Symantec Aims to Reveal Cloudbleed Risks

Though Cloudflare, the company behind the Cloudbleed security incident, has been actively working to mitigate the impact of the vulnerability, Symantec has a new tool to help detect vulnerable applications.


What is the actual impact and risk of the Cloudbleed security incident? That's a question that is still being answered by Cloudflare and third party security vendors like Symantec alike.

On Feb. 23, the so-called Cloudbleed security incident was first publicly disclosed by Google Project Zero and Cloudflare. A week later, Cloudflare has attempted to quantify the impact of its information disclosure incident and security vendor Symantec now has a new capability to help its customers identify potential Cloudbleed risks.

The Cloudbleed security issue was a set of vulnerabilities in Cloudflare's systems that enabled the unintentional leakage of data. Before the flaws were identified and corrected by Cloudflare, the company now estimates that the vulnerability was triggered 1.2 million times, mostly by search engines. To help reduce risk, Cloudflare has worked with search engines to purge approximately 200,000 URLs that might have inadvertently cached the leaked Cloudflare data. To date, Cloudflare has no indication that any of its customers have been compromised or exploited due to the Cloudbleed incident.

Marc Rogers, Head of Information Security at Cloudflare, told eWEEK that he suggests that organizations use the information Cloudflare has already publicly published in conjunction with what organizations knows about their application architecture, to help determine what information could have been exposed.

While Cloudflare has been publicly posting about the incident, security vendor Symantec is now offering its customers an additional layer of mitigation by helping to further identify potential areas of risk. Symantec now offers its customers a Cloudbleed analysis analysis capability that makes use of the company's CloudSOC and ProxySG technologies.

The first part of Symantec's effort involved mapping all of the vulnerable Cloudbleed URLs. Deena Thomchick, Senior Director, Cloud Security at Symantec explained that Symantec's cloud research team cross referenced the IP addresses and URLs used by cloud applications in its Symantec Global Intelligence Network (GIN) database, to IP addresses and URLs owned by Cloudflare via a DNS lookup.

"This cross reference was important because cloud applications don't typically publish all of their URLs and in some cases an application may only be using Cloudflare's services for a small portion of their URLs," Thomchick told eWEEK

Thomchick explained that Symantec's CloudSOC Audit analyzes logs to discover cloud applications and potential Shadow IT applications, being used by members of the organization and it provides a risk analysis of those applications.

"We don't know if an exploit used data obtained by Cloudbleed but we can inform our customers that the risk exists to them because they were using these applications before Cloudbleed was discovered," she said. "What we know is that for a period of time, private data may have been exposed, cached or otherwise saved."

Cloudbleed Impact

Though Symantec is only publicly announcing the Cloudbleed analysis capability today, it was actually made available to some customers earlier this week. So far, Thomchick said that Symantec has had very positive feedback from customers. One customer discovered that six of the 58 cloud applications used in their organization over the last thirty days were at risk to Cloudbleed. She noted that another organization showed 12.5 percent of their several thousand applications were at risk.

The whole process of correlating Cloudbleed related IP addresses to potentially vulnerable applications is a complicated one. Thomchick said that there were over four million URLs susceptible to Cloudbleed and it isn’t practical to expect organizations to manually sift through and identify where they may have had exposure from that data.

"What organizations need is to identify the applications that members of their organization use to identify if they were at risk of compromise and get some remediation in place," she said.

Symantec mapped the four million URL to specific applications. Each cloud application consists of many URLs, with dependencies on other cloud applications for services such as content delivery. Of the over 21,000 applications in Symantec's database, Thomchick said that Symantec found that over 2,000 of them used Cloudflare in some form or fashion.

Symantec is making the Cloudbleed risk detection available today to all Symantec CloudSOC Audit customers, with no additional cost. Automated Cloudbleed mitigation will be available for Symantec's ProxySG customers later this month.

"CloudSOC Audit and ProxySG are complimentary in that CloudSOC Audit performs the discovery and forensics while ProxySG performs the enforcement and notifications," Thomchick said. "Non-ProxySG customers can take advantage of the discovery and forensics from CloudSOC Audit, and then manually apply policies on their proxy products."

For organizations that are worried about potential risks, there are a number of things that can be done to mitigate any potential impact from Cloudbleed. Thomchick said that Symantec considers password updates to be possibly the most important first remediation step to take.

"We also always recommend enabling 2-factor authentication when available because with 2-factor authentication an account can’t be broken into even if the password has been compromised," she said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.