On-prem or Cloud? Lessons from the Microsoft Exchange AttackDownload Case Study
As I’m writing this blog, malicious actors are actively exploiting vulnerabilities in the Microsoft Exchange Server software. These were zero-day exploits, which means that even organizations that were diligent in their patching were vulnerable. So far the estimates are that more than 60,000 organizations have been compromised.
In the past, organizations that chose to retain on-premise infrastructure usually cite the perceived lack of control over the access to their apps and data, or custom needs that are not met by cloud services. Today, most of those issues have been overcome through the sheer abundance of choice and customization of cloud services, their distributed architecture, and the advanced security controls provided by technology such as cloud access security broker (CASB).
Most organizations, however, are not making the choice to leverage the cloud in order to gain access to the advanced monitoring and security provided by the cloud platform vendors themselves. Leading platform vendors spend considerably more time and effort monitoring for security issues, vulnerabilities and anomalous behavior than a single organization could when running similar applications on premise.
This latest Microsoft Exchange attack demonstrates the benefits of leveraging cloud applications. Microsoft dedicates an enormous amount of resources to ensure that their cloud platform is highly available and secure. No matter how well-resourced your organization may be, it’s nearly impossible and extremely costly to monitor, detect and respond to incidents as effectively as Microsoft, the vendor of the platform, will do.
What’s happening to Microsoft Exchange Server?
On March 2, Microsoft released patches to address the four zero-day vulnerabilities in the Microsoft Exchange Server that form an attack chain. The first of these takes advantage of the ability to connect directly to the Microsoft Exchange Server from the internet. When used together they can lead to Remote Code Execution (RCE), server hijacking, backdoor installations and data theft. It also opens organizations up to unknown malware deployment across their infrastructure.
Microsoft Exchange Server is one of most popular on-premise business applications. In a nutshell, it’s the server that supports an organization’s employees’ email, contacts and calendars. For many of these organizations, it’s the messaging infrastructure their business relies on.
Instant updates versus manual patching
One of the most significant burdens organizations running Exchange on premise are faced with is keeping the software up to date. This problem can be exacerbated by the unique environment of each Exchange’s deployment.
For cloud-delivered applications, the patching is performed by the cloud service provider and occurs on an ongoing basis. When patches are issued to address a vulnerability, your cloud app will be patched without you having to do anything. For on-premises deployments, the responsibility of patching falls on the security team in their organization.
Even if the organization is able to maintain their patching, they would have still been vulnerable. Software-as-a-service (SaaS) services eliminate this problem.
Organizations are on their own responding to this attack
In this case, proactive patching would not have saved you from the attack. Now you’re on the hook to figure out whether your organization has been compromised.
With Microsoft Exchange Server software, there are now tens of thousands of organizations scrambling to patch their servers and investigate whether the advanced persistent threat has taken up residence in their core infrastructure. As recommended by the DHS Cybersecurity and Infrastructure Security Agency (CISA), even if you have patched the vulnerabilities, you’re still vulnerable. You now need to hunt for all the places in the server that the attackers may have placed their hooks and investigate if they have moved laterally within your organization’s network to other machines. The incident response could take weeks, or even months.
Many small to medium-sized organizations don’t have a dedicated incident response team to hunt for these indicators of compromise and respond accordingly. Even for large enterprise security teams, this is a resource-intensive process to perform on their own. By contrast, incident response is part of a cloud service provider’s job. With tens of thousands of customers to support, they have the scale to monitor and respond to threats effectively.
Moving to the cloud is becoming a security requirement
Organizations utilize on-premise software because they want full control. But it actually increases their risks. Even the most well-resourced organizations will have a hard time performing the level of monitoring and maintenance, and detection and response provided inherently by SaaS apps.
Your business has now moved away from the premises and employees are connecting remotely. In this environment, it’s best to leverage the security inherently provided by SaaS vendors, ensure secure connection to those applications leveraging technologies like CASB and ZTNA, and having that entire security strategy directly integrated into endpoint security.
Cybersecurity is a massive challenge that can only be addressed at scale. Lookout built a cloud-delivered platform because we understand this is the only way to continuously protect your organization’s data, on any endpoint and in the cloud. Visit the Lookout Security Platform page to learn more.