As organizations continue to move to the cloud for hosting applications and development, security teams must protect multiple attack surfaces, including the applications and the cloud infrastructure. Additionally, attackers are automated and capable. While these attackers continuously probe and find access or vulnerabilities on many different levels, their success usually results from human error in code or infrastructure configurations, such as open admin ports and over-privileged identity roles.
Join DisruptOps and NetSPI for this webinar to learn how to better secure both the application layer and cloud infrastructure, using both automated tools and capable penetration testers to uncover logic flaws and other soft spots. We will share how to find and remediate your own vulnerabilities more efficiently, before the attackers do.
3. Karl Fosaaen, Practice Director - NetSPI
• Joined NetSPI in 2011
• Leads the Cloud Pentesting Service
• Leads the NetSPI Portland office
• Creator of MicroBurst, a toolset for pentesting Azure
• NetSPI was founded in 2001 and works with seven of
the top 10 U.S. banks and two of the three largest
global cloud providers.
• NetSPI has completed over 10,000 engagements and
reported more than 4 million vulnerabilities.
4. Mike Rothman, President - DisruptOps
• Founded in 2014
• Raised $10M+ in funding
• 2019 RSA Innovation Sandbox Top 10 Finalists
• Pioneering pathways to accelerate cloud adoption
• Helping organizations of all sizes embrace trustable
cloud management and automation at scale
• DisruptOps provides a SaaS-based, Detection and
Response platform that automates assessment and
remediation procedures of critical cloud security
issues
6. Common Pentest Requirements
• Application Testing
• Recently ported legacy applications
• New applications
• Recent or upcoming code pushes
• Web / Mobile / Thick Client
• Network Testing
• Internal Network
• External Network
• Segmentation testing (PCI)
7. How do we pentest “The Cloud”?
• With Permission…
• Traditional Network / App testing
• Traditional Vulnerability/Port scanners
• Nessus, Nmap, Burp Suite, etc.
• Cloud Configuration Review
• Automated tools to dump configurations and find issues
• Manual review of console/portal interfaces
8. What services do we care about?
• Virtual Machines
• Serverless Code
• Platform Users and Groups
• How permissions are applied (IAM)
• Integrations with identity providers (IDPs/Federation/SSO)
• (Potentially) Public-facing PaaS services
• Web application services
• Database services
• Data storage
9. How to plan/scope your cloud pen test
• Gather counts of resources
• Numbers of:
• Virtual Machines
• Public IPs
• PaaS services
• Include public facing IPs in your external ranges
• Beware of dynamic IPs
• Include application testing as part of your scope
• Complete a separate Cloud environment pen test
• Scope should cover App/Network/Config
13. Why is Cloud Security at Scale Hard?
• Complexity – hundreds of cloud services and tens of
thousands of resources spread across multiple cloud accounts.
• Speed of change – DevOps and agile approaches have led to
frequent and even continuous change.
• Human error – Lack of expertise and tools leave issues
undetected and unresolved.
• Automated attackers – Exposed cloud resources are rapidly
discovered and exploited by automated attacks.
14. Get off the Hamster Wheel with a Cloud SecOps Platform
[Platform diagram with the components: Events, API, Hyperscale Automation Engine, Governance, Notifications and Reporting, Remediation, Issues, Actions, Detection and Response, Rules]
15. Platform Critical Capabilities
• Event-Driven – Internal architecture is completely event-driven, for both internal and external events
• SaaS – DisruptOps is a fully multitenant SaaS application
• Secure by Design – Security is baked in, including an advanced least-privilege provisioning system
• Serverless – DisruptOps is fully cloud-native and serverless for cloud-scale support
16. Use Case: Assessment and Remediation
[Workflow diagram]
• Assess: Find port 22 open to the Internet
• Issue: instance xxx exposes TCP/22 to 0.0.0.0/0
• Action: Restrict to known IP addresses
• Notifications and Reporting
• Cloud Inventory: Verify action and refresh resource in inventory
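The assess/issue/action/verify loop on this slide, written out as an added Python example (not DisruptOps code). The security-group records mirror the shape of the AWS EC2 DescribeSecurityGroups response, but the two groups and the "known" admin ranges below are constructed, nothing calls an API, and the remediation returns a new copy so the change can be reviewed or approved before it is applied.

```python
"""Assess: find TCP/22 open to the world. Action: restrict it to known source
ranges. Verify: re-run the assessment on the remediated group.
Added example; the data is constructed and no cloud API is called."""
import copy
import ipaddress

# Constructed sample: the first group exposes SSH to 0.0.0.0/0 and ::/0,
# the second already restricts it to a single administrative range.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",  # placeholder id
        "GroupName": "web-servers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",  # placeholder id
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

# Known administrative source ranges (constructed, RFC 5737 documentation space).
KNOWN_ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]


def _covers_port(perm, port):
    """True if the permission's port range includes `port`. An "all traffic"
    rule (IpProtocol "-1") covers every port and is flagged too."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _is_world(cidr):
    """True for the IPv4 or IPv6 'anywhere' prefix (0.0.0.0/0, ::/0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def assess_exposed_port(security_groups, port=22):
    """Assess step: one issue per group that exposes `port` to the world."""
    issues = []
    for sg in security_groups:
        world_sources = []
        for perm in sg["IpPermissions"]:
            if not _covers_port(perm, port):
                continue
            world_sources += [r["CidrIp"] for r in perm.get("IpRanges", [])
                              if _is_world(r["CidrIp"])]
            world_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                              if _is_world(r["CidrIpv6"])]
        if world_sources:
            issues.append({"GroupId": sg["GroupId"], "Port": port,
                           "Sources": world_sources})
    return issues


def remediate_restrict_to_known(security_group, port, allowed_cidrs):
    """Action step: replace world-open sources on rules covering `port` with
    the known ranges (IPv4 and IPv6 lists are rebuilt separately; a family
    with no known range ends up empty, i.e. closed). The input is not
    mutated, so the proposed change can be reviewed before it is applied."""
    fixed = copy.deepcopy(security_group)
    v4 = [c for c in allowed_cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in allowed_cidrs if ipaddress.ip_network(c).version == 6]
    for perm in fixed["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        if any(_is_world(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            perm["IpRanges"] = [{"CidrIp": c} for c in v4]
        if any(_is_world(r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])):
            perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return fixed


def verify_remediation(security_group, port=22):
    """Verify step: the remediated group no longer appears in the assessment."""
    return assess_exposed_port([security_group], port) == []


if __name__ == "__main__":
    for issue in assess_exposed_port(SAMPLE_SECURITY_GROUPS):
        print(f"Issue: {issue['GroupId']} exposes TCP/{issue['Port']} "
              f"to {', '.join(issue['Sources'])}")
        sg = next(g for g in SAMPLE_SECURITY_GROUPS if g["GroupId"] == issue["GroupId"])
        fixed = remediate_restrict_to_known(sg, issue["Port"], KNOWN_ADMIN_CIDRS)
        print("Action: restrict to", KNOWN_ADMIN_CIDRS, "-> verified:", verify_remediation(fixed))
```

Note that the rule for port 443 in the same group is left open on purpose: the remediation touches only rules that cover the assessed port, which is what keeps an automated action narrow enough to run without a human in the loop.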
17. Use Case: Detection and Response
[Workflow diagram]
• Events: Cryptocurrency Miner Detected by GuardDuty
• Rules: Matched Guardrail
• Action Decision: Terminate Instance
• Notifications and Reporting
• Process decision action response
18. The Key to Automation: Decisions
• Human-integrated automation puts the power in the hands of
the administrators
• Fully automated, UI Interaction, ChatOps – Delay/Wait actions
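The Events → Rules → Matched Guardrail → Action Decision pipeline of slide 17, with the decision modes of slide 18 (fully automated, wait for a UI/ChatOps approval, or delay) built into each guardrail. This is an added Python example and not DisruptOps code; the finding follows the general shape of a GuardDuty finding delivered through EventBridge, but the finding itself, the guardrail names and the `env` tag convention are constructed, and no action is executed against any account.

```python
"""Event-driven detection and response with an explicit decision step.
Added example; events and guardrails are constructed and nothing here
terminates or isolates a real instance."""
import fnmatch


def make_finding(finding_type, severity, env, instance_id="i-0000000000000001"):
    """Build a constructed GuardDuty-style finding event (EventBridge shape)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "accountId": "111111111111",  # placeholder account
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {"instanceId": instance_id,
                                    "tags": [{"key": "env", "value": env}]},
            },
        },
    }


# The slide's event: a cryptocurrency miner detected by GuardDuty on a dev box.
SAMPLE_EVENT = make_finding("CryptoCurrency/EC2/BitcoinTool.B!DNS", 8, "dev")

# Guardrails (constructed). Each matches on finding type and minimum severity,
# optionally on the instance's env tag, and declares how its action is decided:
#   "automatic" - execute immediately
#   "approval"  - park the action and ask a human via UI or ChatOps
#   "delay"     - wait `delay_seconds`, then execute unless cancelled
GUARDRAILS = [
    {"name": "terminate-miner-dev", "type_glob": "CryptoCurrency/EC2/*",
     "min_severity": 7, "env": "dev", "action": "terminate_instance",
     "mode": "automatic"},
    {"name": "terminate-miner-prod", "type_glob": "CryptoCurrency/EC2/*",
     "min_severity": 7, "env": "prod", "action": "terminate_instance",
     "mode": "approval"},
    {"name": "isolate-recon", "type_glob": "Recon:EC2/*",
     "min_severity": 4, "env": None, "action": "quarantine_instance",
     "mode": "delay", "delay_seconds": 900},
]


def _instance_env(detail):
    """Read the env tag off the finding's instance details, if present."""
    tags = detail["resource"].get("instanceDetails", {}).get("tags", [])
    return next((t["value"] for t in tags if t["key"] == "env"), None)


def match_guardrails(event, guardrails=GUARDRAILS):
    """Rules step: return every guardrail whose conditions the event satisfies.
    Non-GuardDuty events and findings on non-instance resources match nothing."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return []
    d = event["detail"]
    if d["resource"].get("resourceType") != "Instance":
        return []
    env = _instance_env(d)
    return [g for g in guardrails
            if fnmatch.fnmatch(d["type"], g["type_glob"])
            and d["severity"] >= g["min_severity"]
            and (g["env"] is None or g["env"] == env)]


def decide_action(event, guardrail):
    """Action Decision step: produce the response record. The record always
    goes to notifications; whether it executes now, waits for a human, or
    runs after a delay is the guardrail's `mode`."""
    instance_id = event["detail"]["resource"]["instanceDetails"]["instanceId"]
    decision = {"guardrail": guardrail["name"], "action": guardrail["action"],
                "target": instance_id, "mode": guardrail["mode"], "notify": True}
    if guardrail["mode"] == "delay":
        decision["delay_seconds"] = guardrail["delay_seconds"]
    return decision


def process_event(event, guardrails=GUARDRAILS):
    """Full pipeline: Events -> Rules -> Matched Guardrail -> Action Decision."""
    return [decide_action(event, g) for g in match_guardrails(event, guardrails)]


if __name__ == "__main__":
    for decision in process_event(SAMPLE_EVENT):
        print(f"{decision['guardrail']}: {decision['action']} on "
              f"{decision['target']} ({decision['mode']})")
```

The same finding on a prod-tagged instance yields a decision with mode `approval` instead of `automatic`, which is the point of slide 18: the rule engine still matches, but the administrator decides whether the termination happens.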
19. Top Down Meets Bottom Up
[Cycle diagram: Identify Issue, Remediate Once, Automate, Continuous Assessment]