The document discusses security challenges in cloud computing environments, noting that while cloud platforms provide robust security tools, many security incidents are still caused by human errors or vulnerabilities in customer applications and configurations. It also examines trends in common attack types like web application attacks and how adversaries are increasingly chaining together vulnerabilities using techniques like machine learning. The author advocates for best practices like ongoing vulnerability scanning, web application firewalls, compliance monitoring, and leveraging a security operations center for detection, response and guidance.

1. Thank you.Reality Check: Security in the
Cloud
Amy Bogroff– Director Sales Engineering - East, Alert Logic

2. The Cloud Is Secure.
• AWS provides the most comprehensive suite of tools allowing
subscribers to achieve that promise
• Integrators like Presidio work to simplify the transition

3. Sometimes…
• Through 2022, at least 95% of cloud security failures will be the customer’s fault –
Gartner
• More than 1.5 billion sensitive corporate and other files are visible on the public
internet due to human error – Digital Shadows
• 88% of Java applications had at least one component-based vulnerability, 56% of all
PHP apps had at least one SQLi vulnerability - Veracode
• Attackers are outpacing enterprises with technology such as machine learning and
artificial intelligence (AI) – Ponemon/ServiceNow

4. With great power, comes those that seek to abuse it.

5. Check your sources…
Attacks are cloud scale
just like your application.

6. Check your surroundings…
Your adversary is
leveraging ML and AI
against you.

7. Alert Logic Security Operations Center
443

8. Alert Logic Cloud Security Report 2017
550 DAYS
AUG 1, 2015 –JAN 31 2017
2,207,795
TOTAL TRUE POSITIVE SECURITY
INCIDENTS ANALYZED
32.5 MILLION
EVENTS DRIVING ESCALATED
INCIDENTS
147
PETABYTES
OF DATA ANALYZED
3807 CUSTOMERS
ANALYZED
452
INDUSTRIES ACROSS 3 CONTINENTS

9. Key Findings
1. Web applications are the soft underbelly of your organization –
the number-one means by which attackers breach data.
2. The movement toward assembling a chain of vulnerabilities to
build hard-to-detect, resilient attacks is accelerating.
3. Hybrid networks, with portions scattered among public clouds,
private clouds, and on-premises systems, are at greatest risk.
4. Organizations in different sectors suffer from very similar attacks
– and can learn much from each other.

10. Workload Environments Impact Incident Volumes
2.5x
more security incidents
observed in Hybrid vs
Public Cloud
51%
higher rate of
security incidents in
on premises vs Cloud
AVERAGE PER CUSTOMER SECURITY INCIDENT COUNTS

11. Web App Attacks – King of the Hill
WEB APP
ATTACK
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55% REMOTE
CODE
EXECUTION
22%
XXE
3%
APACHE
STRUTS
RCE
6%
WEB APP
ATTACK
RECON
5%
FILE
UPLOAD
6%
OTHER
4%
SECURITY INCIDENT TYPES ESCALATED

12. Increasing vulnerabilities at every layer
Vulnerabilities in
YOUR CODE
Vulnerabilities in
YOUR CONFIGS
Vulnerabilities
YOU INHERIT

13. Detect, Inspect, &
Escalate
Industry Challenge: The Good, the Bad and the Ugly
Known Good
Known Bad
Suspicious
Allow
Identify | Tune | Permit
Block
Drop | Reconfigure
Application Stack
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Databases
Server OS
Hypervisor
Hardware Classification Action
HUMAN EXPERT
REQUIRED
Page 13

14. What Can We Do???
• Scan for vulnerabilities and
misconfigurations
• WAF blocking/virtual patching,
IDS, and log monitoring as air
cover as you burn down your web
app vulnerabilities
• Leverage multiple detection
techniques
• Compliance requirements also
tend to be best practices
ASSESS
BLOCK COMPLY
DETECT

15. Address Vulnerabilities
Source: SC Magazine: scmagazine.com/one-year-later-heartbleed-still-a-threat/article/407803/
SHELLSHOCK HEARTBLEED
% of Global 2000
Organizations
Vulnerable to
Heartbleed in
August 2014: 76%
April, 2015: 74%
359 of 6000 analyzed containers – Tenable, 2018

16. Leverage Multiple Detection Techniques

17. Anomaly Detection – Something Just Doesn’t Look Right

18. Multi-stage Web Application Attacks Appear As Noise

19. Enter Machine Learning
Over nine months :
8-10% of the customers we
monitored were targeted by
actors with better-than-
average levels of skill and
determination
Each attack
had a High
degree of
complexity
Identified,
approx. 231
attacks

20. Multi-stage Attacks
Time: Day 1
Event: Early stage recon event
Criticality: Medium
Time: Day 3
Event: SQL Injection recon
Criticality: Medium
Time: Day 4
Event: SQL table enumeration
Criticality: High
Time: Day 4
Event: Injection
Criticality: Critica
Situation: Multiple address spaces and disparate unrelated events over days

21. Surgical Exfiltration
1 IP Address
Duration: 7 minutes
Surgical Exfiltration
1 IP Address
Duration: 2 minutes
Precision Recon
1 IP Address
Duration: 12 minutes
Precision Recon
1 IP Address
Duration: 8 minutes
Precision Recon
1 IP Address
Duration: 1 minute
Precision Recon
1 IP Address
Duration: 11 minutes
Sustained, Multi-stage Attack for Intellectual Property Theft
September2016 2017AprilOctober November December January February March
Jan 16th
Jan 3rd
Nov 2nd
Feb 6th
Continuous SQLi Reconnaissance to Better Understand the Environment (49 Unique IPs)
Continuous General SQLi Testing (172 Unique IPs)

22. Behind the Data
Web apps and misconfigurations can be the final destination…or initial entry
point
Perimeter AND Network AND
System /log-based Detection
defend your hosts
see N / S / E / W in all of your
protected environments
WAF blocking/virtual patching,
IDS, and log monitoring as air
cover as you burn down your
web app vulnerabilities
• Redistribute malware directly / indirectly
(exploit kits / watering hole)
• Monetization through fraud (SEO, Coin Mining,
Spam)
• Entry point into Infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from
databases)

23. Best Practices
Know your Shared
Security Responsibilities
with AWS
Attack surface
isn’t just where
your data resides
Continually assess for
exposures across all
environments
Understand impacts
from applicable
compliance mandates
Implement controls
built for cloud ,
containers, and
DevOps

24. A Few Parting Thoughts
• 24-hour monitoring
• Validation & enrichment
• Remediation advice
ANALYTICS
• Signatures & rules
• Anomaly detection
• Machine learning
LIVE EXPERTS
ActiveWatch™ Managed Threat Detection
DETECT
DATA COLLECTION & INSPECTION
•Web (HTTP) requests & responses
•System logs
•Network packets
BLOCK
In-Line Web
Application
Firewall (WAF)
COMPLY
• PCI, HIPAA, SOX COBIT
• Attestation reporting
• Log review & archiving
ASSESS
VULNERABILITY SCANNING
• Software CVEs
• Network config
• Remediation workflows
AWS CONFIG AUDITING
• Configuration exposures
• Pre-authorized with AWS
• Auto-discovery, topology
Priority Alerts
AlertsIncident
Reports
Incident
Workflows
HOSTEDON-PREMISES

25. Who Can I Speak To?
Need 1-on-1 time with Security Experts?
Speak to Alert Logic to have all your questions answered.
Alert Logic 2017 Cloud Security Report
www.alertlogic.com

26. Questions?
Are these findings in line with your expectations?
What additional areas concern you most?
What other insights can we draw from these numbers?
What other best practices should we be sharing?