Is Cloud Security Still an Install and Forget Job? Interview with Raj Samani, Chief Scientist at Rapid7

Raj Samani, Chief Scientist at Rapid7 and a special advisor to the European Cybercrime Centre, discusses the nuances of cloud security, the evolving role of AI in cyber defence, and the vital importance of collaborative efforts in establishing effective cloud security. 
 
Given your extensive experience in cybersecurity and your role as Chief Scientist at Rapid7, could you elaborate on why cloud security is often perceived as an “install and forget” job, and what challenges this mindset poses in today’s threat landscape? 

This is unfortunately a prevailing misconception that we’ve seen in the industry for many years now, and it’s often been the root cause of attacks targeted at the cloud. Cloud environments are dynamic and constantly evolving. With new services, updates, and configurations being added regularly, a static security approach is never enough. The belief that initial security measures are sufficient overlooks the need for continuous monitoring and updating to address emerging vulnerabilities and threats. Moreover, the cloud creates additional complexity with the lack of transparency afforded compared to on-premise deployments. 

The misconception that cloud service providers operate on a shared responsibility model that takes care of security is also a considerable issue. Clearly defining the area of responsibility for each party becomes crucial, particularly as we consider the burden for data controllers to manage the processing of personal data across the supply chain. 

Even if you implement robust perimeter security measures, you can’t just sit back, switch off, and expect your cloud systems to take care of themselves. Attack tactics are continuously evolving, which can make your existing cloud security measures almost immediately ineffective. At the same time, there’s also the risk of insider threats and human error. 

So, cloud security should never be treated as a one-time task but a continuous process. It requires ongoing vigilance, rigorous authentication, constant monitoring, regular training, and adaptation to new threats. 

In your view, what specific vulnerabilities or shortcomings in cloud security practices contribute to cyber incidents, and how can organisations better address these issues?

We recently conducted a mid-year threat review at Rapid7 and found that a shocking 40 per cent of incidents in the first half of 2023 were a result of poor multi-factor authentication (MFA) practices, particularly on cloud-based remote access systems like VPNs, virtual desktop infrastructure (VDI), and SaaS applications.  

Our report very clearly highlights the critical need for robust MFA protocols. However, it’s not just about having MFA in place; it’s also about implementing it correctly. MFA push fraud is on the rise as threat actors take advantage of notification fatigue, suggesting that organisations need to look beyond traditional MFA methods. Solutions like number matching can mitigate this fatigue and enhance security. 

Beyond the vulnerabilities in access controls, around 11 per cent of incidents were linked to cloud misconfiguration. In a race to deploy cloud applications quickly, if you leave behind misconfigured elements such as unrestricted ports, unvetted third-party connections, or excessive permissions, you’re basically giving an open invitation to the threat actors. Balancing speed with caution and vigilance should be the key to effective cloud implementation. 

Additionally, more than a third of widespread threat vulnerabilities were exploited in zero-day attacks, emphasising the need for routine patch cycles and prioritising patching on high-value assets. This includes putting network edge devices, like VPNs and file transfer appliances, on a high-urgency patch cycle. 

The best way to address all of these vulnerabilities is to focus on the security fundamentals. Businesses should implement and harden MFA, continuously monitor for unusual access to cloud storages like Google Drive and SharePoint, and establish clear, measurable deadlines for routine patch cycles, focusing on both OS-level updates and actively exploited vulnerabilities.  

You have been involved in cybercrime cases. How do you see the role of cloud security evolving in the context of cybercrime investigations, and what improvements are needed to enhance the security posture of cloud environments?

Broadly speaking, when we consider the evolving threat landscape, we have to consider the constantly evolving tactics being leveraged by threat actors. It has been said that we are in a constant game of cat and mouse to stay one step ahead of their next move. 

I think a major concern going forward will be the misuse of commercial cloud service providers (CSPs). For example, threat actors are not always relying on infrastructure that has been known to host command-and-control servers and are increasingly leveraging CSPs to host malicious content. The reason behind this shift is clear: the growth of reputational feeds against known bad IPs demands a change in how attackers blend their malicious activities with legitimate services. 

To combat these threats, we have to reimagine our approach to cloud security. There’s a need for closer collaboration between cloud service providers, cybersecurity experts, and law enforcement agencies to effectively track and combat these evolving threats. For businesses, once they have the critical security fundamentals in place, they should look to implement more advanced detection systems, improve threat intelligence sharing among stakeholders, and continuously update and refine security protocols.

Your co-authorship of the “CSA Guide to Cloud Computing” indicates a deep understanding of cloud security. How can organisations transition from the traditional “install and forget” approach to a more proactive and continuous security model, and what are the key elements of the “assess, detect, respond, and automate” framework?

To move away from the “install and forget” mindset, businesses must first prioritise cloud security at the top of their security team’s agenda. This means making cloud security a continuous process, demanding a level of transparency against an often opaque deployment. Although the historical approach would be to drive periodic assessments such as audits of critical cloud resources, we have to consider frameworks that provide continuous cloud security assessments. This incorporates the key aspect of the “assess, detect, respond, and automate” framework, which is integrating real-time monitoring and analytics, enabling rapid detection and response to potential threats. 

“Assess” involves conducting these continuous assessments to identify risks against the deployment. This step is crucial for understanding the current security posture and planning improvements. “Detect” focuses on implementing advanced monitoring tools to identify potential threats and anomalies on the cloud in real time. Concurrently, organisations must have a robust incident response plan that can be rapidly activated in case of a breach or threat. This ensures minimal impact and quick recovery. 

There should also be a significant focus on training and awareness, ensuring that all employees understand the evolving nature of cloud threats and their role in maintaining security. At the same time, business leaders should look to make life easier for the security teams. Leveraging automation for routine security tasks can significantly improve efficiency and consistency, freeing up resources to focus on more complex security challenges. 

How can organisations leverage artificial intelligence and machine learning to enhance their cloud security measures?

The use of AI/ML within cybersecurity is not new; indeed, one can argue that the implementation of data science for driving stronger efficacy demonstrates how cybersecurity has been leading the charge well before it has become a mainstream topic. The demand to drive better detection is a perpetual challenge, particularly as we consider the evolving tactics by threat actors. This means investing in solutions that can detect and prioritise anomalous activities, as well as effectively distinguish between threats and genuine activities. This sharpens the focus on true threats, significantly reducing false positives and enabling security operations centre (SOC) teams to concentrate on active threat investigations and responses. 

It’s also important that businesses integrate AI and ML solutions for better cloud management, not just security. They should implement tools that can automate critical processes, such as adjusting configurations, right-sizing permissions and privileges, and streamlining collaboration across the SOC, engineering, and IT teams during incident investigations. Ultimately, the benefits of efficient management transition into better security. 

In advocating for constant monitoring as part of the security framework, how do you address concerns related to the potential impact on system performance and operational efficiency? What strategies can organisations employ to strike a balance between security and operational needs?
 
The best and perhaps the only way of balancing security and operational efficiency is by turning cybersecurity into a core business process. Organisations shouldn’t look at cybersecurity as an isolated responsibility; rather, it should come up in every single business process. There should be a centralised security strategy where cyber risk is collectively understood and managed by all stakeholders, from the CEO to the most junior team member. Every business component should work together like a well-tuned engine, balancing security needs with operational demands for optimal performance. 
 
CEOs play a pivotal role in achieving this integration of cybersecurity. They must lead the change, establishing security responsibility and accountability across the entire business. The key is open communication and a shared understanding between all parties. By engaging the entire workforce in cybersecurity, recognising it as a team game, and defining clear roles and responsibilities, organisations can decentralise cybersecurity. This approach not only improves security effectiveness but also aligns it with broader business objectives, ensuring operational efficiency. 

The notion of hackers lurking within networks for extended periods is alarming. What steps can organisations take to improve their ability to detect and respond to these prolonged threats in cloud environments?

A business’s detection and response capabilities often come down to how good its threat intelligence data is. The cyber domain is undoubtedly an ocean of threats, and you can’t possibly address every single one. So, the most practical approach is to address threats that are critical to your business and pose a high risk to your valuable assets. That’s why you need quality threat intelligence data, which will help to provide a deeper understanding of the tactics, techniques, and procedures (TTPs) used by attackers. 

Achieving this requires businesses to invest in tactics such as routine threat hunting for evidence of compromise, leveraging true actionable intelligence. This activity becomes a key component of continuous assessment within an environment, and it demands the integration of intelligence based on new findings and evolving attack patterns as well as ensuring that all relevant teams are trained to interpret and act on this intelligence effectively. 

As cloud security continues to evolve, what role do you see for collaboration between industry stakeholders, government agencies, and cybersecurity professionals in shaping effective security practices and policies? How can these collaborations contribute to a more robust defence against emerging cyber threats in the cloud?

The need for collaboration in cybersecurity is more critical than ever. This year alone, there have been several high-profile take-downs of dark web marketplaces and ransomware groups, such as PIILOPUOTI and Genesis Market, where collaboration between the private and public sectors helped the industry crack down on numerous malicious activities. Such collaborative efforts demonstrate that absolute anonymity for cybercriminals is increasingly a myth, and their activities on the dark web are not entirely risk-free. 

The key to effective collaboration lies in maintaining cross-industry transparency and communication. It’s about sharing information and working in unison to develop and implement effective security practices and policies. This synergy can significantly enhance our collective defence against emerging cyber threats in the cloud or anywhere else we conduct business. 

Executive Profile 

Raj Samani is a computer security expert with more than 25 years’ experience building a stronger, more resilient cybersecurity community through organisational leadership and industry activism. As Senior Vice President and Chief Scientist at Rapid7, Raj is responsible for extending the scope and reach of Rapid7’s research initiatives to further inform and equip business and government leaders. Raj has assisted multiple law enforcement agencies in cybercrime cases and is special advisor to the European Cybercrime Centre (EC3) in The Hague.