Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Realities of Security in the Cloud
1. Thank you.Reality Check: Security in the
Cloud
Amy Bogroff– Director Sales Engineering - East, Alert Logic
2. The Cloud Is Secure.
• AWS provides the most comprehensive suite of tools allowing
subscribers to achieve that promise
• Integrators like Presidio work to simplify the transition
3. Sometimes…
• Through 2022, at least 95% of cloud security failures will be the customer’s fault –
Gartner
• More than 1.5 billion sensitive corporate and other files are visible on the public
internet due to human error – Digital Shadows
• 88% of Java applications had at least one component-based vulnerability, 56% of all
PHP apps had at least one SQLi vulnerability - Veracode
• Attackers are outpacing enterprises with technology such as machine learning and
artificial intelligence (AI) – Ponemon/ServiceNow
8. Alert Logic Cloud Security Report 2017
550 DAYS
AUG 1, 2015 –JAN 31 2017
2,207,795
TOTAL TRUE POSITIVE SECURITY
INCIDENTS ANALYZED
32.5 MILLION
EVENTS DRIVING ESCALATED
INCIDENTS
147
PETABYTES
OF DATA ANALYZED
3807 CUSTOMERS
ANALYZED
452
INDUSTRIES ACROSS 3 CONTINENTS
9. Key Findings
1. Web applications are the soft underbelly of your organization –
the number-one means by which attackers breach data.
2. The movement toward assembling a chain of vulnerabilities to
build hard-to-detect, resilient attacks is accelerating.
3. Hybrid networks, with portions scattered among public clouds,
private clouds, and on-premises systems, are at greatest risk.
4. Organizations in different sectors suffer from very similar attacks
– and can learn much from each other.
10. Workload Environments Impact Incident Volumes
2.5x
more security incidents
observed in Hybrid vs
Public Cloud
51%
higher rate of
security incidents in
on premises vs Cloud
AVERAGE PER CUSTOMER SECURITY INCIDENT COUNTS
11. Web App Attacks – King of the Hill
WEB APP
ATTACK
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55% REMOTE
CODE
EXECUTION
22%
XXE
3%
APACHE
STRUTS
RCE
6%
WEB APP
ATTACK
RECON
5%
FILE
UPLOAD
6%
OTHER
4%
SECURITY INCIDENT TYPES ESCALATED
12. Increasing vulnerabilities at every layer
Vulnerabilities in
YOUR CODE
Vulnerabilities in
YOUR CONFIGS
Vulnerabilities
YOU INHERIT
13. Detect, Inspect, &
Escalate
Industry Challenge: The Good, the Bad and the Ugly
Known Good
Known Bad
Suspicious
Allow
Identify | Tune | Permit
Block
Drop | Reconfigure
Application Stack
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Databases
Server OS
Hypervisor
Hardware Classification Action
HUMAN EXPERT
REQUIRED
Page 13
14. What Can We Do???
• Scan for vulnerabilities and
misconfigurations
• WAF blocking/virtual patching,
IDS, and log monitoring as air
cover as you burn down your web
app vulnerabilities
• Leverage multiple detection
techniques
• Compliance requirements also
tend to be best practices
ASSESS
BLOCK COMPLY
DETECT
15. Address Vulnerabilities
Source: SC Magazine: scmagazine.com/one-year-later-heartbleed-still-a-threat/article/407803/
SHELLSHOCK HEARTBLEED
% of Global 2000
Organizations
Vulnerable to
Heartbleed in
August 2014: 76%
April, 2015: 74%
359 of 6000 analyzed containers – Tenable, 2018
19. Enter Machine Learning
Over nine months :
8-10% of the customers we
monitored were targeted by
actors with better-than-
average levels of skill and
determination
Each attack
had a High
degree of
complexity
Identified,
approx. 231
attacks
20. Multi-stage Attacks
Time: Day 1
Event: Early stage recon event
Criticality: Medium
Time: Day 3
Event: SQL Injection recon
Criticality: Medium
Time: Day 4
Event: SQL table enumeration
Criticality: High
Time: Day 4
Event: Injection
Criticality: Critica
Situation: Multiple address spaces and disparate unrelated events over days
21. Surgical Exfiltration
1 IP Address
Duration: 7 minutes
Surgical Exfiltration
1 IP Address
Duration: 2 minutes
Precision Recon
1 IP Address
Duration: 12 minutes
Precision Recon
1 IP Address
Duration: 8 minutes
Precision Recon
1 IP Address
Duration: 1 minute
Precision Recon
1 IP Address
Duration: 11 minutes
Sustained, Multi-stage Attack for Intellectual Property Theft
September2016 2017AprilOctober November December January February March
Jan 16th
Jan 3rd
Nov 2nd
Feb 6th
Continuous SQLi Reconnaissance to Better Understand the Environment (49 Unique IPs)
Continuous General SQLi Testing (172 Unique IPs)
22. Behind the Data
Web apps and misconfigurations can be the final destination…or initial entry
point
Perimeter AND Network AND
System /log-based Detection
defend your hosts
see N / S / E / W in all of your
protected environments
WAF blocking/virtual patching,
IDS, and log monitoring as air
cover as you burn down your
web app vulnerabilities
• Redistribute malware directly / indirectly
(exploit kits / watering hole)
• Monetization through fraud (SEO, Coin Mining,
Spam)
• Entry point into Infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from
databases)
23. Best Practices
Know your Shared
Security Responsibilities
with AWS
Attack surface
isn’t just where
your data resides
Continually assess for
exposures across all
environments
Understand impacts
from applicable
compliance mandates
Implement controls
built for cloud ,
containers, and
DevOps
25. Who Can I Speak To?
Need 1-on-1 time with Security Experts?
Speak to Alert Logic to have all your questions answered.
Alert Logic 2017 Cloud Security Report
www.alertlogic.com
26. Questions?
Are these findings in line with your expectations?
What additional areas concern you most?
What other insights can we draw from these numbers?
What other best practices should we be sharing?