Illuminating Ransomware, Insider Threats, and Third-Party Risk

New digital communication applications are more vulnerable to digital attack since they are often cloud based and sit outside the traditional perimeter defense structure. These applications are a critical part of organizations’ infrastructure; they improve operational agility, connect multiple regions or teams, and reduce costs. But they are also outside an organization’s control. This is particularly true for social media, which became a critical communications tool during the pandemic.

Many government organizations focus mainly on the endpoint, but that requires waiting for malware to enter the device and move through your network. Organizations need new approaches to combat the most common threats—third-party risk, ransomware, and insider threats—at the source in the cloud.

Attack Surfaces

Business communications risk stretches across both public and non-public surfaces. The public attack surface is anything that can be accessed via a publicly accessible browser, like Chrome, Firefox, or Safari. The pandemic has made it easier for citizens to reach government through social media, but bad actors can use a Facebook wall to post a comment with a malicious link embedded. Today’s attacks are also multi-channel, using social media to groom targets and then pointing them to fake websites.

One small municipality exemplifies the challenges that government organizations face. The city moved its operations online during the pandemic and its Facebook account essentially became a switchboard, going from about two posts per month to over 550 per month. But city employees were faced with the dilemma of keeping citizen communications secure when they were not really equipped to handle that level or kind of communication.

Non-public attack surfaces include enterprise instances of tools like Microsoft Teams, WebEx, Slack, or Zoom. Because collaboration tools tend to be attached to parts of your network, these accounts are much closer to your data systems and allow for lateral movement into your network. Organizations must protect communications from malicious activity while also defending the assets or files that transit in those communications.

Threat actors understand where the data is, and they are focusing on collaboration tools. There is sensitive information in those communications, and they move at a volume and velocity that is outstripping email. One organization that generated around 60,000 Slack messages per day pre-Covid shot up to over 160,000 messages per day. But, like many other organizations, it does not provide Slack with the same protections that would apply to email.

Therefore, it is critical that an organization’s security layer be as flexible as these applications—both public and non-public. Since these applications can be accessed via desktop, mobile app, or browser, your security layer needs to follow those methods of entry.

Gaining Visibility

Visibility is a critical component of security; you cannot detect and respond to events you cannot see.

Your organization should be able to answer basic questions:

  • What kind of data security controls are in place?
  • How are employees collaborating outside of email?
  • Do you have visibility into third-party cloud applications?
  • How can you respond to malicious content, insider threats, or data loss?

For maximum visibility, your security also needs to be portable. Your security layer should be present no matter where the end user is located, and it should be transparent to them. Ideally, they should not be required to go through several login screens; that encourages users to find their way around security measures. Any security scheme will fail if it does not account for the way people want to work and communicate.

Cloud Native Defense

The best security approach is a cloud native defense which is designed to intercept and stop risks in the cloud; it provides cloud-to-cloud defense instead of waiting for risks to transit to the endpoint. With a cloud native approach, you could stop a threat in LinkedIn before it has a chance to compromise your device. However, that security layer should play nice with the rest of your tech stack. It needs to layer onto the accounts themselves, extending your security policies and controls regardless of device or network.

A cloud native approach can be enabled by machine learning (ML) risk analytics. One educational institution had 125,000 messages in its first ten days of working in Microsoft Teams, an indication of the volume and velocity challenges facing organizations. Security teams simply cannot review that number of messages and keep them secure. The solution was a cloud native framework for ML, which highlighted almost 2,000 instances of inappropriate content among the messages. The ML risk analytics could also prioritize the truly worrisome messages with full contextual analysis of an entire thread—so the security team knew where to focus its efforts.
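The prioritization step described above, where individual message signals are rolled up into a thread-level view so reviewers know where to start, can be illustrated with plain heuristics before any ML is involved. The following is an added example written for this article, not code from the vendor or from any product mentioned here; the message sample, the trusted-domain allowlist, the keyword lists and the signal weights are all constructed assumptions. It scores each collaboration-tool message for external links, credential requests, urgency language and risky attachments, then aggregates by thread and escalates threads that show the lure pattern the article describes (a grooming conversation that ends in a credential request pointing at an outside site).

```python
"""Rank collaboration-tool threads for analyst review using explainable risk signals.
Added illustration: messages, allowlist, keywords and weights are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed allowlist of domains the hypothetical agency treats as internal.
TRUSTED_DOMAINS = {"intranet.example.gov", "example.gov"}

URL_RE = re.compile(r"https?://[^\s>]+")
CRED_WORDS = ("password", "login", "verify your account", "mfa code")
URGENCY_WORDS = ("urgent", "immediately", "within the hour", "right now")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso")

# Constructed sample of Slack-style messages; 'thread' groups replies together.
SAMPLE_MESSAGES = [
    {"thread": "t1", "user": "citizen42",
     "text": "Hi, saw your post on the city page, can you help me with permit forms?"},
    {"thread": "t1", "user": "citizen42",
     "text": "Sure, login here to verify your account "
             "http://city-permits-portal.example.net/login it is urgent"},
    {"thread": "t2", "user": "finance.clerk",
     "text": "Budget workbook is at https://intranet.example.gov/finance/q3.xlsx"},
    {"thread": "t3", "user": "vendor.rep",
     "text": "Please run the attached invoice viewer, it is urgent",
     "attachments": ["invoice.exe"]},
]


def _is_trusted(host):
    """True when the host is a trusted domain or a subdomain of one."""
    return host in TRUSTED_DOMAINS or any(
        host.endswith("." + d) for d in TRUSTED_DOMAINS)


def score_message(msg):
    """Return (score, reasons) for one message dict with 'text' and optional 'attachments'."""
    score, reasons = 0, []
    text = msg["text"].lower()
    for url in URL_RE.findall(msg["text"]):
        host = urlparse(url).hostname or ""
        if not _is_trusted(host):
            score += 3                      # weight is an assumption
            reasons.append(f"external link to {host}")
    if any(w in text for w in CRED_WORDS):
        score += 2
        reasons.append("asks for credentials")
    if any(w in text for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language")
    for att in msg.get("attachments", []):
        if att.lower().endswith(RISKY_EXT):
            score += 3
            reasons.append(f"risky attachment {att}")
    return score, reasons


def score_threads(messages):
    """Aggregate message scores per thread and apply a contextual bonus: a thread
    that both asks for credentials and carries an external link is escalated
    beyond the sum of its parts. Returns (thread_id, summary) sorted high to low."""
    threads = defaultdict(lambda: {"score": 0, "reasons": [], "messages": 0})
    for m in messages:
        s, r = score_message(m)
        t = threads[m["thread"]]
        t["score"] += s
        t["reasons"].extend(r)
        t["messages"] += 1
    for t in threads.values():
        has_link = any(r.startswith("external link") for r in t["reasons"])
        has_cred = "asks for credentials" in t["reasons"]
        if has_link and has_cred:
            t["score"] += 4
            t["reasons"].append("lure pattern: credential request plus external link")
    return sorted(threads.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for thread_id, summary in score_threads(SAMPLE_MESSAGES):
        print(f"{thread_id}: score={summary['score']} "
              f"messages={summary['messages']} reasons={summary['reasons']}")
```

Running the block prints the threads in review order: the permit-forms thread ranks first because the link, the credential request and the urgency language land in one conversation and trigger the thread-level bonus; the internal budget link scores zero. A real deployment would replace the keyword lists with a trained classifier and the allowlist with the organization's own domain inventory, but the aggregation logic, scoring in context of the whole thread rather than message by message, is the part worth keeping.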


View our presentation to learn more about how your agency can better protect its presence in the cloud from the most common security risks.
