cso cxo series breakfast
TRANSCRIPT
Did these guys care about cloud security?
[Chart: # Records Lost, compared across Ebay, Heartland, TK / TJ Maxx, AOL, Sony PSN, Target, Evernote, Cardsystems and Adobe; scale 0 to 160,000,000]
Anatomy of an attack: Ercan Findikoglu and crew
[Diagram: hacks, gets CC data/PIN, raises limit, recruits cashing crews, copy data on cards, hand to, get cash, hand to (-25%), Money, Money, Money!]
Letter from Richard Stiennon to President Obama 8 years ago
https://www.linkedin.com/pulse/drastic-times-call-measures-cybersecurity-richard-stiennon
I. All access must be explicitly authorized.
II. All users must be identified and strongly authenticated.
III. All applications must be reviewed for security vulnerabilities.
IV. All network attached systems must be scanned for vulnerabilities on a schedule.
V. All network connections must be fire-walled.
VI. All firewalls must be configured to “deny all except that which is explicitly allowed”.
VII. All government networks must be mapped and understood.
VIII. All data needs to be encrypted at rest.
IX. All communication links need to be encrypted.
X. All intrusions need to be aggressively analyzed and appropriate responses executed.
Cisco’s view:
1. Secure data transfer
2. Secure software interfaces
3. Secure stored data
4. User access control
5. Data separation
Source: http://blogs.cisco.com/smallbusiness/the-top-5-security-risks-of-cloud-computing
CSA view:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Have you simply “lifted-and-shifted” your traditional security to your virtualised data center and cloud?
Trend Micro’s view
Many organizations are experiencing the following…
• Minutes to deploy a server…weeks to secure it
• Virtually scale beyond physical limits… until you hit your security limit
• Servers that share resources…security that consumes it
Attackers: potential risks
• Vulnerability in server exploited to introduce malicious code
• Company must restrict access to certain applications
• Admin makes changes to known good configuration
• Hacker attempts a SQL injection attack
• Brute force authentication attack is executed
Security principles remain the same; APPROACH to security must change
• Generic → CONTEXT: workload and application-aware
• Hardware → SOFTWARE: security that evolves with the data center
• Siloed → PLATFORM: single platform for data center and cloud
• Static → ADAPTIVE: intelligent, dynamic policy enforcement; automated provisioning specific to platform
New approach can improve data center operations
Provision security automatically within a data center
Manage security effectively and efficiently as you scale
Optimise data center resources
Extend to cloud with confidence
Provisioning securely within a dynamic data center
How do you:
• Secure the VM the moment it is provisioned?
• Apply the right policies to that VM?
• Reduce the time to provision without compromising on security?
• Securely bring up/down/move your VMs?
[Diagram: provisioning infrastructure (vCenter, AD, vCloud and AWS) feeding SAP, Exchange servers, Oracle and web servers]
Automate security as part of your operations
• Gain visibility into environment using vCenter and vCloud Director integration
• Recommend and apply policies automatically - specific to your data center
• Automatically scale up and down as required—with no security gaps
[Diagram: rule sets recommended per server type (19, 15, 73, 8 and 28 rules)]
Simplify provisioning even further with VMware NSX
• Automated deployment using ESXi 5.5+
• Automatic activation of policies
• No maintenance mode or re-boot required
Security is an available service among VMware and other partner services
Management Challenge: Keeping up-to-date
How do you:
• Quickly and easily identify an issue?
• Keep up to date with patches?
• Manage multiple controls as you execute your strategy for your data center and cloud?
Establish continuous monitoring to quickly identify issues and respond
• Leverage a comprehensive dashboard across controls
• Implement reporting and alerting
• Manage via web console or API
Protect even before you patch
• Protect against vulnerability exploits before patches available
• Save money avoiding costly emergency patching
• Patch at your convenience
[Diagram: patching timeline: vulnerability disclosed or exploit available → patch available → test → soak → begin deployment → complete deployment → patched; “Exposure” is marked across this interval and “Trend Micro Virtual Patching” is shown covering the same interval]
Resource challenges: Address the bottlenecks
How do you reduce the impact on resources created by traditional security capabilities?
Optimized for your virtual environments
[Chart: network usage, scan speed, CPU/memory usage, IOPS and storage, shown for ESXi hosts and SAN]
Extend to external or public cloud with confidence
Public Cloud: Affects every organisation
• Public cloud extension of private cloud by I.T. (bursting)
• Business groups bypass IT to use public cloud
• Private cloud forced to take on attributes of public cloud (ITaaS)
Cloud Deployment Dynamics
• Instance awareness: dynamic real-time security visibility and response
• Complexity: supporting multi-region and global deployments
• Scale & automation: elastic services and applications managed with new tools
• Data protection: protection of all data across boot & data volumes
• Purchasing: ability to purchase security aligned to cloud models
Security in the cloud is a Shared Responsibility
[Diagram: shared responsibility model]
Customer domain (with partner eco-system):
• Enterprise Applications
• Enterprise Operating Systems
• Operating Systems
• Application
• Security Groups
• OS Firewalls
• Anti-Virus
• Account Management
• Storage Encryption
AWS domain:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Edge Locations, Availability Zones, Regions
• Facilities
• Physical Security
• Physical Infrastructure
• Virtualised Infrastructure
Dr. Raymond Choo, Fulbright Scholar (Cyber Security/Crime and Digital Forensics) and Inventor
What happens when your organisation is COMPROMISED?
Have you NOT read about a high profile cyber security incident, OR NOT heard of an organisation in your sector or government agency that has been breached (e.g. malware infection and theft of corporate data, such as customer information and intellectual property) in the last 12-month or financial year?
Challenges
• Attribution and identification: More likely to be able to infer or identify the offender in a physical crime based on the physical location of the crime and/or the types of weapons / technologies than their cyber analogues
• Responding: Uncertainty about physical location complicates efforts by governments to respond and investigate and to use retaliation as a deterrent (simply on the basis of the cui bono logic or circumstantial evidence)
Cyber attacks more sophisticated and going ‘under the radar’
Incident management
• Incident handling: preparation; detection and analysis; incident response (containment, eradication, recovery); post-incident
• Vulnerability handling
• Artefact handling
• Event management
• Announcement
• Alerts
Digital forensics
“the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable”
McKemmish’s Key Elements: identification, preservation, analysis, presentation
NIST Key Elements: collection, examination, analysis, reporting
McKemmish, R 1999, 'What is Forensic Computing?', Trends & Issues in Crime and Criminal Justice, vol. 118, pp. 1-6, p.1.
Kent, K, Chevalier, S, Grance, T & Dang, H 2006, Guide to Integrating Forensic Techniques into Incident Response, U.S. Department of Commerce, <http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf>.
The importance of digital forensics (evidence collection) in incident handling
• Reconstructing the incident and establishing facts such as:
  • Where did the attack come from?
  • What vulnerability (ies) was/were exploited?
  • What data / which systems was/were compromised?
  • Etc.
• Inform risk mitigation strategy
• Evidence collected can be used in:
  • the prosecution of the offender in a court of law; or
  • a civil litigation (e.g. such services are increasingly offered by consultancy companies such as Deloitte, E&Y, KPMG, and PwC).
Digital forensics: Challenges of cloud computing
“little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)
“[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…”
(Birk and Wegener 2011, p.9)
“[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” by previous Director of US Department of Defence Computer Forensics Laboratory and the previous Chief Scientist at US Air Force Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15)
Our cloud forensics framework (iterative)
1. Commence (Scope): Determine the scope of the investigation, the requirements and limitations, prepare equipment and expertise.
2. Identification and Preservation: It is critical that preservation commences as soon as cloud computing use is discovered in a case, as such it is combined with identification in this model.
3. Collection: The potential difficulties in collection of cloud computing data dictate the requirement for collection to be represented as a separate step.
4. Examination and Analysis: Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.
5. Reporting and Presentation: This step relates to reporting and presenting evidence to court. As such this step will remain mostly unchanged.
6. Feedback and Complete: This step relates to a review of the findings and a decision to finalise the case or expand the analysis.
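As an added illustration of the Preservation, Collection and Examination steps above (this is example code written for this page, not the framework's or REDCoS's own tooling), the following records an acquisition manifest of per-artefact SHA-256 hashes at collection time, seals the manifest with its own hash, and later detects any altered, missing or unexpected artefact in the working copy. The artefact names and contents are constructed samples.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefacts (name -> bytes), standing in for files pulled
# from a cloud instance or remote system during the Collection step.
SAMPLE_EVIDENCE = {
    "instance-i-0123/var/log/auth.log": b"Jan 10 02:14:07 web1 sshd[842]: Failed password for root\n",
    "instance-i-0123/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, case_id: str, collector: str) -> dict:
    """Preservation: hash every artefact at acquisition time and record who
    collected it and when, so later analysis can show that the data examined
    is the data that was collected."""
    items = {name: {"sha256": sha256_hex(data), "size": len(data)}
             for name, data in sorted(evidence.items())}
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Seal: hash of the manifest body, to be stored write-once or signed so
    # the record itself can be checked for tampering later.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = sha256_hex(body)
    return manifest


def manifest_sealed(manifest: dict) -> bool:
    """True if the manifest body still matches its recorded seal hash."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode()) == manifest["manifest_sha256"]


def verify_against_manifest(evidence: dict, manifest: dict) -> list:
    """Examination: re-hash the working copy and list every artefact that is
    missing, altered or not present in the acquisition record."""
    problems = []
    recorded = manifest["items"]
    for name, meta in recorded.items():
        if name not in evidence:
            problems.append(f"missing: {name}")
        elif sha256_hex(evidence[name]) != meta["sha256"]:
            problems.append(f"altered: {name}")
    problems.extend(f"unexpected: {name}" for name in evidence if name not in recorded)
    return problems
```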
“Cloud Storage Forensics” http://store.elsevier.com/product.jsp?isbn=9780124199705
• Forewords written by Australia’s Chief Defence Scientist (Chief Defence Scientist of Australia and head of the Defence Science and Technology Organisation (DSTO)) and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories.
• Highly Commended Award in the 2014 “Best Chapter in a Book” Category by Australia New Zealand Policing Advisory Agency (ANZPAA) National Institute of Forensic Science (NIFS)
Remote Evidential Data Collection System (REDCoS)
• Limitations due to current forensic techniques making use of vendor data communication facilities built into the client devices (e.g. iTunes backup for iOS devices), inability to circumvent advanced security features and anti-forensic features, etc
• Data (remote) collection / exfiltration techniques for forensic / criminal intelligence (Australian Provisional Patent filed December 2014; PCT filed July 2015)
• Big forensic data reduction method (Australian Provisional Patent, filed December 2014, and PCT to be filed in September 2015)
• Provides organisations with the capability to collect electronic evidence, from a range of data sources, in a forensically sound manner without the need for specially trained staff.
• Evidence sources need not be physically collocated with the evidence collection staff.
• REDCoS only requires network access and, as such, is particularly suitable for evidence collection from sources such as cloud computing and remote unmanned equipment.
• Suitable for collection of local and remote evidence (e.g. evidential data stored in the cloud and systems located offshore);
• Can be operated by IT personnel without forensic training;
• Cost effective, permits remote collection without requiring forensic consultants or prohibitive travel expenses;
• Efficient, focuses only on collection of evidential data;
• Real time evidence collection and review.
Dr. Kim-Kwang Raymond Choo Research Director, CSA Australia Chapter
Co-Chair, CSA Asia Pacific Education Council
Co-Founder, Cloud Forensics International