TRANSCRIPT
Looking Beyond the Silver Lining
Rafe Pilling
Dell SecureWorks, Senior Security Researcher
Today's Agenda
• Changing the way we think about protecting our assets?
• Becoming an informed consumer of Cloud Services?
• Impact of Cloud on our security controls, testing and response capabilities?
• What does the “Dark-Side” of Cloud look like?
Cloud Growth
Source: http://www.forbes.com/sites/louiscolumbus/2013/02/19/gartner-predicts-infrastructure-services-will-accelerate-cloud-computing-growth/
Approx. 18% annual growth rate; $155 billion spent next year (projected)
Fixed Perimeter
What Perimeter?
Transparency
• On-Premises Thinking
– Full visibility into all levels of the stack
– Full visibility of security controls
– Data location is relatively static
– Management and maintenance overhead is high
• Cloud Thinking
– Limited visibility of the stack, depending on the cloud service
– APIs and management interfaces abstract away the underlying technology
– Data location can be very fluid
– Management and maintenance overhead is lower
– Limited or no visibility into security controls
Defensive Paradigm Shift
• On-Premises Thinking
– Focus on securing the network
– Build a secure perimeter and let the business operate within it
– Don’t focus on data security because the network is “trusted”
– Hard shell / soft center model (like an Armadillo)
– There aren’t generally “neighbors” to contend with
• Cloud Thinking
– Focus should be on securing the data
– Don’t know who the neighbors are
› You could be collateral damage in an attack
› Your neighbor could be attacked to get to you
– Assume the environment is hostile unless proven otherwise
– Soft shell / hard center model (like an Avocado)
Cloud Risk?
Amazon 24hr outage 24th December 2012
Source: http://gigaom.com/2011/04/22/heres-what-amazon-outage-looked-like/
Source: http://www.businessinsider.com/amazon-apologizes-for-netflix-outage-2012-12
"We want to apologize. We know how critical our services are to our customers’ businesses, and we know this disruption came at an inopportune time for some of our customers. We will do everything we can to learn from this event and use it to drive further improvement in the ELB service."
Google outage
~1 min downtime
Source: http://www.google.com/appsstatus#hl=en&v=status&ts=1377212399000
Source: https://engineering.gosquared.com/googles-downtime-40-drop-in-traffic
Cloud Security
Separation of responsibilities
Source: http://mschnlnine.vo.llnwd.net/d1/inetpub/kevinremde/Images/679669067395_DBE9/image_3.png
Neighbours…
Security Testing
• Amazon's Approach:
– Collects information on test source and times
– Allows use of any tools
– Does NOT allow DDoS
– Allows almost anything else
– Provides a few caveats to protect low-end resources
• Amazon sets a good example in their approach
Compliance & Control
Simplifying compliance
CSA STAR Portal
“allows them to submit self-assessment reports that document compliance to CSA published best practices”
Cloud Controls Matrix
“designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.”
Incident Response
Logging in the Cloud
• Logging is crucial for understanding an incident
• These are basic recommendations but rarely implemented until after a major incident.
• MUST retain at least 6 months, with 12 months being the recommended minimum.
• Focus on authentication and connectivity related log sources as well as any security alerts
• Know:
– what is being logged?
– where it is being logged?
– how to get the logs?
• Analyze the logs and act on the findings
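A check for two of the points above, added here as an illustration and not code from the talk: a retention review of each log source against the 6-month floor and 12-month recommendation, and a scan of authentication events for failed-login bursts worth acting on. The log-source names, retention figures and audit events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

MIN_RETENTION_DAYS = 183          # "at least 6 months"
RECOMMENDED_RETENTION_DAYS = 365  # "12 months being the recommended minimum"

# Constructed inventory of log sources; names and retention figures are hypothetical.
LOG_SOURCES = {
    "console-auth": {"category": "authentication", "retention_days": 90},
    "vpn-connect": {"category": "connectivity", "retention_days": 400},
    "ids-alerts": {"category": "security-alert", "retention_days": 200},
}

# Constructed authentication events, one JSON object per line, as a cloud audit log might emit them.
SAMPLE_EVENTS = """\
{"ts": "2013-10-03T08:00:01Z", "user": "alice", "src": "198.51.100.7", "result": "fail"}
{"ts": "2013-10-03T08:00:09Z", "user": "alice", "src": "198.51.100.7", "result": "fail"}
{"ts": "2013-10-03T08:00:15Z", "user": "alice", "src": "198.51.100.7", "result": "fail"}
{"ts": "2013-10-03T08:00:20Z", "user": "alice", "src": "198.51.100.7", "result": "success"}
{"ts": "2013-10-03T09:30:00Z", "user": "bob", "src": "203.0.113.9", "result": "fail"}
{"ts": "2013-10-03T10:30:00Z", "user": "bob", "src": "203.0.113.9", "result": "fail"}
"""

def retention_status(days):
    """Classify a retention period against the 6-month floor and 12-month recommendation."""
    if days < MIN_RETENTION_DAYS:
        return "below-minimum"
    return "below-recommended" if days < RECOMMENDED_RETENTION_DAYS else "ok"

def retention_gaps(sources=LOG_SOURCES):
    """Map every known log source to its retention status so gaps are visible before an incident."""
    return {name: retention_status(meta["retention_days"]) for name, meta in sources.items()}

def failed_login_bursts(jsonl=SAMPLE_EVENTS, threshold=3, window=timedelta(minutes=10)):
    """Return {(user, src): peak failures inside any `window`} for principals at or above `threshold`."""
    failures = defaultdict(list)
    for line in jsonl.splitlines():
        ev = json.loads(line)
        if ev["result"] == "fail":
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            failures[(ev["user"], ev["src"])].append(ts)
    bursts = {}
    for key, times in failures.items():
        times.sort()
        # sliding window: for each failure, count the failures that follow it within `window`
        best = max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
        if best >= threshold:
            bursts[key] = best
    return bursts
```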
Cloud Forensics Challenges
• Live forensics may not be possible
• Storage is logical and focused on allocated space; acquisition images may not include data remnants or unallocated disk space
• Failed or obsolete hardware
• Multi-tenant storage devices may contaminate the acquisition
• Acquisition may require large amounts of bandwidth
• Data fragmentation and dispersal
• Data ownership issues—what happens when the contract is terminated?
An Evolving Threat
• Security Services Providers have historically played catch-up
• The threat evolved faster than the available defensive technologies
• Threat intelligence was ad hoc at best
• Challenges are:
– New actors
– Moving perimeter
– Increased complexity & loss of transparency
– Speed of attack
– Bad guys operating with impunity
The Threat Actor Stack Keeps Growing
(Chart: threat actor categories plotted by sophistication against prevalence)
Script Kiddies
Graffiti Artists
Fraudsters
Botmasters
Hacktivists
Intellectual Property Thieves
Nation State Threats
Cyber Terrorism
Expansion – extending reach
Password Reset on Cloud Services?
Exfiltration…
• Dirt Jumper
Prevention
• Due diligence
– Risk assessments
– Audits
– Security requirements built into procurement
› If you don’t ask for it, it will never happen
• Focus on vulnerabilities in all aspects of the system
– People, process, technology
– Vulnerability scanning, penetration testing, secure code development
• Threat Intelligence
– Know the risks
– Know the threat actors
– Know the exploits
– Learn from the mistakes of others
• Monitor and respond
– Maintain visibility and know what to do when incidents are detected
Thank you