cso cxo series breakfast

Upload: csopresentations

Post on 15-Aug-2015

TRANSCRIPT

WELCOME

Raimund Genes, Chief Technology Officer, Trend Micro

Did these guys care about cloud security?

[Chart: # Records Lost per breach (y-axis 0 to 160,000,000), for Ebay, Heartland, TK / TJ Maxx, AOL, Sony PSN, Target, Evernote, Cardsystems and Adobe]

Anatomy of an attack: Ercan Findikoglu and crew

[Diagram: Hacks → Gets CC data/PIN → Raises limit → Recruits → Copy data on cards → Hand to cashing crews → Get cash → Hand to (-25%) → Money, Money, Money!]

ARE WE OVERSENSITIVE REGARDING CLOUD SECURITY?

Letter from Richard Stiennon to President Obama 8 years ago

https://www.linkedin.com/pulse/drastic-times-call-measures-cybersecurity-richard-stiennon

I. All access must be explicitly authorized.

II. All users must be identified and strongly authenticated.

III. All applications must be reviewed for security vulnerabilities.

IV. All network attached systems must be scanned for vulnerabilities on a schedule.

V. All network connections must be fire-walled.

VI. All firewalls must be configured to “deny all except that which is explicitly allowed”.

VII. All government networks must be mapped and understood.

VIII. All data needs to be encrypted at rest.

IX. All communication links need to be encrypted.

X. All intrusions need to be aggressively analyzed and appropriate responses executed.
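Principles V and VI above (firewall every connection; deny all except that which is explicitly allowed) are easy to state and easy to get wrong in practice. The following Python is an added example, not from Stiennon's letter or the presentation: a minimal rule evaluator run twice over the same constructed rule set, once with a default-allow policy default and once with default-deny, so the effect of the default on a flow nobody wrote a rule for (a database port reachable from the internet) is visible. The rules, addresses and flow names are constructed for the demonstration.

```python
"""Default-deny versus default-allow policy evaluation.

Added example (not from the presentation): a tiny first-match rule engine
that shows why "deny all except that which is explicitly allowed" matters.
RULES, FLOWS and the addresses in them are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    dports: Tuple[int, int]  # inclusive (low, high)
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        low, high = self.dports
        return (flow.proto == self.proto
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and low <= flow.dport <= high)


def evaluate(flow: Flow, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if nothing matches, the policy default decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed rule set for a web tier in 10.0.1.0/24:
# HTTPS from anywhere, SSH only from the jump host 10.0.0.5, SSH from elsewhere denied.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),
    Rule("allow", "10.0.0.5/32", "10.0.1.0/24", (22, 22)),
    Rule("deny", "0.0.0.0/0", "10.0.1.0/24", (22, 22)),
]

# Constructed flows. Nobody wrote a rule for port 3306; that is the interesting case.
FLOWS: Dict[str, Flow] = {
    "public_https": Flow("203.0.113.7", "10.0.1.10", 443),
    "jump_ssh": Flow("10.0.0.5", "10.0.1.10", 22),
    "public_ssh": Flow("203.0.113.7", "10.0.1.10", 22),
    "public_db": Flow("203.0.113.7", "10.0.1.10", 3306),
}


def compare(rules: List[Rule] = RULES, flows: Dict[str, Flow] = FLOWS) -> Dict[str, Tuple[str, str]]:
    """Return {flow_name: (verdict under default-allow, verdict under default-deny)}."""
    return {name: (evaluate(f, rules, "allow"), evaluate(f, rules, "deny"))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (permissive, strict) in compare().items():
        print(f"{name:13} default-allow={permissive:5} default-deny={strict}")
```

The two policies agree on every flow an engineer thought about and disagree only on the one they forgot; that forgotten flow is where a default-allow firewall becomes an exposure, and a default-deny one stays closed.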

QUESTION NO. 1 FOR CLOUD COMPUTING (IN EUROPE)

Where is it stored? Not a concern for Australia?

Cisco's view:

1. Secure data transfer
2. Secure software interfaces
3. Secure stored data
4. User access control
5. Data separation

Source: http://blogs.cisco.com/smallbusiness/the-top-5-security-risks-of-cloud-computing

CSA view:

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared technology Issues

Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

Encryption anyone?


Time to patch makes it easy for attackers

Remote Control System Price Scheme

Have you simply "lifted-and-shifted" your traditional security to your virtualised data center and cloud?

Trend Micro's view

Many organizations are experiencing the following…

• Minutes to deploy a server…weeks to secure it

• Virtually scale beyond physical limits… until you hit your security limit

• Servers that share resources…security that consumes it

Attackers

Potential Risks
• Vulnerability in server exploited to introduce malicious code
• Company must restrict access to certain applications
• Admin makes changes to known good configuration
• Hacker attempts a SQL injection attack
• Brute force authentication attack is executed

Security principles remain the same; APPROACH to security must change

Traditional approach → New approach:
• Siloed → PLATFORM: single platform for data center and cloud
• Generic → CONTEXT: workload and application-aware
• Hardware → SOFTWARE: security that evolves with the data center
• Static → ADAPTIVE: intelligent, dynamic policy enforcement; automated provisioning specific to platform

New approach can improve data center operations

Provision security automatically within a data center

Manage security effectively and efficiently as you scale

Optimise data center resources

Extend to cloud with confidence

Provisioning securely within a dynamic data center

How do you:
• Secure the VM the moment it is provisioned?
• Apply the right policies to that VM?
• Reduce the time to provision without compromising on security?
• Securely bring up/down/move your VMs?

[Diagram: provisioning infrastructure (vCenter, AD, vCloud and AWS) feeding workloads: SAP, Exchange Servers, Oracle, Web Servers]

Automate security as part of your operations

• Gain visibility into environment using vCenter and vCloud Director integration

• Recommend and apply policies automatically - specific to your data center

• Automatically scale up and down as required—with no security gaps

[Diagram: one policy per workload type, with rule counts of 19, 15, 73, 8 and 28]

Simplify provisioning even further with VMware NSX

• Automated deployment using ESXi 5.5+

• Automatic activation of policies

• No maintenance mode or re-boot required

Security is an available service among VMware and other partner services
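The provisioning questions above (secure the VM the moment it is provisioned, apply the right policy, bring VMs up/down/move safely) come down to an ordering invariant: a policy must be bound before the VM is reachable, and re-evaluated on every move or re-tag. The following Python is an added example and is not Deep Security, vCenter, vCloud Director or NSX code. It models a provisioning controller with a constructed policy catalogue (the tag names, rule names and VM records are assumptions) and contrasts the "minutes to deploy, weeks to secure" ordering with the fail-closed one, with a check that reads the event trail and reports any unprotected window.

```python
"""Secure-at-provisioning controller: policy bound before the network is attached.

Added example, not code from Trend Micro, VMware or the presentation.
POLICY_CATALOGUE, the tag names and the VM records are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed catalogue: workload tag -> controls the policy switches on.
POLICY_CATALOGUE = {
    "web": {"ips:web-apps", "fw:allow-443", "fw:deny-all"},
    "db": {"ips:database", "fw:allow-3306-from-web", "fw:deny-all"},
    "baseline": {"fw:deny-all", "av:realtime"},  # fail-safe for untagged workloads
}
PRECEDENCE = ("db", "web")  # most specific first; anything else falls to baseline


@dataclass
class VM:
    name: str
    tags: Set[str]
    policy: Optional[str] = None
    network_attached: bool = False
    events: List[str] = field(default_factory=list)


def recommend_policy(vm: VM) -> str:
    """Choose the catalogue entry for the VM's tags; never returns None."""
    for tag in PRECEDENCE:
        if tag in vm.tags:
            return tag
    return "baseline"


def provision(vm: VM) -> VM:
    """Fail-closed ordering: bind the policy, then attach the network."""
    vm.policy = recommend_policy(vm)
    vm.events.append(f"policy_bound:{vm.policy}")
    vm.network_attached = True
    vm.events.append("network_attached")
    return vm


def naive_provision(vm: VM) -> VM:
    """The 'minutes to deploy, weeks to secure' ordering: reachable first, secured later."""
    vm.network_attached = True
    vm.events.append("network_attached")
    vm.policy = recommend_policy(vm)
    vm.events.append(f"policy_bound:{vm.policy}")
    return vm


def migrate(vm: VM, new_tags: Set[str]) -> VM:
    """On move or re-tag, re-evaluate; the old policy stays bound until the new one replaces it."""
    vm.tags = new_tags
    new_policy = recommend_policy(vm)
    if new_policy != vm.policy:
        vm.events.append(f"policy_rebound:{vm.policy}->{new_policy}")
        vm.policy = new_policy
    return vm


def unprotected_window(vm: VM) -> bool:
    """True if the event trail shows network attachment before any policy was bound."""
    bound = False
    for ev in vm.events:
        if ev.startswith("policy_bound:") or ev.startswith("policy_rebound:"):
            bound = True
        elif ev == "network_attached" and not bound:
            return True
    return False


def effective_controls(vm: VM) -> Set[str]:
    """Controls currently enforced on the VM (empty when no policy is bound)."""
    return set(POLICY_CATALOGUE.get(vm.policy, set())) if vm.policy else set()


if __name__ == "__main__":
    good = provision(VM("web-01", {"web"}))
    bad = naive_provision(VM("web-02", {"web"}))
    print("web-01 unprotected window:", unprotected_window(good))
    print("web-02 unprotected window:", unprotected_window(bad))
    print("web-01 after re-tag to db:", migrate(good, {"db"}).policy)
```

Both controllers end in the same state, which is why a point-in-time audit cannot tell them apart; only the event trail shows that the naive one exposed the VM with no policy at all, which is the gap the "no security gaps" bullet is about.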

Manage security effectively and efficiently as you scale

Management Challenge: Keeping up-to-date

How do you:

• Quickly and easily identify an issue?

• Keep up to date with patches?

• Manage multiple controls as you execute your

strategy for your data center and cloud?

Establish continuous monitoring to quickly identify issues and respond

• Leverage a comprehensive dashboard across controls

• Implement reporting and alerting

• Manage via web console or API
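The "brute force authentication attack" in the risk list earlier and the continuous monitoring, reporting and alerting bullets above meet in detection logic. The following Python is an added example, not Trend Micro's dashboard or alerting code: it parses constructed sshd-style log lines, keeps a sliding window of failures per source address, raises one alert when the failure count inside the window crosses a threshold, and separately flags a successful login from a source that has just been bursting, which is the event a responder most wants surfaced. The threshold, window and log format are assumptions to tune per environment.

```python
"""Brute-force login detection over auth log lines, producing alert records.

Added example, not Trend Micro code. The sshd-style lines in SAMPLE_LOG are
constructed; THRESHOLD and WINDOW are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)
THRESHOLD = 5                   # this many failures from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this span counts as brute force

# Constructed sample: one attacker bursting then succeeding, one user typo, one slow source.
SAMPLE_LOG = """\
2015-08-10T09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
2015-08-10T09:00:03 web01 sshd[1202]: Failed password for root from 198.51.100.23 port 50123 ssh2
2015-08-10T09:00:05 web01 sshd[1203]: Failed password for root from 198.51.100.23 port 50124 ssh2
2015-08-10T09:00:07 web01 sshd[1204]: Failed password for invalid user oracle from 198.51.100.23 port 50125 ssh2
2015-08-10T09:00:09 web01 sshd[1205]: Failed password for root from 198.51.100.23 port 50126 ssh2
2015-08-10T09:00:30 web01 sshd[1206]: Accepted password for root from 198.51.100.23 port 50127 ssh2
2015-08-10T09:01:00 web01 sshd[1207]: Failed password for alice from 10.0.0.5 port 41000 ssh2
2015-08-10T09:01:20 web01 sshd[1208]: Accepted publickey for alice from 10.0.0.5 port 41001 ssh2
2015-08-10T09:05:00 web01 sshd[1209]: Failed password for bob from 203.0.113.9 port 42000 ssh2
2015-08-10T09:09:00 web01 sshd[1210]: Failed password for bob from 203.0.113.9 port 42001 ssh2
""".splitlines()


def parse(line: str) -> Optional[Dict]:
    """Return the fields of one auth line, or None for lines this detector does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines: List[str], threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[Dict]:
    """Sliding window of failures per source. Alert once per burst, and again if the
    same source then authenticates successfully (the account was probably guessed)."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    bursting = set()
    alerts: List[Dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire failures outside the window
                recent.pop(0)
            if len(recent) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"type": "brute_force", "src": src, "count": len(recent),
                               "first": recent[0], "last": ts})
        elif src in bursting:   # Accepted login from a source that was just bursting
            alerts.append({"type": "success_after_burst", "src": src,
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two failures four minutes apart from 203.0.113.9 never alert because the window expires the first one; that is the knob to revisit if low-and-slow guessing is the concern.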

Protect even before you patch

• Protect against vulnerability exploits before patches are available

• Save money avoiding costly emergency patching

• Patch at your convenience

[Timeline: Vulnerability disclosed or exploit available → Patch available → Test → Soak → Begin deployment → Complete deployment → Patched. The "Exposure" window runs from disclosure until deployment is complete; Trend Micro Virtual Patching is shown shielding the system during that window.]
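Virtual patching means a filter in front of the unpatched service recognises and drops the exploit traffic, so the exposure window closes before the vendor patch has been tested, soaked and deployed. The following Python is an added example and not Trend Micro rule content or product code: two constructed rules (a SQL-injection tautology in any query parameter, matching the "Hacker attempts a SQL injection attack" risk earlier, and a directory-traversal segment in the request path) applied by an inspection function placed ahead of a hypothetical, still-vulnerable handler. A second URL-decode pass catches double-encoded payloads. The rule ids, patterns, handler and request URLs are constructed.

```python
"""Virtual patching: an inspection layer in front of an unpatched handler.

Added example, not Trend Micro rule content or product code. The rule ids,
patterns, the stand-in handler and the request URLs are constructed.
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed rules. "where" is "path" or "*" (every query parameter value).
VIRTUAL_PATCHES = [
    {"id": "vp-001", "where": "*",
     "desc": "SQL tautology such as ' OR 1=1 in a parameter",
     "pattern": re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")},
    {"id": "vp-002", "where": "path",
     "desc": "directory traversal segment in the request path",
     "pattern": re.compile(r"(?:^|/)\.\.(?:/|$)")},
]


def inspect(url: str, rules: List[dict] = VIRTUAL_PATCHES) -> Tuple[bool, Optional[str]]:
    """Return (allowed, rule_id). Decodes twice so %2527-style double encoding
    does not slip past a signature that matches the decoded form."""
    parts = urlsplit(url)
    path = unquote(unquote(parts.path))
    params = parse_qs(parts.query, keep_blank_values=True)        # first decode
    values = [unquote(v) for vs in params.values() for v in vs]   # second decode
    for rule in rules:
        if rule["where"] == "path":
            if rule["pattern"].search(path):
                return False, rule["id"]
        elif any(rule["pattern"].search(v) for v in values):
            return False, rule["id"]
    return True, None


def shield(handler: Callable[[str], str]) -> Callable[[str], str]:
    """Wrap an unpatched handler so blocked requests never reach it."""
    def guarded(url: str) -> str:
        allowed, rule_id = inspect(url)
        if not allowed:
            return f"403 blocked by {rule_id}"
        return handler(url)
    return guarded


def unpatched_handler(url: str) -> str:
    """Stand-in for the vulnerable application (constructed); it trusts its input."""
    return f"200 served {urlsplit(url).path}"


if __name__ == "__main__":
    app = shield(unpatched_handler)
    for u in ["/items?id=5", "/items?id=5%20OR%201%3D1",
              "/items?id=5%2520OR%25201%3D1", "/static/../../etc/passwd",
              "/login?user=alice&pw=order66"]:
        print(u, "->", app(u))
```

The handler is untouched, which is the whole point: the shield buys time, it does not fix the bug, so the vendor patch still has to land at the end of the timeline. Signature rules like vp-001 also need a false-positive check against real traffic (a password containing "or" is fine here only because the word-boundary anchors require a standalone keyword followed by a comparison).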

Optimise data center resources

Resource challenges: Address the bottlenecks

How do you reduce the impact on resources created by traditional security capabilities?

Optimized for your virtual environments

[Chart: resource impact across Network Usage, Scan Speed, CPU/Memory Usage, IOPS and Storage, measured on ESXi hosts and SAN]

Extend to external or public cloud with confidence

Public Cloud: Affects every organisation

• Public cloud extension of Private Cloud by I.T. (Bursting)
• Business groups bypass IT to use Public Cloud
• Private Cloud forced to take on attributes of Public Cloud (ITaaS)

Cloud Deployment Dynamics

• Instance Awareness: dynamic real-time security visibility and response
• Complexity: supporting multi-region and global deployments
• Scale & Automation: elastic services and applications managed with new tools
• Data Protection: protection of all data across boot & data volumes
• Purchasing: ability to purchase security aligned to cloud models

Security in the cloud is a Shared Responsibility

[Diagram: AWS shared responsibility model, customer domain above AWS domain]

Customer Domain (supported by the Partner Eco-System):
• Enterprise Applications
• Enterprise Operating Systems
• Operating Systems
• Application
• Security Groups
• OS Firewalls
• Anti-Virus
• Account Management
• Storage Encryption

AWS Domain:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Facilities
• Physical Security
• Physical Infrastructure
• Virtualised Infrastructure

Dr. Raymond Choo, Fulbright Scholar (Cyber Security/Crime and Digital Forensics) and Inventor

What happens when your organisation is COMPROMISED?

Have you NOT read about a high profile cyber security incident, OR NOT heard of an organisation in your sector or government agency that has been breached (e.g. malware infection and theft of corporate data, such as customer information and intellectual property) in the last 12 months or financial year?

[Chart: survey responses, security sector, 2015 and 2014]

Challenges

• Attribution and identification: More likely to be able to infer or identify the offender in a physical crime based on the physical location of the crime and/or the types of weapons / technologies than their cyber analogues

• Responding: Uncertainty about physical location complicates efforts by governments to respond and investigate and to use retaliation as a deterrent (simply on the basis of the cui bono logic or circumstantial evidence)

Cyber attacks more sophisticated and going ‘under the radar’

What happens when your organisation is COMPROMISED?

Incident management

Incident handling:
• Preparation
• Detection and analysis
• Incident response: Containment, Eradication, Recovery
• Post-incident

Incident management also covers:
• Vulnerability handling
• Artefact handling
• Event management
• Announcement
• Alerts

What about digital forensics, and digital evidence?

Do they matter?

Digital forensics

“the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”

McKemmish’s Key

Elements • Identification• Preservation• Analysis• Presentation

NIST Key

Elements• Collection• Examination• Analysis• Reporting

McKemmish, R 1999, 'What is Forensic Computing?', Trends & Issues in Crime and Criminal Justice, vol. 118, pp. 1 - 6. p.1Kent, K, Chevalier, S, Grance, T & Dang, H 2006, Guide to Integrating Forensic Techniques into Incident Response, U.S. Department of Commerce, <http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf>.

The importance of digital forensics (evidence collection) in incident handling

• Reconstructing the incident and establishing facts such as:
  • Where did the attack come from?
  • What vulnerability (or vulnerabilities) was exploited?
  • What data / which systems were compromised?
  • Etc.
• Inform risk mitigation strategy
• Evidence collected can be used in:
  • the prosecution of the offender in a court of law; or
  • a civil litigation (such services are increasingly offered by consultancy companies such as Deloitte, E&Y, KPMG, and PwC).

Digital forensics: Challenges of cloud computing

“little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)

“[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…”

(Birk and Wegener 2011, p.9)

“[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” by previous Director of US Department of Defence Computer Forensics Laboratory and the previous Chief Scientist at US Air Force Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15)

Our cloud forensics framework (iterative)

1. Commence (Scope): Determine the scope of the investigation, the requirements and limitations; prepare equipment and expertise.

2. Identification and Preservation: It is critical that preservation commences as soon as cloud computing use is discovered in a case, so it is combined with identification in this model.

3. Collection: The potential difficulties in collecting cloud computing data dictate that collection be represented as a separate step.

4. Examination and Analysis: Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.

5. Reporting and Presentation: This step relates to reporting and presenting evidence to court. As such this step remains mostly unchanged.

6. Feedback and Complete: This step relates to a review of the findings and a decision to finalise the case or expand the analysis.
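Preservation is the step the framework above insists must start the moment cloud use is discovered, and it is the step a court tests first under McKemmish's "legally acceptable" criterion. The following Python is an added example, not the book's method and not REDCoS: it acquires a constructed artefact standing in for a cloud log export, hashes the source and the copy at acquisition, writes a chain-of-custody record, and re-verifies before each examination so that any change to the working copy is detected and logged. The case id, operator names and file contents are constructed.

```python
"""Forensic preservation: hash at acquisition, chain-of-custody log, verify before analysis.

Added example, not the book's procedure and not REDCoS. The artefact, case id
and operator names are constructed; hashing and the custody record are the technique.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _stamp() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(source: str, evidence_dir: str, case_id: str, operator: str,
            custody: List[Dict]) -> Dict:
    """Hash the source first, copy it, hash the copy, and reject a copy that differs."""
    source_hash = sha256_file(source)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copyfile(source, dest)
    copy_hash = sha256_file(dest)
    if copy_hash != source_hash:
        os.remove(dest)
        raise RuntimeError("acquired copy does not match source; acquisition rejected")
    entry = {"case": case_id, "action": "acquire", "item": dest, "source": source,
             "sha256": copy_hash, "operator": operator, "time": _stamp()}
    custody.append(entry)
    return entry


def verify(entry: Dict, operator: str, custody: List[Dict]) -> bool:
    """Re-hash before every examination; log the outcome whether or not it matches."""
    observed = sha256_file(entry["item"])
    ok = observed == entry["sha256"]
    custody.append({"case": entry["case"], "action": "verify", "item": entry["item"],
                    "expected": entry["sha256"], "observed": observed,
                    "result": "match" if ok else "MISMATCH",
                    "operator": operator, "time": _stamp()})
    return ok


def demo() -> Tuple[bool, bool, List[str]]:
    """Walk one constructed artefact through acquire -> verify -> (tamper) -> verify."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "sync-client.log")   # constructed cloud log export
        with open(source, "w") as f:
            f.write("2015-08-10T09:00:00Z upload account=alice file=report.pdf\n")
        evidence_dir = os.path.join(work, "evidence")
        os.makedirs(evidence_dir)
        custody: List[Dict] = []
        entry = acquire(source, evidence_dir, "CASE-2015-001", "analyst1", custody)
        before = verify(entry, "analyst1", custody)
        with open(entry["item"], "a") as f:            # simulate an altered working copy
            f.write("tampered\n")
        after = verify(entry, "analyst2", custody)
        return before, after, [e["action"] + ":" + e.get("result", "ok") for e in custody]


if __name__ == "__main__":
    print(demo())
```

The mismatch is recorded rather than hidden: a custody trail that only logs successes is of no use when the defence asks what happened between the two examinations.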

"Cloud Storage Forensics" http://store.elsevier.com/product.jsp?isbn=9780124199705

• Forewords written by Australia's Chief Defence Scientist (also head of the Defence Science and Technology Organisation (DSTO)) and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories.

• Highly Commended Award in the 2014 "Best Chapter in a Book" Category by the Australia New Zealand Policing Advisory Agency (ANZPAA) National Institute of Forensic Science (NIFS)

Remote Evidential Data Collection System (REDCoS)

• Limitations due to current forensic techniques making use of vendor data communication facilities built into the client devices (e.g. iTunes backup for iOS devices), inability to circumvent advanced security features and anti-forensic features, etc

• Data (remote) collection / exfiltration techniques for forensic / criminal intelligence (Australian Provisional Patent filed December 2014; PCT filed July 2015)

• Big forensic data reduction method (Australian Provisional Patent, filed December 2014, and PCT to be filed in September 2015)

Remote Evidential Data Collection System (REDCoS)

• Provides organisations with the capability to collect electronic evidence, from a range of data sources, in a forensically sound manner without the need for specially trained staff.

• Evidence sources need not be physically collocated with the evidence collection staff.

• REDCoS only requires network access and, as such, is particularly suitable for evidence collection from sources such as cloud computing and remote unmanned equipment.

Remote Evidential Data Collection System (REDCoS)

• Suitable for collection of local and remote evidence (e.g. evidential data stored in the cloud and systems located offshore);
• Can be operated by IT personnel without forensic training;
• Cost effective, permits remote collection without requiring forensic consultants or prohibitive travel expenses;
• Efficient, focuses only on collection of evidential data;
• Real time evidence collection and review.

Dr. Kim-Kwang Raymond Choo Research Director, CSA Australia Chapter

Co-Chair, CSA Asia Pacific Education Council

Co-Founder, Cloud Forensics International

[email protected]

Thank you