silver lining: an everyman's journey to cloud security - sven skoog, monotype

Upload: alert-logic

Post on 16-Apr-2017

Page 1: Silver Lining: An Everyman's Journey to Cloud Security - Sven Skoog, Monotype

SILVER LINING

An Everyday Security Primer (…and More)

An Everyman’s Journey to “Cloud Security”

Sven Skoog ([email protected]) 15 Dec 2016

Page 2

setting the stage – our enterprise, its players

– monotype: typography (fonts), branding, emoji, mercantile imagery
– monotype: 500-700 staffers, $200M revenues, 14 offices, 10 countries

– a split personality: 130-yr-old typesetters + 13th grade app-developers
– a split personality: 50% cloud, 50% on-prem (more like 60%-40% now)

– homogeneous defenses? (same safeguards local vs. cloud? different?)
– budgetary + staffing concerns given 1600 nodes, ~8-9 administrators?

– can virtual (venue-agnostic) defenses replicate on-prem protections?
– given off-premise compute/storage, is an on-site SOC even necessary?

Page 3

first line of defense – sensors and instrumentation

– arguably the most crucial day-to-day function: is bad_thing happening?

– alert logic sensors (“threat manager”) use a snort-like packet engine
– alert logic sensors (“threat manager”) are updated with signatures daily
– alert logic sensors (“threat manager”) use daily bad-actor attributions
– alert logic sensors (“threat/log manager”) will notice repetition, volume

– incident 9036498 (cryptowall ransomware/trojan on workstation(s))
– incident 13486144 (low-and-slow SQL injection attempts, monthly)
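
The sensor behaviour on this slide, a per-packet signature plus repetition/volume logic across time, is what separates a one-off alert from the monthly low-and-slow pattern of incident 13486144. Below is an added illustration in Python, not code from the deck or from Alert Logic: a Snort-style SQL-injection signature applied to constructed Apache access-log lines, followed by a per-source aggregation that fires only when attempts are sparse per day but persist across several days. The IP addresses, paths and thresholds are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (illustration only, not Monotype traffic).
# 203.0.113.7 probes products.php/search.php a handful of times over a month;
# 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2016:02:14:07 +0000] "GET /products.php?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [03/Nov/2016:03:41:22 +0000] "GET /products.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
203.0.113.7 - - [09/Nov/2016:01:05:49 +0000] "GET /products.php?id=12%20UNION%20SELECT%20null,null HTTP/1.1" 500 312
203.0.113.7 - - [17/Nov/2016:04:22:10 +0000] "GET /products.php?id=12;--%20 HTTP/1.1" 200 5120
203.0.113.7 - - [28/Nov/2016:02:58:33 +0000] "GET /search.php?q=font%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 1800
198.51.100.4 - - [15/Nov/2016:12:00:01 +0000] "GET /products.php?id=7 HTTP/1.1" 200 5120
198.51.100.4 - - [15/Nov/2016:12:00:09 +0000] "GET /search.php?q=serif+or+sans HTTP/1.1" 200 1800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One per-request signature, in the spirit of a Snort/Suricata content rule.
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"       # ' OR '1'='1
    r"|union\s+(?:all\s+)?select"                 # UNION SELECT
    r"|(?:sleep|benchmark)\s*\(|waitfor\s+delay"  # time-based blind
    r"|;\s*--|--\s*$",                            # comment terminators
    re.IGNORECASE,
)


def parse(line):
    """Parse one combined-format access-log line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        # decode %27 / %20 / '+' first so URL encoding does not hide the payload
        "path": unquote_plus(m["path"]),
        "status": int(m["status"]),
    }


def is_sqli(path):
    return SQLI_RE.search(path) is not None


def find_low_and_slow(log_text, min_attempts=3, min_days=3, max_per_day=2):
    """Group signature hits by source; report sources whose attempts are few
    per day but persist across several days (the pattern a per-day view misses)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and is_sqli(ev["path"]):
            hits[ev["ip"]].append(ev["ts"])
    incidents = {}
    for ip, times in hits.items():
        per_day = defaultdict(int)
        for t in times:
            per_day[t.date()] += 1
        if (len(times) >= min_attempts and len(per_day) >= min_days
                and max(per_day.values()) <= max_per_day):
            incidents[ip] = {
                "attempts": len(times),
                "days": len(per_day),
                "span_days": (max(times) - min(times)).days,
            }
    return incidents


if __name__ == "__main__":
    for ip, info in find_low_and_slow(SAMPLE_LOG).items():
        print(f"low-and-slow SQLi from {ip}: {info}")
```

The signature alone would raise four unrelated alerts a month from 203.0.113.7, each easy to dismiss; the aggregation is what turns them into one incident with a first-seen, last-seen and span. The ordinary visitor's "serif or sans" query contains "or" but no quote or comment syntax and is not matched.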

Page 4

example – sensors and instrumentation

Page 5

bringing up the rear – forensic logging and consolidation

– log storage is the scut-work no sane-minded admin really wants to do
– logs are cumbersome and space-hungry; they overflow, they break
– logs obey murphy’s law… the precise one(s) you need are often missing

– alert logic collector (“log manager”) is a one-line agent or log directive
– alert logic collector (“log manager”) can store locally, or in the cloud
– alert logic collector (“log manager”) uses a tamper-evident hash for validity
– alert logic collector (“log manager”) will escalate on ‘risky’ patterns
– alert logic collector (“log manager”) will escalate on repetition/volume

– incident 13340004 (new domain admin added in late afternoon)
– incident 13416288 (privileged admin acct repeatedly locking itself out)
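
Two of the collector properties on this slide are worth seeing in code: the hash that makes stored logs tamper-evident, and the escalation rules behind incidents 13340004 and 13416288. The block below is an added Python example, not code from the deck or from Alert Logic. It builds a hash chain (each record carries the digest of its predecessor, keyed with an HMAC secret that is assumed to live on the collector rather than the monitored host), then runs a "risky pattern" rule and a "repetition/volume" rule over constructed events in the style of Windows security events 4728 (member added to a security-enabled global group) and 4740 (account locked out). Account names, timestamps and the key are invented.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ChainedLog:
    """Append-only store in which every record carries the digest of its
    predecessor.  Altering or deleting a record breaks every digest after it,
    so tampering is evident on verification.  Keying the digest with a secret
    the host does not hold (the collector's HMAC key) stops an intruder from
    simply re-computing the chain after editing it."""

    GENESIS = "0" * 64

    def __init__(self, key=None):
        self.key = key            # None = plain SHA-256 chain; bytes = HMAC chain
        self.records = []
        self.head = self.GENESIS

    def _digest(self, prev, payload):
        msg = (prev + "|" + payload).encode()
        if self.key is not None:
            return hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return hashlib.sha256(msg).hexdigest()

    def append(self, event):
        payload = json.dumps(event, sort_keys=True)
        digest = self._digest(self.head, payload)
        self.records.append({"prev": self.head, "payload": payload, "hash": digest})
        self.head = digest
        return digest

    def verify(self):
        """Return the index of the first bad record, or None if the chain is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or self._digest(prev, rec["payload"]) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None


# Constructed Windows-style security events (not real Monotype logs).
# 4728 = member added to a security-enabled global group; 4740 = account locked out.
SAMPLE_EVENTS = [
    {"time": "2016-11-14T16:42:10", "id": 4728, "group": "Domain Admins",
     "member": "CORP\\jdoe", "by": "CORP\\admin1"},
    {"time": "2016-11-14T16:45:00", "id": 4728, "group": "Print Operators",
     "member": "CORP\\psmith", "by": "CORP\\admin1"},
    {"time": "2016-11-15T09:00:00", "id": 4740, "account": "CORP\\svc_backup", "src": "BUILD01"},
    {"time": "2016-11-15T09:10:00", "id": 4740, "account": "CORP\\svc_backup", "src": "BUILD01"},
    {"time": "2016-11-15T09:20:00", "id": 4740, "account": "CORP\\svc_backup", "src": "BUILD01"},
    {"time": "2016-11-15T14:00:00", "id": 4740, "account": "CORP\\mlee", "src": "WS22"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def escalate(events, lockout_threshold=3, window=timedelta(hours=1)):
    """'Risky pattern' rule: any addition to a privileged group fires at once.
    'Repetition/volume' rule: N lockouts of one account inside the window."""
    alerts = []
    recent = defaultdict(deque)          # account -> lockout timestamps in window
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-add", ev["member"], ev["by"]))
        elif ev["id"] == 4740:
            q = recent[ev["account"]]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) == lockout_threshold:   # fire when the threshold is first crossed
                alerts.append(("repeated-lockout", ev["account"], ev["src"]))
    return alerts


def tamper_demo():
    """Hash every event into a keyed chain, then edit the privileged-group event
    in place; verify() points at the altered record."""
    log = ChainedLog(key=b"collector-side-secret")   # assumed key, held off-box
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    intact = log.verify()                              # None
    log.records[0]["payload"] = log.records[0]["payload"].replace("Domain Admins", "Domain Users")
    return intact, log.verify()                        # (None, 0)
```

Without the key, an attacker who owns the host could edit a record and re-chain everything after it; the HMAC secret (or an off-box copy of the chain head) is what upgrades "hashed" to "tamper-evident", which is the property the slide actually relies on. The lockout rule deliberately fires once as the count crosses the threshold rather than on every subsequent lockout, which is the kind of suppression the SOC slide later calls "ground clutter" reduction.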

Page 6

example – forensic logging and consolidation

Page 7

getting out in front – web app-query (layer 7) inspection

– layer 3 access-control rules are well and good, but more is needed
– each web app differs; app-firewalls need constant tuning-and-training

– alert logic web-firewall (“wsm”) can be deployed as appliance or VM
  (…in fact, it can sit atop a traditional amazon elastic load-balancer)
– alert logic web-firewall (“wsm”) can passively monitor, or actively block
– alert logic web-firewall (“wsm”) can be customized by you, or by vendor
– 30-to-90-day break-in (learning) period; watch + gather queries, then advise rules

– garden-variety incident (plain-vanilla nmap scan from outside)
– slightly-more-sophisticated incident (PHP parameter walkthrough)
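
The "watch, gather, then advise rules" cycle and the monitor-versus-block choice on this slide are easiest to understand as a small learning WAF. The Python below is an added example, not code from the deck or from Alert Logic's product: during an observation period it records which parameter names each path receives and what shape their values take; afterwards it flags unknown parameters and out-of-shape values, logging in monitor mode or rejecting in block mode. A second function picks out the "PHP parameter walkthrough" pattern, one source trying many different parameter names against one script. All URLs and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value "shapes" learned per parameter, most specific first.
SHAPES = [
    ("int", re.compile(r"^\d+$")),
    ("token", re.compile(r"^[A-Za-z0-9_.-]+$")),
    ("text", re.compile(r"^[\w .,-]+$")),
]


def shape(value):
    for name, rx in SHAPES:
        if rx.match(value):
            return name
    return "other"          # quotes, parentheses, semicolons, ... end up here


def split_url(url):
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class LearningWAF:
    """Layer-7 inspection in two phases: learn the parameter names and value
    shapes each path legitimately receives, then inspect new requests against
    that profile.  mode='monitor' only logs violations; mode='block' rejects."""

    def __init__(self, mode="monitor"):
        self.mode = mode
        self.profile = defaultdict(lambda: defaultdict(set))   # path -> param -> shapes

    def learn(self, url):
        path, params = split_url(url)
        for name, value in params:
            self.profile[path][name].add(shape(value))

    def inspect(self, url):
        path, params = split_url(url)
        violations = []
        known = self.profile.get(path)
        if known is None:
            violations.append(("unknown-path", path))
        else:
            for name, value in params:
                if name not in known:
                    violations.append(("unknown-param", name))
                elif shape(value) not in known[name]:
                    violations.append(("unexpected-shape", f"{name}={value}"))
        if not violations:
            return "allow", []
        return ("block" if self.mode == "block" else "log"), violations


def parameter_walkthrough(requests, max_params=5):
    """Flag a source that tries many distinct parameter names against one
    script (?debug=1, ?admin=1, ?file=..., ?cmd=...): the walkthrough pattern."""
    names = defaultdict(set)                 # (ip, path) -> parameter names seen
    for ip, url in requests:
        path, params = split_url(url)
        for name, _ in params:
            names[(ip, path)].add(name)
    return {k: sorted(v) for k, v in names.items() if len(v) > max_params}


# Constructed traffic (not Monotype's).  The first list stands in for the
# 30-to-90-day observation period; the second is what arrives afterwards.
BASELINE_URLS = [
    "/products.php?id=12", "/products.php?id=7&lang=en",
    "/search.php?q=serif", "/search.php?q=Times+New+Roman",
]
PROBE_REQUESTS = [
    ("203.0.113.7", "/index.php?debug=1"), ("203.0.113.7", "/index.php?admin=1"),
    ("203.0.113.7", "/index.php?file=../../etc/passwd"), ("203.0.113.7", "/index.php?page=login"),
    ("203.0.113.7", "/index.php?cmd=id"), ("203.0.113.7", "/index.php?id=1"),
    ("203.0.113.7", "/index.php?action=edit"), ("198.51.100.4", "/index.php?page=fonts"),
]


def trained_waf(mode="monitor"):
    waf = LearningWAF(mode)
    for url in BASELINE_URLS:
        waf.learn(url)
    return waf
```

The profile is why the break-in period matters: a baseline that never saw "Times New Roman" would reject every multi-word search, which is exactly the false positive that gets a WAF switched off. Start in monitor mode, review what it would have blocked, widen the learned shapes where the application really does accept that input, and only then flip to block.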

Page 8

example(s) – web app-query (layer 7) inspection

Page 9

automating the machine – rent-a-SOC (?!?)

– enterprise goal #1: reduce tier-zero ground clutter, but do not ignore it
– enterprise goal #2: ensure daily (shift-by-shift) event review, escalation
– enterprise goal #3: crowd-source current attack signatures, bad actors
– enterprise goal #4: maintain off-site forensic events/logs for later use
– enterprise goal #5: do all of this in a (hopefully) cost-effective manner

– alert logic SOC will alert/call/email to 3+ different personnel chains
– alert logic SOC will perform realtime event response + daily log review
– alert logic SOC will annul/suppress/whitelist items you don’t care about
– alert logic SOC will do it all at 20% to 40% of equiv. organic cost (4+ FTE)

– i‘ll appeal to your continued patience with one or two more examples…

Page 10

example(s) – automating your rent-a-SOC (?!?)

Page 11

example(s) – automating your rent-a-SOC (?!?)

(250 MILLION events per day?!? a single team just can’t keep up…)

Page 12

final thought – meta-insights made possible by the cloud (?)

– i‘ve already made reference to “crowd-sourcing threats, bad actors”

– also a notion of “meta-access” (amazon cloudtrail, roles, api invocation)
– also a notion of “asset tracking” (new VM, using template(s)… or not)

– how about a ‘cyber weather forecast’ showing my posture v. the world?
– how about a ‘cyber weather forecast’ showing attack trends over time?
  (…14-yr-old script kiddie crawling my amazon cloud is boring)
  (…14-yr-old script kiddie who progresses to my webmail is HUGE)

– alert logic’s newest service (Cloud Insight) will watch meta-properties
– alert logic’s newest service (Cloud Insight) will alert you on deviations

– and that’s only a taste of things to come…
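
The two "meta" ideas on this slide, who is invoking which API (meta-access) and whether a new VM came from one of our templates (asset tracking), are both readable straight out of CloudTrail. The Python below is an added example, not code from the deck or from Cloud Insight: it learns a baseline of principal-to-API pairs from one window of records, then reports deviations in a later window. The records are constructed and reduced to the handful of CloudTrail fields the rules use (eventSource, eventName, userIdentity with sessionContext.sessionIssuer for assumed roles, and requestParameters.instancesSet for RunInstances); the account ID, role and user names, and the approved AMI IDs are invented.

```python
from collections import defaultdict

# Approved launch templates (assumed names/IDs for illustration).
APPROVED_AMIS = {
    "ami-0a1b2c3d": "web-template-2016q4",
    "ami-0d4e5f6a": "db-template-2016q3",
}


def principal(ev):
    """Normalise CloudTrail userIdentity to the thing worth baselining:
    the IAM user, or for AssumedRole sessions the role that issued the session
    (the session ARN changes every time, the role does not)."""
    ui = ev["userIdentity"]
    if ui["type"] == "AssumedRole":
        return ui["sessionContext"]["sessionIssuer"]["arn"]
    return ui["arn"]


def baseline_principals(events):
    """Learning window: which principal is seen calling which API."""
    base = defaultdict(set)
    for ev in events:
        base[(ev["eventSource"], ev["eventName"])].add(principal(ev))
    return base


def review(events, baseline):
    """Deviation rules: an API call from a principal never seen making it
    ('meta-access'), and a VM launched from an image that is not one of
    our templates ('asset tracking')."""
    findings = []
    for ev in events:
        who = principal(ev)
        key = (ev["eventSource"], ev["eventName"])
        if who not in baseline.get(key, set()):
            findings.append(("new-meta-access", ev["eventName"], who))
        if ev["eventName"] == "RunInstances":
            for item in ev["requestParameters"]["instancesSet"]["items"]:
                if item["imageId"] not in APPROVED_AMIS:
                    findings.append(("untracked-asset", item["imageId"], who))
    return findings


# Constructed, simplified CloudTrail records (only the fields used above).
def record(time, source, name, identity, params=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params or {}}


def run_instances(ami):
    return {"instancesSet": {"items": [{"imageId": ami}]}}


ACCOUNT = "123456789012"
DEPLOY_ROLE = {"type": "AssumedRole",
               "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy/ci-run-42",
               "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/deploy"}}}
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
BOB = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}

LEARNING_WINDOW = [
    record("2016-10-01T10:00:00Z", "ec2.amazonaws.com", "RunInstances", DEPLOY_ROLE, run_instances("ami-0a1b2c3d")),
    record("2016-10-02T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", ALICE),
    record("2016-10-15T10:00:00Z", "ec2.amazonaws.com", "RunInstances", DEPLOY_ROLE, run_instances("ami-0d4e5f6a")),
]
REVIEW_WINDOW = [
    record("2016-11-03T10:00:00Z", "ec2.amazonaws.com", "RunInstances", DEPLOY_ROLE, run_instances("ami-0a1b2c3d")),
    record("2016-11-03T23:40:00Z", "ec2.amazonaws.com", "RunInstances", BOB, run_instances("ami-ffff0001")),
    record("2016-11-04T09:00:00Z", "iam.amazonaws.com", "CreateUser", ALICE, {"userName": "tmp-admin"}),
]


def run():
    return review(REVIEW_WINDOW, baseline_principals(LEARNING_WINDOW))
```

Two design points carry over to any real deployment. Baselining on the issuing role rather than the per-session ARN is what keeps the CI pipeline's routine launches quiet. And the second finding for bob's launch (an unapproved image) is independent of the first (bob never launched anything before), so even a principal that is in the baseline gets caught when it stops using the templates.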

Page 13

thank you – [email protected] (781.970.6112)