Thank you to the RedLock team for sharing their Cloud Security Index report findings at the May 22nd AWS Chicago user group!

1. Cloud
Security
Trends
+ 14 Tips to Fortify
Your Public Cloud Environment
Published by the RedLock CSI Team
May 2018 Edition
Cloud Threat Defense

2. Introduction
Key Takeaways
01 - Account compromises fueling new attack vectors
02 - Cryptojacking goes mainstream
03 - Effective compliance must be omnipresent
04 - Beyond the specter of “Spectre” and “Meltdown”
About the Report
Ready to Take Action?
3
6
7
9
11
13
15
16
© 2018 RedLock Inc. All rights reserved. 2
Table of
Contents

3. 3© 2018 RedLock Inc. All rights reserved.
Introduction
This edition of RedLock’s Cloud Security Trends
marks the report’s one year anniversary, and it’s
been a sobering year in terms of public cloud
breaches, disclosures and attacks. This report
highlights key learnings from these incidents along
with research by the RedLock Cloud Security
Intelligence (CSI) team to shed light on the trends
that we can expect this year.

4. 2016
Oct
Dec
2017
Jan
May
Oct
Oct
Nov
Jun
2018
Feb
Apr
Jan
51%
25%
24%
- Major companies impacted:
Uber, OneLogin, Tesla, Aviva, Gemalto
- RedLock research results:
On average, 27% of organizations
experienced potential account compromises
- Major companies impacted:
Deep Root Analytics, FedEx, Under Armour
- RedLock research results:
On average, 51% of organizations publicly
exposed at least one cloud storage service
- Major companies impacted:
Tesla, Gemalto, Aviva
- RedLock research results: 25% of
organizations currently have cryptojacking
activity in their environments
- Major companies impacted:
MongoDB, Elasticsearch, Intel, Drupal
- RedLock research results: 24% of
organizations have hosts missing
high-severity patches in public cloud
Account Compromises
Risky Configurations
Cryptojacking
Vulnerabilities
27%
4© 2018 RedLock Inc. All rights reserved.

5. 5© 2018 RedLock Inc. All rights reserved.
The absence of a physical network boundary to the internet, the risk of accidental exposure by users
with limited security expertise, decentralized visibility, and the dynamic nature of the cloud increases
an organization’s attack surface by orders of magnitude. The shared responsibility model of cloud
security clearly outlines the respective responsibilities of cloud service providers and their customers.
The RedLock CSI team would like to remind you that your organization’s obligations in the shared
responsibility model include:
* Monitoring and remediating resource misconfigurations
* Detecting and remediating anomalous user activities
* Detecting and remediating suspicious network traffic
* Identifying vulnerable hosts

6. KEY1. Account compromises fueling new attack vectors
While organizations are ramping up security efforts to deter malicious actors from stealing credentials
and access keys, new threats are always at-hand, such as those presented via Instance Metadata APIs.
2. Cryptojacking goes mainstream
Unfettered access to expensive and high-powered public cloud compute resources is leading to
increased cryptojacking attacks.
3. Effective compliance must be omnipresent
Confidential data is moving to the cloud and organizations must prove compliance. Employing
additional controls such as encryption and security frameworks, such as NISF CSF and CIS, still need to
be operationalized.
4. Beyond the specter of “Spectre” and “Meltdown”
Vulnerability management at scale is extremely complex in the cloud and is a key requirement of GDPR.
Organizations need to consider how they will address the issue for their public cloud environments.
6© 2018 RedLock Inc. All rights reserved.
Key Takeaways

7. 01
7© 2018 RedLock Inc. All rights reserved.
Account
compromises
fueling new
attack
vectors
43%
20%
27%
of access keys have not been
rotated in the last 90 days
of organizations are allowing
root user activities
of organizations with potential
account compromises
Relative to last year, we have seen mixed trends
with respect to account compromises.
Organizations are becoming more knowledgeable
and implementing best practices to avert cloud
account compromises, but new attack vectors
continue to present themselves.
In addition to finding leaking credentials in GitHub
repositories, unprotected Kubernetes
administrative interfaces, and public Trello boards,
the RedLock CSI team found yet another attack
vector - public cloud instance metadata APIs.
Public cloud instance metadata is data about your
instance that can be used to configure or manage
the running instance. Essentially, an instance’s
metadata can be queried via an API to obtain
access credentials to the public cloud
environment by any process running on the
instance.
The overarching trend, however, is clear; account
compromises will continue to evolve and
organizations must be vigilant and take steps to
defend against these threats.
Key Findings
The most concerning finding from the CSI team
was that organizations’ need to do a much better
job managing their access keys, as 43% of them
had not been rotated in over 90 days. This is a big
concern because access keys tend to have overly
permissive access, thus creating greater exposure.
It is a security best practice to rotate access keys

8. 8© 2018 RedLock Inc. All rights reserved.
Tips
• Eliminate the use of root accounts for day-to-day operations
• Enforce multi-factor authentication on all privileged user accounts
• Implement a policy to automatically force periodic rotation of access keys
• Automatically disable unused accounts and access keys
• Implement user and entity behavior analytics solutions to identify malicious behavior
01significantly to this broader understanding.
Additional investigation by the RedLock CSI team
determined that 27% of organizations have users
whose accounts have potentially been
compromised. This result is up from our February
2018 trend report that showed 16%. This negative
trend underscores that cloud security remains a
porous environment.
on a more frequent schedule to limit exposure
should they fall into the wrong hands.
The CSI team also found an encouraging trend;
only 20% of organizations are allowing the root
user account to be used to perform activities -
down significantly from 73% last year. This trend
indicates organizations are getting the message
about managing root user accounts and
RedLock’s CSI reports have contributed
Account
compromises
fueling new
attack vectors

9. 9© 2018 RedLock Inc. All rights reserved.
85%
25%
of resources do not restrict
outbound traffic at all
of organizations had
cryptojacking activity within
their environments
Despite the recent ups and downs of
cryptocurrency valuations, interest in illicit
cryptomining remains high. Even with the recent
disclosures by RedLock’s CSI team on
cryptomining at Tesla, the practice of stealing
cloud compute resources to mine cryptocurrency
seems to have accelerated. One possible
explanation for this, according the team, is the
ransomware market is becoming saturated and
overpriced, and hackers are setting their sights on
new revenue streams - in this case cryptojacking.
Another reason cryptojacking continues to
proliferate is that attackers are using advanced
evasion techniques when mining
cryptocurrencies. The CSI team detailed some of
these creative skills including in it’s blog post.
Key Findings
Surprisingly, 85% of resources associated with
security groups do not restrict outbound traffic at
all. This reflects an increase from one year ago
when that statistic was 80%. The research found
an increasing number of organizations were not
following network security best practices and had
misconfigured or risky configurations. Industry
best practices mandate that outbound access
should be restricted to prevent accidental data
loss or data exfiltration in the event of a breach.
In terms of cryptojacking, the team discovered
that 25% of organizations had cryptojacking
activity within their environments up from 8% last
02
Cryptojacking
goes
mainstream

10. 10© 2018 RedLock Inc. All rights reserved.
Tips
• Implement a “deny all” default outbound firewall policy
• Monitor north-south and east-west network traffic to identify any suspicious activities
including cryptojacking
• Monitor user activity for any unusual or abnormal behavior, such as unusual attempts to spin
off new compute instances
02quarter. The team forecasted that cryptojacking
would increase as it gained traction in the hacker
community, but this rapid, dramatic growth was
still unexpected.
The rise of cryptojacking and seemingly misuse of
security groups highlights the need for a holistic
approach to security in the cloud. A combination
Cryptojacking
goes
mainstream
of configuration, user activity, network traffic,
and host vulnerability monitoring is necessary
to detect advanced threats in public cloud
environments.

11. 03
11© 2018 RedLock Inc. All rights reserved.
Effective
compliance
must be
omnipresent
49%
30%
23%
of databases are not
encrypted
of CIS compliance
checks fail
of organizations fail NIST CSF
compliance assessments
2018 continued 2017’s trend of significant data
exposures resulting from cloud misconfigurations.
FedEx and MyFitnessPal (Under Armour) both
reported millions of exposed consumer records
resulting from unsecured cloud storage services.
Given the prevalence of cybersecurity standards -
NIST CSF, CIS, PCI, SOC2, HIPAA and soon GDPR
(General Data Policy Regulation), organizations are
under pressure to ensure compliance across their
cloud environments.
The RedLock CSI team assessed the preparedness
of organizations based on fundamental security
best practices and the results suggest optimism
and disappointment. Moreover, the results
underscore that organizations must do better in
all areas, as spotty compliance is not compliance
at all.
Key Findings
The RedLock CSI team’s analysis uncovered some
positive news; there is a growing trend to encrypt
databases. A year ago, the team found that 82%
of databases were not encrypted. Today that
number stands at 49% - a 67% improvement in
one year. As discussed in previous RedLock CSI
reports, encryption is an important technique that
could help meet the pseudonymization
requirement for GDPR and should be enforced as
a security best practice.
A broader assessment against industry
compliance standards revealed that on average

12. 12© 2018 RedLock Inc. All rights reserved.
Tips
• Ensure cloud resources are automatically discovered when they are created, and monitored for
compliance across all cloud environments.
• Implement policy guardrails to ensure that resource configurations adhere to industry standards
such as NIST CSF, CIS, SOC 2, PCI, and HIPAA.
• Integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve
issues.
regarding their compliance goals and intentions.
The speed of cloud innovation is accelerating, with
cloud providers adding hundreds of new features
each year and developers are leveraging those
features to add new apps on a continuous basis.
In the end, it may just be that organizations are
lagging behind in their quest to maintain
compliance and ensure security in this fast paced
environment.
03
Effective
compliance
must be
omnipresent
organizations fail 30% of CIS Foundations best
practices, 50% of PCI requirements, and 23% of
NIST CSF requirements. Compared to last year’s
analysis, improvements are inconsistent and still
point to the fact that organizations have a lot of
work to do to make compliance a reality across
their cloud environments.
These disappointing results do not necessarily
indicate that organizations are disingenuous

13. 13© 2018 RedLock Inc. All rights reserved.
24%
39%
of organizations have
hosts missing critical patches
in public cloud
of vulnerable hosts flagged
as compromised by Amazon
GuardDuty
We are now a few months into the reality of living
with the Spectre and Meltdown vulnerabilities,
and now understand their longer term impacts
and the technology providers are releasing
solutions. For example, Intel announced changes
to the Xeon and Core processors specifically
designed to guard against these vulnerabilities.
Amazon, Microsoft, and Google promptly patched
and updated their environments to ensure a safer
operating environment.
But as proactive as the industry has been, it’s only
a matter of time until we face the next global host
vulnerability threat. Accordingly, the RedLock CSI
team assessed host vulnerability management in
the cloud to determine the state of affairs.
Key Findings
The research revealed that 24% of organizations
have hosts missing high-severity patches in public
cloud, which seemingly confirms data from the
February 2018 report that 83% of vulnerable hosts
were receiving suspicious traffic from the internet.
While many organizations have traditional
vulnerability scanning tools made for on-premise
data centers and networks, organizations are
unable to map the data from these tools to gain
cloud-specific context. For example, identifying
cloud resources that are communicating with
outside IPs or suspicious IPs in an ephemeral
environment is a problem traditional vulnerability
scanning tools were not designed to solve.
04
Beyond the
specter of
“Spectre” and
“Meltdown”

14. 14© 2018 RedLock Inc. All rights reserved.
Tips
• Correlate vulnerability data with resource configuration data to identify vulnerable hosts.
• Correlate network traffic data to determine whether the vulnerabilities are actually network
exploitable and prioritize remediation accordingly.
• Correlate vulnerability data with cloud configuration and network traffic data to identify the riskiest
assets, and determine whether the vulnerabilities are actually exploitable from the internet.
04Vulnerability management at scale is extremely
complex in the cloud and is a key requirement of
GDPR. In this dynamic environment, it is often
hard to pinpoint specific questionable cloud
resources, or understand the real exploitability
and risks associated with them. Traditional
vulnerability scanning tools fall short on delivering
actionable results to users. Further, host
vulnerability data needs to be correlated with host
configurations in the cloud that can help identify
the business purpose of the host and help
prioritize patching.
RedLock’s integration with Amazon GuardDuty, a
threat detection service launched in November
2017, indicates that 39% of these hosts are
actually exhibiting activity patterns associated
with instance compromise or reconnaissance by
attackers. This is an increase of 160% is about 6
months. This increase may be explained by the
broader acceptance of GuardDuty since its launch;
however it also indicates that organizations need
to be more proactive with vulnerability
management in the cloud.
Beyond the
specter of
“Spectre” and
“Meltdown”

15. 15© 2018 RedLock Inc. All rights reserved.
About the Report
ABOUTAbout the
Report
RedLock CSI Team
RedLock enables effective threat defense across Amazon Web Services, Microsoft Azure, and Google
Cloud environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates
disparate security data sets to provide comprehensive visibility, detect threats, and enable rapid
response across fragmented cloud environments. With RedLock, organizations can ensure compliance,
govern security, and enable security operations across public cloud environments.
The RedLock Cloud Security Intelligence (CSI) team consists of elite security analysts, data scientists,
and data engineers with deep security expertise. The team’s mission is to enable organizations to
confidently adopt public cloud by researching cloud threats, advising organizations on cloud security
best practices, and frequently publishing out-of-the-box policies in the RedLock Cloud 360™ platform.
The CSI team has discovered millions of exposed records that contain sensitive data belonging to
dozens of organizations ranging from small businesses to Fortune 50 companies. The team notifies the
affected organizations and publishes security advisories to raise awareness about the issues.
Report Methodology
The data in this report is based on analysis across the public cloud environments monitored by
RedLock, which comprises of over twelve million resources that are processing petabytes of network
traffic. In addition, the team also actively probed the internet for vulnerabilities in public cloud
environments.

16. ACTIONReady to
Take Action?
Get a Free Risk Assessment
Get started in minutes and obtain a free risk assessment across your cloud footprint without hindering
agile development. It will provide the following insights:
Are there any resources with risky configurations?
Are there unpatched hosts in your environment?
Have there been any network intrusions?
Are there any insider threats?
Have any accounts been compromised?
More information: https://info.redlock.io/cloud-risk-assessment
Download Cloud Security Buyer’s Guide
Download the Cloud Security Buyer’s Guide to get 20+ tips based on the NIST Cybersecurity
Framework and manage risks across your public cloud computing environment.
More information: https://info.redlock.io/lp-nist-csf-cloud-security
16© 2018 RedLock Inc. All rights reserved.

17. “With RedLock, we have full visibility so we can be sure our
cloud environment is secure, risk is reduced and any threats
that do present themselves can be remediated right away”
-
David Pace
Global Information Security
Western Asset Management (WAM)
To learn more:
Call: +1.650.665.9480, Visit: www.redlock.io
© 2018 RedLock Inc. All rights reserved.
RedLock and RedLock logo are registered US trademarks of RedLock Inc.
RedLock Cloud 360 is a trademark of RedLock Inc. All other registered trademarks are the properties of their respective owners.