Azure 101: Shared responsibility in the Azure Cloud
SHARED SECURITY RESPONSIBILITY IN AZURE
Speaker - Chris Camaclang
Agenda
• Intro + Housecleaning + Surveys
• Hybrid Cloud Landscape
• Threat Landscape
• Security Best Practices
• Alert Logic Solutions and Value
Hybrid Cloud Today
[Diagram: a hybrid environment spanning a private cloud, a public cloud and cloud failover in a different geography, linked by secure tunnels. Internal and external users (prospects, customers, business partners, managers, PMs, architects, developers, support) reach it from smartphones, smart TVs, tablets, desktops, cloudtops, notebooks and netbooks. Environments shown: production, staging, QA, dev/test, demo sites and performance testing. Service blocks shown: IT and dev support, office, TIM/TAM, desktop, monitoring, business support, transformation, Adobe LC, messaging, security, business intelligence and code management services.]
The Impact of a Breach is Far-Reaching and Long-Lived
The Cyber Kill Chain¹: Identify & Recon → Initial Attack → Command & Control → Discover & Spread → Extract & Exfiltrate
The Impact:
• Financial loss
• Harm to brand and reputation
• Scrutiny from regulators
1. http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
Companies of All Sizes Are Impacted
Global Analysis: Threats by Customer Industry Vertical (Source: Alert Logic CSR 2016)
[Chart: share of incidents by threat type (application attack, brute force, recon, suspicious activity, trojan activity) for three verticals. Values extracted per vertical: Finance-Insurance-Real Estate: 29%, 48%, 10%, 11%, 2%; Retail-Wholesale: 56%, 25%, 17%, 0%, 2%; Information Technology: 54%, 21%, 22%, 1%, 2%. The mapping of each value to a threat type is not recoverable from the extracted chart.]
Security risk is shifting to unprotected web applications
Web app attacks are now the #1 source of data breaches, but less than 5% of data center security budgets are spent on app security ($23 to $1, Source: Gartner).
Breaches by incident pattern (Source: Verizon):
• Web App Attacks: 908
• POS Intrusions: 525
• Miscellaneous Errors: 197
• Privilege Misuse: 172
• Cyber-espionage: 155
• Everything Else: 125
• Payment Card Skimmers: 86
• Physical Theft / Loss: 56
• Crimeware: 49
• Denial of Service: 1
Web App Attacks: up 500% since 2014 (Source: Verizon)
Cloud Security is a Shared, but not Equal, Responsibility
Microsoft
• Logical Network Segmentation
• Perimeter Security Services
• External DDoS, spoofing and scanning monitored
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)
Customer
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (inc. Multi-factor Authentication)
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption
• Network Security Configuration
Alert Logic
• Security Monitoring
• Log Analysis
• Vulnerability Scanning
• Network Threat Detection
• Web Application Firewall
• Application level attack monitoring
SECURITY BEST PRACTICES
10 Best Practices for Security
1. Understand the Cloud Provider's Shared Responsibility Model
2. Secure your code
3. Create access management policies
4. Data classification
5. Adopt a patch management approach
6. Review logs regularly
7. Build a security toolkit
8. Stay informed of the latest vulnerabilities that may affect you
9. Understand your cloud service provider's security model
10. Know your adversaries
1. Understand the Cloud Provider's Shared Responsibility Model
The first step to securing cloud workloads is understanding the shared responsibility model.
Microsoft will secure most of the underlying infrastructure, including physical access to the datacenters, the servers and hypervisors, and parts of the networking infrastructure…but the customer is responsible for the rest.
Taken from the Shared Responsibility for Cloud Computing whitepaper, published by Microsoft in March 2016.
2. Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps
3. Create Secure Access Management Policies
• Simplify access controls (KISS)
• Lock down the Admin account in Azure
• Enable MFA (Azure, hardware/software token)
• Identify data infrastructure that requires access (*lock down Azure SQL)
• Define roles and responsibilities (delegating service admins)
• Azure NSG (private vs public)
• Continually audit access (Azure Audit Logs)
• Start with a least privilege access model (RBAC); *avoid the Owner role unless absolutely necessary
• Don't store keys in code (e.g. secret keys)
• AAD Premium (*security analytics and alerting)
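Two of the bullets above, least-privilege RBAC and NSG private-vs-public, can be checked mechanically from exported configuration. The Python below is an added example written for this transcript, not code from the webinar or from Alert Logic. It audits a constructed role-assignment export for privileged roles granted at subscription scope or directly to users, and evaluates constructed NSG rules the way Azure does (lowest priority number first, first match wins) to find management ports that a packet from the Internet would reach. The field names mirror a subset of what `az role assignment list` and `az network nsg rule list` return; the records, principal names and the subscription placeholder are constructed.

```python
"""Added example: least-privilege audit of RBAC assignments and NSG rules (constructed data)."""

# Constructed export; field names assumed to match the Azure CLI output.
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-PLACEHOLDER"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-PLACEHOLDER"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-web"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-web"},
]

# Roles that can change who has access; the slide says to avoid Owner unless necessary.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def scope_level(scope):
    """Map an ARM scope string to managementGroup / subscription / resourceGroup / resource."""
    if "/managementGroups/" in scope:
        return "managementGroup"
    segments = [s for s in scope.split("/") if s]
    if len(segments) == 2:      # /subscriptions/<id>
        return "subscription"
    if len(segments) == 4:      # /subscriptions/<id>/resourceGroups/<name>
        return "resourceGroup"
    return "resource"


def find_overbroad_assignments(assignments):
    """Return (principal, reasons) for privileged roles granted too broadly or to individual users."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        level = scope_level(a["scope"])
        if level in ("managementGroup", "subscription"):
            reasons.append(f"{a['roleDefinitionName']} granted at {level} scope")
        if a["principalType"] == "User":
            reasons.append("privileged role assigned directly to a user rather than a group")
        if reasons:
            findings.append((a["principalName"], reasons))
    return findings


# Constructed NSG rules, including the two Azure default inbound rules that always exist.
NSG_RULES = [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "deny-rdp-from-internet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-temp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "0-65535"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Only wildcard sources are treated as "the Internet"; a specific public CIDR is a narrower grant.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 5985: "WinRM"}


def port_in_range(port, port_range):
    """True if port falls in a single range such as '22', '1000-2000' or '*'."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def publicly_exposed_ports(rules, ports=SENSITIVE_PORTS):
    """For a TCP packet from the Internet to each sensitive port, apply the inbound rules in
    priority order and stop at the first match; return {port: rule name} where it is allowed."""
    exposed = {}
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for port in ports:
        for r in inbound:
            if r["protocol"] not in ("Tcp", "*"):
                continue
            if r["sourceAddressPrefix"] not in PUBLIC_SOURCES:
                continue
            if not port_in_range(port, r["destinationPortRange"]):
                continue
            if r["access"] == "Allow":
                exposed[port] = r["name"]
            break  # first matching rule decides, as in Azure
    return exposed


if __name__ == "__main__":
    for principal, reasons in find_overbroad_assignments(ROLE_ASSIGNMENTS):
        print(principal, "->", "; ".join(reasons))
    for port, rule in publicly_exposed_ports(NSG_RULES).items():
        print(f"{SENSITIVE_PORTS[port]} ({port}) reachable from the Internet via rule {rule}")
```

In the constructed data the explicit RDP deny at priority 200 wins over the broad "temporary" allow at 300, but SSH, SQL Server and WinRM are still exposed by that allow, which is exactly the kind of leftover rule a regular audit should catch. The evaluator handles a single `destinationPortRange` per rule; rules that use the `destinationPortRanges` list form would need the list expanded first.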
4. Data Classification
• Identify data repositories and mobile backups
• Identify classification levels and requirements
• Analyze data to determine classification
• Build access management policy around classification
• Monitor file modifications and users
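The middle three bullets, analyze the data, assign a level and tie access policy to that level, are shown end to end in the Python below. It is an added example written for this transcript, not code from the webinar or from Alert Logic. The repository samples, the four classification levels and the controls required per level are constructed; the card-number check is the standard Luhn checksum, which keeps arbitrary 16-digit numbers from being classified as payment data.

```python
"""Added example: classify sample repositories and derive access policy from the level (constructed data)."""
import re

# Ascending sensitivity; constructed for this example.
LEVELS = ["public", "internal", "confidential", "restricted"]

# 13-19 digits with optional space/dash separators, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed repository samples (contents are made up).
REPOSITORIES = {
    "crm-export.csv": "cust_id,card\n1001,4111 1111 1111 1111\n",
    "staff-directory.txt": "Alice Example <alice@contoso.example> ext 2201\n",
    "release-notes.md": "v2.1 shipped 2016-03-01, order ids 10023-10040\n",
}


def luhn_valid(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Highest level triggered by the content: valid PAN -> restricted, personal e-mail -> confidential."""
    if any(luhn_valid(m.group(0)) for m in PAN_CANDIDATE.finditer(text)):
        return "restricted"
    if EMAIL.search(text):
        return "confidential"
    return "internal"


def classify_repositories(repos):
    return {name: classify_text(content) for name, content in repos.items()}


def required_controls(level):
    """Controls the (constructed) policy attaches to each level; higher levels inherit lower ones."""
    controls = {"rbac_scoped"}
    if LEVELS.index(level) >= LEVELS.index("confidential"):
        controls |= {"mfa", "encryption_at_rest", "access_logging"}
    if level == "restricted":
        controls |= {"file_integrity_monitoring", "named_approver"}
    return controls


def access_allowed(clearance, level, mfa_used):
    """A principal needs clearance at or above the data level and MFA where the level demands it."""
    if LEVELS.index(clearance) < LEVELS.index(level):
        return False
    if "mfa" in required_controls(level) and not mfa_used:
        return False
    return True


if __name__ == "__main__":
    for name, level in classify_repositories(REPOSITORIES).items():
        print(f"{name}: {level} -> {sorted(required_controls(level))}")
```

The level drives both the access decision and the monitoring bullet that follows: "restricted" repositories are the ones that get file-integrity monitoring, so the classification pass is also what produces the watch list for modification monitoring.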
5. Adopt a Patch Management Approach
• Use trusted images (*prevent users from launching untrusted images)
• Constantly scan all vulnerabilities in your images and patch them
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release into production
• Set up a regular patching schedule
• Keep informed; follow Bugtraq
• Follow an SDLC
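The "compare reported vulnerabilities to production" and "classify the risk based on vulnerability and likelihood" steps above are shown as one pass in the Python below. It is an added example written for this transcript, not code from the webinar or from Alert Logic. The vulnerability feed (placeholder IDs, made-up fixed versions and scores), the image inventory and the likelihood weights are all constructed; the version comparison handles the numeric-plus-suffix form (e.g. 1.0.2g) that package versions often take.

```python
"""Added example: match a vulnerability feed against image inventory and rank by risk (constructed data)."""
import re

# Constructed feed; IDs are placeholders, not real advisories.
VULNERABILITIES = [
    {"id": "VULN-EXAMPLE-1", "package": "openssl", "fixed_in": "1.0.2h", "cvss": 9.8, "exploit_public": True},
    {"id": "VULN-EXAMPLE-2", "package": "nginx", "fixed_in": "1.10.1", "cvss": 7.5, "exploit_public": False},
    {"id": "VULN-EXAMPLE-3", "package": "libxml2", "fixed_in": "2.9.4", "cvss": 5.3, "exploit_public": False},
]

# Constructed production inventory: image name, exposure, installed package versions.
INVENTORY = [
    {"image": "web-tier-2016-03", "internet_exposed": True,
     "packages": {"openssl": "1.0.2g", "nginx": "1.10.1", "libxml2": "2.9.3"}},
    {"image": "app-tier-2016-03", "internet_exposed": False,
     "packages": {"openssl": "1.0.2g", "libxml2": "2.9.4"}},
]


def version_key(version):
    """Turn '1.0.2g' into ((1, ''), (0, ''), (2, 'g')) so versions compare numerically, then by suffix."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1) or 0), m.group(2)))
    return tuple(key)


def is_affected(installed, fixed_in):
    return version_key(installed) < version_key(fixed_in)


def risk_score(vuln, host):
    """Severity (CVSS) weighted by likelihood: Internet exposure and a public exploit raise it.
    Weights are constructed for the example."""
    likelihood = 1.0 if host["internet_exposed"] else 0.5
    if vuln["exploit_public"]:
        likelihood *= 1.5
    return round(vuln["cvss"] * likelihood, 1)


def risk_class(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(vulns, inventory):
    """Return affected (image, vulnerability) pairs, highest risk first."""
    findings = []
    for host in inventory:
        for v in vulns:
            installed = host["packages"].get(v["package"])
            if installed is None or not is_affected(installed, v["fixed_in"]):
                continue
            score = risk_score(v, host)
            findings.append({"image": host["image"], "vuln": v["id"], "package": v["package"],
                             "installed": installed, "fixed_in": v["fixed_in"],
                             "score": score, "class": risk_class(score)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(VULNERABILITIES, INVENTORY):
        print(f"{f['class']:8} {f['score']:5} {f['image']} {f['package']} {f['installed']} -> {f['fixed_in']} ({f['vuln']})")
```

The same package defect lands as "critical" on the Internet-facing web image and only "high" on the internal application tier, which is the point of weighting by likelihood: the patching schedule that follows should be driven by the ranked list, not by the raw feed.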
6. Log Management Strategy
• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance
• All sources of log data are collected and retained
• Data types (Windows, Syslog)
• Azure AD behavior
• Azure Audit Logs (services, instances…activity, PowerShell)
• Azure SQL Logs
• Azure App Services Logs
• Review process
• Live monitoring
• Correlation logic
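The "correlation logic" bullet is the one that turns collected Azure AD and Audit Log data into something reviewable. The Python below is an added example written for this transcript, not code from the webinar or from Alert Logic. It runs two rules over constructed records: a burst of failed sign-ins for one user from one address followed by a success, and, if that user then performs a privileged management operation (here `Microsoft.Authorization/roleAssignments/write`, a real Azure operation name) within an hour, an escalation. The record field names, user names, addresses and timestamps are constructed and only loosely follow the Azure AD sign-in and Activity Log shapes.

```python
"""Added example: correlate constructed Azure AD sign-in and Activity Log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (field names assumed, not the exact Azure AD schema).
SIGNINS = [
    {"time": "2016-03-01T09:00:05Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:01:10Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:02:15Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:03:20Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:04:25Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:05:30Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "failure"},
    {"time": "2016-03-01T09:07:00Z", "user": "alice@contoso.example", "ip": "203.0.113.10", "result": "success"},
    {"time": "2016-03-01T09:30:00Z", "user": "bob@contoso.example", "ip": "198.51.100.7", "result": "success"},
]

# Constructed Activity Log records; the operation names are real Azure resource-provider operations.
ACTIVITY = [
    {"time": "2016-03-01T09:12:00Z", "caller": "alice@contoso.example",
     "operation": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded"},
    {"time": "2016-03-01T10:00:00Z", "caller": "bob@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded"},
]

PRIVILEGED_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_signins(signins, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by at least `threshold` failures for the same (user, ip) within `window`."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for rec in sorted(signins, key=lambda r: r["time"]):
        key = (rec["user"], rec["ip"])
        t = parse(rec["time"])
        if rec["result"] == "failure":
            failures[key].append(t)
            continue
        recent = [f for f in failures[key] if t - f <= window]
        if len(recent) >= threshold:
            findings.append({"user": rec["user"], "ip": rec["ip"], "time": t,
                             "failures_before_success": len(recent)})
    return findings


def correlate_with_activity(findings, activity, window=timedelta(hours=1)):
    """Escalate when a flagged user performs a privileged operation within `window` of the sign-in."""
    escalations = []
    for f in findings:
        for ev in activity:
            if ev["caller"] != f["user"] or ev["operation"] not in PRIVILEGED_OPERATIONS:
                continue
            delta = parse(ev["time"]) - f["time"]
            if timedelta(0) <= delta <= window:
                escalations.append((f["user"], ev["operation"], ev["time"]))
    return escalations


if __name__ == "__main__":
    flagged = suspicious_signins(SIGNINS)
    for f in flagged:
        print(f"{f['user']} from {f['ip']}: {f['failures_before_success']} failures then success at {f['time']}")
    for user, op, when in correlate_with_activity(flagged, ACTIVITY):
        print(f"ESCALATE: {user} performed {op} at {when} shortly after a suspicious sign-in")
```

Either rule alone is noisy (a user mistyping a password, an admin doing routine role changes); joining them across the two log sources is what gives the review process something worth a person's time.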
7. Build a Security Toolkit
Recommended Security Solutions:
• Antivirus
• IP tables/Firewall
• Backups
• FIM
• Intrusion Detection System (VNET ingress/egress)
• Malware Detection
• Web Application Firewalls (inspection at Layer 7)
• Forensic Image of hardware remotely
• Future Deep Packet Forensics
• Web Filters
• Mail Filters
• Encryption Solutions
• Proxies
• Log collection
• SIEM Monitoring and Escalation
• Penetration Testing
8. Stay Informed of the Latest Vulnerabilities
Websites to follow:
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/
• https://www.alertlogic.com/weekly-threat-report/
9. Understand Your Service Provider's Security Model
• Understand the security offerings from your provider
• Probe into the security vendors to find their prime service
• Hypervisor exploits are patched by the service provider
• Questions to use when evaluating cloud service providers
10. Understand Your Adversaries
Threats are 24x7 = Security Operations 24x7
• Monitor intrusion detection and vulnerability scan activity
• Search for industry trends and deliver intelligence on lost or stolen data
• Collect data from OSINT and underground sources to deliver intelligence and content
• Identify and implement required policy changes
• Escalate incidents and provide guidance to the response team to quickly mitigate incidents
• Monitor for zero-day and new and emerging attacks
• Cross-product correlate data sources to find anomalies
ALERT LOGICSOLUTIONS
Vulnerabilities + Change + Shortage
Complexity of defending web applications and workloads: risks are moving up the stack
1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd party development tools
4. Extreme shortage of cloud and application security expertise
[Diagram sequence: the application stack, top to bottom: Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Databases, Networking, Cloud Management. Threat classes mapped against it: Web App Attacks / OWASP Top 10 at the top, Platform / Library Attacks in the middle, System / Network Attacks at the bottom. Slide claim: perimeter and end-point security tools fail to protect the cloud attack surface.]
Focus requires full stack inspection…and complex analysis
• Security decision on your app stack: Known Good → Allow; Suspicious → Analyze; Known Bad → Block
• Collection technology gathers App Transactions, Log Data and Network Traffic, alongside app + config assessment
Integrated value chain delivering full stack security, experts included
• Analytics: Signatures & Rules, Anomaly Detection, Machine Learning, over petabytes of normalized data from 4000+ customers
• 24/7 experts & process: Threat Intelligence, Security Research, Data Science, Security Content, Security Operations Center
• Products: Cloud Insight (app + config assessment), ActiveWatch detection & protection, Web Security Manager, Log Manager, Threat Manager; together, Alert Logic Cloud Defender
New capabilities focused on Web Attack Detection
1. Over 150 new web attack incidents
2. Improved OWASP Top 10 coverage powered by anomaly detection
3. Advanced SQL injection detection powered by machine learning
Attack classes covered: web app attacks / OWASP Top 10, platform/library attacks, app/system misconfiguration attacks
Over 250 breaches detected in 2016
Alert Logic solutions are easy to deploy
• Use a combination of host based agents and appliances to collect network and application traffic
• Agents also collect logs from the VM
• Azure Activity Logs are collected via the Azure Monitor API
• Azure SQL or App Services Logs are collected from Azure storage accounts
• Appliances can be used to do internal scanning, or we can do external and PCI scanning from our cloud
HOW IT WORKS:
Alert Logic Threat Manager for 3 Tier Application Stack + Azure SQL
[Diagram: one VNET and resource group containing an Application Gateway receiving web traffic, a Web Tier and an Application Tier on autoscaling VM Scale Sets, an Alert Logic Threat Manager appliance VM, and a Database Tier on Azure SQL whose SQL logs are written to an Azure Storage table.]
3-Tier applications using VMs only
[Diagram: two customers (A and B), each with its own VNET and resource group: Web Tier and Application Tier on autoscaling VM Scale Sets and a Database Tier on SQL VMs in availability sets; an Alert Logic Threat Manager appliance VM is shown receiving the web traffic.]
ARM templates automate appliance deployments
https://github.com/alertlogic/al-arm-templates
Agents can be baked into VM images, or automatically installed using DevOps toolsets
https://supermarket.chef.io/cookbooks/al_agents
Alert Logic – a Leader in Forrester's 2016 NA MSSP Wave™
"Alert Logic has a head start in the cloud, and it shows.
Alert Logic is an excellent fit for clients looking to secure their current or planned cloud migrations, clients requiring a provider that can span seamlessly between hybrid architectures, and those that demand strong API capabilities for integrations."
- Forrester Wave™ Report
Addressing Customers with Compliance Requirements
Alert Logic Web Security Manager™
PCI DSS:
• 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
• 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications
SOX:
• DS5.10 Network Security
• AI3.2 Infrastructure resource protection and availability
HIPAA & HITECH:
• 164.308(a)(1) Security Management Process
• 164.308(a)(6) Security Incident Procedures
Alert Logic Log Manager™
PCI DSS:
• 10.2 Automated audit trails
• 10.3 Capture audit trails
• 10.5 Secure logs
• 10.6 Review logs at least daily
• 10.7 Maintain logs online for three months
• 10.7 Retain audit trail for at least one year
SOX:
• DS5.5 Security Testing, Surveillance and Monitoring
HIPAA & HITECH:
• 164.308(a)(1)(ii)(D) Information System Activity Review
• 164.308(a)(6)(i) Login Monitoring
• 164.312(b) Audit Controls
Alert Logic Threat Manager™
PCI DSS:
• 5.1.1 Monitor zero day attacks not covered by anti-virus
• 6.2 Identify newly discovered security vulnerabilities
• 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change
• 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
SOX:
• DS5.9 Malicious Software Prevention, Detection and Correction
• DS5.6 Security Incident Definition
• DS5.10 Network Security
HIPAA & HITECH:
• 164.308(a)(1)(ii)(A) Risk Analysis
• 164.308(a)(1)(ii)(B) Risk Management
• 164.308(a)(5)(ii)(B) Protection from Malicious Software
• 164.308(a)(6)(iii) Response & Reporting
Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting
Scalable Threat Intel Process Delivers Relevant Content
[Diagram: Input Sources (honeynet, 3rd-party intel, vulnerabilities, watchlists, research, telemetry) feed a big-data Threat Analytics Platform. Analysis Techniques applied: fusion, normalization, entity resolution, link analysis, clustering analysis, complex analysis, extraction. Key Service Capabilities delivered: reputation, blacklists, content coverage, incident modeling, intelligence gathering, relevant vulnerabilities, increased contextual awareness, increased incident understanding.]
Stopping Imminent Data Exfiltration
Customer Type: Retail; Threat Type: Advanced SQL Injection
• Compromise activity: discovered through inspection of 987 log messages indicative of a SQL injection attack
• 8 min: incident escalation; partner and customer notified with threat source information and remediation tactics
• 2 hours: further analysis; Alert Logic analyst confirms user IDs and password hashes leaked as part of the initial attack
• 6 hours: exfiltration attempt prevented; partner works with customer to mitigate compromised accounts
Preventing Ransomware Spread
Customer Type: Retail; Threat Type: Ransomware
• Suspicious activity: Cryptowall detected on key gateway server in over 1,400 events (6,000 packets)
• 14 min: incident escalation; critical risk of lateral movement through shared drives identified
• 6 hours: lateral malware movement prevented; analyst performs forensic review of an additional 8,000 log messages and 1,400 events that identifies additional attack vectors through related events
To Follow our Research & Contact Information
Blog
https://www.alertlogtic.com/resources/blog
Newsletter
https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report
https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine
https://www.alertlogic.com/zerodaymagazine/
@AlertLogic For More Information on Alert Logic Solutions
206-673-4387
Thank you.