When we founded McAfee (formerly Skyhigh Networks) five years ago, we recognized that security was the biggest barrier to cloud adoption. But we also saw the promise of cloud to transform how organizations conduct business. We wanted to turn security into the biggest driver of cloud adoption so that organizations adopt cloud not only because it enables faster time to market, higher productivity, and lower cost compared with on-premises applications running in the datacenter, but also because cloud is more secure. We built McAfee Security Cloud to make this vision a reality, helping launch the Cloud Access Security Broker (CASB) market in the process.
Data is your most valuable asset
Today, data moves faster than ever. The advent of cloud has eroded national borders and the corporate perimeter. Employees access data from the home and office, when on-network and off-network, and using managed and unmanaged devices. Data sharing and collaboration are now a click away. At the same time, in every industry data is becoming an organization’s most valuable asset. Take Caesars Entertainment as an example. The company owns over 50 resorts worldwide, including the famous Caesars Palace in Las Vegas. Yet their most valuable asset, valued at over $1 billion, isn’t one of their resort properties, it’s the data from their customer loyalty program that tracks every interaction with every customer.
Today’s cloud security challenges
Despite advancements in cloud security, enterprises still face a number of challenges.
More than half of enterprises today use more than five security tools that generate alerts. The growing number of alerts is leading to “alert fatigue” among overwhelmed security analysts who miss the signal because of all the noise, who ignore alerts because there are too many to properly review. Cloud is making the alert fatigue problem worse due to the massive volume of events and violations that occur within cloud services. Today, at the average enterprise there are 387 cloud incidents each month for every analyst in the SOC (Security Operations Center). 10.1% of organizations plan to hire more SOC analysts to deal with this problem, but with the number of alerts growing exponentially, hiring more SOC analysts cannot be the answer.
The typical incident remediation process requires SOC analysts to manually review each alert. But SOC analysts lack essential context for what happened, which requires them in many cases to contact the end user to understand the incident. This is problematic because there is a small SOC team in relation to thousands of end users in the enterprise who generate an increasing flood of incidents through their cloud usage. The problem is frustrating for end users as well, because when they unintentionally violate a policy and a remediation action is automatically taken (e.g. quarantine of file) it interrupts their work and they must wait until the SOC analyst tries to resolve it.
Email is changing
Even in today’s cloud world, email is still the killer app. Exchange Online has grown rapidly in the past three years as Microsoft pushes migration to cloud email for existing customers. Between 2016 and 2017, the number of on-premises Exchange Server enterprise mailboxes in use decreased by 46% as more customers moved to the cloud. Today, Exchange Online is the number one most popular enterprise cloud service by user count. But while the popularity of email remains, the nature of sharing is changing. In the cloud, Office 365 users also upload and share data in OneDrive, SharePoint, Microsoft Teams, Yammer, etc.
In the on-premises era, 64% of enterprises deployed an email data loss prevention (DLP) solution to prevent sensitive data from leaving the enterprise. However with information leaving the enterprise in a variety of ways in Office 365, enterprises wanting to enforce DLP policies for on-premises email must contend with these new cloud-native sharing methods. They also must recognize that email itself is changing. Before, email DLP solutions scanned the message payload, including any attachment. As attachment sizes have increased, Exchange Online has introduced capabilities to automatically attach large files via OneDrive, bypassing email DLP.
Real-time vs complete coverage
Today, cloud security solutions enforce controls across data in the cloud via two methods: inline and API. With an inline mode, enforcement occurs in real time as data moves from the end user to the cloud service. However, sitting inline doesn’t offer complete coverage. Sitting inline only gives visibility and control over data in motion, not data already resident in cloud services. The inline deployment mode also doesn’t cover data created natively in the cloud, because the contents of a file being edited live within an application cannot be inspected when sitting inline. And inline inspection breaks apps that rely on pinned certificates, a security feature being rolled out by more cloud providers to prevent man-in-the-middle attacks.
Cloud service providers have made APIs available for security providers to inspect content, monitor activity, and enforce controls. The API deployment mode offers complete coverage, both for data that users upload and also data at rest within the cloud service. This mode also supports data created natively in the cloud, and all applications including certificate pinned apps. However, there is one major drawback of APIs: they’re not real time. APIs are delayed by 5-20 minutes, which is actually a much bigger problem than it may seem because 21% of files are accessed within 5 minutes of being shared. Once the data is accessed, the horse has left the barn, so to speak, so enforcing controls on the data at that point is too late.
A leap in innovation
Today, we’re announcing three breakthrough innovations that address these challenges.
Autonomous Remediation automates the work that security analysts perform to remediate low-severity incidents. Our automation approach puts the end user at the center because, 1) the user has context for the incident, 2) cloud adoption is about increasing end user productivity, and 3) there are more end users than SOC analysts. When a user violates a policy, McAfee sends a coaching message to the user so they can correct the incident. Let’s say the user is editing a spreadsheet in Excel Online and she adds a credit card number, violating a DLP policy. McAfee detects the violation and surfaces an alert in Excel Online, while simultaneously sending the user a coaching notification to remove the credit card number. Once the user has fixed the violation, the alert is marked as resolved.
Observed performance of Autonomous Remediation at enterprises shows that end users, on average, resolve 97% of incidents on their own, and end users resolve, on average, one incident per month. The impact on SOC analysts is more pronounced. The volume of cloud incidents requiring review drops from 387 per SOC analyst per month to 12. This frees SOC analysts to monitor high-level dashboards showing incident volume and resolution, and to focus investigations on high-severity incidents end users are not able to resolve. End users benefit from a better experience too, since they no longer have to wait for IT’s response to continue working. Over time, real-time coaching also shifts user behavior, reducing the overall number of incidents being generated.
Cloud Email DLP
Solving the cloud email challenge requires a unique, cloud-native deployment architecture. Sky Gateway – Email Mode is a new deployment mode that extends McAfee’s DLP coverage to cloud-based email. This new deployment mode covers all elements of the email: the metadata (e.g. subject, recipient), the message body, the attachment, and any cloud attachments (e.g. files attached to Exchange Online emails via OneDrive). Our cloud-native architecture focuses on enforcing policies in the cloud, not between the end user and the cloud. Therefore, McAfee’s solution covers all email protocols, all devices (managed and unmanaged), no inline breakage (caused by sitting inline between the user and the cloud), and no endpoint agent.
Another key advantage of McAfee’s Cloud Email DLP is that it enables enterprises to enforce one sharing policy across all of Office 365 – not just in Exchange Online, but also across OneDrive, SharePoint, Microsoft Teams, etc. When enterprises adopt Office 365, they adopt a suite of applications, not just email. By leveraging a unified policy across all of Office 365, enterprises can also use a single remediation workflow for all Office 365 incidents. Out of the box, our email DLP solution supports Autonomous Remediation, which significantly reduces the volume of email DLP violations requiring manual review by SOC analysts and of IT help desk calls from users who are unable to send an email they need to do their job.
Finally, we’re bringing innovative technology to market that resolves the tradeoff enterprises previously had to make between real-time enforcement and complete coverage. Lightning Link is a new deployment mode, as significant as today’s CASB inline proxy and API modes, that we think is going to be a game changer for enterprise cloud adoption. Lightning Link connects directly to cloud services from the same datacenters, delivering real-time enforcement of policies before the action is fully executed within the cloud service. It delivers the complete coverage enterprises experience with an API deployment mode, with the real-time nature of being inline. It’s inline-like enforcement without the friction of being inline.
All three features announced today, Autonomous Remediation, Cloud Email DLP, and Lightning Link are available now in McAfee Security Cloud. They are part of our broader vision for securing your data, your most valuable asset, wherever it goes in the cloud. They are all cloud-native: designed for the interactions, scale, speed, and flexibility of the cloud. This is security that accelerates business. To learn more about McAfee’s Cloud-Native Data Security capabilities, visit the overview page here.
About the Author
Categories: Cloud Security