Netskope – The Dark Side
Of The Cloud

27 Feb 2020

Netskope’s February 2020 Cloud & Threat Report (brought to you, in true Sesame Street-style by Netskope Threat Labs), details how cloud-enabled threats and the shifts of sensitive data into and across the cloud are occurring and complicating the security posture of organisations.

Put slightly more simply, your IT systems need to be more secure. The attackers are on the hunt for your data and they don’t seem to be slowing up.

Combined with the elevated risks of increasingly mobile and remote users accessing public and private apps in the cloud, there is no question that new security architectures and approaches are required.

That notwithstanding, legacy defences are now no longer able to keep up. It’s like taking a flick-knife to a gunfight. More or less pointless. In Netskope’s own words, you’re ‘providing a red carpet entry for cloud-enabled threats.’


The Headline Stats


The report’s headline stats are as follows:

  • Almost 90% of enterprise users are active in managed and unmanaged cloud services and apps
  • 44% of threats leverage cloud services across various kill chain stages
  • One in five users move data laterally, including between managed and unmanaged cloud services, plus company and personal instances
  • More than half of data policy violations come from cloud storage, collaboration, and webmail apps
  • On average, a third of enterprise users work remotely


Cloud-Enabled Threats Are On The Rise


As we continue to make you aware of, cybercrime is in many cases exceptionally well-funded and organised and like we are continually looking for increasingly clever ways to prevent attacks, they are looking – and finding – increasingly clever ways to attack, cue the watering hole attack.

The idea behind a watering hole attack is that in order to insert malware into a business, the attacker must ‘stalk’ an individual or group by putting the malware onto a site they trust (a watering hole), as opposed to inserting it into an email. The trouble is that it’s hard to insert malware into ‘major’ sites such as or so they look for smaller, less secure sites – watering holes – frequented by employees of the company they target.

The three main website categories targeted are content servers, online ads and personal sites and blogs.

Attackers are blending into the mainstream and the majority of the cloud threats are in the top 5 cloud service and app categories: Cloud Storage (27%), Webmail (12%), Collaboration (9%), Social (7%), and Consumer (3%).

Since digital transformation has accelerated cloud app usage in the enterprise where 89% of users are active, cloud apps are the new watering holes. By targeting these holes, success rates increase and detection decreases. Phishing and malware delivery remain the most popular cloud threat techniques and it’s no surprise that the most popular cloud service apps are the ones targeted with the highest frequency –

  • Office 365 One Drive For Business
  • Box
  • Google Drive
  • Microsoft Azure
  • GitHub

To prove how far cybercriminals have extended their reach, in the last two quarters of 2019, Netskope Threat Labs detected cloud threats across a staggering 1,600+ cloud services and apps and they say that security defences for a handful of the major apps is no longer enough:

‘Only decoding managed and unmanaged cloud services and apps in the thousands for threat and data protection defences fully addresses the challenge posed by attackers with the shift into the Cloud Kill Chain.’


Sensitive Data Is On The Move


A good strategy for cloud-enabled companies is to approve specific account instances of cloud apps to store sensitive data. However, and this is a big HOWEVER, Netskope research shows users are moving sensitive data across multiple dimensions among a wide variety of cloud services and apps including personal instances and unmanaged apps in violation of organisation policies with the majority of data policy violations happening in cloud storage, collaboration and webmail apps. The most common are:

  • Outlook
  • MS Office 365 OneDrive for Business
  • MS Office 365 Sharepoint
  • Box
  • Gmail
  • Google Drive
  • com
  • Egnyte
  • Microsoft OneDrive
  • Amazon S3

Perhaps most importantly, it’s the type of data that’s being moved (and detected by data policy violations) that is of the greatest concern and they relate to privacy, healthcare and finance:

  • Personally Identifiable Information (PII)
  • General Data Protection Regulation (GDPR)
  • Protected Health Information (PHI)
  • Payment Card Information (PCI)
  • Source Code
  • Passwords, Credentials, and Keys

The report goes onto say that at least 20% of enterprise users move data laterally between cloud applications and that data crosses any number of boundaries including between cloud app suites, between managed and unmanaged apps, between app categories and between app risk levels with close to 40% of that data being categorised as sensitive.

Data of all sorts is being moved into the cloud at uncontrollable rates by people (through no fault of their own) who often have little or no appreciation of the risk impact to their organisation and therefore it necessitates better monitoring, controls and governance and is leaving all but the most secure businesses vulnerable to data exposure and outright theft (and the massive financial implications that come with data breaches).

As we say over and over again – make sure you’re secure. Talk to us and we’ll help you. That’s what we’re here for.


The Inverted Network


Cloud-enabled organisations exhibit three trends that invert the traditional network – an increasing use of public cloud services, more remote workers and the migration of private apps and data to the cloud.

In the top three categories of cloud storage, collaboration and webmail, on average a single business uses 285 distinct cloud services and apps and in total the average enterprise uses 2,145 distinct cloud services and apps with the top 10 being:

  • Google Drive
  • YouTube
  • Office365 One Drive for Business
  • Facebook
  • Gmail
  • Office 365 Sharepoint
  • Outlook
  • Twitter
  • Amazon S3
  • LinkedIn

With more and more people working remotely –

  • 33% of users in an enterprise on any given day
  • The top 10% of organizations for remote work see more than 80% of their workforce working remotely
  • On average, each mobile user works from eight different locations…
  • … with the top 10% of remote users working from at least 18 locations

This trend demonstrates an increasing demand on legacy VPNs and puts into question the availability and reliability of those defences to protect remote and mobile workers. The evolution of Zero Trust Network Access and highly available cloud native defences provides a more secure and lower risk alternative.

The report also notices a trend for businesses moving internally developed apps and data to public cloud providers like AWS, Azure, and GCP. By doing this, one needs to ensure that these shifts meet regulatory standards and do not open up new security vulnerabilities.

The report says ‘a network transformation is occurring, with users more mobile and apps and services in the cloud. With it, enterprise security is transforming as well— focusing on securing data wherever it lives and updating the Zero Trust networking model for the cloud era.’


What Does Netskope Recommend?


In terms of best practice –

1. Inspect and decode all web and cloud traffic for malicious threats, such as cloud phishing and malware delivery. Ensure inspection of the content, instance, and activity to detect and block threats regardless of origin.

2. Implement cloud DLP capabilities to secure your data that is moving to the cloud and moving laterally between cloud services and apps. Establish DLP policies and rules with granular activity-level controls, application instance awareness, and adaptive behavioural analytics, alongside known regulatory compliance DLP policies.

3. Empower your workforce to work from anywhere through a flexible, scalable private access solution and protect them no matter what device they are using through a combination of cloud-native inline and API-based security defences.

Contact us today on or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or who’s the best Bond, Sean Connery, Roger Moore or Daniel Craig?


Koncise Solutions

Go Back