Security monitoring can help your IT security team find threats lurking in plain sight among your legitimate network activity. In fact, you can even automate your security monitoring to alert you when it recognizes a threat without the need for direct threat hunting.
However, do you know what to look for with your security monitoring? What threats require constant vigilance? Above all, what are the telltale signs of these digital threats?
With the help of AT&T Cybersecurity, which offers security monitoring insights into Office 365 and Amazon Web Services, we share the top 6 threats!
1. Improper Platform Setup
No one can overstate the dangers of improper platform setup. Indeed, platform misconfiguration is one of the most recurring dangers for businesses of all sizes in the cloud.
For those unaware, platform misconfiguration happens in hybrid or cloud environments. In these cases, the storage or compute configurations of cloud server instances make them vulnerable to breaches.
A classic example: if a user can access your AWS S3 bucket from their browser, this demonstrates a platform misconfiguration. Unfortunately, this problem remains pervasive among companies migrating to the cloud.
Your security monitoring should look for any signs of misconfiguration, either on the cloud itself or by examining its access settings.
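To make the S3 check concrete, here is an added example (not from the article or from AT&T Cybersecurity) that evaluates the three artefacts you would normally pull with `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`, and reports whether anyone on the internet can reach the bucket. The policy, ACL grants and bucket name are constructed sample data.

```python
import json

# Grantee URIs that make an ACL grant readable by the whole internet / any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_wildcard(principal):
    """True when a statement's Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Allow statements that grant access to any principal; a Condition block is noted, not trusted."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            suffix = " (conditional)" if stmt.get("Condition") else ""
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows any principal{suffix}")
    return findings

def public_acl_grants(grants):
    """ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    return [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in grants
            if g.get("Grantee", {}).get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def assess_bucket(policy_json, grants, public_access_block):
    """Return (status, findings). Public grants count as 'blocked' only when all four
    Public Access Block settings are on; otherwise the bucket is EXPOSED."""
    findings = public_policy_statements(policy_json) + public_acl_grants(grants)
    if not findings:
        return "ok", []
    blocked = all(public_access_block.get(k, False) for k in PAB_KEYS)
    return ("blocked" if blocked else "EXPOSED"), findings

# Constructed sample data: a world-readable policy plus a public-read ACL and no Public Access Block.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]
NO_BLOCK = {k: False for k in PAB_KEYS}
print(*assess_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, NO_BLOCK))
```

Feed it the JSON the CLI returns for each bucket in your inventory and alert on any `EXPOSED` result; a `blocked` result still deserves a ticket, since the exposure returns the moment someone relaxes the Public Access Block.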
Speaking of which…
2. Unauthorized Access
With unauthorized access, SIEM, security monitoring and identity management work together to keep your business secure. Above all, remember this: it doesn’t matter what kind of security protocols you have in place if a hacker has stolen credentials. If you don’t monitor unauthorized access or stolen credentials, hackers win every time.
Additionally, stolen credentials and unauthorized access can end up creating more lasting and devastating damage in the long run. This could lead to financial theft, intellectual property theft and even network destruction.
Therefore, your security monitoring must look for unauthorized access. In particular, it should look for multiple failed login attempts, unusual access request times or locations, and unusual behavior during login.
3. Insecure APIs
Basically, APIs enable automated transfers and usage of data between disparate services. In a cloud environment, APIs contribute to digital scalability and efficiency across cloud and hybrid environments.
However, APIs can suffer from the same problem as S3 buckets: misconfiguration. Specifically, a misconfigured API can cause data traffic to move to more vulnerable network areas, to unauthorized users, or into the hands of hackers.
Thus, your security monitoring solution should look for any anomalies in the data traffic output from the APIs. In addition, it must look for any user modifying the configuration rules of your APIs; anyone doing so without permission poses a threat to your organization.
4. Dangerous admin actions
Of course, all privileged user activity must be subject to strict security monitoring at all times. No exceptions. Any discrepancy in behavior or in access requests must trigger security protocols to guarantee the authenticity and good intentions of users.
Power user accounts can do much more than regular user accounts. They can completely alter your business processes, access proprietary information, and potentially steal your finances without your legacy solutions noticing. Imagine what a hacker or insider threat could do with that power.
As such, your security monitoring should look for all attempts to escalate privileges, role changes, and changes to access rights; these are serious red flags. Additionally, your security monitoring should alert you if it detects new user creations, repeated user deletions, and configuration changes.
In particular, note how configuration changes keep popping up as a major warning sign of threats.
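The login signals of section 2 (failed-login bursts, unusual times and locations) and the privileged-action signals of section 4 (user creation, policy attachment, access-right changes) are detected by the same kind of rule, so here is one added example covering both. It is not code from the article or from AT&T Cybersecurity; it runs over constructed events in a CloudTrail-like shape (the field and event names are real CloudTrail ones, every value is made up), and the working-hours and known-IP baselines are assumptions you would replace with your own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baselines (constructed): normal working hours and the IPs each user usually logs in from.
BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 UTC
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.5"}}
# Event names that change who can do what: the privilege, role and access-right changes of section 4.
PRIVILEGED_EVENTS = {"CreateUser", "DeleteUser", "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                     "UpdateAssumeRolePolicy", "CreateAccessKey", "PutBucketPolicy"}

def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Run the rules over CloudTrail-shaped events; returns (rule, subject, detail) tuples in time order."""
    alerts, failures = [], defaultdict(list)      # failures: source IP -> recent failed-login times
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ip, user = ev.get("sourceIPAddress"), ev.get("userIdentity", {}).get("userName", "?")
        if ev["eventName"] == "ConsoleLogin":
            recent = [t for t in failures[ip] if ts - t <= window]   # forget failures outside the window
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                recent.append(ts)
                if len(recent) == fail_threshold:                    # fire once per burst, not per failure
                    alerts.append(("failed_login_burst", ip, f"{fail_threshold} failures within {window}"))
            else:
                if recent:   # a success right after a run of failures is the classic guessing signature
                    alerts.append(("login_after_failures", user, ip))
                if ts.hour not in BUSINESS_HOURS:
                    alerts.append(("off_hours_login", user, ev["eventTime"]))
                if ip not in KNOWN_IPS.get(user, set()):
                    alerts.append(("new_source_ip", user, ip))
            failures[ip] = recent
        elif ev["eventName"] in PRIVILEGED_EVENTS:
            alerts.append(("privileged_change", user, f"{ev['eventName']} {ev.get('requestParameters', {})}"))
    return alerts

def _login(t, user, ip, ok):   # builds a constructed ConsoleLogin event
    return {"eventTime": t, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"userName": user},
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}

# Constructed sample: five failures from one IP, a success from it at 02:12, then a new user is created
# and handed AdministratorAccess from the same IP. Every value here is made up.
SAMPLE_EVENTS = [_login(f"2024-03-01T02:0{i}:00Z", "alice", "198.51.100.7", False) for i in range(5)] + [
    _login("2024-03-01T02:12:00Z", "alice", "198.51.100.7", True),
    {"eventTime": "2024-03-01T02:15:00Z", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-03-01T02:16:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]
```

On the sample the burst, the post-burst success, the off-hours and new-IP logins, and both IAM changes each produce an alert; together they form exactly the sequence the two sections warn about, which is why a SIEM should correlate them by source IP and user rather than evaluate each rule in isolation.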
5. File access and sharing
File sharing doesn’t just happen through APIs. It happens through everyday business processes, and there are so many of them that most people can’t keep track of them all. However, your security monitoring solution must. Imagine how easily hackers could interrupt or disrupt your file sharing protocols; they could obtain sensitive assets with relatively little effort.
Therefore, your security monitoring solution should monitor major or minor policy changes to your infrastructure or network components. Additionally, it should monitor changes in user access to files, deleted files, and configuration changes.
6. Malicious actors or malware
As we come to the end of our list, we need to recognize an often overlooked truth in modern cybersecurity. Sometimes the thing you need to watch out for is, in fact, the obvious villain.
Attacks based on absolute access continue to increase. However, traditional malware such as ransomware continues to see use. Additionally, less traditional digital threats such as fileless malware are growing in popularity. Finally, known bad actors still use old-fashioned communication techniques to exploit commercial networks.
Your company’s security monitoring should keep an eye out for signs of known bad actors and send immediate alerts if it discovers evidence. Of course, this may seem simple. Yet the simplest things often end up being the most overlooked.
Thanks to AT&T Cybersecurity’s white papers on Office 365 and AWS security monitoring for helping with this article. If you want to learn more, check out our own SIEM resources: the Buyer’s Guide and the Vendor Map!