forensics
  • Risk management: Offers a customizable 261-point risk assessment to help manage and govern cloud services, giving access to the most comprehensive and precise registry of cloud services globally
  • Encryption: Secures sensitive structured data with enterprise-controlled keys using peer-reviewed, function-preserving encryption methods
  • Consolidated management: Merges Private Access, CASB, SWG, and remote browser isolation (RBI) into a single platform that can be managed from a single console.

Pros

  • Users find the solution stable
  • Efficient URL filtering capability
  • Unified architecture
  • Comprehensive threat analysis
  • Integration with third-party tools such as Office 365 and Salesforce
  • Post-incident inspections and analytics

Cons

  • Limited training resources
  • The interface could be improved
  • According to user reviews, this solution lacks support for unsanctioned apps

Pricing

Skyhigh Security pricing is available on request. Interested buyers can contact the Skyhigh Security sales team to learn more about the product and request a demo.


Lacework: Best CNAP Platform

Lacework is a cloud-native application protection platform (CNAPP) for modern IT environments. It provides automated security and compliance solutions for cloud workloads, containers, and Kubernetes clusters. With nearly $2 billion in venture funding, the fast-growing startup boasts one of the highest valuations of private security companies.

Image: Lacework compliance dashboard

The Lacework Platform uses cloud security posture management (CSPM), infrastructure as code (IaC) scanning, cloud workload protection platform (CWPP), and Kubernetes security to help organizations protect their environment. It also provides cloud incident and event monitoring (CIEM) to quickly detect and respond to threats. With Lacework, developers can scan for security issues locally, in registries, and in CI/CD pipelines while building large-scale applications.

Key Features

  • Contextual analysis: The Polygraph feature offers a visual representation of relationships across account roles, workloads and APIs to deliver better context.
  • Compliance: Lacework provides monitoring of cloud workloads for both compliance as well as security concerns.
  • Intrusion detection: Of particular value is the automated workload intrusion detection capability, powered by machine learning, to help reduce risks.
  • Configuration assistance: Configuration best practices support and guidance is another standout feature.
  • Threat detection: Uses machine learning and analytics to detect threats in cloud-native environments.
  • Vulnerability management: Lacework uses risk-based prioritization to help you identify, prioritize, and remediate known vulnerabilities in your environment.

Pros

  • Ease of use
  • Users find the dashboard visually appealing
  • Users find the solution useful for container image scanning, compliance reports, and AWS CloudTrail

Cons

  • Support could be better
  • Reporting capabilities could be improved

Pricing

Lacework does not advertise its pricing on its website, as each customer’s needs can vary significantly. The best way to get an accurate quote is to contact Lacework directly. Lacework offers a 14-day free trial for customers to test features and services.



Qualys: Best for Compliance

Qualys is a cloud security and compliance software platform that helps enterprises identify and protect their digital assets. It provides a unified platform for security, compliance and IT operations teams to detect and respond to threats, reduce their attack surface, and ensure regulatory compliance.

Image: Qualys enterprise unified dashboard

Qualys helps organizations automatically identify all known and unknown assets in their global hybrid IT environment, providing a complete, categorized inventory enriched with details such as vendor lifecycle information. The platform also provides continuous security monitoring, vulnerability assessments, malware detection and patching capabilities.

The Qualys cloud platform has multiple modules that enable different facets of cloud security, including compliance, vulnerability scanning, and cloud workload protection.

Key Features:

  • Vulnerability detection: The Web Application Scanning module provides automatic scanning capabilities for web apps to help detect and rank security vulnerabilities.
  • Compliance: Qualys offers multiple modules for compliance use cases, including the PCI-DSS module that scans all devices to identify compliance status.
  • Configuration: The Policy Compliance module offers automated security configuration assessments across on-premises and cloud assets.
  • Asset detection: Qualys automatically identifies all known and unknown assets on your global hybrid IT environment — on-premises, endpoints, clouds, containers, mobile, OT and IoT.
  • DevOps: Integrates with CI/CD toolchains such as Jenkins and Azure DevOps.
  • Security: The Qualys platform also includes a range of threat detection and response protections, web application firewalls, container security, and more.

Pros

  • Patch and vulnerability management
  • Ease of use
  • TotalCloud solution offers fast remediation with no-code, drag-and-drop workflows
  • Users find Qualys solutions scalable
  • Enables DevOps team to test for vulnerabilities throughout their development cycle
  • Public cloud infrastructure and workload inventories

Cons

  • Users report false positives
  • Support could be better

Pricing

Qualys doesn’t advertise pricing on its website and notes that pricing depends on the number of apps, IP addresses, web apps and user licenses.



Palo Alto Networks: Best for Cloud Workload Protection

Palo Alto Networks boasts a comprehensive product portfolio for protecting against cyberattacks — and the cybersecurity leader has brought that same comprehensive approach to its cloud security offerings.

Image: Palo Alto Networks SaaS security dashboard

Palo Alto Networks has one of the most comprehensive cloud native security platforms in the market in Prisma Cloud, with deep capabilities to help organizations manage workload security. The company’s solutions are designed to provide visibility and control over applications, users, and content, helping to reduce the risk of a data breach.

Key Features:

  • Cloud native: The Prisma Cloud platform is a new approach that Palo Alto Networks defines as a Cloud Native Security Platform (CNSP).
  • Broad protection: Prisma integrates components from multiple companies that Palo Alto Network has acquired in recent years, including evident.io, RedLock, PureSec and Twistlock, providing container and cloud workload policy, threat detection and control.
  • Visibility: Full cloud workload visibility, including serverless functions, is a key differentiator for Palo Alto, with capabilities to secure an end-to-end cloud-native deployment.
  • Cloud app protections: Vulnerability management and runtime protection against threats are other key features of the Prisma Cloud offering.

Pros

  • Palo Alto has leveraged its many years of network security innovations in developing solutions for SASE, CNAPP, cloud-delivered security services, and more
  • Protects hosts, containers, and serverless environments on any cloud platform
  • Prisma Cloud maintains support for over 20 compliance frameworks
  • Offers more than 700 pre-built cloud security policies

Cons

  • Users report that Palo Alto solutions are pricey
  • Support could be better

Pricing

Palo Alto Networks does not publish prices on its website, and buyers should contact the company for custom quotes tailored to their specific needs.

The company will consider various factors to provide an accurate quote, including the number of users, the type of product, and any additional features or services. Additionally, Palo Alto Networks offers various pricing models such as subscription, perpetual licensing, and metered usage to meet the different needs of customers.



Symantec: Best for CASB

Symantec, one of the most recognizable names in cybersecurity, has been part of Broadcom since 2019. The company provides a data-centric hybrid security platform that helps enterprises protect their data, networks, applications, and devices from threats.

Image: Symantec Endpoint Protection Manager login dashboard

Symantec offers endpoint security, cloud security, email security solutions, and threat intelligence services. Symantec has multiple cloud security functions within its portfolio, including workload protection and the CloudSOC CASB.

Key Features:

  • Workload protection: The Cloud Workload Protection suite can identify and evaluate security risks for workloads running in the public cloud.
  • Compliance: Cloud Workload Assurance offers automatic compliance reporting and remediation, including the ability to benchmark security posture for a given configuration.
  • CASB: The CloudSOC CASB is one of the leading cloud access security broker technologies, according to analyst firms Forrester and Gartner.
  • Endpoints: Symantec endpoint security can detect, block, and remediate known and unknown threats across laptops, desktops, tablets, mobile phones, servers, and cloud workloads.

Pros

  • Simplified and centralized management
  • Prevents inbound and outbound web-based threats
  • Provides automated cloud reporting, compliance, and remediation for IaaS
  • Benchmark security postures and configurations against standards such as CIS, NIST, SOC2, ISO/IEC, PCI and HIPAA

Cons

  • Technical support could be better
  • User interface could be improved

Pricing

Symantec doesn’t list product pricing on its website, as it can vary widely depending on the size of the organization, number of licenses, and other factors. Customers should contact the company directly through its website or partners.


Tenable: Best for Vulnerability Management

Tenable provides cybersecurity software and services that help organizations better understand and reduce cyber exposure. It provides security solutions such as vulnerability management, compliance, and file integrity monitoring, and has also turned its vulnerability management expertise toward the cloud.

Image: Tenable executive summary dashboard

Tenable’s products include:

  • Tenable.io, a cloud-based platform for managing security risk
  • Tenable.sc, a cloud-based Security Center for visibility and threat response
  • Tenable.ot for automated asset identification and classification
  • Tenable.cs, a unified cloud security platform that provides organizations with continuous visibility and control of their cloud infrastructure

Tenable has a long history in the vulnerability management space, which now extends into the cloud to help organizations of all sizes protect their workloads.

Key Features

  • Cloud protection: Tenable has multiple services on its cloud-based Tenable.io platform, including web application scanning, container security and asset management.
  • Vulnerability management: The key differentiator for Tenable.io is identifying assets and vulnerabilities, giving organizations visibility into their cloud risk.
  • Configuration management: The ability to identify potential misconfigurations is also an important feature.
  • Broad coverage: Tenable has assessed over 72K vulnerabilities with over 147K plugins.

Pros

  • Easy to deploy
  • Clear and easy-to-navigate dashboard
  • Users find the interface friendly
  • Transparent pricing

Cons

  • Reporting could be improved
  • Support could be better

Pricing

Tenable is generally pretty open about pricing, from its Nessus vulnerability scanning product up through its cloud offerings. Tenable also offers a free trial for all its products, so you can try them before you commit to a plan. Tenable pricing plans include:

Tenable.io vulnerability management

Tenable.io vulnerability management’s pricing plan is based on the number of assets you need to monitor: The more assets, the more you will pay. The minimum number of assets for the Tenable.io vulnerability management plan is 65.

  • 1 Year (65 assets) – $2,934.75
  • 2 Years (65 assets) – $5,722.76
  • 3 Years (65 assets) – $8,364.04

Tenable.io web app scanning

  • 5 FQDNs – $3,846.35


Trend Micro: Best for Hybrid Cloud Security

Trend Micro is a global leader in hybrid cloud security and provides an integrated and automated approach for protecting data, users, and applications, no matter where they are located. Trend Micro Hybrid Cloud Security solutions provide protection across on-premises and cloud environments.

Image: Trend Micro Deep Security dashboard

Trend Micro offers advanced security capabilities such as cloud workload protection, network security, file storage protection, application security, and open-source security. It also provides visibility and control over the entire IT environment, allowing organizations to identify, assess, and remediate threats.

Trend Micro is well positioned as a leader in hybrid cloud security, helping organizations to unify policies across both on-premises and public cloud deployments.

Key Features:

  • Integrated security: The Trend Micro Cloud One platform integrates workload, storage, network security, and compliance capabilities.
  • Hybrid workloads: The workload security feature is a key differentiator for Trend Micro, as it extends the same policy and protection to multiple deployment modalities, including on-premises, private and public cloud workloads.
  • Patching: Trend Micro also provides virtual patching for vulnerabilities to help limit risks as rapidly as possible.
  • Templates: Security can be codified with templates aligned with leading security standards and deployed with simple AWS CloudFormation templates.

Pros

  • Offers runtime protection for workloads, including virtual, physical, cloud, and containers
  • Users find the solution easy to scale
  • Efficient support
  • Secures cloud file and object storage services

Cons

  • Users report that the solution can be pricey
  • Reporting functionality could be improved

Pricing

Trend Micro does not advertise its prices online and prefers that customers contact its sales team to discuss pricing and tailor a solution to the customer’s needs.

However, Trend Micro offers a 30-day free trial of its solutions, so customers can try the solutions before they purchase.


VMware: Best for Multi-Cloud Environments

VMware is a leading provider of virtualization and cloud computing solutions. The company has used that leverage to assemble an impressive array of cloud security solutions to help organizations protect their data and infrastructure in the cloud.

Image: VMware CloudHealth cloud analytics dashboard

VMware has a global network of SASE points of presence (PoPs) that secure cloud applications and workloads, aligning security and performance. The virtualization pioneer has multiple capabilities for cloud security, including its Secure State and CloudHealth products.

Key Features:

  • Integrated security: VMware acquired CloudHealth in 2018 and expanded it in 2019 to provide deeper integration with VMware workloads alongside the public cloud.
  • Compliance: CloudHealth provides cloud governance features to help organizations align security and regulatory compliance.
  • Configuration security: VMware Secure State delivers multi-cloud security posture management that focuses on configuration security.
  • Risk assessment: Secure State is particularly good at providing insights into security risks due to connections between cloud objects and services, which can represent a great deal of risk to an organization.

Pros

  • Offers visibility, control and compliance
  • Reduces CapEx by as much as 75%
  • Advanced security for private, public and hybrid cloud workloads

Cons

  • The interface could be improved
  • Pricey

Pricing

The exact price of VMware products can vary depending on your business’s specific needs and requirements. To get an accurate quote, contact sales directly.


Netskope: Best Overall Cloud Security

Netskope is a cloud security company that provides organizations with enhanced visibility, control, and protection of their cloud applications. The company offers an integrated suite of cloud security solutions built to secure enterprise cloud-based data, applications, and users. Netskope is one of the highest-valued private cybersecurity companies — and has used its funding to assemble an impressive array of cloud security offerings.

Image: Netskope dashboard

Netskope’s core products include security service edge (SSE), next-gen secure web gateway (SWG), cloud access security broker (CASB), private access for zero trust network access (ZTNA), data loss prevention (DLP), remote browser isolation, SaaS security posture management, and IoT security. Netskope’s analytics engine also gives visibility into user behavior and suspicious activity across the cloud environment.

Key Features:

  • Intelligent SSE: Netskope consolidates the capabilities of SWG, CASB and ZTNA to provide comprehensive security across the web, SaaS and public cloud and data centers.
  • Analytics and insights: It provides visibility into enterprise cloud usage and identifies potential security risks.
  • Compliance: Netskope helps enterprises meet compliance requirements by enforcing data loss protection, access policies, and encrypting sensitive data.
  • Performance: Offers 99.999% uptime and availability as well as latency SLAs for traffic processing.
  • IoT security: Netskope provides visibility into all enterprise-connected devices and secures them via context-driven classification, risk assessment, segmentation, and access control.
  • SSL/TLS inspection: Monitors encrypted web traffic and cloud services for potential data theft, malware, and advanced threats, such as cloud phishing and payload hosting.

Pros

  • Provides visibility into enterprise cloud application usage and risks
  • Netskope zero trust principles enable remote employees to access the web, cloud, and private applications securely
  • Provides continuous monitoring to detect user behavior anomalies, app risks, and unknown data movement
  • Reduced attack surface
  • Strong SASE offerings

Cons

  • The customer support process could be improved
  • Users report that Netskope solutions can be pricey

Pricing

Netskope doesn’t reveal the price of its products. Potential buyers can request a demo to explore product capabilities and contact sales for custom quotes.


Zscaler: Best for Advanced Threat Protection

Zscaler is a cloud-based security company that protects users, data, and applications from cyberattacks. Its services cover the full spectrum of security needs, including network security, web application firewalls, intrusion prevention, malware protection, zero trust and data loss prevention, securing access for remote users and supporting compliance with industry regulations. Zscaler provides SWG, ATP, cloud sandboxing, and CASB services to protect users, devices, and data from cyber threats. Detection, deception technology and ease of use are just a few features praised by users.

Key Features

  • Contextual alerts: Provides alerts that give insight into threat scores, affected assets, and severity.
  • AI-powered phishing detection: The solution detects and blocks patient-zero phishing pages using advanced AI-based detection.
  • Browser isolation: With Zscaler Internet Access, you can create a virtual air gap between users, the web, and SaaS to mitigate web-based attacks and prevent data loss.
  • Segmentation: Zscaler Private Access connects users directly to private apps, services, and OT systems with user identity-based authentication and access policies. It also allows direct connection to IIoT/OT devices for remote operators and admins.

Pros

  • AI-powered advanced threat protection
  • Broad cloud security platform
  • Strong deception technology
  • Ease of use

Cons

  • Reporting feature could be improved
  • Users report that the solution can be pricey

Pricing

Potential customers should contact the Zscaler sales team for custom quotes.

How We Evaluated the Top Cloud Security Companies

In evaluating the cloud security market, we examined the breadth and quality of each vendor’s products and services, customer reviews, analyst reports, market traction and growth, independent test reports, pricing, and more.

Understanding Cloud Security Technologies

When considering cloud security products, it’s important to recognize and understand the different categories of solutions that are available to help organizations reduce risk and improve security. Among them are:

  • Cloud access security brokers (CASB): A primary category of cloud security solutions is cloud access security broker (CASB) platforms, which monitor activity and enforce cloud access security policies. For more on CASB vendors, see our guide to the top CASB vendors.
  • Cloud workload protection platforms: Cloud workload protection technologies (CWPPs) work with both cloud infrastructure and virtual machines, providing monitoring and threat prevention features.
  • Cloud-native platforms: Cloud-native application protection platforms (CNAP or CNAPP) combine cloud security posture management (CSPM) and CWPP in a single, unified solution to provide visibility and security control management across all cloud functions.
  • SaaS security: Multiple types of security technologies are also delivered as a service from the cloud, to help secure both on-premises and cloud workloads.

It’s also important to note that each of the major public cloud providers (Amazon Web Services, Google Cloud Platform and Microsoft Azure) has its own native cloud security controls and services that organizations can enable. Understanding your responsibilities on these platforms under the shared responsibility model of cloud security is critically important.

Choosing a Cloud Security Company

With the wide variety of options available for users, it can often be a confusing and time-intensive task to select an appropriate offering. When looking at cloud security, there are several key considerations:

  • Scope: It’s important to understand what’s at risk and what the organization is trying to protect. Often one or more services will be needed to protect an entire cloud deployment.
  • Policy Integration: Making sure that a given cloud security solution can integrate with existing policy systems, whether they are on-premises or in the cloud, is important for enabling a uniform policy for an enterprise.
  • Multi-Cloud Protection: The ability to work across multiple cloud providers and different types of deployments is important, since few organizations want to be locked in to any one vendor or cloud.

Bottom Line: Cloud Security Companies

As companies increasingly store and process critical data and assets in the cloud, it’s important that they have the right cloud security tools to secure those assets.

Cloud security companies give businesses the security solutions to meet those needs, including risk assessment, auditing, data encryption, user authentication, access control, and more. They can also advise on how best to secure cloud systems and protect data.

Read next: 12 Cloud Security Best Practices

This updates a March 11, 2021 article by Sean Michael Kerner.

The post 10 Top Cloud Security Companies in 2023 appeared first on eSecurityPlanet.

One in Five Public-Facing Cloud Storage Buckets Expose Sensitive Data
https://www.esecurityplanet.com/cloud/cloud-storage-buckets-expose-sensitive-data/
Thu, 17 Nov 2022 17:00:00 +0000

Public-facing cloud storage buckets are a data privacy nightmare, according to a study released today.

Members of Laminar Labs’ research team recently found that one in five public-facing cloud storage buckets contains personally identifiable information (PII) – and the majority of that data isn’t even supposed to be online in the first place.

The information uncovered by the researchers includes physical addresses, email addresses, phone numbers, driver’s license numbers, names, loan details, and credit scores.

“Because this data contains such highly sensitive information as loan details, Bitcoin addresses and conversations about unemployment benefits, we believe that this data has the potential to put the organizations to whom the information belongs at risk,” Laminar Labs said in a statement.

“Organizations cannot properly protect data they do not know is exposed,” the company added. “And in the shared responsibility model, keeping this data secure is the responsibility of the organization that owns the buckets in which the data resides.”

Also read: Cloud Bucket Vulnerability Management

A Data-Centric View

According to Laminar, the sensitive data found online includes the following – it’s quite a list:

  • A file containing PII of people who used a third-party chatbot service on different websites, including names, phone numbers, email addresses, and messages sent to the bot (such as people seeking unemployment benefits)
  • A file containing loan details – names, loan amounts, credit scores, interest rates, and more
  • A participant report for an athletic competition, including names, physical addresses, zip codes, email addresses, and medical information
  • A VIP invite list, including names, email addresses, and physical addresses
  • A file with names, Ethereum and Bitcoin address information, and block card email addresses

Companies need to know what publicly exposed sensitive data is in their environment, Laminar said. Still, doing so can be harder than it seems, since non-public Amazon S3 buckets can contain specific files and objects that are public – and conversely, buckets that are intentionally public, like hosted websites, can contain PII placed there by mistake.

The answer, according to Laminar, is a data-centric view rather than an infrastructure-centric one, cataloging all data in your cloud environment to ensure that sensitive information is kept private while public files remain accessible.

Also read: Cloud Security: The Shared Responsibility Model

A Pervasive Privacy Problem

Several other companies have warned of similar issues, such as UpGuard, which has detected thousands of breaches related to misconfigured Amazon S3 security settings over the past four years – including 1.8 million personal records from a database of Chicago voters, 14 million Verizon customer records, and GoDaddy trade secrets and infrastructure information.

“As long as S3 buckets can be configured for public access, there will [be] data exposures through S3 buckets,” UpGuard chief marketing officer Kaushik Sen wrote in a blog post earlier this year.

The Mitiga Research Team also recently found hundreds of databases containing PII exposed via the Amazon Relational Database Service (RDS). While RDS snapshots can be used to back up data, those snapshots can expose a range of highly sensitive information.

As the researchers noted in a blog post, “a Public RDS snapshot is a valuable feature when a user wants to share a snapshot with colleagues, while not having to deal with roles and policies. In this manner, the user can share the snapshot publicly for just a few minutes… What could possibly happen?”

Also read: CNAP Platforms: The Next Evolution of Cloud Security

Assume the Worst

Among the data the Mitiga researchers found exposed between September 21 and October 20 of this year was a MySQL database with about 10,000 rows recording car rental transactions, including names, phone numbers, email addresses, marital status, and rental information.

Another MySQL database contained information on about 2,200 users of a dating app, including email addresses, password hashes, birthdates, links to personal images, and private messages.

The researchers recommend leveraging AWS Trusted Advisor to assess your security posture, using CloudTrail logs to check for historical use of public snapshots, and separately checking for all currently available RDS snapshots.

“We think it’s not an overstatement to assume the worst-case scenario – when you are making a snapshot public for a short time, someone might get that snapshot’s metadata and content,” the researchers wrote. “So, for your company and, more importantly, your customers’ privacy – don’t do that if you are not 100% sure there is no sensitive data in the content or in the metadata of your snapshot.”
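The two checks recommended above (currently public RDS snapshots, and CloudTrail history of snapshots that were made public) as an added example; this is not code from the Mitiga researchers or from eSecurityPlanet. An RDS snapshot is public when its `restore` attribute contains the literal value `all`, and making it public is the `ModifyDBSnapshotAttribute` API call; the snapshot names, account ID and log records below are constructed, and the CloudTrail `requestParameters` key casing is assumed to follow CloudTrail’s usual lower-first-letter convention.

```python
"""Audit Amazon RDS snapshots for public sharing.

Added example, not code from the Mitiga research or from eSecurityPlanet.
The pure functions work on already-fetched API results and CloudTrail
records, so they run offline; the boto3 wrapper at the end is the only
part that talks to AWS.
"""
import json
from typing import Iterable, List

# AWS uses the literal value "all" in the 'restore' attribute for a public snapshot.
PUBLIC_MARKER = "all"


def is_public_snapshot(attributes_result: dict) -> bool:
    """True if a DescribeDBSnapshotAttributes result marks the snapshot public."""
    result = attributes_result.get("DBSnapshotAttributesResult", attributes_result)
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and PUBLIC_MARKER in attr.get("AttributeValues", []):
            return True
    return False


def find_public_snapshots(attribute_results: Iterable[dict]) -> List[str]:
    """Return the identifiers of snapshots whose restore attribute is public."""
    public = []
    for res in attribute_results:
        result = res.get("DBSnapshotAttributesResult", res)
        if is_public_snapshot(res):
            public.append(result["DBSnapshotIdentifier"])
    return public


def find_public_sharing_events(records: Iterable[dict]) -> List[dict]:
    """Pick out CloudTrail records in which a snapshot was made public.

    A ModifyDBSnapshotAttribute call with attributeName 'restore' and 'all' in
    valuesToAdd is the API action behind "make public". A later call that
    removes 'all' does not undo the exposure window, so only additions count.
    Key casing (dBSnapshotIdentifier) is assumed from CloudTrail's convention.
    """
    hits = []
    for rec in records:
        if rec.get("eventName") != "ModifyDBSnapshotAttribute":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("attributeName") != "restore":
            continue
        if PUBLIC_MARKER in (params.get("valuesToAdd") or []):
            hits.append({
                "time": rec.get("eventTime"),
                "snapshot": params.get("dBSnapshotIdentifier"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
            })
    return hits


def audit_live_account(rds_client) -> List[str]:
    """Check every manual snapshot the account owns, given a boto3 RDS client."""
    paginator = rds_client.get_paginator("describe_db_snapshots")
    results = []
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            results.append(rds_client.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]))
    return find_public_snapshots(results)


# Constructed sample data: one public snapshot, one shared with a single
# account, one not shared at all. 111122223333 is a placeholder account ID.
SAMPLE_ATTRIBUTE_RESULTS = [
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-customers-2022-10-01",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-customers-2022-10-02",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "dev-scratch",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
]

# Constructed CloudTrail records: the snapshot is made public, then private
# again eight minutes later (the "public for just a few minutes" case).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2022-10-05T09:12:44Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-2022-10-01",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2022-10-05T09:20:01Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-2022-10-01",
                           "attributeName": "restore", "valuesToRemove": ["all"]}},
    {"eventTime": "2022-10-06T11:00:00Z", "eventName": "DescribeDBSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": None},
]

if __name__ == "__main__":
    print("currently public:", find_public_snapshots(SAMPLE_ATTRIBUTE_RESULTS))
    for hit in find_public_sharing_events(SAMPLE_CLOUDTRAIL):
        print("made public:", json.dumps(hit))
```

Feeding real data into `find_public_sharing_events` only needs the records as dictionaries, whether they come from CloudTrail log files in S3 or from a `lookup_events` call.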

The risks of publicly exposing personal data are two-fold. The first is loss of customer confidence. And the second can be costly fines under data privacy regulations like GDPR and CCPA – see Security Compliance & Data Privacy Regulations for important compliance information on those laws and China’s new data privacy law too.

MSSPs Fare Well in First MITRE Evaluations
https://www.esecurityplanet.com/cloud/mitre-mssp-tests/
Thu, 10 Nov 2022 00:53:09 +0000

If MITRE Engenuity’s new MSSP evaluations are any indication, managed security service providers are a little like children from Lake Wobegon: They’re all above average.

Of the 15 MSSPs that participated in MITRE’s first-ever security services testing, only three failed to report attack techniques in all 10 of the evaluation steps, and in two of those cases the test itself did not execute successfully because of a web shell failure.

While the sample is small – by some estimates there are roughly 10,000 MSSPs – it nonetheless should be reassuring to MSSP customers that the vendors charged with defending their networks have demonstrable cybersecurity expertise. As there are few measures of security effectiveness, and none better than MITRE, it would benefit information-starved security buyers if more service providers participated in future rounds.

Ashwin Radhakrishnan, general manager of MITRE Engenuity’s ATT&CK Evals, said in a statement that the organization decided to evaluate MSSPs because of their growing importance.

“More than half of organizations use security service providers to protect their data and networks,” Radhakrishnan said. “We wanted to research how they are employing threat-informed defense practices for their clients. We don’t rank the vendors in our evaluations. Organizations, however, can use the Evals to determine which service providers may best address their cybersecurity gaps and fit their particular business needs.”

See the Best Managed Detection and Response (MDR) Services and the Top MSSPs

MSSP Tests Look At Reporting, Not Detection

MITRE is best-known for its endpoint security product evaluations, but there are some important differences between the organization’s product and services evaluations.

The MSSP evaluations examined how vendors performed under techniques that simulated attacks from the OilRig Iranian threat group, which was chosen because of its “evasion and persistence techniques, its complexity, and its relevancy to industry,” MITRE said.

The evaluation examined the MSSPs’ ability to report ATT&CK Techniques across 74 techniques and 10 steps, from initial compromise through lateral movement, exfiltration and cleanup.

An important emphasis in the new tests is on the word “report” rather than the detections measured in MITRE’s endpoint tests. MITRE purple teamers evaluated whether an ATT&CK Technique was reported or not, rather than whether it was detected by the service provider, MITRE said.

“In many cases, the service provider may have detected the ATT&CK Technique under test but chose not to report it to MITRE Engenuity because they believe it is unnecessary information, or they believe it can be implied or assumed by other information provided to MITRE Engenuity,” MITRE said on the MSSP evaluation’s overview page. “In order for an ATT&CK Technique to be considered Reported, the activity provided to MITRE Engenuity must contain sufficient context to explain the activity. Things like raw telemetry with no added analysis provided by the service provider were not considered Reported.”

That means the data provided by the tests isn’t as clear as it is in the product evaluations. So while we’ve recorded below the number and percentage of techniques reported by the MSSPs, as always it’s important to dig into the data and find what’s relevant for your organization’s needs.

In a blog on interpreting the results, Radhakrishnan noted a number of important considerations, among them:

  • Not all techniques are equal: “A service provider reporting on Process Discovery might not have the same value as a service provider reporting on Credential Dumping due to the severity of the action.”
  • Not all procedures are equal: “Process Discovery (T1057) via Command-Line Interface (T1059) can be detected with most process monitoring. Process Discovery via API (T1106) would need API monitoring. A service provider could have reported one, but not the other.”

The Results

With those significant caveats, here is some basic data from the evaluations.

Only one MSSP – BlackBerry – failed to report any findings on one of the 10 steps, the five techniques where the attackers download and install a web shell on the Exchange Web Server (EWS) for persistence. BlackBerry found plenty in the other 9 steps, however.

Palo Alto Networks and NVISO couldn’t participate in a handful of the 74 techniques, which couldn’t be executed because of a web shell failure.

And a 16th vendor, Trend Micro, did not have its results published after inadvertently finding “sensitive information.”

“Although Trend Micro participated and completed testing for this inaugural round, after an unintended situation, Trend Micro promptly and responsibly shared that their team had found sensitive information to MITRE Engenuity,” Radhakrishnan told eSecurity Planet. “Based on the agreement between MITRE Engenuity and Trend Micro, MITRE Engenuity did not publish Trend Micro’s results.”

So with those caveats, here are the raw numbers and percentages of the 74 attack techniques reported by the MSSPs:

MSSP                  Techniques reported   Rate
CrowdStrike           73                    98.65%
Microsoft             70                    94.59%
SentinelOne           63                    85.14%
Palo Alto Networks    58 (out of 69)        84.10%
Rapid7                62                    83.78%
Red Canary            62                    83.78%
Sophos                62                    83.78%
NVISO                 58 (out of 70)        82.86%
BlueVoyant            61                    82.43%
Bitdefender           60                    81.08%
OpenText              60                    81.08%
WithSecure            59                    79.73%
CriticalStart         56                    75.68%
BlackBerry            45                    60.81%
Atos                  39                    52.70%

Cloud Security: The Shared Responsibility Model
https://www.esecurityplanet.com/cloud/cloud-security-shared-responsibility-model/
Thu, 20 Oct 2022 20:42:37 +0000

Cloud security builds off of the same IT infrastructure and security stack principles of a local data center. However, a cloud vendor offering provides a pre-packaged solution that absorbs some operational and security responsibilities from the customer.

Exactly which responsibilities the cloud vendor absorbs depends upon the type of solution. While cloud security offerings provide a wide spectrum of choices, there are three generalized situations to compare against on-premises data centers: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

For each model, the cloud provider hands off different segments of the security responsibilities to the customer. Customers that fail to understand their obligations will likely leave security gaps exposed for attack.

Cloud providers continue to enable more stringent default security for their tools and may also offer tools to support a customer’s security obligations. However, ultimately the customer will hold the full risk and responsibility for proper implementation of their security obligations.

Also read: CNAP Platforms: The Next Evolution of Cloud Security

Shared Security Model: Cloud Provider Responsibilities

Customers of every type of cloud solution benefit by offloading operations and security functions associated with bare-metal infrastructure. Key cloud providers state their obligations differently but generally cover the same parts of the security stack:

  • Amazon Web Services (AWS): “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”
  • Microsoft Azure: Instead of providing a statement in words, Azure displays a table illustration of shared and non-shared responsibilities in which Microsoft shows it fully bears responsibility for physical hosts, physical networks, and the physical data center.
  • Google Cloud: With far more detail than AWS or Azure, Google Cloud emphasizes both shared responsibility and a shared fate for security. Its table illustration also goes into more detail and notes Google’s responsibility for hardware, boot, hardened kernel and interprocess communication (IPC), audit logging, network, and storage and encryption of data.

Cloud providers generally will be expected to manage the security and reliable availability of the cloud itself, which encompasses the following security functions:

  • Physical Security: Access to the buildings, the server rooms, and the server racks.
  • Hardware: Access to the bare-metal hardware of the servers, network cards, storage hard drives, fiber optic or Ethernet wiring between servers, and power supplies.
  • Drivers, Firmware, Software: Cloud providers bear responsibility to secure, test, and update the software and code that supports the firmware and the basic software infrastructure of the cloud. This responsibility does not extend to software that customers install on cloud devices.
  • Virtualization Layers: Cloud providers determine the type of virtualization used to create the cloud solution and the security between the solution and the server. The cloud provider will ensure that customers cannot see each other’s infrastructure or access the underlying infrastructure hosting the cloud solution.
  • Network: The cloud provider ensures security for the networking infrastructure supporting the functioning of the cloud and encrypted interservice communications. This does not apply to customer-created networks or connections.
  • Provider Services & Software: Cloud providers may offer a range of services such as databases, firewalls, artificial intelligence (AI) tools, and application programming interface (API) connections. The cloud provider will be responsible for testing and securing these tools as applications, but the customers will be responsible for the settings and how they are used.
  • Storage and Encryption: When a customer’s data is inactive or sitting at rest on a hard drive in a cloud provider’s server rack, the cloud provider will be responsible for encrypting and securing that data. However, the customer must secure that data when the environment is active.
  • Audit Logging and Monitoring: The cloud provider will be responsible for creating and monitoring the log files that track the use of the cloud infrastructure itself.
  • Operations and Availability: Cloud providers are responsible for redundancy and maintenance to keep the cloud environment running. Cloud providers also will be responsible for compliance, certification, security, and incident response related to the cloud infrastructure.

Shared Security Model: Shared Responsibilities

Cloud providers secure the cloud, but customers secure what goes in it. When in doubt, consider the service or the access. The one who built the service will generally be the one responsible for securing it. Similarly, if the customer is able to access and change the security parameters, then they will be responsible for those settings and that layer of security.

IaaS-specific responsibilities

IaaS cloud providers deliver computing environments configured for a specific operating system (OS), such as Linux, Windows Server, Windows PC, and macOS. PaaS and SaaS customers will not be responsible for these security controls because those controls are generally handled by their cloud solution or do not apply. IaaS customers take on security layers not required by other cloud customers, including:

OS hardening

The cloud provider might include the OS license in the purchased instance, but the customer bears the responsibility to configure the OS to their needs, and that includes hardening the device for security. Vulnerability testing, patching, and updates also are the responsibility of the IaaS customer. The Center for Internet Security (CIS) provides access to hardened images, CIS Controls and CIS Benchmarks as guidance for deployments.

Network, firewall, and web application firewall (WAF) hardening

IaaS customers bear the responsibility to control the inbound, outbound, and lateral traffic for their cloud-based IT infrastructure (virtual servers, routers, networks, etc.). Most cloud implementations will use virtual versions of gateways, routers, and firewalls that can be deployed in a standardized fashion, but customers still bear the responsibility for their setup, integration, and monitoring.

Customer virtualization

Customers will often launch Kubernetes containers or virtual machines (VMs) within their own environment and will be wholly responsible for their security.

Also read: Cloud Bucket Vulnerability Management

Audit logging and monitoring

The IaaS customer will be responsible for creating and monitoring the log files that track the use of their cloud-based infrastructure. Some reports may be available through the cloud providers, but those reports generally will not encompass virtual machines, containers, or other infrastructure installed by the customer in the environment.

Operations

Customers are responsible for redundancy and maintenance to keep the infrastructure they installed optimized and running. Customers also will be responsible for compliance, certification, security, and incident response related to the cloud infrastructure.

IaaS and PaaS responsibilities

PaaS cloud providers provide more extensive and standardized IT infrastructure, so PaaS customers can focus on developing applications or other dedicated functions enabled by the PaaS platform. IaaS customers will also be responsible for these layers of the security stack that relate to resources installed within the cloud infrastructure.

SaaS customers will not be responsible for these security controls as they are either embedded into their solution or not applicable. Both PaaS and IaaS customers will be responsible for:

Applications logic & code

Even if the cloud provider provides the hardened platform, the customer is responsible for the programs and code installed, running, or communicating on that platform. If the cloud provider provides the code, then they will harden and secure the code itself, but the customers will be responsible for modifications, settings, connections, and access.

Network, API, firewall, and WAF hardening

IaaS and PaaS customers bear the responsibility to control the inbound, outbound, and lateral traffic associated with installed programs and applications. IaaS customers may have more traditional network configurations than PaaS customers, but PaaS customers can still integrate their cloud applications into their private networks and must secure that traffic.

Malware defense

IaaS customers bear the responsibility to monitor cloud devices for infection, detect attacks in progress, and perform incident response. Cloud providers or traditional anti-malware providers may offer solutions to solve this problem for IaaS customers for an additional fee.

Both IaaS and PaaS customers must monitor their applications, databases, websites, and other installed resources for signs of attack or malicious activity such as unauthorized access, data exfiltration, and distributed denial of service.

Data protection

The cloud provider provides the secure container, but the client needs to make sure the data is secured within that container. Clients should enable controls such as encryption or data loss prevention (DLP) tools to ensure the integrity of data hosted in the cloud as well as to mitigate the risk of data theft.

IaaS and PaaS cloud customers will similarly need to provide network traffic protection controls, such as encryption, integrity, and monitoring, to monitor data in use within the cloud and between the cloud and other resources.

Also read: Exfiltration Can Be Stopped With Data-in-Use Encryption, Company Says

Shared Security Model: Customer Responsibilities

All cloud customers, including SaaS customers, will need to handle security functions fully within their control:

Content

Customers will be fully responsible for securing the storage, transfer, and backup of data to their cloud environment. Data classifications for specific security profiles or compliance obligations will also be the customer’s responsibility.

Data backup

SaaS cloud providers will often be responsible for the integrity and availability of data at rest. However, SaaS providers do not police if changes to that data are authorized or intentional. Customers that accidentally delete or allow attackers to corrupt their data may find the SaaS provider backup does not roll back sufficiently to recover the data. Customers are responsible for the frequency, security, and integrity of their own backups.

See the Best Backup Solutions for Ransomware Protection

Identity and access management (IAM)

Cloud customers bear the ultimate responsibility to establish user identities, verify identities, classify them for access, and verify their access and use of the cloud environment. Customers also bear the responsibility for monitoring and analyzing access for compliance and security purposes.

See the Best Identity and Access Management (IAM) Solutions

Audit logging and monitoring

Cloud providers may provide access to log files that track access to the level of cloud services provided for SaaS, PaaS, IaaS, licensed cloud tools, or other provided cloud architecture. Customers will be responsible for reviewing those provided logs as well as establishing any additional log files they might require for installed PaaS and IaaS infrastructure.

Access security controls

Cloud customers determine the password requirements and multi-factor authentication (MFA) controls suitable to verify access or identity to cloud resources.

Awareness & training

Customers must provide training to their staff to ensure their staff understands how to securely use the cloud environment (SaaS, PaaS, or IaaS) and what anomalies might indicate environmental compromise.

Mind the Security Gaps

Although the concept of shared responsibility provides overall guidelines for what security cloud providers will include within their solutions, customers ultimately will bear the bulk of the risk for failure. Customers should trust, but also find ways to test and verify that the cloud provider continues to hold up their end of the bargain.

Gartner anticipates that, through 2025, 99% of cloud security failures will be the customer’s fault and that 90% of organizations will inappropriately share sensitive data when they fail to control public cloud use effectively. Fortunately, many vendors also offer solutions to help manage cloud security and integrate those solutions with existing IT infrastructure.

However, even when selecting a third-party tool to manage cloud security, security managers need to be aware of where gaps might exist to ensure the tool covers those gaps.

See the Top Cloud Security Companies & Tools

Gaps in coverage

Customers should assume responsibility for any possible shared security until they verify that the cloud provider covers it sufficiently. Customers should review service-level agreements (SLAs) and do vulnerability and penetration testing on their own infrastructure. Only if the cloud provider’s security proves to be sufficient can the customer consider dropping potentially redundant and overlapping solutions.

Keep in mind that the visibility and control points will be different on the cloud, and there will be an adjustment period as security teams new to the cloud learn the variances.

Gaps in cloud implementation variance

Customers with multiple cloud providers cannot assume their security stack will be identical from cloud provider to cloud provider. Some gray zones may be interpreted differently by different vendors, and security should be verified across the entire security stack for each implementation.

Organizations should also regularly check security controls over time or when putting data into different regions. Different regulations may enable or prevent the cloud provider from providing security controls in different jurisdictions. Cloud providers may also implement changes and updates that affect existing security controls and open gaps or cause tool failures.

Gaps in default security

Although cloud providers may provide security, customers may intentionally choose to implement different or redundant security solutions to further mitigate risk. For example, a cloud provider might provide encryption keys for cloud-hosted data, but the organization may decide to use their own keys to improve security.

Gaps for incident response

Incident response teams have their favorite go-to data and tools to investigate, mitigate, and recover from attacks on local infrastructure. Some of this data will be available from cloud infrastructure and some tools will work fine as well. Others require adjustments.

Security teams need to work with operations teams to enable sufficient alerts and logs for potential incident investigation. Simulations should also be run to verify that their planned investigation and incident response methods work sufficiently for the cloud environment.

See the Best Incident Response Tools

Gaps in monitoring

IaaS servers, PaaS applications, and SaaS can be easily started by employees, who might forget to inform security. Security teams need to actively monitor network traffic for resources that may have escaped inventory, so that their monitoring strategy can encompass them.

Tools like CASB are one way for IT security teams to monitor such “shadow IT” applications.

Gaps on the periphery

Strong implementation of cloud security does not make an environment immune from compromised credentials, hijacked endpoints, or insider threats from users. Organizations must still secure their users, peripheral devices, and other non-cloud resources.

Understanding Cloud Provider and Customer Responsibilities

Moving resources to the cloud can save enormous operational, financial, and time resources. However, the cloud is not a magic bullet that solves all problems.

The cloud provider will provide a very secure foundation, but the customer is still responsible for knowing what they are building on the cloud infrastructure, whether IaaS, PaaS, or SaaS, and how to secure what they build. Understanding the Shared Security Model is the first step to building a security stack that will protect the organization against risks and adversaries for the long run.

Read next: Top Secure Access Service Edge (SASE) Providers

The post Cloud Security: The Shared Responsibility Model appeared first on eSecurityPlanet.

]]>
Top Network Detection & Response (NDR) Solutions https://www.esecurityplanet.com/products/ndr-network-detection-response/ Fri, 26 Aug 2022 21:49:14 +0000 https://www.esecurityplanet.com/?p=25177 In the race to offer comprehensive cybersecurity solutions, the product known as network detection and response (NDR) is a standalone solution as well as a central component of XDR. Whereas older solutions like antivirus, firewalls, and endpoint detection and response (EDR) have long focused on threats at the network perimeter, the intent of NDR is […]

The post Top Network Detection & Response (NDR) Solutions appeared first on eSecurityPlanet.


In the race to offer comprehensive cybersecurity solutions, the product known as network detection and response (NDR) is a standalone solution as well as a central component of XDR.

Whereas older solutions like antivirus, firewalls, and endpoint detection and response (EDR) have long focused on threats at the network perimeter, the intent of NDR is to monitor and act on malicious threats within organization networks using artificial intelligence (AI) and machine learning (ML) analysis.

Edward Snowden and the NSA breach of 2013, as well as dozens of other nightmares, point to the growing danger of insider threats across IT environments. Today, both outsiders with the right social engineering skills and disgruntled personnel pose risks to sensitive data when network architectures fail to implement microsegmentation and advanced network traffic analysis (NTA).

This article looks at the top network detection and response solutions in the budding sector, what NDR is, and what to consider in an NDR solution.

Also see the Top Network Monitoring Tools

Top Network Detection and Response Solutions

  • Bricata
  • Cisco
  • Darktrace
  • Exeon
  • Extrahop
  • Gigamon
  • Vectra

Cisco

Almost 40 years after its start in Silicon Valley, Cisco remains one of the top IT and cybersecurity solution providers in the world. The Cisco Secure portfolio is massive, including next-generation firewalls (NGFW), MFA, vulnerability management, and DDoS protection. Alongside analytics solutions for cloud, malware, and logs, Cisco's acquisition of Lancope in 2015 led to the development of its NDR solution, Cisco Secure Network Analytics (SNA). Built to detect and act on network threats faster, Cisco SNA is deployable as a cloud-based service, virtual machine, or on-premises appliance.

Cisco Secure Network Analytics Features

  • Detection for signature-less, insider, and encrypted malware threats.
  • Group-based policy adoption and reports to audit and visualize communications.
  • The AnyConnect Network Visibility Module (NVM) for endpoint telemetry data.
  • Malware analysis without decryption for advanced encrypted threats.
  • Integrations with Akamai, Exabeam, Google, LogRhythm, Radware, and Sumo Logic.

Darktrace

Celebrating a decade in 2023, Darktrace was one of the fastest-growing cybersecurity startups, with a more turbulent ride since its listing on the London Stock Exchange in 2019. The Darktrace stack of solutions covers hardening, detection, and response for hybrid IT environments, including the vendor's NDR solution, Darktrace DETECT, for applications, email, zero trust, operational technology (OT), and more. Today, the Cambridge, UK-based company puts artificial intelligence first in its security services for over 7,400 businesses in 110 countries.

Darktrace DETECT Features

  • Self-learning AI to understand, secure, and optimize network interactions.
  • Analyze thousands of metrics for known and unknown malware techniques.
  • Integrations with AWS, Cisco, Fortinet, Microsoft, Okta, Rapid7, and ServiceNow.

ExtraHop Networks

Launched in 2007, ExtraHop's success as an AI-based cybersecurity vendor led to its acquisition in July 2021 by Bain Capital for $900 million. Hailing from Seattle, Washington, ExtraHop offers Reveal(x) 360, a unified threat intelligence platform for hybrid and multi-cloud IT environments. ExtraHop's three core NDR solutions cover cloud security, network security, and IT operations. Whether it's AWS, Google Cloud, or Azure, ExtraHop offers clients cloud-native security and comprehensive visibility into cloud workloads.

ExtraHop Reveal(x) Features

  • Monitor sensitive data and workloads to prevent data breaches.
  • Detection of lateral movement, software supply chain attacks, and vulnerabilities.
  • Behavior and rule-based analytics to detect and respond to known and unknown threats.
  • Identify threats and unusual activity faster to respond and remediate vulnerabilities.
  • Integrations with Check Point, Citrix, CrowdStrike, IBM, Palo Alto Networks, and Splunk.

Vectra AI

Started in 2012, Vectra already stands out in the NDR marketplace, offering managed detection and response (MDR) alongside its threat detection and response platform. The San Jose-based company's solutions span attack surfaces for all major cloud services, data centers, and Microsoft 365, with specialized threat management for ransomware, supply chain attacks, data breaches, and account compromise. Companies have plenty of integrations to choose from for tools like EDR, SIEM, threat intelligence, and Secure Access Service Edge (SASE).

Vectra Threat Detection and Response Platform Features

  • Capture public cloud, SaaS, identity, network, and EDR data for analysis.
  • Multiple AI modeling techniques to audit network workloads.
  • Threat and risk prioritization to inform administrator action and investigation.
  • Automated and manual response options for securing networks in real-time.
  • Integration with AWS, Azure, Juniper, Pentera, SentinelOne, VMware, and Zscaler.

Bricata

Launched in 2014, Bricata is another vendor specializing in NDR capabilities, successful enough to catch the attention of OpenText, which acquired the Maryland-based vendor in November 2021. While OpenText continues its acquisition spree (notably, acquiring Micro Focus this week), Bricata's next-generation NDR platform continues to give security administrators visibility into user, device, system, and application behavior inside networks. In addition to real-time context and alerts, Bricata offers clients advanced forensics and threat hunting tools to make the most of investigations and remediation actions.

Bricata Next-Gen NDR Features

  • Software-based and hardware agnostic with consumption-based pricing.
  • Signature inspection, ML-based malware conviction, and anomaly detection.
  • Automated analysis for threats with prioritized workflows to respond fast.
  • Extract and store metadata for investigations and future use.
  • Technology partners with Cylance, Elastic, Garland, OISF, Proofpoint, and Splunk.

Gigamon

Started in 2004, Gigamon has long been in the network visibility game, with a portfolio today consisting of traffic intelligence and cloud, network, and data center visibility. Within its network security stack, Gigamon ThreatINSIGHT is the company's cloud-based NDR solution for high-fidelity adversary detection and response. Evidence of Gigamon's strength as an NDR solution includes serving as a connector for almost every other top NDR pick. Its broader technology alliance program is extensive, with 60 of the best vendors for managing network performance, vulnerabilities, and cloud infrastructure. Previously a publicly traded company (NYSE:GIMO), Gigamon was acquired by private equity for $1.6 billion in 2016.

Gigamon ThreatINSIGHT Features

  • Inspection of encrypted traffic and lateral movement for any device, network, and flow.
  • Omnisearch triage and investigation with up to 365 days of network metadata.
  • Ongoing detection tuning and QA with the Gigamon Applied Threat Research (ATR) unit.
  • Sensor and traffic diagnostics via the Gigamon technical success and SaaS Ops teams.
  • Integrations with AWS, Cisco, CrowdStrike, FireEye, New Relic, Nutanix, and Riverbed.

Exeon Analytics

Another budding NDR vendor, Exeon offers advanced security analytics to protect IT and OT environments. Launched in 2016 from the campus of the Swiss Federal Institute of Technology, the Zurich-based company's ExeonTrace analyzes security-related log data from existing infrastructure. With comprehensive visibility, Exeon can help clients identify data leaks, misconfigured devices, shadow IT, and unusual services. While Exeon mentions the ability to connect SIEM, EDR, and IDPS systems, the list of connectors wasn't immediately available.

ExeonTrace Features

  • Fast deployment that doesn't require sensors or agents.
  • AI-based threat scoring to prioritize investigations.
  • Insight-driven visualizations including a global map of traffic sources.
  • Network log data analysis for lightweight solution vs. data-heavy traffic mirroring.

Honorable Mention NDR Solutions

  • Arista Networks
  • Blue Hexagon
  • Broadcom Symantec
  • Corelight
  • Fidelis
  • Hillstone Networks
  • LogRhythm
  • Lumu
  • Progress Flowmon
  • Stamus Networks
  • Threatbook
  • VMware

What is Network Detection & Response?

Network detection and response (NDR) solutions complement tools like EDR and SIEM to analyze and detect malicious network traffic. In the next generation of network traffic analysis (NTA), NDR solutions offer AI and ML-based techniques to evaluate the latest signature-less attacks and unusual traffic patterns. When threats are detected, NDR solutions alert administrators to act or automate pre-configured preventative measures.

NDR Features

  • Cognitive modeling to monitor and analyze tactics, techniques, and procedures (TTP).
  • Real-time and historical view of traffic for investigating suspicious behavior.
  • Context-driven visibility, advanced analytics, and IoC identification for threat hunting.
  • Built-in advanced detection with ability to fine-tune configuration management.
  • Integration with EDR, SIEM, SOAR, and other network security solutions.
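To make the “unusual traffic patterns” and “real-time and historical view” points concrete, here is a toy baseline-deviation analytic of the kind NDR products run over flow records: it learns which internal hosts each source normally reaches on remote-administration ports, then flags a source that suddenly fans out to many new peers, a common lateral-movement signature that needs no malware signature at all. This is an added illustration, not any vendor's algorithm or code from the article; the flow records are constructed, and the internal address range, admin-port list and fan-out threshold are assumptions.

```python
"""Toy baseline-deviation analytic of the kind NDR products apply to network flow data.

Added illustration, not any vendor's algorithm: the flow records are constructed, and
the internal address range, admin-port list and fan-out threshold are assumptions.
"""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
ADMIN_PORTS = {22, 135, 445, 3389, 5985}         # remote-admin ports used in lateral movement
ADMIN_FANOUT_LIMIT = 3  # new admin-port peers a host may contact in one window unflagged

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# BASELINE_FLOWS stands in for learned history; WINDOW_FLOWS is the current window.
BASELINE_FLOWS = [
    ("2022-08-01T10:00:00Z", "10.0.1.10", "10.0.2.20", 445),
    ("2022-08-01T10:05:00Z", "10.0.1.10", "10.0.2.21", 445),
    ("2022-08-01T10:10:00Z", "10.0.1.11", "10.0.5.5", 443),
    ("2022-08-01T10:15:00Z", "10.0.3.7", "10.0.2.20", 3389),
]
WINDOW_FLOWS = [
    ("2022-08-02T03:00:00Z", "10.0.1.10", "10.0.2.20", 445),   # known peer
    ("2022-08-02T03:00:05Z", "10.0.1.10", "10.0.2.30", 445),   # new peer
    ("2022-08-02T03:00:09Z", "10.0.1.10", "10.0.2.31", 445),   # new peer
    ("2022-08-02T03:00:12Z", "10.0.1.10", "10.0.2.32", 3389),  # new peer
    ("2022-08-02T03:00:15Z", "10.0.1.10", "10.0.2.33", 5985),  # new peer
    ("2022-08-02T03:01:00Z", "10.0.1.11", "10.0.5.5", 443),    # not an admin port
    ("2022-08-02T03:01:30Z", "10.0.1.11", "198.51.100.9", 22), # external: out of scope
    ("2022-08-02T03:02:00Z", "10.0.3.7", "10.0.2.20", 3389),   # known peer
    ("2022-08-02T03:02:30Z", "10.0.3.7", "10.0.2.22", 3389),   # one new peer: under limit
]


def admin_peers(flows):
    """Map each internal source to the internal hosts it reached on admin ports."""
    peers = defaultdict(set)
    for _ts, src, dst, port in flows:
        if (ipaddress.ip_address(src) in INTERNAL
                and ipaddress.ip_address(dst) in INTERNAL
                and port in ADMIN_PORTS):
            peers[src].add(dst)
    return peers


def detect_lateral_movement(baseline, window, limit=ADMIN_FANOUT_LIMIT):
    """Return {src: sorted new peers} for sources whose new admin fan-out exceeds limit."""
    base = admin_peers(baseline)
    alerts = {}
    for src, dsts in admin_peers(window).items():
        new_peers = dsts - base.get(src, set())
        if len(new_peers) > limit:
            alerts[src] = sorted(new_peers)
    return alerts


def first_contact(window, src, dst):
    """Timestamp of the first src->dst flow in the window, for investigation context."""
    for ts, s, d, _port in window:
        if s == src and d == dst:
            return ts
    return None


if __name__ == "__main__":
    for src, peers in detect_lateral_movement(BASELINE_FLOWS, WINDOW_FLOWS).items():
        print(f"ALERT {src} reached {len(peers)} new admin-port peers:")
        for dst in peers:
            print(f"  {dst} first seen {first_contact(WINDOW_FLOWS, src, dst)}")
```

Two caveats a practitioner would attach: the baseline must be long enough to include legitimate scanners, backup servers and patch-management hosts (or those should be allow-listed), and a threshold on distinct new peers per window should be paired with the time spread of those contacts, since four new RDP sessions in fifteen seconds reads very differently from four spread over a working day.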

Network Security and NDR

NDR is a complementary network security tool, joining a handful of other critical systems for an enterprise cybersecurity architecture:

  • Cloud security
  • Endpoint detection and response (EDR)
  • Intrusion detection and prevention systems (IDPS)
  • Network traffic analysis (NTA)
  • Next-generation firewalls (NGFW)
  • Security information and event management (SIEM)
  • Security orchestration, automation, and response (SOAR)
  • User and entity behavior analytics (UEBA)

In 2015, Gartner Research Director Anton Chuvakin introduced the conceptual framework for what would become the “SOC visibility triad”. In a 2020 retrospective, Chuvakin explains how logs (via SIEM), endpoint data (via EDR or XDR), and network data (via NTA and NDR) are critical to security visibility.

An infographic from Gartner displaying the SOC Visibility Triad.

How to Choose an NDR Solution

As an emerging security solution, NDR shouldn’t be the first priority for companies building out their cybersecurity infrastructure. That said, the above network detection and response solutions offer plenty for enterprise organizations with well-established cybersecurity postures.

While NDR vendors offer opportunities to bundle other network security tools, including robust portfolios from vendors like Cisco and Sangfor, a top consideration remains ease of integration with existing security systems for SIEM and EDR. Because most organizations aren’t starting from scratch, NDR vendors must strive for interoperability with the leading network security products.

In a crowded marketplace of cybersecurity solutions, NDR is yet another that is on the rise. Only time will tell how niche an audience it will serve. Keep an eye on how the NDR sector evolves in the years to come and whether it survives as a standalone solution and market or gets absorbed by more comprehensive frameworks like XDR.

CISA Urges Exchange Online Authentication Update https://www.esecurityplanet.com/threats/cisa-urges-exchange-online-authentication-update/ Thu, 30 Jun 2022 16:19:33 +0000

The post CISA Urges Exchange Online Authentication Update appeared first on eSecurityPlanet.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is recommending that government agencies and private organizations that use Microsoft’s Exchange cloud email platform migrate users and applications to Modern Auth before Basic Auth is deprecated in October.

CISA noted that Basic authentication is simple and pretty convenient but unsecured by design. It’s relatively easy for any motivated attacker to intercept the data that is often transmitted in plain text or encoded with reversible algorithms such as base64.

Basic Auth exposes servers and other endpoints to man-in-the-middle (MITM) and password spraying attacks. It is also incompatible with multi-factor authentication (MFA) systems, so admins may be discouraged from enabling MFA.

In contrast, Modern Auth, which relies on OAuth 2.0 or the Microsoft Active Directory Authentication Library (ADAL), uses tokens that expire quickly and cannot be reused elsewhere.

While CISA released its guidance for government agencies, all organizations are urged to switch to Modern Auth before October 1, when Microsoft has said that Basic Authentication will be turned off for all protocols.

Also read: OAuth: Your Guide to Industry Authorization

How to Migrate Exchange Authentication

CISA recommends implementing an authentication policy for all Exchange Online mailboxes and disabling Basic authentication:

  1. Navigate to the M365 Admin Center’s Modern Authentication Page: https://admin.microsoft.com/#/homepage/:/Settings/L1/ModernAuthentication.
  2. Ensure “Turn on modern authentication for Outlook 2013 for Windows and later” is checked. This is the default setting.
  3. Uncheck every protocol under “Allow access to basic authentication protocols.”
  4. Click Save.

Organizations can also configure a Conditional Access policy that applies specifically to legacy authentication clients and blocks their access.

The CISA announcement is actually a reminder, as the Microsoft Exchange team has been disabling Basic auth in tenants that weren’t using it since 2021. Indeed, this obsolete authentication has been held responsible for massive leaks in plain text.

Because many orgs are still using it, Basic auth is now deprecated, and customers will have to migrate one way or another.

Customers can set their Authentication Policies to control the migration (e.g. date and time). Otherwise, the Exchange team “will randomly select tenants, send 7-day warning Message Center posts (and post Service Health Dashboard notices), then we will turn off Basic Auth in the tenants.”
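Before an authentication policy turns Basic Auth off, the practical step is to find out who still depends on it, and the same sign-in data shows why CISA flags password spraying: legacy protocols accept a password alone, so a single source trying one password across many accounts stands out in the failures. The following is an added example, not code from CISA or Microsoft: the records are constructed and modelled loosely on the Azure AD sign-in log schema, so treat the field names and the list of legacy client names as assumptions to verify against your own tenant's export.

```python
"""Inventory accounts still signing in with legacy (Basic Auth) protocols before the
cutoff, and flag spray-like failure bursts against legacy endpoints.

Added example, not from CISA or Microsoft. The records are constructed and modelled
loosely on the Azure AD sign-in log schema; treat field names as assumptions.
"""
from collections import defaultdict
import json

# Client app names that imply a legacy (Basic Auth) protocol rather than Modern Auth.
# Assumed list; verify against the clientAppUsed values your tenant actually reports.
LEGACY_CLIENTS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync", "Exchange Web Services",
    "IMAP4", "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "POP3", "Other clients",
}
SPRAY_USER_THRESHOLD = 3  # distinct users failing via legacy auth from one IP

# Constructed sign-in records. errorCode 0 = success; any non-zero value = failure.
SIGNIN_LOG = json.dumps([
    {"createdDateTime": "2022-06-29T08:00:00Z", "userPrincipalName": "alice@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-06-29T08:01:00Z", "userPrincipalName": "bob@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-06-29T08:02:00Z", "userPrincipalName": "scanner@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2022-06-29T08:03:00Z", "userPrincipalName": "carol@example.com",
     "clientAppUsed": "POP3", "ipAddress": "192.0.2.99", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-06-29T08:03:01Z", "userPrincipalName": "dave@example.com",
     "clientAppUsed": "POP3", "ipAddress": "192.0.2.99", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-06-29T08:03:02Z", "userPrincipalName": "erin@example.com",
     "clientAppUsed": "POP3", "ipAddress": "192.0.2.99", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-06-29T08:03:03Z", "userPrincipalName": "frank@example.com",
     "clientAppUsed": "POP3", "ipAddress": "192.0.2.99", "status": {"errorCode": 50126}},
])


def legacy_auth_inventory(log_json):
    """Return {user: sorted legacy client names} for successful legacy-protocol sign-ins.

    These are the accounts and devices (mail clients, scanners, scripts) that will
    break when Basic Auth is disabled and therefore need migrating first.
    """
    users = defaultdict(set)
    for rec in json.loads(log_json):
        if rec["clientAppUsed"] in LEGACY_CLIENTS and rec["status"]["errorCode"] == 0:
            users[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return {u: sorted(c) for u, c in users.items()}


def legacy_auth_spray_sources(log_json, threshold=SPRAY_USER_THRESHOLD):
    """Return {ip: distinct user count} for IPs failing legacy auth across many accounts."""
    failures = defaultdict(set)
    for rec in json.loads(log_json):
        if rec["clientAppUsed"] in LEGACY_CLIENTS and rec["status"]["errorCode"] != 0:
            failures[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: len(u) for ip, u in failures.items() if len(u) >= threshold}


if __name__ == "__main__":
    print("Still on legacy auth:", legacy_auth_inventory(SIGNIN_LOG))
    print("Spray-like sources:", legacy_auth_spray_sources(SIGNIN_LOG))
```

The inventory output is what drives the authentication policy rollout: accounts with no legacy sign-ins can be moved to a policy that blocks Basic Auth immediately, while service accounts such as the scanner above need their clients reconfigured for OAuth 2.0 (or replaced) before their exception is removed.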

Read next: Top Secure Email Gateway Solutions
