AWS Chicago, profile picture
Uploaded byAWS Chicago
251 views

AWS Chicago May 22 Security event - Redlock CSI report

The Redlock CSI team's May 2018 report outlines alarming trends in cloud security, highlighting issues such as account compromises, widespread cryptojacking, and ineffective compliance practices among organizations. Key findings indicate that many organizations are not adequately managing access keys and have significant vulnerabilities in their cloud environments, leading to rising security risks. To combat these challenges, the report provides actionable tips and emphasizes the need for continuous monitoring and enforcement of security best practices.

Embed presentation

Download to read offline
Cloud Security Trends + 14 Tips to Fortify Your Public Cloud Environment Published by the RedLock CSI Team May 2018 Edition Cloud Threat Defense
Introduction Key Takeaways 01 - Account compromises fueling new attack vectors 02 - Cryptojacking goes mainstream 03 - Effective compliance must be omnipresent 04 - Beyond the specter of “Spectre” and “Meltdown” About the Report Ready to Take Action? 3 6 7 9 11 13 15 16 © 2018 RedLock Inc. All rights reserved. 2 Table of Contents
3© 2018 RedLock Inc. All rights reserved. Introduction This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. This report highlights key learnings from these incidents along with research by the RedLock Cloud Security Intelligence (CSI) team to shed light on the trends that we can expect this year.
2016 Oct Dec 2017 Jan May Oct Oct Nov Jun 2018 Feb Apr Jan 51% 25% 24% - Major companies impacted: Uber, OneLogin, Tesla, Aviva, Gemalto - RedLock research results: On average, 27% of organizations experienced potential account compromises - Major companies impacted: Deep Root Analytics, FedEx, Under Armour - RedLock research results: On average, 51% of organizations publicly exposed at least one cloud storage service - Major companies impacted: Tesla, Gemalto, Aviva - RedLock research results: 25% of organizations currently have cryptojacking activity in their environments - Major companies impacted: MongoDB, Elasticsearch, Intel, Drupal - RedLock research results: 24% of organizations have hosts missing high-severity patches in public cloud Account Compromises Risky Configurations Cryptojacking Vulnerabilities 27% 4© 2018 RedLock Inc. All rights reserved.
5© 2018 RedLock Inc. All rights reserved. The absence of a physical network boundary to the internet, the risk of accidental exposure by users with limited security expertise, decentralized visibility, and the dynamic nature of the cloud increases an organization’s attack surface by orders of magnitude. The shared responsibility model of cloud security clearly outlines the respective responsibilities of cloud service providers and their customers. The RedLock CSI team would like to remind you that your organization’s obligations in the shared responsibility model include: * Monitoring and remediating resource misconfigurations * Detecting and remediating anomalous user activities * Detecting and remediating suspicious network traffic * Identifying vulnerable hosts
KEY1. Account compromises fueling new attack vectors While organizations are ramping up security efforts to deter malicious actors from stealing credentials and access keys, new threats are always at-hand, such as those presented via Instance Metadata APIs. 2. Cryptojacking goes mainstream Unfettered access to expensive and high-powered public cloud compute resources is leading to increased cryptojacking attacks. 3. Effective compliance must be omnipresent Confidential data is moving to the cloud and organizations must prove compliance. Employing additional controls such as encryption and security frameworks, such as NISF CSF and CIS, still need to be operationalized. 4. Beyond the specter of “Spectre” and “Meltdown” Vulnerability management at scale is extremely complex in the cloud and is a key requirement of GDPR. Organizations need to consider how they will address the issue for their public cloud environments. 6© 2018 RedLock Inc. All rights reserved. Key Takeaways
01 7© 2018 RedLock Inc. All rights reserved. Account compromises fueling new attack vectors 43% 20% 27% of access keys have not been rotated in the last 90 days of organizations are allowing root user activities of organizations with potential account compromises Relative to last year, we have seen mixed trends with respect to account compromises. Organizations are becoming more knowledgeable and implementing best practices to avert cloud account compromises, but new attack vectors continue to present themselves. In addition to finding leaking credentials in GitHub repositories, unprotected Kubernetes administrative interfaces, and public Trello boards, the RedLock CSI team found yet another attack vector - public cloud instance metadata APIs. Public cloud instance metadata is data about your instance that can be used to configure or manage the running instance. Essentially, an instance’s metadata can be queried via an API to obtain access credentials to the public cloud environment by any process running on the instance. The overarching trend, however, is clear; account compromises will continue to evolve and organizations must be vigilant and take steps to defend against these threats. Key Findings The most concerning finding from the CSI team was that organizations’ need to do a much better job managing their access keys, as 43% of them had not been rotated in over 90 days. This is a big concern because access keys tend to have overly permissive access, thus creating greater exposure. It is a security best practice to rotate access keys
8© 2018 RedLock Inc. All rights reserved. Tips • Eliminate the use of root accounts for day-to-day operations • Enforce multi-factor authentication on all privileged user accounts • Implement a policy to automatically force periodic rotation of access keys • Automatically disable unused accounts and access keys • Implement user and entity behavior analytics solutions to identify malicious behavior 01significantly to this broader understanding. Additional investigation by the RedLock CSI team determined that 27% of organizations have users whose accounts have potentially been compromised. This result is up from our February 2018 trend report that showed 16%. This negative trend underscores that cloud security remains a porous environment. on a more frequent schedule to limit exposure should they fall into the wrong hands. The CSI team also found an encouraging trend; only 20% of organizations are allowing the root user account to be used to perform activities - down significantly from 73% last year. This trend indicates organizations are getting the message about managing root user accounts and RedLock’s CSI reports have contributed Account compromises fueling new attack vectors
9© 2018 RedLock Inc. All rights reserved. 85% 25% of resources do not restrict outbound traffic at all of organizations had cryptojacking activity within their environments Despite the recent ups and downs of cryptocurrency valuations, interest in illicit cryptomining remains high. Even with the recent disclosures by RedLock’s CSI team on cryptomining at Tesla, the practice of stealing cloud compute resources to mine cryptocurrency seems to have accelerated. One possible explanation for this, according the team, is the ransomware market is becoming saturated and overpriced, and hackers are setting their sights on new revenue streams - in this case cryptojacking. Another reason cryptojacking continues to proliferate is that attackers are using advanced evasion techniques when mining cryptocurrencies. The CSI team detailed some of these creative skills including in it’s blog post. Key Findings Surprisingly, 85% of resources associated with security groups do not restrict outbound traffic at all. This reflects an increase from one year ago when that statistic was 80%. The research found an increasing number of organizations were not following network security best practices and had misconfigured or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach. In terms of cryptojacking, the team discovered that 25% of organizations had cryptojacking activity within their environments up from 8% last 02 Cryptojacking goes mainstream
10© 2018 RedLock Inc. All rights reserved. Tips • Implement a “deny all” default outbound firewall policy • Monitor north-south and east-west network traffic to identify any suspicious activities including cryptojacking • Monitor user activity for any unusual or abnormal behavior, such as unusual attempts to spin off new compute instances 02quarter. The team forecasted that cryptojacking would increase as it gained traction in the hacker community, but this rapid, dramatic growth was still unexpected. The rise of cryptojacking and seemingly misuse of security groups highlights the need for a holistic approach to security in the cloud. A combination Cryptojacking goes mainstream of configuration, user activity, network traffic, and host vulnerability monitoring is necessary to detect advanced threats in public cloud environments.
03 11© 2018 RedLock Inc. All rights reserved. Effective compliance must be omnipresent 49% 30% 23% of databases are not encrypted of CIS compliance checks fail of organizations fail NIST CSF compliance assessments 2018 continued 2017’s trend of significant data exposures resulting from cloud misconfigurations. FedEx and MyFitnessPal (Under Armour) both reported millions of exposed consumer records resulting from unsecured cloud storage services. Given the prevalence of cybersecurity standards - NIST CSF, CIS, PCI, SOC2, HIPAA and soon GDPR (General Data Policy Regulation), organizations are under pressure to ensure compliance across their cloud environments. The RedLock CSI team assessed the preparedness of organizations based on fundamental security best practices and the results suggest optimism and disappointment. Moreover, the results underscore that organizations must do better in all areas, as spotty compliance is not compliance at all. Key Findings The RedLock CSI team’s analysis uncovered some positive news; there is a growing trend to encrypt databases. A year ago, the team found that 82% of databases were not encrypted. Today that number stands at 49% - a 67% improvement in one year. As discussed in previous RedLock CSI reports, encryption is an important technique that could help meet the pseudonymization requirement for GDPR and should be enforced as a security best practice. A broader assessment against industry compliance standards revealed that on average
12© 2018 RedLock Inc. All rights reserved. Tips • Ensure cloud resources are automatically discovered when they are created, and monitored for compliance across all cloud environments. • Implement policy guardrails to ensure that resource configurations adhere to industry standards such as NIST CSF, CIS, SOC 2, PCI, and HIPAA. • Integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. regarding their compliance goals and intentions. The speed of cloud innovation is accelerating, with cloud providers adding hundreds of new features each year and developers are leveraging those features to add new apps on a continuous basis. In the end, it may just be that organizations are lagging behind in their quest to maintain compliance and ensure security in this fast paced environment. 03 Effective compliance must be omnipresent organizations fail 30% of CIS Foundations best practices, 50% of PCI requirements, and 23% of NIST CSF requirements. Compared to last year’s analysis, improvements are inconsistent and still point to the fact that organizations have a lot of work to do to make compliance a reality across their cloud environments. These disappointing results do not necessarily indicate that organizations are disingenuous
13© 2018 RedLock Inc. All rights reserved. 24% 39% of organizations have hosts missing critical patches in public cloud of vulnerable hosts flagged as compromised by Amazon GuardDuty We are now a few months into the reality of living with the Spectre and Meltdown vulnerabilities, and now understand their longer term impacts and the technology providers are releasing solutions. For example, Intel announced changes to the Xeon and Core processors specifically designed to guard against these vulnerabilities. Amazon, Microsoft, and Google promptly patched and updated their environments to ensure a safer operating environment. But as proactive as the industry has been, it’s only a matter of time until we face the next global host vulnerability threat. Accordingly, the RedLock CSI team assessed host vulnerability management in the cloud to determine the state of affairs. Key Findings The research revealed that 24% of organizations have hosts missing high-severity patches in public cloud, which seemingly confirms data from the February 2018 report that 83% of vulnerable hosts were receiving suspicious traffic from the internet. While many organizations have traditional vulnerability scanning tools made for on-premise data centers and networks, organizations are unable to map the data from these tools to gain cloud-specific context. For example, identifying cloud resources that are communicating with outside IPs or suspicious IPs in an ephemeral environment is a problem traditional vulnerability scanning tools were not designed to solve. 04 Beyond the specter of “Spectre” and “Meltdown”
14© 2018 RedLock Inc. All rights reserved. Tips • Correlate vulnerability data with resource configuration data to identify vulnerable hosts. • Correlate network traffic data to determine whether the vulnerabilities are actually network exploitable and prioritize remediation accordingly. • Correlate vulnerability data with cloud configuration and network traffic data to identify the riskiest assets, and determine whether the vulnerabilities are actually exploitable from the internet. 04Vulnerability management at scale is extremely complex in the cloud and is a key requirement of GDPR. In this dynamic environment, it is often hard to pinpoint specific questionable cloud resources, or understand the real exploitability and risks associated with them. Traditional vulnerability scanning tools fall short on delivering actionable results to users. Further, host vulnerability data needs to be correlated with host configurations in the cloud that can help identify the business purpose of the host and help prioritize patching. RedLock’s integration with Amazon GuardDuty, a threat detection service launched in November 2017, indicates that 39% of these hosts are actually exhibiting activity patterns associated with instance compromise or reconnaissance by attackers. This is an increase of 160% is about 6 months. This increase may be explained by the broader acceptance of GuardDuty since its launch; however it also indicates that organizations need to be more proactive with vulnerability management in the cloud. Beyond the specter of “Spectre” and “Meltdown”
15© 2018 RedLock Inc. All rights reserved. About the Report ABOUTAbout the Report RedLock CSI Team RedLock enables effective threat defense across Amazon Web Services, Microsoft Azure, and Google Cloud environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security data sets to provide comprehensive visibility, detect threats, and enable rapid response across fragmented cloud environments. With RedLock, organizations can ensure compliance, govern security, and enable security operations across public cloud environments. The RedLock Cloud Security Intelligence (CSI) team consists of elite security analysts, data scientists, and data engineers with deep security expertise. The team’s mission is to enable organizations to confidently adopt public cloud by researching cloud threats, advising organizations on cloud security best practices, and frequently publishing out-of-the-box policies in the RedLock Cloud 360™ platform. The CSI team has discovered millions of exposed records that contain sensitive data belonging to dozens of organizations ranging from small businesses to Fortune 50 companies. The team notifies the affected organizations and publishes security advisories to raise awareness about the issues. Report Methodology The data in this report is based on analysis across the public cloud environments monitored by RedLock, which comprises of over twelve million resources that are processing petabytes of network traffic. In addition, the team also actively probed the internet for vulnerabilities in public cloud environments.
ACTIONReady to Take Action? Get a Free Risk Assessment Get started in minutes and obtain a free risk assessment across your cloud footprint without hindering agile development. It will provide the following insights: Are there any resources with risky configurations? Are there unpatched hosts in your environment? Have there been any network intrusions? Are there any insider threats? Have any accounts been compromised? More information: https://info.redlock.io/cloud-risk-assessment Download Cloud Security Buyer’s Guide Download the Cloud Security Buyer’s Guide to get 20+ tips based on the NIST Cybersecurity Framework and manage risks across your public cloud computing environment. More information: https://info.redlock.io/lp-nist-csf-cloud-security 16© 2018 RedLock Inc. All rights reserved.
“With RedLock, we have full visibility so we can be sure our cloud environment is secure, risk is reduced and any threats that do present themselves can be remediated right away” - David Pace Global Information Security Western Asset Management (WAM) To learn more: Call: +1.650.665.9480, Visit: www.redlock.io © 2018 RedLock Inc. All rights reserved. RedLock and RedLock logo are registered US trademarks of RedLock Inc. RedLock Cloud 360 is a trademark of RedLock Inc. All other registered trademarks are the properties of their respective owners.

More Related Content

PDF
How can i find my security blind spots in Oracle - nyoug - sep 2016
byUlf Mattsson
 
PDF
How can i find my security blind spots ulf mattsson - aug 2016
byUlf Mattsson
 
PPTX
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
byUlf Mattsson
 
PDF
Alert logic cloud security report
byGabe Akisanmi
 
PDF
Cyfirma cybersecurity-predictions-2022-v1.0 c
byAanchal579958
 
PPTX
Cyber Risk Management in 2017 - Challenges & Recommendations
byUlf Mattsson
 
PDF
Webinar: Securing Mobile Banking Apps
byWultra
 
PPT
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
How can i find my security blind spots in Oracle - nyoug - sep 2016
byUlf Mattsson
 
How can i find my security blind spots ulf mattsson - aug 2016
byUlf Mattsson
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
byUlf Mattsson
 
Alert logic cloud security report
byGabe Akisanmi
 
Cyfirma cybersecurity-predictions-2022-v1.0 c
byAanchal579958
 
Cyber Risk Management in 2017 - Challenges & Recommendations
byUlf Mattsson
 
Webinar: Securing Mobile Banking Apps
byWultra
 
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 

What's hot

PPTX
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
byChristopher Korban
 
PDF
Security Incident Response Readiness Survey
byRahul Neel Mani
 
PPTX
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
byUlf Mattsson
 
PPTX
Cybersecurity 2020 the biggest threats to watch out for
byCigniti Technologies Ltd
 
PDF
How the latest trends in data security can help your data protection strategy...
byUlf Mattsson
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
PDF
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
byBlueHat Security Conference
 
PPTX
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
byArgyle Executive Forum
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
Topsec email security 2016
byNathan CAVRIL
 
PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
PPTX
Building securable infrastructures
bySteven Aiello
 
PDF
BlueHat v18 || The law of unintended consequences - gdpr impact on cybersecur...
byBlueHat Security Conference
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PPTX
Data Protection & Privacy During the Coronavirus Pandemic
byUlf Mattsson
 
DOCX
A Case study scenario on collaborative Portal Risk Assessment
byVictor Oluwajuwon Badejo
 
PDF
Blueliv Corporate Brochure 2017
byBlueliv
 
PDF
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
byMichael Bunn
 
PDF
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
byScalar Decisions
 
PPTX
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
byBlack Duck by Synopsys
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
byChristopher Korban
 
Security Incident Response Readiness Survey
byRahul Neel Mani
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
byUlf Mattsson
 
Cybersecurity 2020 the biggest threats to watch out for
byCigniti Technologies Ltd
 
How the latest trends in data security can help your data protection strategy...
byUlf Mattsson
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
byBlueHat Security Conference
 
Global Megatrends in Cybersecurity – A Survey of 1,000 CxOs
byArgyle Executive Forum
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
Topsec email security 2016
byNathan CAVRIL
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
Building securable infrastructures
bySteven Aiello
 
BlueHat v18 || The law of unintended consequences - gdpr impact on cybersecur...
byBlueHat Security Conference
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
Data Protection & Privacy During the Coronavirus Pandemic
byUlf Mattsson
 
A Case study scenario on collaborative Portal Risk Assessment
byVictor Oluwajuwon Badejo
 
Blueliv Corporate Brochure 2017
byBlueliv
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
byMichael Bunn
 
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
byScalar Decisions
 
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
byBlack Duck by Synopsys
 

Similar to AWS Chicago May 22 Security event - Redlock CSI report

PDF
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
bySBWebinars
 
PPTX
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
PDF
Cloud Computing Security
byArunvignesh Venkatesh
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Cloud Security in 2025_ Top Challenges, Daily Risks & Key Threats You Need to...
byinfosprintseo
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PPTX
The-Evolving-Cybersecurity-Landscape.pptx
byVLink Inc
 
PDF
The State of Data Security
byRazor Technology
 
PPTX
IT Security Essentials
bySkoda Minotti
 
PDF
Cloud_security_v2_chpater_9_s_version.pdf
byalkabarala01
 
PPTX
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 
PDF
Cloud Infrastructure Security: Navigating Threats & Overcoming Challenges
byTeleglobal International
 
PDF
Are Your Files Really Safe? The Hidden Cloud Security Threats | CyberPro Maga...
byCyberPro Magazine
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
byPriyanka Aash
 
PDF
The Anatomy of a Cloud Security Breach
byCloudLock
 
PDF
Cloud Security Redefined With Runtime Meetup 29102025
bylior mazor
 
PDF
The 3 Recommendations for Cloud Security
byVAST
 
PDF
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
PDF
Cloud Insecurity and True Accountability - Guardtime Whitepaper
byMartin Ruubel
 
PDF
Risks to Cloud based critical infrastructure -- DHS bulletin
byDavid Sweigert
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
bySBWebinars
 
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
Cloud Computing Security
byArunvignesh Venkatesh
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Cloud Security in 2025_ Top Challenges, Daily Risks & Key Threats You Need to...
byinfosprintseo
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
The-Evolving-Cybersecurity-Landscape.pptx
byVLink Inc
 
The State of Data Security
byRazor Technology
 
IT Security Essentials
bySkoda Minotti
 
Cloud_security_v2_chpater_9_s_version.pdf
byalkabarala01
 
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 
Cloud Infrastructure Security: Navigating Threats & Overcoming Challenges
byTeleglobal International
 
Are Your Files Really Safe? The Hidden Cloud Security Threats | CyberPro Maga...
byCyberPro Magazine
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
byPriyanka Aash
 
The Anatomy of a Cloud Security Breach
byCloudLock
 
Cloud Security Redefined With Runtime Meetup 29102025
bylior mazor
 
The 3 Recommendations for Cloud Security
byVAST
 
Cybersecurity | Risk. Impact. Innovations.
byVertex Holdings
 
Cloud Insecurity and True Accountability - Guardtime Whitepaper
byMartin Ruubel
 
Risks to Cloud based critical infrastructure -- DHS bulletin
byDavid Sweigert
 

More from AWS Chicago

PPTX
Kathie Kinde Clark - Elevate Your Professional Footprint: LinkedIn Masterclass
byAWS Chicago
 
PDF
Jason Anderson From Dirt Roads to Highways: Simplifying DevOps and Cloud Inf...
byAWS Chicago
 
PDF
Aman Sardana and Vijay Kumar Soni - Navigating Hybrid Cloud Challenges for ...
byAWS Chicago
 
PDF
Ben Blair Operating Safely in a Vibe Coding World
byAWS Chicago
 
PPTX
Joseph Morotti Enhancing customer experience through Amazon Connect and Gene...
byAWS Chicago
 
PPTX
Craig Johnson When VPCs Attack: Real-Life Cloud Networking Fails (and Fixes)
byAWS Chicago
 
PDF
Peter Sankauskas Access Denied: Understanding & Debugging AWS IAM
byAWS Chicago
 
PDF
Shuen Mei Parth Sharma Boost Productivity, Innovation and Efficiency wit...
byAWS Chicago
 
PDF
Bob Fornal The Impact of Testing on a DevOps Pipeline
byAWS Chicago
 
PDF
Jason Butz Chaos Engineering with FIS and Lambda Functions
byAWS Chicago
 
PPTX
Automated VPC migration into centralized inspection architecture with AWS Gat...
byAWS Chicago
 
PDF
Julia Furst Morgado The Lazy Guide to Kubernetes with EKS Auto Mode + Karpenter
byAWS Chicago
 
PDF
Bob Fornal - Active Career Management AWS Community Day Midwest 2025
byAWS Chicago
 
PDF
Edwin Moedano Monitoring and Observability of Lambdas with Cloudwatch and Po...
byAWS Chicago
 
PPTX
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
byAWS Chicago
 
PPTX
Nathan Hiscock Architecting secure, scalable, cost-efficient computer vision...
byAWS Chicago
 
PDF
AWS Community Day Midwest 2025 Julia Furst Morgado The Lazy Guide to Kuberne...
byAWS Chicago
 
PDF
Steven Seaney - Simplifying and Streamlining AWS Control Tower Deployments
byAWS Chicago
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
byAWS Chicago
 
PPTX
Paul Chin Jr. Data Gone in 60 Seconds: A Serverless ETL Heist
byAWS Chicago
 
Kathie Kinde Clark - Elevate Your Professional Footprint: LinkedIn Masterclass
byAWS Chicago
 
Jason Anderson From Dirt Roads to Highways: Simplifying DevOps and Cloud Inf...
byAWS Chicago
 
Aman Sardana and Vijay Kumar Soni - Navigating Hybrid Cloud Challenges for ...
byAWS Chicago
 
Ben Blair Operating Safely in a Vibe Coding World
byAWS Chicago
 
Joseph Morotti Enhancing customer experience through Amazon Connect and Gene...
byAWS Chicago
 
Craig Johnson When VPCs Attack: Real-Life Cloud Networking Fails (and Fixes)
byAWS Chicago
 
Peter Sankauskas Access Denied: Understanding & Debugging AWS IAM
byAWS Chicago
 
Shuen Mei Parth Sharma Boost Productivity, Innovation and Efficiency wit...
byAWS Chicago
 
Bob Fornal The Impact of Testing on a DevOps Pipeline
byAWS Chicago
 
Jason Butz Chaos Engineering with FIS and Lambda Functions
byAWS Chicago
 
Automated VPC migration into centralized inspection architecture with AWS Gat...
byAWS Chicago
 
Julia Furst Morgado The Lazy Guide to Kubernetes with EKS Auto Mode + Karpenter
byAWS Chicago
 
Bob Fornal - Active Career Management AWS Community Day Midwest 2025
byAWS Chicago
 
Edwin Moedano Monitoring and Observability of Lambdas with Cloudwatch and Po...
byAWS Chicago
 
Darren Mills The Migration Modernization Balancing Act: Navigating Risks and...
byAWS Chicago
 
Nathan Hiscock Architecting secure, scalable, cost-efficient computer vision...
byAWS Chicago
 
AWS Community Day Midwest 2025 Julia Furst Morgado The Lazy Guide to Kuberne...
byAWS Chicago
 
Steven Seaney - Simplifying and Streamlining AWS Control Tower Deployments
byAWS Chicago
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
byAWS Chicago
 
Paul Chin Jr. Data Gone in 60 Seconds: A Serverless ETL Heist
byAWS Chicago
 

Recently uploaded

PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
The year in review - MarvelClient in 2025
bypanagenda
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
The Landscape of Computer Software Development Companies
byYash Singh
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 

AWS Chicago May 22 Security event - Redlock CSI report

  • 1.
    Cloud Security Trends + 14 Tipsto Fortify Your Public Cloud Environment Published by the RedLock CSI Team May 2018 Edition Cloud Threat Defense
  • 2.
    Introduction Key Takeaways 01 -Account compromises fueling new attack vectors 02 - Cryptojacking goes mainstream 03 - Effective compliance must be omnipresent 04 - Beyond the specter of “Spectre” and “Meltdown” About the Report Ready to Take Action? 3 6 7 9 11 13 15 16 © 2018 RedLock Inc. All rights reserved. 2 Table of Contents
  • 3.
    3© 2018 RedLockInc. All rights reserved. Introduction This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. This report highlights key learnings from these incidents along with research by the RedLock Cloud Security Intelligence (CSI) team to shed light on the trends that we can expect this year.
  • 4.
    2016 Oct Dec 2017 Jan May Oct Oct Nov Jun 2018 Feb Apr Jan 51% 25% 24% - Major companiesimpacted: Uber, OneLogin, Tesla, Aviva, Gemalto - RedLock research results: On average, 27% of organizations experienced potential account compromises - Major companies impacted: Deep Root Analytics, FedEx, Under Armour - RedLock research results: On average, 51% of organizations publicly exposed at least one cloud storage service - Major companies impacted: Tesla, Gemalto, Aviva - RedLock research results: 25% of organizations currently have cryptojacking activity in their environments - Major companies impacted: MongoDB, Elasticsearch, Intel, Drupal - RedLock research results: 24% of organizations have hosts missing high-severity patches in public cloud Account Compromises Risky Configurations Cryptojacking Vulnerabilities 27% 4© 2018 RedLock Inc. All rights reserved.
  • 5.
    5© 2018 RedLockInc. All rights reserved. The absence of a physical network boundary to the internet, the risk of accidental exposure by users with limited security expertise, decentralized visibility, and the dynamic nature of the cloud increases an organization’s attack surface by orders of magnitude. The shared responsibility model of cloud security clearly outlines the respective responsibilities of cloud service providers and their customers. The RedLock CSI team would like to remind you that your organization’s obligations in the shared responsibility model include: * Monitoring and remediating resource misconfigurations * Detecting and remediating anomalous user activities * Detecting and remediating suspicious network traffic * Identifying vulnerable hosts
  • 6.
    KEY1. Account compromisesfueling new attack vectors While organizations are ramping up security efforts to deter malicious actors from stealing credentials and access keys, new threats are always at-hand, such as those presented via Instance Metadata APIs. 2. Cryptojacking goes mainstream Unfettered access to expensive and high-powered public cloud compute resources is leading to increased cryptojacking attacks. 3. Effective compliance must be omnipresent Confidential data is moving to the cloud and organizations must prove compliance. Employing additional controls such as encryption and security frameworks, such as NISF CSF and CIS, still need to be operationalized. 4. Beyond the specter of “Spectre” and “Meltdown” Vulnerability management at scale is extremely complex in the cloud and is a key requirement of GDPR. Organizations need to consider how they will address the issue for their public cloud environments. 6© 2018 RedLock Inc. All rights reserved. Key Takeaways
  • 7.
    01 7© 2018 RedLockInc. All rights reserved. Account compromises fueling new attack vectors 43% 20% 27% of access keys have not been rotated in the last 90 days of organizations are allowing root user activities of organizations with potential account compromises Relative to last year, we have seen mixed trends with respect to account compromises. Organizations are becoming more knowledgeable and implementing best practices to avert cloud account compromises, but new attack vectors continue to present themselves. In addition to finding leaking credentials in GitHub repositories, unprotected Kubernetes administrative interfaces, and public Trello boards, the RedLock CSI team found yet another attack vector - public cloud instance metadata APIs. Public cloud instance metadata is data about your instance that can be used to configure or manage the running instance. Essentially, an instance’s metadata can be queried via an API to obtain access credentials to the public cloud environment by any process running on the instance. The overarching trend, however, is clear; account compromises will continue to evolve and organizations must be vigilant and take steps to defend against these threats. Key Findings The most concerning finding from the CSI team was that organizations’ need to do a much better job managing their access keys, as 43% of them had not been rotated in over 90 days. This is a big concern because access keys tend to have overly permissive access, thus creating greater exposure. It is a security best practice to rotate access keys
  • 8.
    8© 2018 RedLockInc. All rights reserved. Tips • Eliminate the use of root accounts for day-to-day operations • Enforce multi-factor authentication on all privileged user accounts • Implement a policy to automatically force periodic rotation of access keys • Automatically disable unused accounts and access keys • Implement user and entity behavior analytics solutions to identify malicious behavior 01significantly to this broader understanding. Additional investigation by the RedLock CSI team determined that 27% of organizations have users whose accounts have potentially been compromised. This result is up from our February 2018 trend report that showed 16%. This negative trend underscores that cloud security remains a porous environment. on a more frequent schedule to limit exposure should they fall into the wrong hands. The CSI team also found an encouraging trend; only 20% of organizations are allowing the root user account to be used to perform activities - down significantly from 73% last year. This trend indicates organizations are getting the message about managing root user accounts and RedLock’s CSI reports have contributed Account compromises fueling new attack vectors
  • 9.
    9© 2018 RedLockInc. All rights reserved. 85% 25% of resources do not restrict outbound traffic at all of organizations had cryptojacking activity within their environments Despite the recent ups and downs of cryptocurrency valuations, interest in illicit cryptomining remains high. Even with the recent disclosures by RedLock’s CSI team on cryptomining at Tesla, the practice of stealing cloud compute resources to mine cryptocurrency seems to have accelerated. One possible explanation for this, according the team, is the ransomware market is becoming saturated and overpriced, and hackers are setting their sights on new revenue streams - in this case cryptojacking. Another reason cryptojacking continues to proliferate is that attackers are using advanced evasion techniques when mining cryptocurrencies. The CSI team detailed some of these creative skills including in it’s blog post. Key Findings Surprisingly, 85% of resources associated with security groups do not restrict outbound traffic at all. This reflects an increase from one year ago when that statistic was 80%. The research found an increasing number of organizations were not following network security best practices and had misconfigured or risky configurations. Industry best practices mandate that outbound access should be restricted to prevent accidental data loss or data exfiltration in the event of a breach. In terms of cryptojacking, the team discovered that 25% of organizations had cryptojacking activity within their environments up from 8% last 02 Cryptojacking goes mainstream
  • 10.
    10© 2018 RedLockInc. All rights reserved. Tips • Implement a “deny all” default outbound firewall policy • Monitor north-south and east-west network traffic to identify any suspicious activities including cryptojacking • Monitor user activity for any unusual or abnormal behavior, such as unusual attempts to spin off new compute instances 02quarter. The team forecasted that cryptojacking would increase as it gained traction in the hacker community, but this rapid, dramatic growth was still unexpected. The rise of cryptojacking and seemingly misuse of security groups highlights the need for a holistic approach to security in the cloud. A combination Cryptojacking goes mainstream of configuration, user activity, network traffic, and host vulnerability monitoring is necessary to detect advanced threats in public cloud environments.
  • 11.
    03 11© 2018 RedLockInc. All rights reserved. Effective compliance must be omnipresent 49% 30% 23% of databases are not encrypted of CIS compliance checks fail of organizations fail NIST CSF compliance assessments 2018 continued 2017’s trend of significant data exposures resulting from cloud misconfigurations. FedEx and MyFitnessPal (Under Armour) both reported millions of exposed consumer records resulting from unsecured cloud storage services. Given the prevalence of cybersecurity standards - NIST CSF, CIS, PCI, SOC2, HIPAA and soon GDPR (General Data Policy Regulation), organizations are under pressure to ensure compliance across their cloud environments. The RedLock CSI team assessed the preparedness of organizations based on fundamental security best practices and the results suggest optimism and disappointment. Moreover, the results underscore that organizations must do better in all areas, as spotty compliance is not compliance at all. Key Findings The RedLock CSI team’s analysis uncovered some positive news; there is a growing trend to encrypt databases. A year ago, the team found that 82% of databases were not encrypted. Today that number stands at 49% - a 67% improvement in one year. As discussed in previous RedLock CSI reports, encryption is an important technique that could help meet the pseudonymization requirement for GDPR and should be enforced as a security best practice. A broader assessment against industry compliance standards revealed that on average
  • 12.
    12© 2018 RedLockInc. All rights reserved. Tips • Ensure cloud resources are automatically discovered when they are created, and monitored for compliance across all cloud environments. • Implement policy guardrails to ensure that resource configurations adhere to industry standards such as NIST CSF, CIS, SOC 2, PCI, and HIPAA. • Integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. regarding their compliance goals and intentions. The speed of cloud innovation is accelerating, with cloud providers adding hundreds of new features each year and developers are leveraging those features to add new apps on a continuous basis. In the end, it may just be that organizations are lagging behind in their quest to maintain compliance and ensure security in this fast paced environment. 03 Effective compliance must be omnipresent organizations fail 30% of CIS Foundations best practices, 50% of PCI requirements, and 23% of NIST CSF requirements. Compared to last year’s analysis, improvements are inconsistent and still point to the fact that organizations have a lot of work to do to make compliance a reality across their cloud environments. These disappointing results do not necessarily indicate that organizations are disingenuous
  • 13.
    13© 2018 RedLockInc. All rights reserved. 24% 39% of organizations have hosts missing critical patches in public cloud of vulnerable hosts flagged as compromised by Amazon GuardDuty We are now a few months into the reality of living with the Spectre and Meltdown vulnerabilities, and now understand their longer term impacts and the technology providers are releasing solutions. For example, Intel announced changes to the Xeon and Core processors specifically designed to guard against these vulnerabilities. Amazon, Microsoft, and Google promptly patched and updated their environments to ensure a safer operating environment. But as proactive as the industry has been, it’s only a matter of time until we face the next global host vulnerability threat. Accordingly, the RedLock CSI team assessed host vulnerability management in the cloud to determine the state of affairs. Key Findings The research revealed that 24% of organizations have hosts missing high-severity patches in public cloud, which seemingly confirms data from the February 2018 report that 83% of vulnerable hosts were receiving suspicious traffic from the internet. While many organizations have traditional vulnerability scanning tools made for on-premise data centers and networks, organizations are unable to map the data from these tools to gain cloud-specific context. For example, identifying cloud resources that are communicating with outside IPs or suspicious IPs in an ephemeral environment is a problem traditional vulnerability scanning tools were not designed to solve. 04 Beyond the specter of “Spectre” and “Meltdown”
  • 14.
    14© 2018 RedLockInc. All rights reserved. Tips • Correlate vulnerability data with resource configuration data to identify vulnerable hosts. • Correlate network traffic data to determine whether the vulnerabilities are actually network exploitable and prioritize remediation accordingly. • Correlate vulnerability data with cloud configuration and network traffic data to identify the riskiest assets, and determine whether the vulnerabilities are actually exploitable from the internet. 04Vulnerability management at scale is extremely complex in the cloud and is a key requirement of GDPR. In this dynamic environment, it is often hard to pinpoint specific questionable cloud resources, or understand the real exploitability and risks associated with them. Traditional vulnerability scanning tools fall short on delivering actionable results to users. Further, host vulnerability data needs to be correlated with host configurations in the cloud that can help identify the business purpose of the host and help prioritize patching. RedLock’s integration with Amazon GuardDuty, a threat detection service launched in November 2017, indicates that 39% of these hosts are actually exhibiting activity patterns associated with instance compromise or reconnaissance by attackers. This is an increase of 160% is about 6 months. This increase may be explained by the broader acceptance of GuardDuty since its launch; however it also indicates that organizations need to be more proactive with vulnerability management in the cloud. Beyond the specter of “Spectre” and “Meltdown”
  • 15.
    15© 2018 RedLockInc. All rights reserved. About the Report ABOUTAbout the Report RedLock CSI Team RedLock enables effective threat defense across Amazon Web Services, Microsoft Azure, and Google Cloud environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security data sets to provide comprehensive visibility, detect threats, and enable rapid response across fragmented cloud environments. With RedLock, organizations can ensure compliance, govern security, and enable security operations across public cloud environments. The RedLock Cloud Security Intelligence (CSI) team consists of elite security analysts, data scientists, and data engineers with deep security expertise. The team’s mission is to enable organizations to confidently adopt public cloud by researching cloud threats, advising organizations on cloud security best practices, and frequently publishing out-of-the-box policies in the RedLock Cloud 360™ platform. The CSI team has discovered millions of exposed records that contain sensitive data belonging to dozens of organizations ranging from small businesses to Fortune 50 companies. The team notifies the affected organizations and publishes security advisories to raise awareness about the issues. Report Methodology The data in this report is based on analysis across the public cloud environments monitored by RedLock, which comprises of over twelve million resources that are processing petabytes of network traffic. In addition, the team also actively probed the internet for vulnerabilities in public cloud environments.
  • 16.
    ACTIONReady to Take Action? Geta Free Risk Assessment Get started in minutes and obtain a free risk assessment across your cloud footprint without hindering agile development. It will provide the following insights: Are there any resources with risky configurations? Are there unpatched hosts in your environment? Have there been any network intrusions? Are there any insider threats? Have any accounts been compromised? More information: https://info.redlock.io/cloud-risk-assessment Download Cloud Security Buyer’s Guide Download the Cloud Security Buyer’s Guide to get 20+ tips based on the NIST Cybersecurity Framework and manage risks across your public cloud computing environment. More information: https://info.redlock.io/lp-nist-csf-cloud-security 16© 2018 RedLock Inc. All rights reserved.
  • 17.
    “With RedLock, wehave full visibility so we can be sure our cloud environment is secure, risk is reduced and any threats that do present themselves can be remediated right away” - David Pace Global Information Security Western Asset Management (WAM) To learn more: Call: +1.650.665.9480, Visit: www.redlock.io © 2018 RedLock Inc. All rights reserved. RedLock and RedLock logo are registered US trademarks of RedLock Inc. RedLock Cloud 360 is a trademark of RedLock Inc. All other registered trademarks are the properties of their respective owners.