80 percent of security alerts come from users repeating the same mistakes
Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, published Volume 7 of its Unit 42 Cloud Threat Report. The report looked at more than 1,300 organisations. It analysed the workloads in 210,000 cloud accounts, subscriptions, and projects across all major Cloud Service Providers (CSPs), providing a multifaceted view of cloud security to security leaders and practitioners.
As the MyGovCloud Initiative, part of Malaysia’s Digital Economy Blueprint (MyDigital), aims to drive digital transformation in the public sector by targeting 80% cloud storage usage this year, the rate of cloud migration is expected to continue to surge. However, this also means that threat actors are on the lookout to exploit common issues that arise in cloud environments, such as misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities, and malicious open-source software packages.
“The complexity of managing hybrid and multicloud environments, paired with the fast evolution and growth of cloud workloads, continues to create significant opportunities for adversaries to gain a foothold in the cloud,” said Steven Scheurmann, Regional Vice President, ASEAN at Palo Alto Networks. “As organisations store and manage more data in the cloud, the attack surface grows exponentially, often in unknown or improperly secured ways. Threat actors have become adept at exploiting common, everyday issues in the cloud, which is why, unlike previous reports that examined a single threat, this report zooms out to look at the bigger, more expansive problem.”
Some of the key findings from the report include:
- Cloud users repeat common mistakes, which trigger most security alerts. In most organisations’ cloud environments, 5% of the security rules trigger 80% of the alerts. Organisations have a small set of risky behaviours in their cloud workloads, such as unrestricted firewall policies, exposed databases, and unenforced MFA. Prioritising remediation of these issues can maximise security investments.
- Security alerts take too long to resolve. It takes an average of 145 hours (6 days) for security teams to resolve an alert, providing a lengthy window of opportunity for potential adversaries.
- Sensitive data in the cloud is at risk. Sensitive data is found in 66% of storage buckets and 63% of publicly exposed storage buckets, and is vulnerable to insider and external threats. The lack of insight into stored information makes it difficult to protect sensitive data from being accidentally leaked.
- Leaked credentials are pervasive and central to cloud breaches. 83% of organisations have hard-coded credentials in their source control management systems, and 85% have hard-coded credentials in virtual machines’ user data. Credential access continues to be a common tactic across all cloud threat actors.
- MFA is not enforced for cloud users. 76% of organisations don’t enforce MFA for console users, and 58% don’t enforce MFA for root/admin users, making console access susceptible to brute-force attacks.
- Attacks on software supply chains are on the rise. More than 7,300 malicious OSS packages were discovered in 2022, impacting tech giants and other organisations.
- Managing code dependencies is challenging. 51% of codebases depend on over 100 open-source packages, and only 23% are directly imported by developers. Vulnerabilities are introduced by non-root packages, which can pose risks to the entire cloud infrastructure.
- Unpatched vulnerabilities are a low-hanging fruit for attacks. 63% of codebases in production and 11% of public cloud hosts have high or critical unpatched vulnerabilities, posing risks to the entire cloud infrastructure.
Organisations should expect the cloud-native attack surface to expand as threat actors find new ways to target cloud infrastructure misconfigurations, APIs, and software supply chains. To enhance security against these threats, the industry will see a shift towards cloud-native application protection platforms (CNAPPs) that provide comprehensive capabilities throughout the application development process. This prediction is underscored by Gartner, which reported a 70% jump in client inquiries regarding CNAPPs from 2021-2022.
Steven Scheurmann, Regional Vice President, ASEAN, at Palo Alto Networks, shared that cloud-ready security measures such as the Zero Trust approach must be implemented to help businesses identify and neutralise threats in real time.
“As cloud usage increases in Malaysia and around the world, threat actors take advantage of undiscovered weaknesses and vulnerabilities in this technology to attack organisations.” With an average of 145 hours for teams to resolve a security alert, these malicious attackers have enough time to compromise the shared software supply chain and ambush large numbers of victims simultaneously. Therefore, it’s significant to contain these threats from the very start by eliminating implicit trust and continuously verifying access at every stage to mitigate the impact of threats.
Download a copy of the “Unit 42 Cloud Threat Report, Volume 7.”
Additional Resources
- Gartner® Market Guide for Cloud-Native Application Protection Platforms – Palo Alto Networks
- Unit 42 Cloud Threat Report, Volume 6 – Palo Alto Networks
- The State of Cloud-Native Security Report 2023 – Prisma Cloud
- Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.
About Unit 42
Palo Alto Networks Unit 42 brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organisation that’s passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against the right threats, transform your security strategy with a threat-informed approach and respond to incidents in record time so that you get back to business faster. Visit paloaltonetworks.com/unit42.
About Palo Alto Networks
Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyberthreats, so organisations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we’re committed to helping ensure each day is safer than the one before. It’s what makes us the cybersecurity partner of choice.