How Can CISOs Effectively Tackle Shadow IT Apps and Reduce Risk in The Cloud?

Bartosz Urban | October 2, 2019

In the age of the Internet of Things (IoT), enterprise access to the cloud has increased in popularity, a blessing that allows for more flexibility and productivity around the world. With everything stored online and cloud apps free from most restrictions, as they do not require installation and are accessible 24×7 from virtually anywhere, operations are becoming more and more efficient. This comes at a price, though: the number of entry points ready to be abused by malicious actors is soaring, thanks to the constant connectivity.

One of the biggest problems for organizations is the sheer number of things happening in the cloud. The ever-growing ecosystem, with new tools and additions creeping in from everywhere, is difficult to control. According to the 2019 Symantec Cloud Security Threat Report, CISOs (Chief Information Security Officers) who took part in the survey believe their organizations use 75% fewer cloud apps than they do in reality. Loss of visibility means that whatever happens with those apps, they cannot see it, and turning a blind eye to three-quarters of the cloud network movement is a risk no one should be complacent about.

What harm can shadow cloud apps do? In a recent example, a major PDF browser plugin was the subject of a leak in which almost 25 million data records (including names, location and password hashes) were stolen and put up for sale on a hacker forum. We tend to think of small plugins doing basic tasks as innocuous, and many organizations lack company-wide policies regarding what their employees can or cannot install inside their browsers.

Times are changing. Entire industries are being transformed by the growing trend of IT and OT convergence, and it is difficult to achieve a full understanding of the required processes just yet, especially with insufficient insight into the network. Many businesses do not employ any visibility tools that monitor what comes in and goes out, even though such tools make it easier to control what kind of apps have access to cloud assets. Visibility tools also gather valuable data for analysis and future reference, so organizations can learn and track movement patterns. Based on this data, any unusual traffic would raise immediate suspicion, improving response time and contributing to a better cybersecurity strategy. Employing new tools requires resources, including proper training and budgeting, and it's important to see those as crucial investments.

Change doesn't come easy, and it doesn't come cheap. The biggest bottleneck in upgrading security measures is usually the mindset of the people responsible; we are more stubborn than we would expect ourselves to be. CISOs need to think like developers: the surroundings are constantly mutating, and so are the risks we face. To address this challenge, our methods must evolve. Educating ourselves and staying in the know is a key factor in keeping up with cyberthreats, especially when we know very little about the new resources on the cloud.

This doesn’t mean that security officers need to be the brains behind everything—the “data deluge” that is created every day from network traffic and connected devices is simply too much for anyone to handle. Most of it is just business as usual, or background noise. That’s why it’s important to employ technology-enabled solutions that know exactly what to look for and will alert us to any abnormalities. If a new app is installed on our corporate cloud, its traffic will register as a deviation from the regular usage—and we can start gathering information on how it behaves normally, and what is considered “safe” in this context. This can prove very useful in a shadow attack scenario that may come in the future.

Last, but not least: once we get over the initial hurdles, we need to spread awareness further. It's important to be vigilant in our actions and support others in doing the same. CISOs are responsible for the safety of their organizations and employees, so it's important to remind everyone to keep an open mindset: be aware of what you're doing online, embrace new ways of securing yourself and keep yourself up to date. Malicious people waiting to attack us are not wasting their time, so neither should we.

There are multiple frameworks that act as a checklist of good practices and a source of knowledge when it comes to dealing with cyber risks. By standardizing the risk language internally, reviewing your cyber risk insurance strategy and setting clear goals, it's easier to effectively assess risk and prepare for possible threats. The FAIR Institute, a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk, provides its know-how for effective risk management, and Forescout supports its methodology as an open and structured framework for communicating risk and prioritizing mitigation plans.

This article is just a brief introduction and an excerpt from a recent webinar presented by Forescout with Jack Jones, Chairman of the FAIR Institute and Gaurav Pal, CEO of stackArmor.