Token theft - My favorite attack scenario and the one that always works in every environment. Token theft is the most successful attack in Entra ID, with a rate of success. As we know, the attackers’ and pentesters' favorite shortcut is in cloud identity. What’s often missed is that token theft is not just about stealing a cookie, a refresh token, or else. The real challenge for defenders is detection:

- Attackers often replay tokens from different geographies or devices, and unless you track token linkage, it looks legitimate.
- Microsoft recently introduced Linkable Token Identifiers, a critical piece of metadata that helps SOC teams correlate token issuance and token usage, exposing anomalies that were previously invisible.
- Phishing campaigns are evolving from credential harvesting to device code phishing and token-stealing malware, which are harder to block at the perimeter.
- Detection opportunities exist in subtle signals: unusual token refresh rates, overlapping sessions, impossible travel, and reuse of the same refresh token in different contexts.

Here are some highlighted tips to reduce the risk of token theft in Entra ID:

- Leverage Linkable Token Identifiers: Collect and monitor the new Linkable Token Identifier fields in Entra sign-in logs. They allow you to correlate token issuance with later token use, exposing anomalies such as reuse from unexpected locations or devices.
- Harden Endpoints Against Token Harvesting: Tokens are typically stolen from browsers, caches, or memory. Enforce device compliance, block unmanaged browsers, and use the proper detection to spot suspicious access to credential stores.
- Reduce Token Lifetimes and Enforce Reauthentication: Shorten refresh token validity with Conditional Access session controls.
- Detect Abnormal Token Use: Build detections for suspicious patterns such as impossible travel, refresh token use from multiple IPs, or sudden spikes in token refresh attempts.
- Enable Token Protection: Use Microsoft Entra’s Token Protection to bind refresh tokens and session tokens to the device they were issued on.

#security #cybersecurity #cloudsecurity
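The issuance-to-use correlation the post describes, as an added example that is not part of the original post: it parses a few constructed sign-in records keyed by a session identifier, then flags a token use whose IP or country differs from where the session was issued, and two uses of the same session from different countries inside an impossible-travel window. The record layout and field names (sid, ip, country, kind) are assumptions made for illustration, not Microsoft's exact log schema.

```python
"""Correlate token issuance with later token use via a session identifier.

Added example; the log format and field names below are constructed for
illustration and do not reproduce the Entra sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one "issued" event per session id, then "used" events.
SAMPLE_LOG = """\
2025-03-01T08:00:00Z issued sid=S1 ip=203.0.113.10 country=NL
2025-03-01T08:05:00Z used   sid=S1 ip=203.0.113.10 country=NL
2025-03-01T08:20:00Z used   sid=S1 ip=198.51.100.7 country=BR
2025-03-01T09:00:00Z issued sid=S2 ip=192.0.2.5 country=NL
2025-03-01T09:01:00Z used   sid=S2 ip=192.0.2.5 country=NL
2025-03-01T09:30:00Z used   sid=S2 ip=192.0.2.5 country=NL
"""


def parse(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, kind, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    rec.update(dict(p.split("=", 1) for p in pairs))
    return rec


def find_token_anomalies(log_text, travel_window=timedelta(hours=1)):
    """Return a list of (sid, reason) findings for the given log text.

    Check 1: a "used" event whose IP/country differs from the "issued" event
             of the same session (token replayed from elsewhere).
    Check 2: two consecutive uses of one session from different countries
             within travel_window (impossible travel).
    """
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_sid[rec["sid"]].append(rec)

    findings = []
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        issued = next((r for r in recs if r["kind"] == "issued"), None)
        uses = [r for r in recs if r["kind"] == "used"]
        for u in uses:
            if issued and (u["ip"], u["country"]) != (issued["ip"], issued["country"]):
                findings.append((sid, f"use from {u['ip']}/{u['country']} differs "
                                      f"from issuance {issued['ip']}/{issued['country']}"))
        for a, b in zip(uses, uses[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= travel_window:
                findings.append((sid, f"impossible travel {a['country']}->{b['country']} "
                                      f"in {b['ts'] - a['ts']}"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_token_anomalies(SAMPLE_LOG):
        print(sid, reason)
```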
Endpoint Security in Cloud Environments
Summary
Endpoint security in cloud environments means protecting devices like laptops, phones, and servers that connect to cloud services from cyber threats. This approach helps ensure that both the devices and their connections to cloud platforms stay safe, especially as attacks increasingly target these entry points.
- Audit admin controls: Review who has access to your cloud management tools and use multi-factor authentication and multi-person approvals for sensitive actions.
- Monitor for unusual activity: Track signs like tokens being used from unexpected locations or devices and investigate anomalies quickly.
- Keep configurations current: Regularly update security settings and policies on endpoints, and verify that detection and response workflows are working as intended.
80,000 devices wiped in a single command. Not by malware - by a management tool doing exactly what it was designed to do. Earlier this month, attackers compromised Stryker's Microsoft environment and used Intune's built-in wipe command to erase nearly 80,000 endpoints. CISA issued an advisory within days.

This one hit close to home for me. At Nerdio, we build tools that give IT teams powerful control over their cloud environments. That power is the whole point - manage thousands of desktops, apply policies at scale, automate what used to take hours. But every capability you give an admin is a capability an attacker inherits if they compromise that admin's credentials.

We've thought about this a lot internally. The question isn't whether your management tools are powerful enough. It's whether the controls around who can use that power are strong enough. CISA's recommendations are straightforward:

- Least privilege for every admin role
- Phishing-resistant MFA on admin accounts
- Multi-admin approval for destructive actions

That last one is critical. No single admin should be able to wipe an entire fleet without a second person signing off. The inconvenience of an approval step is nothing compared to 80,000 bricked devices. If you're managing endpoints at scale, take a hard look at your admin access model this week. The attack surface has shifted, and the tools you depend on most are the ones that need the most protection.

#EndpointManagement #CyberSecurity #Intune #EUC
-
Are you prepared for the storm that may be brewing in your cloud environment? With the right tools and strategies, you can secure your assets and fortify your defenses. Here’s your Advanced Cloud Security Audit Checklist using open-source tools:

➡️ Cloud Resource Inventory Management
- Use CloudMapper to discover and map all cloud assets.
- Ensure accurate asset tracking for security visibility.

➡️ IAM Configuration Analysis
- Audit IAM policies with PMapper to identify risks.
- Enforce least privilege access to minimize the attack surface.

➡️ Data Encryption Verification
- Validate encryption protocols with OpenSSL & AWS KMS.
- Ensure data encryption at rest and in transit.

➡️ Network Security & Vulnerability Assessment
- Scan security groups & NACLs using Scout2 or Prowler.
- Detect unintended access points and misconfigurations.

➡️ API Security & Vulnerability Scanning
- Test API authentication with OWASP ZAP or APIsec.
- Identify API weaknesses and prevent unauthorized access.

➡️ Cloud Penetration Testing & Vulnerability Scanning
- Continuously scan for vulnerabilities using OpenVAS or Nessus.
- Detect and remediate security flaws in cloud infrastructure.

➡️ IaC Security Auditing
- Review Terraform & CloudFormation with Checkov.
- Detect misconfigurations before deployment.

➡️ Logging & Cloud Activity Monitoring
- Aggregate security logs using ELK Stack or Wazuh.
- Perform anomaly detection to spot suspicious activity.

➡️ Cloud Compliance & Regulatory Monitoring
- Automate security compliance checks with Cloud Custodian.
- Ensure adherence to GDPR, HIPAA, and SOC 2 standards.

➡️ Audit Trail & Incident Response
- Monitor cloud logs using AWS CloudTrail or Google Audit Logs.
- Track administrative activity and detect threats early.

➡️ MFA Enforcement & Audit
- Verify MFA settings across critical accounts.
- Enforce multi-factor authentication using MFA Checker.

➡️ Cloud Backup & Disaster Recovery
- Perform integrity checks using Duplicity or Restic.
- Validate recovery point objectives (RPO) and test restores.

Follow Satyender Sharma for more insights!
-
Many organizations believe they’re secure because they’ve invested in security tools. Reality check: tools alone don’t stop breaches. Configuration, monitoring, and real operational process do. Some examples: Over the past years, I’ve come across environments running Microsoft security solutions like Microsoft Defender, Microsoft Sentinel, and Entra ID. The stack is powerful, but most of the risk I see doesn’t come from missing technology, it comes from incomplete implementation. A few technical examples that show up more often than expected:

- Conditional Access policies exist, but legacy authentication is still allowed, or MFA isn’t enforced for privileged roles, or no break glass account process is configured.
- Microsoft Defender for Endpoint is deployed, but protections like Attack Surface Reduction rules, Tamper Protection, or Network Protection are still in audit mode.
- Microsoft Defender for Endpoint is still running on the MMA version for Server 2012R2/2016 and not migrated to Unified Agent.
- MDE/MDI Sensor versions are outdated.
- Microsoft Defender is configured, but not tested for Attack Disruption, or Defender for Identity is not installed on all types of supported sensors.
- Defender alerts are generated, but there’s no triage process, no incident ownership, and no response automation.
- Privileged accounts exist outside Privileged Identity Management (PIM), with standing Global Admin permissions.

More Defender examples in my blog: https://lnkd.in/e-9VjbPJ and https://lnkd.in/dEtk7rCB

None of these are tooling problems. They’re operational ones. The Microsoft security ecosystem can be extremely effective when identity, endpoint, and cloud telemetry are connected/correlated and actively monitored. But deploying the platform is only the starting point.

Real security comes from continuously reconfiguring policies, keeping configurations up to date, tuning detections, implementing new innovations, and turning alerts into actionable response workflows, and don't forget to test the flows with simulations. Security actually begins after the deployment. If the tools aren’t continuously tuned, monitored, and improved, they won’t deliver the protection they’re capable of.

Action point: Review the existing environment and see if all new innovations and configurations are following the latest best practice and the security is working (example: Attack Disruption).

#MicrosoftSecurity #MicrosoftDefender
-
ZTNA (Zero Trust Network Access) isn’t hype in 2026. It’s how the fastest teams are securing cloud apps. The shift to ZTNA is hitting hyperspeed, leaving traditional VPN models behind. ⚡ While some are still debating it, modern security teams are already locking down access at cloud scale. 🛡️🌐

I've been watching this space for years. Old-school VPNs struggle when businesses scale and go hybrid. Many deployments still rely on a username + password & connect/disconnect model. Traffic crawls due to backhauling, and if an attacker gets in, the whole network is exposed.

🔄 ZTNA changes the game. You only get access to the applications you need, and identity is continuously verified. No automatic trust, every request is context-aware.

Here’s what's really driving the shift:
✅ Access: Granular, per-application instead of full network access
🛡️ Security: Least privilege + micro-segmentation reduce lateral attacks
⚡ Performance: Direct cloud connections eliminate backhaul bottlenecks
📊 Visibility: Real-time monitoring, logging, and analytics
☁️ Scalability: Seamless across hybrid and multi-cloud environments

Technical highlights of ZTNA:
🔐 Identity-Centric: SSO/IdP integration (Okta, Azure AD, Ping) — SAML 2.0/OIDC federation, MFA enforcement, JIT provisioning, SCIM sync
📱 Device Posture: Endpoint compliance before access — AV/EDR (CrowdStrike, Defender, SentinelOne), MDM (Intune/Jamf), OS patching, BitLocker/FileVault encryption, firewall status, root/jailbreak detection
🔄 Continuous Authentication: Risk-based session re-evaluation — UEBA anomalies, impossible travel detection, behavioral biometrics, session hijacking protection
⚙ Policy Engine: Context-aware access rules (who / what / where / when) — geofencing, time-based policies, app risk scoring, RBAC/ABAC
🔒 Micro-Tunnels: Encrypted application access — TLS 1.3 per-app proxies, mTLS authentication, stealth gateways, software-defined perimeter concepts
🌐 Cloud-Ready: Built for SaaS, IaaS, and hybrid — AWS ALB/NLB, Azure Private Link, GCP IAP, Anycast PoPs (<50ms), lightweight connectors

The market momentum is real. Gartner continues to highlight ZTNA as a key component of modern Zero Trust architecture. So which pill would you choose to secure modern access?
🔴 Red pill — Traditional VPN
🟢 Green pill — Zero Trust Network Access

#ZeroTrust #ZTNA #VPN #CyberSecurity #CloudSecurity #NetworkSecurity #InfoSec #GRC #ISO27001 #Cyber #Microsoft
-
🔐 Want to protect your cloud before threats take over? Use these elite cloud security platforms trusted by security teams, CISOs & DevSecOps pros:

→ SentinelOne Singularity Cloud: AI-powered runtime protection for cloud workloads, containers, and VMs.
→ Prisma Cloud by Palo Alto Networks: Cloud-native security with full-stack protection across multi-cloud & hybrid setups.
→ Microsoft Defender for Cloud: Advanced threat protection and compliance monitoring across Azure, AWS, and more.
→ Tenable Cloud Security: Continuously scans and prioritizes cloud vulnerabilities before attackers find them.
→ Qualys Cloud Security: Comprehensive asset visibility with built-in vulnerability management.
→ Zscaler Cloud Security: Zero-trust access control for users, apps, and workloads across cloud environments.
→ Lacework: Behavioral-based security and compliance for modern cloud-native stacks.
→ AWS Security Hub: Centralized dashboard for threat detection and compliance across AWS accounts.
→ Check Point CloudGuard: Unified threat prevention and posture management across multi-cloud setups.
→ IBM Cloud Security: Protects data, workloads, and identities in complex hybrid environments.
→ Cisco Secure Cloud Insights: Visualize assets and vulnerabilities with contextual security intelligence.
→ Fortinet FortiCWP: Monitors cloud activity for threats, misconfigurations, and compliance risks.
→ Sophos Cloud Optix: AI-driven monitoring, alerting, and automation for multi-cloud security.
→ Google Chronicle Security: Cloud-native analytics platform for high-speed threat detection and response.
→ Azure Security Center: Native threat protection and hardening for Azure workloads.
→ CrowdStrike Falcon for Cloud: Workload protection with world-class threat intelligence and EDR.
→ VMware Carbon Black Cloud: Advanced workload and endpoint defense with cloud-scale visibility.

Why Should Cloud Security Pros Care?
✅ These tools catch misconfigurations before attackers do
✅ They protect dynamic, multi-cloud workloads at scale
✅ Mastering them builds airtight, audit-ready cloud environments

🔁 Share this with your cloud security or DevSecOps team!
➡️ Follow Marcel Velica for more on Cloud Security, Threat Detection & DevSecOps Strategies!
-
Where SWG and CASB Fall Short, Kitecyber Excels! For years, Secure Web Gateways (SWG) and Cloud Access Security Brokers (CASBs) were seen as the ultimate solution for SaaS security. They promised control, visibility, and enforcement for cloud applications. But reality has caught up with the hype, and the verdict is clear:
1) SWG has several security gaps and limitations
2) CASB has simply failed as an effective solution

Traditional in-network SWG problems:
1. Traffic type limitations
2. File size limitations
3. Well known DLP gaps (encrypted files)
4. Can’t deal with end-to-end encrypted traffic, so a lot of traffic is bypassed
5. Lack of complete visibility into SaaS apps due to split tunnel
6. Higher cost due to an inefficient architecture (man in the middle)
7. High complexity to set up and maintain

CASB problems:
1. Only used for limited SaaS apps
2. Complex API level configuration
3. Most apps bypass CASB as they can only handle a few SaaS apps. You can’t build a fronting proxy for so many SaaS apps. It simply doesn’t scale as a technology.

As a result, most CASB players are either dead or have been merged with some broader solution as a feature.

A Smarter Approach: Kitecyber’s Endpoint-based SSE Solution. If you notice, all access to SaaS apps, Gen AI apps, phishing links, and data leakage originates at the endpoint and not in the network. Endpoint devices have a lot more context as compared to an in-network device. At Kitecyber, we take a completely different approach to SaaS and Internet security by building this security at the endpoint and combining application posture, identity, and data security for complete protection. We advise our clients that baseline security measures are no longer enough. With BYOD adoption and remote work, IT needs a proactive way to monitor, analyze, and control SaaS usage—not just respond to breaches after they happen. Unlike traditional CASBs, Kitecyber protects users, not just pathways.

All the traffic goes through us without any exception. Our solution secures SaaS app credentials while allowing IT to define sanctioned and unsanctioned SaaS applications. It also alerts IT whenever a new SaaS app enters the organization’s environment.

Key Benefits of Our Solution:
1) SaaS App Discovery & Classification – Identify and manage all SaaS applications in use.
2) Risk Identification – Reduce your attack surface and enforce granular SaaS security policies with ease.
3) Comprehensive Security – Protect users, devices, and data—wherever they are.
4) SaaS Spend & Usage Analysis – Optimize SaaS costs and track usage trends.

Want to assess your SaaS or Gen AI security posture and reduce risk? Let’s talk.
-
AI agents have quietly moved somewhere new. Your employees’ laptops. Developers are running AI clients and local MCP servers to connect LLMs to SaaS tools, code, and cloud environments. Powerful, fast, and usually invisible to security.

That’s why Entro Security built a new integration with CrowdStrike. Using Falcon’s endpoint telemetry, Entro can now detect AI clients and MCP servers running on end-user machines and correlate that activity with identity context.

What security teams get:
• A clear inventory of which AI agents are running
• Who owns them
• What data and systems they can access

In other words, we apply the same governance model used for non-human identities to local, agentic AI.

The payoff:
✔ Turn scattered, local AI usage into centralized visibility
✔ Spot “shadow AI” early
✔ Put guardrails around how agents connect to enterprise systems

Agentic AI isn’t slowing down. It’s moving closer to the endpoint. https://hubs.la/Q03ZQDBB0
-
Most security programs can tell you what controls they deployed. Very few can prove those controls stop the attack path that matters. That gap is where breaches happen. Here is what the modern identity attack path looks like, and why traditional measurement misses it.

The attacker does not exploit a vulnerability. They phish, proxy, or register a malicious OAuth app. The user authenticates legitimately. MFA is satisfied. The attacker captures the session token (MITRE T1528). That token is now the credential. Tokens may remain valid after authentication depending on platform and revocation controls. If tied to a non-human identity or refresh token, access can persist indefinitely without explicit revocation (T1078). The attacker queries APIs instead of scanning networks, enumerating mailboxes, file stores, and identity relationships through legitimate interfaces. Using trusted integrations, they pivot across SaaS and cloud with no malware, just delegated access through paths the organization built (T1199). Data leaves via APIs expected to move data (T1537).

Google’s Threat Intelligence Group detailed a campaign where attackers used compromised OAuth tokens from the Salesloft Drift integration to access Salesforce environments. Cloudflare confirmed the mechanics in their incident response disclosure. This is not a control failure. It is a measurement failure. Would your current program detect this?

Most programs measure coverage: endpoints with EDR, identities with MFA, vulnerabilities patched within SLA. Coverage measures what you deployed. Exposure measures what an attacker can reach. These are fundamentally different.

CTEM addresses this through five phases. Scoping must include OAuth tokens, non-human identities, and API credentials or the model has a blind spot where attackers target. Organizations often operate with triple-digit ratios of non-human identities to human users. Discovery must extend to that full population. Prioritization must reflect attack path context. A moderate misconfiguration chained with a stolen token and trusted SaaS integration reaches sensitive data faster than a critical CVE on an isolated server. Equally important is whether existing compensating controls already reduce exploitability. Validation is the phase most programs skip. Validation means testing whether controls stop token theft, consent phishing, and NHI abuse against your own defenses. Start by testing one identity attack path end-to-end: token theft, API access, lateral movement across a trusted integration. Mobilization turns validated findings into remediation with clear ownership, enriched context, and tracked execution. Without it, findings sit in queues and exposure persists.

Not “Do we have controls?” But “Did we prove those controls stop the attack path that matters?”

Views are my own #CTEM #ExposureManagement #IdentitySecurity #MITREATTACK #CISOLeadership