In this week’s Whiteboard Wednesday, Meg Donlon, senior product marketing manager on Rapid7’s InsightIDR team, discusses a common challenge today: detecting compromised cloud service accounts. As more organizations move to cloud infrastructures and SaaS software, it’s important that security teams have visibility into the user accounts accessing them.
Welcome to this week’s Whiteboard Wednesday. I’m Meg Donlon, senior product marketing manager on the InsightIDR team. Today, let’s talk about a type of threat that nearly every organization with cloud services faces: attacks on user accounts.
As more organizations move to cloud infrastructures and SaaS software, it’s important that security teams have visibility into the user accounts accessing them. The established techniques that are well known on-prem are still really dangerous since cloud services are built for anywhere, anytime access.
In fact, hijacked cloud accounts, or cloud “account takeover attacks”, are on the rise. The recent Verizon DBIR noted an increase in the use of stolen credentials to access cloud-based email servers. And these suspicious authentications are also a repeat top offender on our Rapid7 Quarterly Threat Report as well.
So why is this? In addition to the growing adoption of cloud infrastructure and software:
So what can you do to protect your cloud accounts?
Once you have the appropriate logging turned on, you can begin sending that information to your SIEM. Some of the alerts and data you’ll want to look at include:
Once you have logs and centralized visibility inside of your SIEM, we suggest promoting awareness around compromised cloud accounts to your employees. To increase your defenses on the front lines, educate your employees on spotting phishing attacks, the importance of strong passwords, and what can happen when cloud accounts are compromised.
Want to learn more about staying protected with Rapid7? InsightIDR, our cloud SIEM, is built for your modern network to fully ingest data from cloud services and infrastructure, as well as your on-premises and remote environment. You’ll be able to reduce the risk of phishing and quickly identify when stolen credentials are used across your network.
That’s it for this week’s Whiteboard Wednesday. We’ll talk to you next time.