SILVER LINING
An Everyday Security Primer (…and More)
An Everyman’s Journey to “Cloud Security”
Sven Skoog (sven.skoog@monotype.com) 15 Dec 2016
setting the stage – our enterprise, its players
– monotype: typography (fonts), branding, emoji, mercantile imagery
– monotype: 500-700 staffers, $200M revenues, 14 offices, 10 countries
– a split personality: 130-yr-old typesetters + 13th grade app-developers
– a split personality: 50% cloud, 50% on-prem (more like 60%-40% now)
– homogeneous defenses? (same safeguards local vs. cloud? different?)
– budgetary + staffing concerns given 1600 nodes, ~8-9 administrators?
– can virtual (venue-agnostic) defenses replicate on-prem protections?
– given off-premise compute/storage, is an on-site SOC even necessary?
first line of defense – sensors and instrumentation
– arguably the most crucial day-to-day function: is bad_thing happening?
– alert logic sensors (“threat manager”) use a snort-like packet engine
– alert logic sensors (“threat manager”) are updated w. signatures daily
– alert logic sensors (“threat manager”) use daily bad-actor attributions
– alert logic sensors (“threat/log manager”) will notice repetition, volume
– incident 9036498 (cryptowall ransomware/trojan on workstation(s))
– incident 13486144 (low-and-slow SQL injection attempts, monthly)
example – sensors and instrumentation
bringing up the rear – forensic logging and consolidation
– log storage is the scut-work no sane-minded admin really wants to do
– logs are cumbersome, space-consumptive; they overflow, they break
– logs obey murphy’s law… the precise one(s) you need are often missing
– alert logic collector (“log manager”) is a one-line agent or log directive
– alert logic collector (“log manager”) can store locally, or in the cloud
– alert logic collector (“log manager”) uses tamper-proof hash for validity
– alert logic collector (“log manager”) will escalate on ‘risky’ patterns
– alert logic collector (“log manager”) will escalate on repetition/volume
– incident 13340004 (new domain admin added in late-afternoon)
– incident 13416288 (privileged admin acct repeatedly locking itself out)
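The two collector behaviours on this slide (a tamper-evident hash over stored records, and escalation on a "risky" pattern or on repetition) as a small added example in Python; this is not the slides' or Alert Logic's code. It assumes Windows Security event ids 4728 (member added to a security-enabled global group) and 4740 (account locked out), a constructed watch-list of privileged accounts, and constructed sample records.

```python
"""Added example: hash-chained log storage plus two escalation rules
(domain-admin addition; repeated lockout of a privileged account).
Event ids 4728/4740 are the Windows Security log ids for those events;
the records, watch-list and thresholds below are constructed."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like consolidated Windows Security events.
SAMPLE_EVENTS = [
    {"ts": "2016-12-15T09:12:01", "event_id": 4624, "host": "dc01",
     "subject": "alice", "target": "alice", "group": None},
    {"ts": "2016-12-15T16:48:33", "event_id": 4728, "host": "dc01",
     "subject": "bob", "target": "svc-backup", "group": "Domain Admins"},
    {"ts": "2016-12-15T17:02:10", "event_id": 4740, "host": "dc01",
     "subject": "-", "target": "svc-backup", "group": None},
    {"ts": "2016-12-15T17:04:41", "event_id": 4740, "host": "dc01",
     "subject": "-", "target": "svc-backup", "group": None},
    {"ts": "2016-12-15T17:07:15", "event_id": 4740, "host": "dc02",
     "subject": "-", "target": "svc-backup", "group": None},
    {"ts": "2016-12-15T17:30:00", "event_id": 4740, "host": "dc01",
     "subject": "-", "target": "carol", "group": None},
]

PRIVILEGED = {"svc-backup", "administrator"}   # assumed watch-list
BUSINESS_HOURS = (8, 17)                       # assumed local 08:00-17:00
LOCKOUT_THRESHOLD = 3
LOCKOUT_WINDOW = timedelta(minutes=10)


def _canonical(record):
    """Stable serialisation so an identical record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_records(records, seed="genesis"):
    """Return [(record, digest)] where each digest covers the record AND the
    previous digest, so editing, dropping or reordering any record changes
    every digest after it."""
    out, prev = [], hashlib.sha256(seed.encode()).hexdigest()
    for rec in records:
        digest = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        out.append((rec, digest))
        prev = digest
    return out


def verify_chain(chained, seed="genesis"):
    """Recompute the chain; return the index of the first bad link, or -1."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (rec, digest) in enumerate(chained):
        expect = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        if expect != digest:
            return i
        prev = digest
    return -1


def escalate(records):
    """Apply the two rules the slide cites and return a list of alert strings."""
    alerts = []
    lockouts = defaultdict(list)   # target account -> recent lockout times
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        # Rule 1 ('risky' pattern): any addition to Domain Admins escalates,
        # annotated with whether it landed inside business hours.
        if rec["event_id"] == 4728 and rec["group"] == "Domain Admins":
            inside = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
            when = "business hours" if inside else "off-hours"
            alerts.append(f"DOMAIN_ADMIN_ADDED {rec['target']} by "
                          f"{rec['subject']} ({when})")
        # Rule 2 (repetition/volume): N lockouts of one privileged account
        # inside the window escalates once, not once per event.
        if rec["event_id"] == 4740 and rec["target"] in PRIVILEGED:
            hits = lockouts[rec["target"]]
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= LOCKOUT_WINDOW]
            if len(hits) == LOCKOUT_THRESHOLD:
                alerts.append(f"REPEATED_LOCKOUT {rec['target']} "
                              f"x{len(hits)} within {LOCKOUT_WINDOW}")
    return alerts


if __name__ == "__main__":
    chained = chain_records(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chained) == -1)
    for alert in escalate(SAMPLE_EVENTS):
        print(alert)
```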
example – forensic logging and consolidation
getting out in front – web app-query (layer 7) inspection
– layer 3 access-control rules are well and good, but more is needed
– each web app differs, app-firewalls need constant tuning-and-training
– alert logic web-firewall (“wsm”) can be deployed as appliance or VM
(…in fact, it can sit atop a traditional amazon elastic load-balancer)
– alert logic web-firewall (“wsm”) can passively monitor, or actively block
– alert logic web-firewall (“wsm”) can be customized by you, or by vendor
– 30-to-90-day break-in period; watch + gather queries, then advise rules
– garden-variety incident (plain-vanilla nmap scan from outside)
– slightly-more-sophisticated incident (PHP parameter walkthrough)
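The break-in period described above (watch and gather queries, then advise rules) and the two incidents on this slide, as an added Python example that is not the slides' or Alert Logic's code: a baseline of known method/path/parameter combinations is learned from constructed training traffic, then live requests are inspected in monitor or block mode, flagging unknown parameters, a per-source parameter walkthrough, and scan-like probing of many unknown paths. Thresholds, paths and addresses are constructed.

```python
"""Added example: learning-mode WAF baseline and layer-7 inspection.
All requests, thresholds and paths below are constructed for the demo."""
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import parse_qs

WALK_THRESHOLD = 3   # distinct unknown params from one source on one path
SCAN_THRESHOLD = 4   # distinct unknown paths from one source


class Request(NamedTuple):
    src: str
    method: str
    path: str
    query: str
    status: int


# Constructed "break-in period" traffic: normal use of a small PHP site.
TRAINING_REQUESTS = [Request(*t) for t in [
    ("10.0.0.5", "GET", "/index.php", "page=home", 200),
    ("10.0.0.6", "GET", "/index.php", "page=about", 200),
    ("10.0.0.7", "POST", "/login.php", "user=alice&pass=x", 200),
    ("10.0.0.5", "GET", "/search.php", "q=fonts", 200),
]]

# Constructed live traffic: one source walks extra parameters on
# /index.php, another probes paths that do not exist.
LIVE_REQUESTS = [Request(*t) for t in [
    ("203.0.113.9", "GET", "/index.php", "page=home", 200),
    ("203.0.113.9", "GET", "/index.php", "page=home&debug=1", 200),
    ("203.0.113.9", "GET", "/index.php", "page=home&id=1", 200),
    ("203.0.113.9", "GET", "/index.php", "page=home&include=x", 500),
    ("198.51.100.2", "GET", "/admin/", "", 404),
    ("198.51.100.2", "GET", "/backup/", "", 404),
    ("198.51.100.2", "GET", "/test/", "", 404),
    ("198.51.100.2", "GET", "/old/", "", 404),
]]


def param_names(query):
    """Set of parameter names in a query string ('' -> empty set)."""
    return set(parse_qs(query, keep_blank_values=True))


def learn_baseline(requests):
    """Watch + gather: map (method, path) -> parameter names seen on
    successful responses during the break-in period."""
    baseline = defaultdict(set)
    for r in requests:
        if 200 <= r.status < 400:
            baseline[(r.method, r.path)].update(param_names(r.query))
    return dict(baseline)


def advise_rules(baseline):
    """Render the learned baseline as human-readable allow rules."""
    return [f"{m} {p}: allow params {','.join(sorted(names)) or '(none)'}"
            for (m, p), names in sorted(baseline.items())]


def inspect(requests, baseline, mode="monitor"):
    """Check live requests against the baseline. mode='monitor' only logs;
    mode='block' marks each finding as blocked. Returns a list of dicts."""
    action = "block" if mode == "block" else "log"
    findings = []
    unknown_paths = defaultdict(set)    # src -> paths not in baseline
    unknown_params = defaultdict(set)   # (src, path) -> params not in baseline
    for r in requests:
        key = (r.method, r.path)
        if key not in baseline:
            unknown_paths[r.src].add(r.path)
            if len(unknown_paths[r.src]) == SCAN_THRESHOLD:   # fire once
                findings.append({"kind": "SCAN_LIKE", "src": r.src,
                                 "path": r.path, "action": action})
            continue
        extra = param_names(r.query) - baseline[key]
        if extra:
            findings.append({"kind": "UNKNOWN_PARAM", "src": r.src,
                             "path": r.path, "detail": sorted(extra),
                             "action": action})
            seen = unknown_params[(r.src, r.path)]
            seen.update(extra)
            if len(seen) == WALK_THRESHOLD:                     # fire once
                findings.append({"kind": "PARAM_WALKTHROUGH", "src": r.src,
                                 "path": r.path, "detail": sorted(seen),
                                 "action": action})
    return findings


if __name__ == "__main__":
    base = learn_baseline(TRAINING_REQUESTS)
    print("\n".join(advise_rules(base)))
    for f in inspect(LIVE_REQUESTS, base, mode="monitor"):
        print(f)
```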
example(s) – web app-query (layer 7) inspection
automating the machine – rent-a-SOC (?!?)
– enterprise goal #1: reduce tier-zero ground clutter, but do not ignore it
– enterprise goal #2: ensure daily (shift-by-shift) event review, escalation
– enterprise goal #3: crowd-source current attack signatures, bad actors
– enterprise goal #4: maintain off-site forensic events/logs for later use
– enterprise goal #5: do all of this in a (hopefully) cost-effective manner
– alert logic SOC will alert/call/email to 3+ different personnel chains
– alert logic SOC will perform realtime event response + daily log review
– alert logic SOC will annul/suppress/whitelist items you don’t care about
– alert logic SOC will do it all at 20% to 40% of equiv. organic cost (4+ FTE)
– i'll appeal to your continued patience with one or two more examples…
example(s) – automating your rent-a-SOC (?!?)
example(s) – automating your rent-a-SOC (?!?)
(250 MILLION events per day?!? a single team just can’t keep up…)
final thought – meta-insights made possible by the cloud (?)
– i've already made reference to “crowd-sourcing threats, bad actors”
– also a notion of “meta-access” (amazon cloudtrail, roles, api invocation)
– also a notion of “asset tracking” (new VM, using template(s)… or not)
– how about a ‘cyber weather forecast’ showing my posture v. the world?
– how about a ‘cyber weather forecast’ showing attack trends over time?
(…14-yr-old script kiddie crawling my amazon cloud is boring)
(…14-yr-old script kiddie who progresses to my webmail is HUGE)
– alert logic’s newest service (Cloud Insight) will watch meta-properties
– alert logic’s newest service (Cloud Insight) will alert you on deviations
– and that’s only a taste of things to come…
thank you – sven.skoog@monotype.com (781.970.6112)