Cybersecurity vendor Sophos is making a pair of announcements today. First, it has released a new report that documents the speed and persistence with which cloud honeypots were attacked in a simulation. Second, Sophos has released a new solution designed to increase protection against the force and pace of these cloud attacks. Sophos Cloud Optix is designed to provide much greater visibility into these environments and, in particular, to highlight the gaps and flaws that these attacks can exploit.
The report, Exposed: Cyberattacks on Cloud Honeypots, was prepared to document the scale of the attacks that typically lead to breaches, rather than focusing on any specific breach.
“The reason we produced this report was that it was hard to find impartial and non-brand name research,” said Richard Beckett, Senior Product Marketing Manager at Sophos. “The reports that are out there focus on ‘why Brand X has suffered a breach.’ The need for this kind of report is something that partners started to talk to us about.”
At its most basic level, the report says that the volume of these attacks is extremely high, making it a certainty that new devices in the cloud will be identified and attacked almost immediately by attackers looking for weaknesses that can be exploited. Sophos set up honeypots, which are designed to attract cybercriminal attacks so that the attacks can be studied, in 10 of the most popular AWS data centres in the world: California, Frankfurt, Ireland, London, Mumbai, Ohio, Paris, Sao Paulo, Singapore, and Sydney. The honeypots were then monitored over a 30-day period.
“They weren’t set up with anything juicy – just to mirror what is going on,” Beckett said.
The study found that the cloud servers in each honeypot were hit by an average of 13 attempted attacks per minute, per honeypot. The Sao Paulo honeypot was attacked within 52 seconds of going live, and the average length of time before a honeypot was attacked was 40 minutes. More than 5 million attacks were attempted on the network of honeypots in the 30-day period.
“This is what links to the breaches,” Beckett said. “Cybercriminals are continuously scanning for vulnerabilities. This emphasizes the importance of visibility in the cloud infrastructure, so you aren’t leaving any open doors. A lot of the attack data does relate to well-known brands, although we are not publicizing those. The report is there to say that there is a big problem.”
Enter Sophos Cloud Optix. It is an agentless solution built on the AI-powered technology of Avid Secure, which Sophos acquired in January 2019. It provides intelligent cloud visibility, automatic compliance regulation detection and threat response across multiple cloud environments.
“Before acquiring Avid, we had Intercept X for Server which gave us visibility into AWS workloads,” Beckett said. “That’s where we were before. Sophos Cloud Optix gives full coverage of the public clouds, at a deeper level of detail. It gives us the ability to jump a lot higher. You can now break down into hosts and databases, and see what’s patched, what’s unused, and thus wasting money. It layers inbound and outbound traffic, and goes further to show where traffic is going now and where it COULD go. That is very valuable. It brings in compliance components which we didn’t have before with Intercept X for Server. Avid hooks into the APIs to get accurate visibility of what you are running in the network, so you can manage compliance. It then alerts you to issues that need remediation.”
Another plus of the new technology, Beckett emphasized, is that it was built with artificial intelligence capabilities designed to avoid ‘alert fatigue.’
“It is designed to show one root cause, instead of many aggravating alerts, so that you have one thing to fix instead of 200 alerts,” he stated. “One company, Shutterfly, went from 280,000 alerts to 700 alerts when they switched Avid on.”
For Sophos’ channel partners, who are the entire route to market, Sophos Cloud Optix provides an answer for the problem that the report documents.
“The biggest piece here for partners is that many organizations are unaware of the gaps,” he said. “It shows dangerous anomalies like the S3 bucket being set to open, or ports being open in MongoDB, which wasn’t designed for the cloud. It lets them identify what assets communicate with the public internet, to show them, for example, that MongoDB has a direct line to the internet, so they can close the back door. Otherwise, everything looks like a VM, so they might not be able to see it. This is a great opportunity for partners to go in and tell customers what they have running in the cloud and see weaknesses they may not know were there. Once they know where the gaps are, they can address issues.”
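As an added illustration of the two exposures Beckett names (a world-readable S3 bucket and MongoDB's port reachable from the internet), the following offline audit is example code written for this article, not Sophos Cloud Optix or Avid code. It runs over constructed records in the shape boto3's describe_security_groups() and get_bucket_acl() return; the group IDs, bucket names and rules are made up.

```python
import ipaddress

MONGODB_PORT = 27017
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # AWS predefined group
PRIVATE = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample records (same shape as boto3 describe_security_groups /
# get_bucket_acl output); with real data, feed those API responses in instead.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017,
        "ToPort": 27017, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017,
        "ToPort": 27017, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",  # all traffic
        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
BUCKET_ACLS = {
    "backups-public": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                   "Permission": "READ"}]},
    "backups-private": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                                    "Permission": "FULL_CONTROL"}]},
}

def is_public_range(cidr):
    """A range counts as public unless it lies wholly inside RFC 1918 / ULA space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)

def rule_covers_port(perm, port):
    if perm["IpProtocol"] == "-1":  # "-1" is AWS shorthand for all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def exposed_groups(groups, port=MONGODB_PORT):
    """IDs of security groups with an inbound rule reaching `port` from a public range."""
    hits = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            ranges = ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
                      [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if rule_covers_port(perm, port) and any(is_public_range(c) for c in ranges):
                hits.append(sg["GroupId"])
                break
    return hits

def public_buckets(acls):
    """Names of buckets whose ACL grants anything to the AllUsers group."""
    return sorted(name for name, acl in acls.items()
                  if any(g["Grantee"].get("URI") == ALL_USERS for g in acl["Grants"]))
```

Calling `exposed_groups(SECURITY_GROUPS)` and `public_buckets(BUCKET_ACLS)` on the sample data reports the two deliberately misconfigured records and leaves the internal-only group and the private bucket alone.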