Introduction 3
Key Takeaways 5
Most notably, the research suggests that cryptojacking will become a serious issue in public cloud environments and
the primary attack vector will be compromised account credentials. In order to get ahead of cybercriminals tomorrow,
organizations need to make a concerted effort towards instituting stringent user access policies and vigilantly
visibility and user activity monitoring, it makes organizations even more vulnerable to breaches, Tesla being a recent
victim.
power in an organization’s public cloud environment. The nefarious network activity is going completely unnoticed due
With GDPR coming into effect in a few months, organizations are under the gun to identify and address these issues as
quickly as possible.
organizations to address vulnerability management in the cloud. Unfortunately, organizations are unable to leverage their
standalone on-premises tools to achieve this, since those tools were not designed for cloud architectures.
compromises
(Simple Storage Service) buckets, there were also a few prominent
AWS account. They used these credentials to login into the AWS
40% around access hygiene. The findings indicate that we can expect
advised to lock away root user access keys and create individual
keys, they discovered that 40% of them had not been rotated in
have more permissive access than is necessary for the role, which creates greater exposure. In the event of an account
compromise, rotating access keys ensures that the window of opportunity available to attackers is finite.
Further investigation by the RedLock CSI team determined that 16% of organizations have users whose accounts have
potentially been compromised. In addition to closely managing access, organizations must also be vigilant about monitoring
user activities within their public cloud environments to detect insider threats or account compromises.
Tips
4. Establish user and access key behavior baselines, and monitor for deviations to detect account
takeovers or malicious insider activity.
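The two practices the report calls for here, rotating access keys on a fixed schedule and baselining what each key normally does, can both be checked mechanically. The following is an added illustration, not RedLock code and not output of any RedLock product; it runs over a constructed credential report (modelled loosely on the columns of an AWS IAM credential report) and constructed CloudTrail-style events. The key IDs, user names, dates and the 90-day threshold are all assumptions chosen for the example.

```python
"""Access-hygiene checks: stale or root access keys, and per-key behaviour baselines.
Added example using constructed data; not code from the report or from RedLock."""
from collections import defaultdict
from datetime import datetime, timezone

# Fixed "now" so that the computed key ages are reproducible (assumption for the example).
NOW = datetime(2018, 2, 1, tzinfo=timezone.utc)

# Constructed sample resembling an IAM credential report. Key IDs are placeholders.
CREDENTIAL_REPORT = [
    {"user": "<root_account>", "key_id": "AKIA...ROOT", "active": True,
     "last_rotated": "2017-03-10T00:00:00Z"},
    {"user": "ci-deployer", "key_id": "AKIA...CI", "active": True,
     "last_rotated": "2017-12-15T00:00:00Z"},
    {"user": "old-contractor", "key_id": "AKIA...OLD", "active": True,
     "last_rotated": "2016-11-01T00:00:00Z"},
    {"user": "analyst", "key_id": "AKIA...AN", "active": False,
     "last_rotated": "2016-01-01T00:00:00Z"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_keys(report, now=NOW, max_age_days=90):
    """Active keys older than max_age_days, as (user, key_id, age_in_days)."""
    out = []
    for row in report:
        if not row["active"]:
            continue  # inactive keys cannot be used, so rotation age is irrelevant
        age = (now - parse_ts(row["last_rotated"])).days
        if age > max_age_days:
            out.append((row["user"], row["key_id"], age))
    return out

def root_keys(report):
    """Active keys attached to the root account; best practice is to have none."""
    return [r["key_id"] for r in report if r["user"] == "<root_account>" and r["active"]]

# Constructed CloudTrail-style events: (key_id, source_country, event_name).
HISTORY = [
    ("AKIA...CI", "US", "ecs:UpdateService"),
    ("AKIA...CI", "US", "ecr:GetAuthorizationToken"),
    ("AKIA...CI", "US", "ecs:UpdateService"),
    ("AKIA...CI", "US", "s3:PutObject"),
]
NEW_EVENTS = [
    ("AKIA...CI", "US", "ecs:UpdateService"),   # matches baseline
    ("AKIA...CI", "RO", "iam:CreateUser"),      # new country and new service
    ("AKIA...CI", "US", "ec2:RunInstances"),    # new service from a known country
]

def build_baseline(events):
    """Per key: the set of source countries and AWS services seen historically."""
    base = defaultdict(lambda: {"countries": set(), "services": set()})
    for key, country, name in events:
        base[key]["countries"].add(country)
        base[key]["services"].add(name.split(":")[0])
    return base

def deviations(baseline, events):
    """Events whose country or service is outside the key's baseline, with reasons."""
    flagged = []
    for key, country, name in events:
        service = name.split(":")[0]
        seen = baseline.get(key)
        reasons = []
        if seen is None:
            reasons.append("no baseline for key")
        else:
            if country not in seen["countries"]:
                reasons.append(f"new source country {country}")
            if service not in seen["services"]:
                reasons.append(f"new service {service}")
        if reasons:
            flagged.append((key, name, reasons))
    return flagged

if __name__ == "__main__":
    for user, key, age in stale_keys(CREDENTIAL_REPORT):
        print(f"rotate: {user} {key} ({age} days old)")
    print("root keys:", root_keys(CREDENTIAL_REPORT))
    for key, name, reasons in deviations(build_baseline(HISTORY), NEW_EVENTS):
        print(f"deviation: {key} {name}: {', '.join(reasons)}")
```

The baseline here is deliberately coarse (country and service family); a production detector would add time-of-day and API-call-rate dimensions, but the structure is the same: learn per-key behaviour from history, then alert on the first event outside it.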
Tesla.
of organizations had network intrusion detection solutions in place. The RedLock CSI
team decided to analyze the implementation of this best practice
across organizations.
Key Findings
most staggering statistic was the fact that 80% of resources are
traffic at all. Best practices dictate that outbound access should be restricted to prevent accidental data loss or data exfiltration.
Upon closer examination, the team discovered that 8% of organizations had cryptojacking activity within their environments.
While this is a small percentage today, we anticipate this will rapidly increase as this technique gains popularity amongst the
hacker community.
The Tesla incident highlights the need for a holistic approach to security in the cloud. A combination of configuration, user
activity, network traffic, and host vulnerability monitoring is necessary to detect advanced threats in public cloud environments.
Tips
2. Monitor ingress and egress network traffic for any suspicious activities.
GDPR readiness
storage services. With the General Data Protection Regulation (GDPR)
services to the public. The good news is that the violation trend is
slowing; last year this number was 53% in October and 40% in
of CIS compliance checks fail 44% of HIPAA requirements, and 32% of SOC 2 best practices.
Tips
1. Ensure cloud resources are automatically discovered when they are created.
2. Implement policy guardrails to ensure that resource configurations adhere to industry standards such as CIS,
SOC 2, PCI, and HIPAA.
3. Integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues.
Meltdown
widespread impact -- virtually affects all modern high-end
Key Findings
83% of vulnerable hosts are receiving suspicious traffic
of vulnerable hosts flagged as compromised by Amazon GuardDuty
are receiving traffic from suspicious locations, suggesting
November 2017, indicates that 15% of these hosts are actually exhibiting activity patterns associated with instance compromise
or reconnaissance by attackers. The notion of vulnerability
management has been around for a long time and in light of the
The crux of the issue lies with the fact that while most
organizations have existing investments in third party vulnerability
scanning tools such as Qualys and Tenable, they are unable to
Tips
1. Correlate vulnerability data with resource configuration data to identify vulnerable hosts.
2. Correlate network traffic data to determine whether the vulnerabilities are actually network exploitable
and prioritize remediation accordingly.
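Both tips describe the same correlation: a scanner finding only matters in proportion to whether the host is reachable and whether anyone is actually reaching it. The following added example (not RedLock code and not a RedLock product feature) joins three constructed datasets, scanner findings, resource configuration and flow-log-style records, and ranks vulnerable hosts accordingly. The instance IDs, addresses, security-group rules and CVE identifiers are placeholders chosen for the example; the scoring weights are an assumption, not anything the report specifies.

```python
"""Prioritise vulnerable hosts by correlating scan findings, resource configuration and
network flow records. Added example on constructed data; not code from the report."""
import ipaddress

# Constructed scanner output: host -> list of (cve_id, attack_vector). IDs are placeholders.
VULN_FINDINGS = {
    "i-web01":   [("CVE-EXAMPLE-0001", "network")],
    "i-db01":    [("CVE-EXAMPLE-0002", "network")],
    "i-batch01": [("CVE-EXAMPLE-0003", "local")],
}

# Constructed resource configuration: public IP and security-group ingress rules "cidr:port".
RESOURCES = {
    "i-web01":   {"public_ip": "203.0.113.10", "sg_ingress": ["0.0.0.0/0:443", "0.0.0.0/0:22"]},
    "i-db01":    {"public_ip": None,           "sg_ingress": ["10.0.0.0/16:5432"]},
    "i-batch01": {"public_ip": "203.0.113.20", "sg_ingress": ["10.0.0.0/16:22"]},
}

# Constructed flow-log-style records: (dst_host, src_ip, dst_port, action).
FLOWS = [
    ("i-web01",   "198.51.100.7", 22,   "ACCEPT"),
    ("i-web01",   "198.51.100.7", 443,  "ACCEPT"),
    ("i-db01",    "10.0.4.12",    5432, "ACCEPT"),
    ("i-batch01", "198.51.100.9", 22,   "REJECT"),
]

# RFC 1918 ranges checked explicitly; ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would misclassify the sample addresses above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def internet_exposed(resource):
    """Exposed if the host has a public IP and at least one ingress rule open to 0.0.0.0/0."""
    if not resource["public_ip"]:
        return False
    return any(rule.split(":")[0] == "0.0.0.0/0" for rule in resource["sg_ingress"])

def accepted_external_flows(host, flows):
    """Accepted inbound flows to host whose source is not an internal address."""
    return [f for f in flows if f[0] == host and f[3] == "ACCEPT" and not is_internal(f[1])]

def prioritise(findings, resources, flows):
    """Rank hosts: network-exploitable CVE (+1), internet-exposed (+2), external traffic seen (+3).
    Local-only vulnerabilities score 0 here; they still need patching but are not network exploitable."""
    scored = []
    for host, cves in findings.items():
        network_cves = [cve for cve, vector in cves if vector == "network"]
        exposed = internet_exposed(resources[host])
        external = accepted_external_flows(host, flows)
        score = 0
        if network_cves:
            score += 1
            if exposed:
                score += 2
            if external:
                score += 3
        scored.append((host, score, len(network_cves), exposed, len(external)))
    return sorted(scored, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    for host, score, n_cves, exposed, n_flows in prioritise(VULN_FINDINGS, RESOURCES, FLOWS):
        print(f"{host}: score={score} network_cves={n_cves} exposed={exposed} external_flows={n_flows}")
```

In the sample, the web host ranks first because all three signals agree; the database host carries a network-exploitable finding but is neither exposed nor receiving external traffic, so it drops well below; the batch host's local-only finding scores zero. Real inputs would come from the scanner export, the cloud provider's configuration inventory and VPC flow logs, joined on instance ID exactly as the dictionaries are here.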
environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security data
sets to provide comprehensive visibility, detect threats, and enable rapid response across fragmented cloud
environments. With RedLock, organizations can ensure compliance, govern security, and enable security operations
The RedLock Cloud Security Intelligence (CSI) team consists of elite security analysts, data scientists, and data
engineers with deep security expertise. The team’s mission is to enable organizations to confidently adopt public cloud
by researching cloud threats, advising organizations on cloud security best practices, and frequently publishing out-of-
The CSI team has discovered millions of exposed records that contain sensitive data belonging to dozens of
organizations ranging from small businesses to Fortune 50 companies. The team notifies the affected organizations and
Report Methodology
The data in this report is based on analysis across the public cloud environments monitored by RedLock, which
comprise over twelve million resources that are processing petabytes of network traffic. In addition, the team also
Raymond Espinoza
To learn more:
Call: +1.650.665.9480, Visit: www.redlock.io
© 2018 RedLock Inc. All rights reserved.