How Misconfigurations Threaten Your Cloud Security: The Big Interview with Bernard Montel, EMEA Technical Director, Tenable

With public cloud spending expected to grow 20% and reach $679 billion in 2024, more and more companies, from SMBs to enterprises, are moving their business into the cloud.

Asking customers to trust your service carries the responsibility to secure their data and to be precise about who is allowed to access it.

Yet the initial cloud setup is an often-overlooked part of the process. Simple misconfigurations and software weaknesses introduced at that stage can lead to a breach that puts your company on the front page of newspapers worldwide.

We asked Bernard Montel, EMEA Technical Director of Tenable, which provides cybersecurity exposure management for 40,000 companies and government agencies, to talk us through cloud security configurations, and why companies need to shift from reactive threat detection to proactive cloud security.

About Bernard Montel

With over 20 years in the security industry, Bernard Montel is the Technical Director and Security Strategist at Tenable. His expertise spans cryptography, identity and access management, and security operations (SOC). Bernard has published numerous articles and is regularly invited to speak about cybersecurity, providing insight into current threats, cyber risk management, and cyber exposure.

Before joining Tenable, Bernard held the position of EMEA Field CTO for RSA, where he played a leading role within its Threat Detection & Response department. He has significant experience advising large and medium-sized organizations on cybersecurity best practices.

Bernard holds a Master of Science in Network and Security and a Master 2 degree in artificial intelligence (AI).

Key Takeaways

  • Businesses need to shift from reactive threat detection to proactive cloud security.
  • Current hacker trends include the persistence of ransomware, the importance of safeguarding Active Directory, and a likely rise in software supply chain attacks.
  • Misconfiguration and excessive privileges are common, often overlooked weaknesses in cloud migrations, and they can lead to breaches.
  • To move from reactive to proactive cloud security, businesses must understand their infrastructure, prioritize what matters, and adopt the right mindset, much as preventive medicine does for health.

The State of Cybersecurity in 2024

Q: What hacker trends should businesses be preparing for?

A: When discussing hacker trends, I think it’s important to consider three key elements.

Firstly, yesterday’s attacks are still very relevant today — and then I look at what we can expect in the short term and the longer horizon.

We know ransomware will continue to be a big issue, and businesses will need to ensure they protect Active Directory given that, at the heart of nearly all attacks, is a compromised identity that allows threat actors to infiltrate infrastructure unchallenged.

Software is ultimately running everything in the world, with open source hidden in everything, and I think we’ll see a rise in software supply chain attacks like the SolarWinds attack [a deep and broad supply chain compromise disclosed in 2020, widely attributed to a state-sponsored actor and potentially the largest cybersecurity attack of its kind].

Thinking longer term, if generative AI becomes the new user interface to business apps, we will begin to see copyright and compliance issues and problems around data exfiltration.

Q: Companies are increasingly migrating to cloud-based solutions. Where do you see the most common vulnerabilities there?

A: As organizations increasingly move their data and workloads to the cloud, securing cloud identities and entitlements has become one of the most complex problems to solve.

Identities are the keys to accessing cloud resources; if compromised, they enable attackers to access sensitive data and systems. Ironically, almost all cloud permissions are overprivileged.

Misconfigurations combined with overextended or unused privileges are still very common. A few years ago, I read about an experiment in Palo Alto where they purposely misconfigured a workload on AWS and then waited. It took five minutes for that misconfiguration to let the bad guys in.

Misconfiguration is usually the most significant vulnerability in this area. We’ve seen customers with 10,000 AWS accounts. How can you have 10,000 accounts?

Once a Hacker Has Access, What Can They Do Next?

Q: If simple misconfigurations and excessive privilege cause most cloud breaches, how do you help businesses proactively identify and rectify these issues?

A: The complexity of IT infrastructure — with its reliance on multiple cloud systems, numerous identity and privilege management tools, and various web-facing assets — presents numerous opportunities for misconfigurations and overlooked assets.

The infamous Capital One breach began with a software vulnerability exploited by the attacker to get onto the web.

However, once they were in, amongst other privileges, the role associated with the WAF instance had S3 bucket privileges. They could capture an authentication token to talk to S3 buckets. They also had the privilege to decrypt the data. So it’s a combination of these things that kills you regarding breaches.

We use an attack path analysis and exposure management to analyze what a hacker would do. We don’t just focus on misconfiguration vulnerabilities because there are often too many. We focus on what matters and what hackers can leverage if not addressed.
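The chain described in this answer (an internet-exposed entry point, a role attached to it with broad S3 rights, and the ability to decrypt what that role reads) is exactly the kind of "toxic combination" that can be checked mechanically. The block below is an added illustration written for this page; it is not Tenable's product code and not Capital One's actual configuration. It walks a constructed inventory of instances, roles and buckets with deliberately simplified IAM evaluation (identity policies only, explicit Deny wins, IAM-style wildcards in Action and Resource, no Conditions, no bucket or key policies) and reports every complete path from an internet-facing instance to readable, decryptable bucket data. All names, account IDs and ARNs are made up.

```python
"""Attack-path analysis over a constructed cloud inventory.

Added illustration for this page, not Tenable's code. Evaluation is simplified:
identity policies only, explicit Deny wins, IAM-style wildcards in Action and
Resource, no Conditions, no bucket or key policies.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: List[str]     # e.g. ["s3:GetObject", "kms:*"]
    resources: List[str]   # ARNs or wildcard patterns


@dataclass
class Role:
    name: str
    statements: List[Statement]


@dataclass
class Instance:
    name: str
    internet_facing: bool  # reachable from the internet: the attacker's entry point
    role: str              # instance role whose credentials the metadata service hands out


@dataclass
class Bucket:
    name: str
    arn: str
    kms_key_arn: Optional[str]   # None: not SSE-KMS, so no decrypt step is needed


def allows(role: Role, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: any matching Deny wins, otherwise any matching Allow."""
    decision = False
    for st in role.statements:
        act_hit = any(fnmatchcase(action, pat) for pat in st.actions)
        res_hit = any(fnmatchcase(resource, pat) for pat in st.resources)
        if act_hit and res_hit:
            if st.effect == "Deny":
                return False
            decision = True
    return decision


def find_attack_paths(instances, roles, buckets):
    """Chain: internet-facing instance -> its role -> s3:GetObject on a bucket
    -> kms:Decrypt on that bucket's key (only when the bucket is SSE-KMS).
    Only complete chains are reported; a partial chain is not a path."""
    role_by_name = {r.name: r for r in roles}
    paths = []
    for inst in instances:
        if not inst.internet_facing:
            continue                      # no exposed entry point
        role = role_by_name.get(inst.role)
        if role is None:
            continue                      # nothing to steal from the metadata service
        for b in buckets:
            if not allows(role, "s3:GetObject", b.arn + "/*"):
                continue                  # cannot read objects
            if b.kms_key_arn and not allows(role, "kms:Decrypt", b.kms_key_arn):
                continue                  # would only get ciphertext
            paths.append({"entry": inst.name, "role": role.name, "bucket": b.name,
                          "needs_kms": b.kms_key_arn is not None})
    return paths


def wildcard_grants(role: Role):
    """Allow statements on Resource '*': the over-privilege to fix first."""
    return [st for st in role.statements if st.effect == "Allow" and "*" in st.resources]


# --- constructed inventory (all names, account IDs and ARNs are made up) ---
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
ROLES = [
    Role("waf-instance-role", [                 # the Capital One-shaped role
        Statement("Allow", ["s3:ListBucket", "s3:GetObject"], ["*"]),
        Statement("Allow", ["kms:Decrypt"], ["*"]),
    ]),
    Role("batch-role", [                        # scoped read, decrypt explicitly denied
        Statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::example-customer-data/*"]),
        Statement("Deny", ["kms:Decrypt"], ["*"]),
    ]),
    Role("logs-role", [                         # write-only
        Statement("Allow", ["s3:PutObject"], ["arn:aws:s3:::example-app-logs/*"]),
    ]),
]
INSTANCES = [
    Instance("waf-proxy", True, "waf-instance-role"),
    Instance("batch-worker", False, "batch-role"),
    Instance("log-shipper", True, "logs-role"),
]
BUCKETS = [
    Bucket("example-customer-data", "arn:aws:s3:::example-customer-data", KEY_ARN),
    Bucket("example-app-logs", "arn:aws:s3:::example-app-logs", None),
]

if __name__ == "__main__":
    for p in find_attack_paths(INSTANCES, ROLES, BUCKETS):
        print("ATTACK PATH:", p)
    for r in ROLES:
        for st in wildcard_grants(r):
            print(f"over-privileged: {r.name} allows {st.actions} on *")
```

Only `waf-proxy` yields paths: it is internet-facing and its role can read every bucket and decrypt with every key. `batch-worker` has a role that could read customer data but is not exposed, and its explicit Deny on `kms:Decrypt` would stop the chain anyway; `log-shipper` is exposed but its role can only write. That is the point of focusing on paths rather than on every finding: the same S3 grant is a critical exposure on one instance and noise on another. A real evaluator must also account for resource-based policies, permission boundaries, SCPs and session policies, all of which this illustration ignores.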

‘Prevention is Better than a Cure’

Q: What should businesses do to progress from reactive threat detection to preventative cloud security posture management?

A: In cybersecurity, 80, maybe 90% goes to reactive security.

An attack often begins with the phrase, “I have been breached, and I need to react.” It’s like going to the emergency department. But it’s too late if you go to the ED because you’re sick.

You want the discipline to eat vegetables, go to the gym, and take preventive medicine.

It’s the same idea when looking for vulnerabilities, weaknesses, and exposure in our cloud. A Tenable study of cybersecurity and IT leaders, conducted by Forrester Consulting in 2023, found that nearly six in 10 (58%) respondents said their cybersecurity team is too busy fighting critical incidents to take a preventive approach to reduce their organization’s exposure to attacks.

We recognize that prevention is better than cure, but to achieve that, from a security stance, you have to understand your infrastructure. Only then can you take proactive steps to address what matters, armed with the tools and the right mindset.

Tips for Staying Ahead of the Hackers

Q: One of your cloud security posture management (CSPM) solutions focuses on continuous discovery and assessment. Can you tell me more about the future of a proactive approach to dealing with managed and unmanaged cloud accounts?

A: There is so much automation in the cloud. Everything has an application programming interface (API) and is programmable. But within five minutes, you can be breached and not react to everything, so you need greater awareness.

Once again, contextualization and prioritization are the only ways to focus on what is essential.

You might be able to ignore 95% of what is happening, but it’s the 0.01% that will put your company on the front page of the Guardian newspaper.

Vulnerabilities can be very intricate and complex, but they become severe when they combine with toxic combinations (a mix of access privileges that create unintended levels of risk) that can generate attack paths.

Technologies are dynamic systems. Even if everything was “OK” yesterday, today, someone might do something, such as change a configuration by mistake, for example, with the result that several doors become aligned and can be pushed open by a threat actor.

Identity and access management in cloud environments is highly complex, especially in multi-cloud and hybrid clouds. Having visibility of who has access to what is crucial. Cloud Security Posture Management (CSPM) tools can help provide visibility, monitoring, and auditing capabilities based on policies, all in an automated manner.

Additionally, Cloud Infrastructure Entitlement Management (CIEM) is a cloud security category that addresses the essential need to secure identities and entitlements and enforce the least privilege to protect cloud infrastructure. This provides visibility into an organization’s cloud environment by identifying all its identities, permissions, resources, and relationships and using analysis to identify risk.

Looking forward, harnessing the power of generative AI could help explain how these combinations of vulnerabilities and misconfigurations could work together to lead to a breach.

That said, while AI is a powerful tool, it is not 100% reliable, meaning it can and should be used to inform potential problems to humans, who then decide if and what action is needed.
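One concrete way CIEM tooling works toward the least privilege described above, and surfaces the "overextended or unused privileges" mentioned earlier in the interview, is to compare what an identity is granted with what it was actually observed doing over a window of time. The block below is an added example for this page, not Tenable's code. It reads a constructed IAM policy and a handful of constructed CloudTrail-style records, assumes the CloudTrail `eventName` equals the IAM action name (true for most APIs but not all), and produces the grants that were never used, the wildcards that could be narrowed to what was used, and a tightened statement. One caveat a practitioner should keep in mind: S3 object-level calls such as GetObject are CloudTrail data events, which are not recorded unless data event logging is enabled, so "not observed" can mean "not logged" rather than "not used".

```python
"""Granted-versus-used entitlement review for one IAM role.

Added example for this page, not Tenable's code. Assumes CloudTrail eventName
equals the IAM action name (true for most APIs, not all) and that the trail
actually records the relevant calls (S3 object-level calls are data events and
are not logged unless data event logging is enabled).
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Constructed CloudTrail-style records (only the fields used here); not real logs.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0def"}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/admin-role/alice"}},
]

# Constructed policy attached to app-role: a typical "make it work" grant.
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "iam:PassRole", "dynamodb:*"],
        "Resource": "*",
    }],
}


def role_from_session_arn(arn: str):
    """arn:aws:sts::ACCT:assumed-role/<role>/<session> -> <role>, else None."""
    _, _, rest = arn.partition("assumed-role/")
    return rest.split("/")[0] if rest else None


def observed_actions(events, role_name: str) -> Set[str]:
    """IAM-style action names (service:EventName) this role was seen calling."""
    used = set()
    for ev in events:
        if role_from_session_arn(ev["userIdentity"]["arn"]) != role_name:
            continue
        service = ev["eventSource"].split(".")[0]    # "s3.amazonaws.com" -> "s3"
        used.add(f"{service}:{ev['eventName']}")
    return used


def allowed_actions(policy) -> List[str]:
    """Flatten the Action lists of every Allow statement."""
    acts = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        a = st["Action"]
        acts.extend([a] if isinstance(a, str) else a)
    return acts


def entitlement_report(policy, events, role_name: str) -> Dict:
    """Classify each grant: used as-is, unused (remove), or wildcard to narrow."""
    used = observed_actions(events, role_name)
    report = {"used": sorted(used), "unused": [], "wildcards_to_narrow": {}}
    for grant in allowed_actions(policy):
        hits = sorted(u for u in used if fnmatchcase(u, grant))
        if not hits:
            report["unused"].append(grant)                 # candidate for removal
        elif "*" in grant:
            report["wildcards_to_narrow"][grant] = hits    # replace wildcard with hits
    return report


def tightened_policy(policy, events, role_name: str) -> Dict:
    """Allow only the observed actions. Resource deliberately stays '*' here;
    scoping it to bucket/queue ARNs is the next least-privilege step."""
    return {"Version": policy["Version"],
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(observed_actions(events, role_name)),
                           "Resource": "*"}]}


if __name__ == "__main__":
    print(json.dumps(entitlement_report(GRANTED_POLICY, SAMPLE_EVENTS, "app-role"), indent=2))
    print(json.dumps(tightened_policy(GRANTED_POLICY, SAMPLE_EVENTS, "app-role"), indent=2))
```

For `app-role` the report shows `sqs:DeleteMessage`, `iam:PassRole` and `dynamodb:*` as never used, and `s3:*` as a wildcard that could shrink to `s3:GetObject` and `s3:PutObject`. `iam:PassRole` on `*` is the one to act on first, since it lets the role hand any other role to a service, which is a privilege-escalation primitive rather than an ordinary data permission. Two sessions of the same role (`i-0abc`, `i-0def`) are merged because entitlements belong to the role, not the session. Before removing a grant, confirm the observation window covers rare but legitimate activity (month-end jobs, disaster recovery) and that the relevant events were actually logged.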

Neil C. Hughes
Senior Technology Writer

Neil is a freelance tech journalist with 20 years of experience in IT. He’s the host of the popular Tech Talks Daily Podcast, picking up a LinkedIn Top Voice for his influential insights in tech. Apart from Techopedia, his work can be found on INC, TNW, TechHQ, and Cybernews. Neil's favorite things in life range from wandering the tech conference show floors from Arizona to Armenia to enjoying a 5-day digital detox at Glastonbury Festival and supporting Derby County. He believes technology works best when it brings people together.