03/28/2022 | News release | Distributed by Public on 03/28/2022 13:54
Security incidents involving a cloud account takeover can be very costly for today's enterprises. A recent Ponemon Institute study found that companies lose $6.2 million annually from cloud account compromises. Things are getting worse, too: 50% of respondents in the same Ponemon study said the volume or frequency of cloud account compromise incidents has increased over the past 12 months.
The growth of cloud storage, the rise of remote work and greater use of cloud applications for anytime-anywhere workforce collaboration are all helping to increase attackers' interest in targeting cloud accounts. Malicious actors know that sensitive data is there for the taking, resting in cloud storage applications or moving between cloud and web applications.
There is additional upside for attackers who succeed at cloud account compromise. Following a cloud account takeover, attackers can potentially use the account (and often do) for data exfiltration, business email compromise, and lateral movement (including sophisticated social engineering). These extended campaigns can lead to more account compromises and greater data and financial loss for organizations.
Active Directory, across on-premise and in the cloud, is ubiquitous as the identity provision technology in any large enterprise. This is a gateway to Office 365 apps and more, which are core to how work gets done in many organizations. Okta Identity Cloud is a very popular secure cloud single sign-on (SSO) solution for users to access the IT-approved applications they need to be productive, including when they are working remotely. These enterprise applications are known as federated applications.
While this method of user authentication is convenient, it also makes a user's credentials for an enterprise Office 365 or Okta account a top prize for attackers. Account compromise in this case means gaining the keys to a very powerful gateway. If a malicious actor has access to an enterprise user's cloud account credentials for Office 365 or in Okta, they can also then access all the other enterprise applications using those same credentials.
And, if the enterprise doesn't enforce multifactor authentication (MFA) to increase the security of user accounts, getting to those apps and data is even easier for an attacker following an account takeover.
Organizations can better protect their users from the risk of an account compromise in thousands of applications in the Office 365 and Okta environments.
Proofpoint CASB detects and remediates suspicious logins in near-real time based on our integrations with Proofpoint Emerging Threat (ET) Intelligence, Proofpoint Targeted Attack Protection (TAP) and CASB proprietary threat intelligence and user behavior analytics.
Figure 1: Attack sequences within Proofpoint CASB simplifies hunting for threats by correlating initial access with post-access malicious activity with high confidence.
This unique threat context comes from:
This means that we can protect your users when they log in via the Okta SSO, even if the identity provider isn't Okta. This is most commonly the case with customers using Okta for SSO and Microsoft Active Director as their identity provider.
General cloud security guidance:
Now, let's move onto our recommendations if you use a CASB, especially Proofpoint CASB:
Figure 2: CASB detection and remediation rules for Okta-federated applications to protect from account takeovers
Threat hunting scenarios based on potentially risky user administrative and risky single sign-on activity:
More detailed instructions are available to Proofpoint customers on our Communities portal.
Proofpoint CASB supports dynamic and policy-based detection, remediation and real-time access prevention of suspicious logins into cloud apps using the breadth of our deployment models-CASB API, adaptive access controls and forward proxy.
With our comprehensive and adaptive controls, Proofpoint can protect any application used in modern enterprises today from account compromise and takeover attempts.
To learn more about how Proofpoint CASB can protect your cloud accounts from account compromise and other threats, read more here.