Five Ways Big Data Protects Cloud Accounts Against Cyber Threats

Leveraging Big Data for Enhanced Protection of Cloud Accounts Against Cyber Criminals

Cyber criminals have become relentless in their attacks against cloud accounts. They use every trick in the book to compromise cloud accounts. After gaining access, they launch internal phishing, data theft and email fraud through such accounts. Of late, they have intensified brute force attacks to guess passwords and exploit weak authentication. Today, about 45% of all attacks are cloud-based. In 2022, about 80% of enterprises experienced at least one cloud-based attack. 

Cyber security experts have identified Big Data analytics as an effective way to identify and stop attackers. 

1. Unearth threat patterns 

Leveraging big data to protect cloud accounts involves advanced analytics. Machine learning algorithms analyse large volumes of data in real-time to unearth threat patterns. Adopt a four-step approach:

Step 1: Aggregate relevant data. This includes application log files, user activity, and network traffic data. Collect the data in real-time to enable immediate response to potential threats.

Step 2: Make the collected data analytics-ready. Cleanse and integrate the data into a unified format to make it analysis-ready. Integrate data from diverse sources into a central repository, or use APIs to connect different sources and ensure free data flow.

Step 3: Analyse the data. Subject the cloud traffic to analytics to ensure foolproof security. Two popular approaches include data loss prevention (DLP) and user behaviour analytics (UBA). DLP focuses on the data. UBA provides the context to evaluate user behaviour and focus on the user. 

Data loss prevention tools control sensitive business information and enforce compliance. DLP tools learn data usage patterns and protect sensitive data from loss, leaks and breaches. They look out for transmissions that violate the usual patterns and block them. Such an approach meets compliance mandated by regulatory authorities and internal company policies. 

The success of DLP depends on easy classification of the data. The DLP tool scans the data for sensitive information and blocks data transmission upon detecting it. But much of today’s enterprise data does not lend itself to easy identification as sensitive data.

User behaviour analytics fills in for such limitations. UBA identifies suspicious activity. 

The algorithms identify patterns of user behaviour associated with compromised accounts. Examples include the user logging in from unusual locations or trying to access sensitive data for which they do not have access rights. As a best practice, generate models representing normal behaviour and detect outliers.

Another analytics layer is Cloud security posture management (CSPM). CSPM monitors cloud services and infrastructure to highlight compliance and security gaps. CSPM tools detect and fix misconfigurations and incorrectly enforced policies. System admins use CSPM tools to visualise their cloud infrastructure in a single pane. 

Step 4: Identify the threat and take effective countermeasures. Identifying threats is useless without an action plan to overcome the same. Success depends on analysing the login event in near-real time to remove malicious actors before they cause damage. Without timely action, bad actors create hidden entry points and infiltrate at will later. 

Flag or lock accounts associated with suspicious activities for further investigation. For clarity and quick action, make sure the company policy details a recommended course of action. 

The best course of action depends on the unique circumstances surrounding the company and the account. For instance, a compromised system admin account may warrant the shutdown of the entire network. But changing the access credentials may suffice for an employee with no access to sensitive information. 
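The four steps above, carried through end to end on a handful of constructed login records, as an added example (this is illustrative code, not the article's or any vendor's product): Step 1 aggregates raw events, Step 2 normalises them, Step 3 scores each login against the user's own baseline (location and hour of day), and Step 4 maps the finding to a policy action. The log format, field names, thresholds and the role table are assumptions. One detail worth copying: the baseline for an event deliberately excludes that event, otherwise an outlier would teach the model that its own behaviour is normal.

```python
"""Toy user-behaviour-analytics (UBA) pipeline over constructed cloud login events.

Added example; not code from the article or from any product it mentions.
The log format, field names, thresholds and the role table are assumptions
chosen for illustration.
"""
from datetime import datetime

# Step 1: aggregated raw events (constructed sample). In practice these stream
# in from the identity provider or the cloud audit log.
RAW_LOG = """\
2024-03-04T09:02:11Z user=alice ip=203.0.113.10 geo=GB result=success
2024-03-04T09:15:40Z user=alice ip=203.0.113.10 geo=GB result=success
2024-03-05T08:58:03Z user=alice ip=203.0.113.11 geo=GB result=success
2024-03-06T09:05:27Z user=alice ip=203.0.113.10 geo=GB result=success
2024-03-06T03:41:09Z user=alice ip=198.51.100.7 geo=XX result=success
2024-03-04T10:00:00Z user=bob ip=192.0.2.5 geo=DE result=success
2024-03-05T10:30:00Z user=bob ip=192.0.2.5 geo=DE result=success
2024-03-06T11:00:00Z user=bob ip=192.0.2.6 geo=DE result=failure
"""

# Constructed role table used in Step 4 (assumption: HR or the IdP supplies it).
ROLES = {"alice": "admin", "bob": "employee"}

HOUR_TOLERANCE = 2  # hours of drift allowed from any previously seen login hour


def parse_events(text):
    """Step 2: normalise each raw line into a dict with a typed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def score_event(event, history):
    """Step 3: compare one event against that user's *other* successful logins.

    Returns a list of flags; an empty list means the event looks normal.
    """
    others = [e for e in history
              if e["user"] == event["user"]
              and e["result"] == "success"
              and e is not event]
    if not others:
        return ["no_baseline"]
    flags = []
    if event["geo"] not in {e["geo"] for e in others}:
        flags.append("new_geo")
    hour = event["time"].hour
    if all(abs(hour - e["time"].hour) > HOUR_TOLERANCE for e in others):
        flags.append("unusual_hour")
    return flags


def recommend_action(user, flags):
    """Step 4: pick a response from the (assumed) company policy table."""
    if not flags or flags == ["no_baseline"]:
        return "none"
    if ROLES.get(user) == "admin":
        return "lock_account_and_escalate"
    return "reset_credentials"


def run_pipeline(text=RAW_LOG):
    """Return (user, timestamp, flags, action) for every event with a finding."""
    events = parse_events(text)
    findings = []
    for event in events:
        flags = score_event(event, events)
        action = recommend_action(event["user"], flags)
        if action != "none":
            findings.append((event["user"], event["time"].isoformat(), flags, action))
    return findings


if __name__ == "__main__":
    for finding in run_pipeline():
        print(finding)
```

On the sample data only alice's 03:41 login from an unseen country is flagged, and because alice is in the admin role the policy table escalates rather than merely resetting credentials; bob's single failed login from his usual country and hours produces nothing, which is the behaviour you want from a baseline-driven detector.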


2. Enforce supporting actions

Data analytics is an effective way to stop cyber criminals from compromising cloud accounts. But relying on any one approach is risky. Today’s cyber criminals use sophisticated and innovative ways to breach cyber defences. Effective protection depends on a layered approach. Reinforce threat identification through data analytics with the following measures.

  • Conduct network audits and penetration tests regularly. Granular audits, through SIEM and other forensics tools, pick up true positive alerts that the monitoring system may miss.
  • Implement multi-factor authentication (MFA) to access cloud accounts. Co-opting biometrics into the mix makes access control stronger and safer. Granular access controls, including single sign-on (SSO), offload authentication tasks to the enterprise. Enterprises can maintain control of data access even with the data spread across multiple providers.
  • Make sure the cloud service provider encrypts data at rest and in motion. Encryption offers additional protection in the worst-case scenario of attackers breaching the account. 

3. Use appropriate tools

The huge volume of traffic and sophisticated nature of threats make threat detection and remediation impossible using conventional network monitoring tools. The latest automated threat detection tools leverage data to correlate threat intelligence across known threat infrastructure, prior credential dumps, phishing attempts, brute-force campaigns, and other threats. 

Enterprises can place cloud access security broker (CASB) tools between the cloud service providers and users. These CASB tools interject enterprise security policies when enterprise users access cloud-based accounts.

CASB tools allow enterprises to govern cloud usage. They offer enterprises:

  • Visibility and control across managed and unmanaged cloud services.
  • Ability to enforce rules to meet compliance and other requirements. For instance, healthcare providers can apply HIPAA rules, and retailers can apply PCI compliance rules. 
  • Data security. Enterprises may enforce sophisticated data security mechanisms such as document fingerprinting, logging context such as user, location and activity against data access, and more. 
  • Threat protection through real-time scanning and remediation of threats across internal and external networks.

Proofpoint is one good tool that fits the bill for most enterprises, big or small. The tool offers comprehensive protection, facilitating cloud gap analysis, anomaly detection, user analytics, access control, data encryption, mobile device management, cloud registry services, and more. 

Proofpoint’s CASB tool detects cloud account takeover attempts in real time and stops the threat actors in their tracks.

Proofpoint’s Brute-Force Attacks Detector monitors cloud activity and accumulates data on all logins. The centralised server processes billions of login events daily. It filters them through multiple detection systems to detect account takeover attempts. The proprietary algorithm matches each login event to a list of known brute-force IPs. On a positive match, it takes the recommended action. The system creates an up-to-date list of the IPs used worldwide to launch brute-force attacks. As the list gets updated, the tool gets better every day.
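The two mechanisms the paragraph describes, matching each login against a list of known brute-force source IPs and growing that list from what the detector itself observes, written out as an added example over a constructed event stream. This is illustrative code, not Proofpoint's detector or algorithm; the event shape, the 60-second window, the failure threshold and the seeded IP list are assumptions. A success from an IP that is already on the list is treated as a takeover signal and locks the target account rather than just dropping the request.

```python
"""Toy login-event filter: known-IP matching plus a sliding-window failure
counter that feeds new offenders back into the list.

Added example; not Proofpoint's code. Event shape, window, threshold and the
seeded IP list are constructed assumptions.
"""
from collections import defaultdict, deque

# Constructed sample: (seconds since start, source IP, target user, success?)
LOGIN_EVENTS = [
    (0, "203.0.113.10", "alice", True),
    (5, "198.51.100.9", "alice", False),
    (7, "198.51.100.9", "bob", False),
    (9, "198.51.100.9", "carol", False),
    (11, "198.51.100.9", "dave", False),
    (13, "198.51.100.9", "erin", False),     # 5th failure inside the window
    (15, "198.51.100.9", "frank", False),
    (20, "198.51.100.9", "alice", True),     # guessed right after the burst
    (30, "192.0.2.44", "bob", True),         # success from a pre-listed IP
    (40, "203.0.113.10", "alice", False),    # single typo from alice's usual IP
]

# Seeded list (constructed). In a real deployment it is fed from threat
# intelligence and from the detector's own prior findings.
KNOWN_BRUTE_FORCE_IPS = {"192.0.2.44"}

WINDOW_SECONDS = 60
FAILURE_THRESHOLD = 5


class BruteForceDetector:
    def __init__(self, known_ips, window=WINDOW_SECONDS, threshold=FAILURE_THRESHOLD):
        self.known_ips = set(known_ips)
        self.window = window
        self.threshold = threshold
        # ip -> timestamps of failures still inside the sliding window
        self.failures = defaultdict(deque)

    def observe(self, t, ip, user, success):
        """Classify one login event: 'allow', 'block' or 'block_and_lock_user'."""
        if ip in self.known_ips:
            # A successful login from a listed IP means the guess worked:
            # stop the session and lock the account for investigation.
            return "block_and_lock_user" if success else "block"
        recent = self.failures[ip]
        if not success:
            recent.append(t)
        while recent and t - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            # Feedback loop: the list improves as the detector runs.
            self.known_ips.add(ip)
            return "block"
        return "allow"


def run(events=LOGIN_EVENTS, known_ips=KNOWN_BRUTE_FORCE_IPS):
    """Return the per-event actions and the IP list as it stands afterwards."""
    detector = BruteForceDetector(known_ips)
    actions = [detector.observe(*event) for event in events]
    return actions, detector.known_ips


if __name__ == "__main__":
    actions, learned = run()
    for event, action in zip(LOGIN_EVENTS, actions):
        print(f"t={event[0]:>3} ip={event[1]:<14} user={event[2]:<6} -> {action}")
    print("known brute-force IPs:", sorted(learned))
```

The first four failures from 198.51.100.9 are allowed through (a user mistyping a password looks the same), the fifth trips the threshold and lists the IP, and the later successful login from that IP is blocked with the account locked. alice's lone failure from her usual address at the end never comes near the threshold, which is the false-positive case a per-IP window is meant to avoid.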

Proofpoint protects against insider threats that most security deployments cannot identify or stop. Today, 30% of data breaches are insider-driven, and the cost of such insider security threats has doubled over the last three years. Proofpoint’s advanced monitoring tools correlate user activity and data movement. They offer deep and accurate insights into malicious actors. Empowered security teams can identify user risk and detect insider-led data breaches promptly. They can effect real-time security incident response.

Tools such as Proofpoint become effective by dint of their continuous learning capabilities. The underlying algorithms learn from the data they collect and the responses they make. The models update based on the latest data and feedback. This way, the system identifies new threats and changes in user behaviour to protect cloud accounts from the latest and most persistent threats.

Read on for an insight into the top security best practices for hybrid and multi-cloud models.
