The last decade has seen tremendous democratization of IT and with it the rise of diversity amongst cloud environments. Most security companies have vilified the spread of IT services across a large number of vendors, but this diversity isn’t something we should fight. Rather, our research with CISOs indicates that while an increased number of vendors complicates security practices, the democratization of IT enables an innovation-led culture and the use of specialized, cost-effective cloud services, which helps businesses long term.
While we shouldn’t fight cloud diversity, organizations do need to actively manage and monitor dynamic resources spread across a diverse set of providers and be continually monitoring for new ShadowCloudTM assets so they can be actively discovered, tracked, and placed in a managed security state. This is an approach we call Continuous Inventory, where both top-notch discovery and continual monitoring is key to keeping pace with the rapid rate of change of your cloud environments.
There are several approaches to wrapping your hands around what assets you have in the cloud which we will go over below:
- Traffic Monitoring: In this mode all traffic exiting egress points in a corporation are monitored for destination into a set of known cloud environments. This works really well for catching issues in real-time, however it can be noisy and these systems only catch traffic where you’ve properly configured your egress points across an entire organization. For many large organizations this may not ensure 100% coverage nor would it cover infrastructure stood up by 3rd parties or those employees working from home not tunneling through corporate infrastructure. And as we know, developers/devops and marketing whom we see produce many of the unknown assets for our customers want to move quickly to get their job done and will spin up infrastructure with the least path of resistance and many times forget about it.
- Integrations: In this model, companies integrate all their internal signals into a single point where various software like ActiveDirectory, Endpoint Protection, VPN, CMDB, and other software meet in a single data model. While traditional SIEM products do something similar they don’t normalize this into a single source of truth for asset management. These models work well if you have thorough integrations but they also suffer from the garbage-in, garbage out paradigm. They are unlikely to do as well with assets spun up by 3rd parties, remote workers, and unsanctioned assets. Integrations are a necessary part of contextualizing information from some of the other discovery methods described herein so you can take action on them.
- Cloud Monitoring Tools: In this model a set of api integrations into the primary cloud providers provides deep insight into the assets spun up in those environments. Many of these tools are interacting with the cloud environment configuration not really assessing what’s actually going on with the host itself. These go very deep to find risks in known cloud providers using configuration data, however they often fail to find shadow accounts in those known providers and unknown cloud providers, or what we call ShadowCloudTM.
- Internet Wide Perspective: At Censys, we take a different approach to the models we went over above. We look at the entire Internet through years of academic research done at the University of Michigan that allows us to discover, track, and monitor every device publicly exposed to the Internet. In fact – tooting our own horn – we see over 40% more of the Internet than our nearest competitor. This is key to finding all the long-tail stuff out there which is where all the risks are hiding in the shadows. Using an algorithm we’ve spent years developing, we are able to use this data along with other datasets to associate or attribute the assets that belong to an organization. Think names, certificates, WhoIS data, acquisition databases, etc. The algorithm uses our Universal Internet Datasets to pivot off everything we find to build a graph of an organization. The neat thing is we see not only infrastructure spun up from within the organization but we are also able to find infrastructure spun up by 3rd parties, workers from home, and even infrastructure attackers have spun up to impersonate your organization. It will find infrastructure not seen through integrations and traffic monitoring alone. Finally, it allows us to do cool research across multiple companies and the Internet!
ShadowCloud is the norm. In a representative sample of over 50 large organizations, we found the top public and private cloud providers supplying a mixture of IaaS, PaaS, SaaS, and CDN’s. We were able to associate our sample’s attack surfaces with the following cloud service providers:
Shocking, right? And this list gets even longer but this is a good sample. Some of those might even cause significant compliance headaches. We hear our customers typically know the top 3-5 cloud providers, but are astonished to find they have a long tail of cloud providers as part of their attack surface. Our research shows that this long tail of unknown cloud instances most often contains some of the highest risks for data leakage and unauthorized access.
We believe a combination of asset discovery, using some of the best of breed techniques described above, combined with an Internet-wide perspective, is the only approach to find all of your assets and their risks. Attack surface management is about discovering all of your external assets and their risks, but most importantly to provide visibility into the rapidly increasing and dynamic cloud ecosystem. At Censys, we are the attack surface management for those migrating to the cloud and looking to baseline your externally facing assets to get your shadow cloud in a managed state.
Reach out to us and we will be ecstatic to dig in with you on what your cloud long tail looks like — chances are you might be very surprised.
