This document discusses security in the cloud and recommends best practices. It notes that while AWS provides many security tools, customers are still responsible for 95% of security failures due to human error. It then outlines various attack types like SQL injection and remote code execution that target web applications. The document recommends leveraging machine learning and multiple detection techniques to identify multi-stage attacks. It emphasizes the need to secure the entire attack surface, including on-premises environments, and highlights services like Alert Logic that provide 24/7 monitoring, analytics, and security experts to help detect and respond to threats.

1. REALITY CHECK:
SECURITY IN THE CLOUD
Chris Camaclang, Sales Engineer – Alert Logic

2. The Cloud Is Secure
AWS has all the tools you need to secure your cloud!
• AWS WAF
• CloudFront
• Security Groups
• AWS Artifact
• Certificate Manager
• AWS Cloud HSM
• Amazon Cognito
• AWS Firewall Manager
• Macie
• GuardDuty
• AWS IAM
• Inspector
• AWS Config
• AWS KMS
• Amazon Macie
• AWS Shield
• AWS Secrets Manager
• AWS SSO

3. Sometimes…you might wonder what could go wrong?
• Through 2022, at least 95% of cloud security failures will be the customer’s
fault – Gartner
• More than 1.5 billion sensitive corporate and other files are visible on the
public internet due to human error – Digital Shadows
• 88% of Java applications had at least one component-based vulnerability,
56% of all PHP apps had at least one SQLi vulnerability - Veracode

4. Cloud Has Disrupted Traditional Security
Agility & Automation Hyper-scalability

5. The Cloud Attack Service

6. Cloud Landscape

7. The Cloud Attack Surface /s
443

8. Web App Attacks – King of the Hill
WEB APP
ATTACK
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55% REMOTE
CODE
EXECUTION
22%
XXE
3%
APACHE
STRUTS
RCE
6%
WEB APP
ATTACK
RECON
5%
FILE
UPLOAD
6%
OTHER
4%
SECURITY INCIDENT TYPES ESCALATED

9. With great power, comes those that seek to abuse it.

10. Check your sources…
Attacks are cloud scale
just like your application.

11. Check your surroundings…
Your adversary is
leveraging ML and AI
against you.

12. Multi-stage Web Application Attacks Appear As Noise

13. Enter Machine Learning
Over nine months :
8-10% of the customers we
monitored were targeted by
actors with better-than-
average levels of skill and
determination
Each attack
had a High
degree of
complexity
Identified,
approx. 231
attacks

14. Multi-stage Attacks
Time: Day 1
Event: Early stage recon event
Criticality: Medium
Time: Day 3
Event: SQL Injection recon
Criticality: Medium
Time: Day 4
Event: SQL table enumeration
Criticality: High
Time: Day 4
Event: Injection
Criticality: Critica
Situation: Multiple address spaces and disparate unrelated events over days

15. Behind the Data
Web apps and misconfigurations can be the final destination…or initial entry
point
Perimeter AND Network AND
System /log-based Detection
defend your hosts
see N / S / E / W in all of your
protected environments
WAF blocking/virtual patching,
IDS, and log monitoring as air
cover as you burn down your
web app vulnerabilities
• Redistribute malware directly / indirectly
(exploit kits / watering hole)
• Monetization through fraud (SEO, Coin Mining,
Spam)
• Entry point into Infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from
databases)

16. Leverage Multiple Detection Techniques

17. Best Practices
Know your Shared
Security Responsibilities
with AWS
Attack surface
isn’t just where
your data resides
Continually assess for
exposures across all
environments
Understand impacts
from applicable
compliance mandates
Implement controls
built for cloud…and
work on-premises

18. A Few Parting Thoughts
• 24-hour monitoring
• Validation & enrichment
• Remediation advice
ANALYTICS
• Signatures & rules
• Anomaly detection
• Machine learning
LIVE EXPERTS
ActiveWatch™ Managed Threat Detection
DETECT
DATA COLLECTION & INSPECTION
•Web (HTTP) requests & responses
•System logs
•Network packets
BLOCK
In-Line Web
Application
Firewall (WAF)
COMPLY
• PCI, HIPAA, SOX COBIT
• Attestation reporting
• Log review & archiving
ASSESS
VULNERABILITY SCANNING
• Software CVEs
• Network config
• Remediation workflows
AWS CONFIG AUDITING
• Configuration exposures
• Pre-authorized with AWS
• Auto-discovery, topology
Priority Alerts
AlertsIncident
Reports
Incident
Workflows
HOSTEDON-PREMISES

19. Alert Logic Cloud Security Report 2017
550 DAYS
AUG 1, 2015 – JAN 31 2017
2,207,795 INCIDENTS
TOTAL TRUE POSITIVE SECURITY INCIDENTS
ANALYZED
32.5 MILLION EVENTS
DRIVING ESCALATED INCIDENTS
147 PETABYTES
OF DATA ANALYZED
3807 CUSTOMERS
ANALYZED
452 INDUSTRIES
ACROSS 3 CONTINENTS

20. Who Can I Speak To?
Need 1-on-1 time with Security Experts?
Speak to Alert Logic to have all your questions
answered.
Alert Logic 2017 Cloud Security Report
www.alertlogic.com

21. Thank you.