AWS S3 can be a security risk for your business
Along with the shift to the cloud and emergence of modern digital services and applications, new security concerns have emerged for organizations. More connectivity means more risk, and the greater the risk, the more protection is needed.
As the use of AWS’ Amazon Simple Storage Service (S3) has increased, so have the content types that are stored and shared on it. AWS S3 buckets are now exposed via additional channels and APIs, which create new security blind spots that hackers are waiting to exploit.
Shared responsibility
It is a known fact that AWS takes no responsibility for what their customers put into their managed databases and how they use it. AWS takes responsibility for the security of the cloud. It’s up to each company to choose and implement the most efficient threat detection tools to ensure their data is properly secured in the cloud.
The following diagram presents this Shared Responsibility concept:
Changing use cases create new security risks
Let’s take an example from the insurtech space, where customers are uploading insurance claims, bills, and other files via an online application.
The insurtech vendor promises its customers responses within minutes, and the business process demands opening these potentially dangerous files and processing them within that time range. The company is essentially blind when it comes to files that originate from external sources, internal company assets, etc.
We can find similar scenarios across many industries such as finance, fintech, retail, manufacturing, enterprise software and more, with applications such as billing, payments, insurance claims, project management tools, collaboration apps and others. In each case, the mix of file types may vary depending on the business, but most files are deemed high risk and should be properly scanned.
Content-borne threats include malware, ransomware, APTs, embedded malicious links, evasion attempts, and more, which are well hidden in different file types including Word (.doc, .docm, .docx), Excel (.xls, .xlsx, .xlsm, etc.), PowerPoint (.ppt, .pptx, .pptm), Adobe (.pdf), archive files, text files, executables, and even email (.eml) files.
To detect these threats and intercept them quickly enough for the needs of modern services, a threat detection tool must be able to:
- Scan 100 percent of files dynamically and in a matter of seconds
- Not tamper with the files or change them in any way
- Deliver high detection rates and low false positives, and not overtax the security team
Traditional tools dynamically scan files with sandbox technology. Sandboxes are slow, were not designed for real-time use, and cannot be adjusted to support it. Because it could take up to 20 minutes to dynamically scan a file with a tool based on sandbox technologies, companies are forced to be selective about which files to scan. This increases the risk that malicious content gets in, and this is what attackers are exploiting.
There are indeed fast tools that can statically scan content (e.g., a simple AV solution). Other tools use CDR (Content Disarm & Reconstruction) technology. AV technology depends on what is already known, while CDR tampers with files and changes them. These limitations open S3 buckets to attackers using simple evasion techniques, which easily circumvent the detection methods of these solutions.
If there is no advanced dynamic scanning to augment core static capabilities, the organization cannot adequately detect potential threats that can infiltrate the S3 environment and harm the organization.
IT teams are stretched extremely thin and there is a lack of cybersecurity experts who are required to execute on the many tasks involved in managing and handling incidents.
SOC teams are looking to their threat detection vendors to assist and provide incident response services that can not only supercharge their team, but also work closely with the organization to ensure that the threat detection service remains relevant, providing optimal results as the threat landscape quickly evolves.
Traditional services, although moving to the cloud, are not cloud native and not agile. Incident response is also an afterthought and not built into the service. These two limitations result in security solutions whose results degrade, delivering false negatives as well as false positives and posing more risk for the organization.
Recommendations
Modern enterprises and business application providers realize they must be vigilant about their security, and that S3 bucket security is a blind spot due to the changing use cases and data workflows. At the same time, they are challenged by slow, complex, and outdated security solutions.
Companies should look for a cloud-native solution that can dynamically scan 100 percent of their S3 content, both files and URLs, in seconds, and that works at the CPU level, identifying exploits by examining the entire execution flow to deterministically identify malicious activity. Another important element that companies should consider is access to an incident response team. Organizations must be savvy when selecting the right service for comprehensive S3 bucket protection at the speed and scale of their business.