Comprehensive Credential Compromise Protection for Mid-Market CIOs

Cloud app security is a major item that CIOs need to pay attention to moving forward. How often do you ask yourself, ‘Is Cloud App Security for you?’ In this clip of my conversation with Shannon Emmons, Sr. Product Manager at SonicWall, she shares her expertise on this topic.

API-based security is a big deal for SonicWall and is part of many of their solutions. The SonicWall Cloud App Security suite is a way to secure cloud and SaaS apps such as Box, Office, Dropbox and Salesforce. It is also a major thesis for RedZone Technologies as part of cloud security moving forward. As you listen to this section, keep the question at hand in mind: is Cloud App Security for you?

RedZone Technologies’ goal is to help businesses secure their networks and keep their data safe. We offer a broad range of progressive IT security programs, tools and solutions to give our customers peace of mind. Contact my team today: (410) 897-9494 | myteam@redzonetech.net.

The full transcript of this conversation can be found below:

Shannon:   Here’s a story I like to share. One of my former executives mentored me quite a bit, and one of the things that he taught me, and I always come from a very customer-focused approach, but one of the things that he did teach me was focusing on the customer outcome. What’s the value for the customer? Because nobody cares about your next new widget if it doesn’t solve a problem. That’s true. I mean, it’s absolutely true.

Bill:            Instead of looking for a solution, looking for a problem to solve.

Shannon:   Exactly. I always look at, what can we bring to the customer and make their lives easier. Having worked in this space for a long time, I’ve seen the challenges that administrators face with multiple products and bolted-on technologies and pieced together infrastructures. When I look at products and we look at business requirements as a whole within SonicWall, we look at how we make this easiest for the customer and still solve the problem in the least amount of steps for them.

Bill:            That’s interesting. I didn’t think about that from that perspective. You’re right, sometimes the software vendors have solved it by glue-ware, like we’re just going to glue these two technologies together and call it our new system.

Shannon:   Yes, I love cloud’ified technologies.

Bill:            Cloud’ified. That’s another good one. Let’s talk about Cloud App Security. In particular, the problem that a CIO would have with users that want to use Box, Dropbox, whether or not they’re asking for permission. They’re using Dropbox, OneDrive, they’re using SharePoint, Teams. I just left the Microsoft conference and from Satya all the way down, they’re talking Teams. SharePoint was their big mother lode many years ago. Teams is that for them moving forward; literally the reps are being compensated, they want, what are they calling it, workloads or subscriptions or something like that. They want more people on Teams. How does SonicWall fit in with helping a CIO be able to have data in their organization proliferate, move into Teams, move into other SaaS apps like Box? How does that work and what problems does SonicWall solve?

Shannon:   Yes, that’s a great question. One of the things that we see across the SaaS industry, as customers make their migration to cloud, is that security is oftentimes an afterthought, right? Particularly when you look at things like Box or Dropbox or some ad hoc app of the day. Somebody needed it at that point in time and now they’ve used it, and your IT staff may know, or they may not know. You may have company data out there that you may or may not know about. It’s at risk for a breach, data exfiltration, threat space. One of the things that we at SonicWall focus on for the cloud security product is the SaaS protection space. If you’re using multiple SaaS apps, so if you’re using something like the Office 365 Suite and Box and Dropbox or eventually Slack or eventually Salesforce, in most cases organizations are managing those policies and that data in threat space differently.

Some people assume that the cloud service providers are responsible for taking care of protecting them from threats and they’re not. They’ll call it out in their contracts. It’s never in big red print like we show right in slides, but the customer is responsible for protecting that data. If their admins are using multiple SaaS products, they increase their risk because all the products look and feel different. They all have different security controls. Most of them don’t include advanced threat protection by default, they’re not correlating events or getting a cohesive view across their SaaS space into what’s being used, logging activity, data that’s out there. They don’t know if it’s compliant. We really focus on a holistic approach. When we talk about protection for Office 365, we talk about the Suite. We talk about your email, your OneDrive, your SharePoint, Teams will be coming online soon.

Ironically, I don’t think I’ve met a person yet who really likes SharePoint. It’s good that Microsoft is kind of making a push for something else. But collaboration tools are becoming more and more hot in the market and in the threat space, you can transmit files back and forth. You can share different data that are stored in the cloud, most times. How do you protect that? We focus on the Suite protection in addition to other SaaS applications that you’re using. You get a combined view, you get consistent policies, right? That reduces your risk. Everything looks and feels the same. There is no mind-mapping for administrators on what does this DLP policy look like versus in SharePoint or Box or Slack.

Bill:            Let’s talk about policies for a second, just so everybody understands how you’re defining it, because I thought it was interesting. We had someone ask me about a DLP, which is just as a rough… We look at porter packages of zero, really easy security, to ten hard security like DLP. There’s nothing about zero.

Shannon:   No, it’s not.

Bill:            It’s nine or ten. It’s hard. I loved your answer to that question and part of it had to deal with policy, but maybe you can answer where you guys fit in the DLP world and what example of the policy would be.

Shannon:   Absolutely. In the context of DLP for SaaS protection, what we provide today is a very easy-to-use compliance-based DLP. What that means is you don’t need to have data classification in process. You don’t need to be working on it. We provide you compliance-based templates like SOX templates or intellectual property templates, PII, PHI, HIPAA, things of that nature. You can enable these templates with a simple check mark. We use regular expressions and we do pattern validations, account number checking, different formats. We use a series of keywords. This implementation right now is not customer configurable beyond checking or unchecking the templates, so you can’t do the granular rules. But we also find that a lot of people get very overwhelmed-

Bill:            That’s what kills it.

Shannon:   Yes, exactly. With a robust DLP solution and then they’re overwhelmed. They don’t use it. Then they’re either sending sensitive data to the cloud and they don’t know it and they’re at risk, or they’re in breach of compliance, or they just stopped using the SaaS app and that’s a load on them, too – because we want them moving to these better infrastructures, these more updated apps, and we want to help them embrace that.

Bill:            If I’m a sales rep, then I’m just supposed to come up with a simple situation of a sales rep that might be a remote worker, headquarters in DC, using Salesforce, and the cloud app security. For some reason they have a document there they want to ingest into Salesforce, and maybe it’s a legal contract or maybe it hits one of the triggers. What happens to that file? Does it just get lost? If it’s on its way into Salesforce from that sales rep’s laptop, does it come from Exchange? Let’s say they are using an Exchange product from Microsoft 365; how does that whole file interaction happen? What goes on there?

Shannon:   In the context of Salesforce, which is something we’re looking at in the future, the way that it would work is similar to what we did with Office 365. We’re API-based technology, so we sit within the SaaS app itself. You can install our event collector to monitor activities, right? Monitor those files. Then we install a protection app as well into the SaaS space. When an end user uploads a file from their desktop or their phone or whatever into the SaaS app, the SaaS app’s default security controls will engage.

Whatever base AV they provide, or base email anti-phishing or whatever, they’ll engage. Everything they send up is scanned, and whatever comes off as clean from the SaaS provider, we pick up and run through all of our advanced algorithms – the advanced threat protection if it’s a file or an email attachment, or anti-phishing technology, anti-spam technology – depending on what type of data it is. But one of the advantages is that we sit within that SaaS space. We protect the data within the space versus it coming from a laptop or a phone or whatnot. As soon as it hits the APIs for the SaaS provider, we’ll engage our scanning technology.

Bill:            It’s like a shim client of some sort. Right? It’s like a shim that sits in that… Because their vendors opened up that API, it allows you to engage with that as the document goes in. Is it looking at the whole document or is it looking at just the email itself?

Shannon:   No, it will look at the whole document. If it’s just a straight file upload, we’re going to pick up the file and we’ll scan it with ATP. Then, if you’ve got DLP enabled, the actions that we take on the file are dictated by the customer. If a customer has configured their policy, they want to quarantine the file, they want to send it to a vault, something of that nature – or maybe they want to do nothing, they just want to alert on it. They have that flexibility to make the best business decision for them. In the context of email, what we do is when the email comes in to, say, Office 365, if it’s got an attachment, not only are we scanning the email, we scan the emails for anti-phishing of course, and also impersonation threats. We also do advanced URL scanning, not just within the body of emails but within the attachments themselves as well. That attachment will get scanned by our Capture ATP, in addition to just your regular email scanning.

Bill:            Yes, we had a lot of questions about logins and login failures and then, when you’re in, data exfiltration out. Maybe you could talk to that a little bit and talk about what you also called account takeover. Okay.

Shannon:   Yes. One of the concerns that we have in the SaaS app space is credential compromise. I think on a personal level, almost everybody that you talked to has had their credentials compromised in some way. I think that statistic for 2017 was 2.3 billion. Those accounts are sold in the dark web for less than a dollar, each with a guaranteed password, which is frightening. If you’re an organization, you’re using SaaS apps and you get compromised credentials for one of your users, that’s an infiltration point into your environment. It’s an infiltration point to your data. Maybe it’s customer data, maybe it’s employee data, that data can be exfiltrated.

One of the things that we provide, in addition to the DLP where you can prevent sharing from external information is account takeover prevention. We give you visibility into your user behaviors that fall outside of their established normals.

We build a unique profile for every single user that uses that SaaS app. We use tons of different data points, right? What kind of device do they log in from? Is it a managed device, is it unmanaged, do they come in through VPN, do they log in from a specific continent, how much data do they upload and how much data do they download? We build that profile and we maintain it. It evolves going forward, and then anything that deviates from that we bring to your visibility.

One of the things that I demo typically is geo-suspicious activity. I can simulate logging in from multiple continents within a very short period of time into my Office 365, and then the alert that the admin gets is suspected credential compromise and it will give me the IP addresses and a map of the location.

You can go down to within three blocks of where the IP address is. It alerts the admin that they need to look at this. That will evolve going forward because not every anomaly is malicious. You, as an administrator, want to investigate and confirm. Is that malicious behavior? But we’re going to give you that quick visibility. We’ll give you as much information as we can. If you’re using multiple SaaS apps, we’re going to correlate that activity across them. You don’t have a singular app view. We know what your users’ behaviors are in each of the SaaS apps they’re using.

Bill:            Now how is that going to be different if someone logs in with Active Directory? Well, for Microsoft, if they’re logging in through AD and using MFA and conditional access, for example, where would you pick up there? I guess that’s purely a Microsoft question. But maybe it’s logging into Amazon as well, but there’s potentially a domain controller, and then how do you integrate? This is my question. Is it completely separate, or are you looking for different parameters because you’re wedged into the SaaS app itself?

Shannon:   We do it a couple of different ways. One, we’ll track failed logins. If they’re not getting through your AD, we get that event from the SaaS app itself and we’ll report a failed login attempt. Some people don’t find that valuable. They want to know when somebody gets in. Where we pick up from the potential compromised account visibility perspective is when the user logs in. If they’ve already gotten through your AD or your single sign-on, you’ve got a big problem, right? They’ve already breached that. Now we can see the login activity, we can see the user behavior and then we bring you into that visibility. You have to look at it in two different aspects: failed logins we know about and we’ll report them. We’re not going to necessarily call those out as a potential compromise.

We give you the data to look at. I had a customer last week that actually asked me to look at some of their data for them. They had an exorbitant amount of geo-suspicious login activity for failed logins, especially for a 60-employee company. They had 800-plus logins over a seven-day period of time from all over the globe – and they’re in England and I think Scotland. Yes, they were like, this is not right. But they were concerned that somebody was attempting to get in. That was their approach. They hadn’t gotten in yet, but we were bringing the visibility that somebody was attempting to get in, so it was something they could be in tune with and they could be on the lookout for.

If somebody does get in through your other authentication mechanisms, we are there to alert you that you’ve got this type of suspicious activity. Maybe it’s somebody pulling down large data. All of a sudden Susie started logging in at 2:00 a.m., she’s never done that before or she’s logged on and logged off. Maybe all of a sudden multifactor authentication has suddenly become disabled, things like that.

Bill:            Well, that’s interesting. What about if there’s an unusual download of information, or if someone’s logged in in an authorized way, but all of a sudden they normally consume an average of 10 megs and now it’s 25 to 30? Is that a possibility?

Shannon:   It is a possibility. It’s something that we would want to alert you to because it would fall outside of their established norms. When the behavior deviates – and it’s all AI based, it’s not customer configurable today. We look to do some additional workflows in the future around that. There is the potential that it could be valid behavior, but we’re going to bring it to your visibility and let you make the determination so that you can be aware, because it is pretty abnormal for somebody who uploads 10 megs a day or downloads 10 megs a day to all of a sudden pull down a 70-meg file. Maybe it’s from a different location they haven’t accessed before. This is all what we would just call general weirdness, right? It’s suspicious and you want to be on the lookout.

Bill:            How do you build from the AI and machine learning (ML)? We talked about this today, that we’re trying to build that automated threat response so that we can confidently tackle a cloud architecture. What are your thoughts about that? When do you think the CIO would truly be at a point where they can feel confident treating their cloud architecture? Just like it used to be in the old-fashioned data center.

Shannon:   Wow. That’s a great question. Let me think about that one. I’m a suspicious person by nature. I’ve worked in cybersecurity probably far too long. I would never feel comfortable about anything that’s outside your organization. What I would say is this, once you’ve used a tool for several months, you build a level of comfort. Anything that’s AI based or ML based, there are going to be some nuances off-the-bat because it has to learn the environment. It has to learn the behaviors to figure out what your space looks like. There’s going to be some tweaks that are probably needed with any technology. We heard somebody today that was speaking about a time when they were using a different technology on their end points, they had a lot of false positives. Then when you look at their scenario, what they were doing, which James pointed out, was they’re actually doing hacker-like activity.

AI was working and machine learning was working. A lot of times we think those nuances are kind of painful, but generally when we look at them, they’re actually simulating some type of bad behavior. Do you take the chance and say, I’m not going to report this, or do you err on the side of caution? I think you have to get comfortable with a tool for a couple of months in your environment before you can feel really, really good and secure about your deployment.
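The two account-takeover heuristics Shannon describes above, geo-suspicious logins across continents in a short window and a download volume that falls outside a user's established baseline, implemented from scratch as an added example. This is not SonicWall code and says nothing about how their product actually scores behaviour; it assumes the GeoIP step has already happened (each login carries the coordinates its IP resolved to) and runs over constructed login and download records using documentation-range IP addresses.

```python
"""Behavioural account-takeover heuristics over constructed SaaS audit events.

Added example, not SonicWall's code. Two checks from the interview:
  1. impossible travel: consecutive logins by one user whose implied speed
     exceeds what an airliner could manage;
  2. download-volume anomaly: one day's download bytes far outside the user's
     own history, skipping users whose profile is still learning.
Coordinates are assumed to come from a prior GeoIP lookup (constructed here).
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed (assumed threshold)
MIN_DISTANCE_KM = 100.0     # ignore jitter between nearby GeoIP points


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    from_ip: str
    to_ip: str
    km: float
    hours: float
    kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user that would need travel faster than max_kmh."""
    alerts = []
    last = {}  # user -> most recent login seen
    for cur in sorted(logins, key=lambda l: (l.user, l.ts)):
        prev = last.get(cur.user)
        if prev is not None and prev.ip != cur.ip:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if km >= MIN_DISTANCE_KM:
                kmh = km / hours if hours > 0 else float("inf")
                if kmh > max_kmh:
                    alerts.append(TravelAlert(cur.user, prev.ip, cur.ip,
                                              round(km), round(hours, 2), round(kmh)))
        last[cur.user] = cur
    return alerts


def download_anomalies(baseline, today, z=3.0, ratio_floor=2.0, min_days=7):
    """Return {user: ratio_to_mean} for users whose bytes today exceed both
    mean + z*stdev of their own history and ratio_floor * mean (the floor stops
    a very stable baseline from flagging a 10% bump). Users with fewer than
    min_days of history are skipped: their profile is still learning."""
    flagged = {}
    for user, bytes_today in today.items():
        history = baseline.get(user, [])
        if len(history) < min_days:
            continue
        mu, sigma = mean(history), pstdev(history)
        if bytes_today > mu + z * sigma and bytes_today >= ratio_floor * mu:
            flagged[user] = round(bytes_today / mu, 1)
    return flagged


T = datetime.fromisoformat
SAMPLE_LOGINS = [  # constructed; coordinates stand in for GeoIP results
    Login("alice", T("2019-05-06T09:00:00"), "203.0.113.10", 38.90, -77.04),  # Washington, DC
    Login("alice", T("2019-05-06T10:30:00"), "198.51.100.7", 50.11, 8.68),    # Frankfurt, 90 min later
    Login("bob",   T("2019-05-06T08:00:00"), "192.0.2.44",   51.51, -0.13),   # London
    Login("bob",   T("2019-05-06T11:00:00"), "192.0.2.99",   55.95, -3.19),   # Edinburgh, 3 h later
]
MB = 1_000_000
BASELINE_DOWNLOADS = {  # constructed daily download bytes for the previous week
    "alice": [9_800_000, 10_100_000, 10_300_000, 9_900_000, 10_000_000, 10_200_000, 9_700_000],
    "bob":   [9_800_000, 10_100_000, 10_300_000, 9_900_000, 10_000_000, 10_200_000, 9_700_000],
    "carol": [5 * MB, 6 * MB],  # new hire: only two days of history, skipped
}
TODAY_DOWNLOADS = {"alice": 70 * MB, "bob": 11 * MB, "carol": 40 * MB}

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"suspected credential compromise: {a.user} {a.from_ip} -> {a.to_ip}, "
              f"{a.km:.0f} km in {a.hours:.1f} h ({a.kmh:.0f} km/h)")
    for user, ratio in download_anomalies(BASELINE_DOWNLOADS, TODAY_DOWNLOADS).items():
        print(f"download anomaly: {user} pulled {ratio}x their daily baseline")
```

Alice's DC-to-Frankfurt pair is about 6,500 km in 90 minutes and is flagged; Bob's London-to-Edinburgh pair is about 535 km in three hours and is not. Alice's 70 MB day is flagged against a 10 MB baseline, Bob's 11 MB day is not, and Carol is skipped because two days is not a profile yet. Both functions return data rather than acting on it, which matches the point made in the interview: the anomaly is brought to an administrator, who still has to decide whether it is malicious.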
