looking beyond the silver lining

Post on 12-Feb-2022


Looking Beyond the Silver Lining

Rafe Pilling

Dell SecureWorks, Senior Security Researcher

Today’s Agenda

• Changing the way we think about protecting our assets?

• Becoming an informed consumer of Cloud Services?

• Impact of Cloud on our security controls, testing and response capabilities?

• What does the “Dark-Side” of Cloud look like?

Cloud Growth

Source: http://www.forbes.com/sites/louiscolumbus/2013/02/19/gartner-predicts-infrastructure-services-will-accelerate-cloud-computing-growth/

• Approx. 18% annual growth rate

• $155 billion spent next year (projected)

Fixed Perimeter

What Perimeter?

Transparency

• On-Premises Thinking
  – Full visibility into all levels of the stack
  – Full visibility of security controls
  – Data location is relatively static
  – Management and maintenance overhead is high

• Cloud Thinking
  – Limited visibility of the stack depending on the cloud service
  – APIs and management interfaces abstract away the underlying technology
  – Data location can be very fluid
  – Management and maintenance overhead is lower
  – Limited or no visibility into security controls

Defensive Paradigm Shift

• On-Premises Thinking
  – Focus on securing the network
  – Build a secure perimeter and let the business operate within it
  – Don’t focus on data security because the network is “trusted”
  – Hard shell / soft center model (like an Armadillo)
  – There aren’t generally “neighbors” to contend with

• Cloud Thinking
  – Focus should be on securing the data
  – Don’t know who the neighbors are
    › You could be collateral damage in an attack
    › Your neighbor could be attacked to get to you
  – Assume the environment is hostile unless proven otherwise
  – Soft shell / hard center model (like an Avocado)

Cloud Risk?

Amazon 24hr outage 24th December 2012

Source: http://gigaom.com/2011/04/22/heres-what-amazon-outage-looked-like/

Source: http://www.businessinsider.com/amazon-apologizes-for-netflix-outage-2012-12

"We want to apologize. We know how critical our services are to our customers’ businesses, and we know this disruption came at an inopportune time for some of our customers. We will do everything we can to learn from this event and use it to drive further improvement in the ELB service."

Cloud Security

Separation of responsibilities

Source: http://mschnlnine.vo.llnwd.net/d1/inetpub/kevinremde/Images/679669067395_DBE9/image_3.png

13 03/10/2013

Neighbours…

Security Testing

• Amazon’s approach:
  – Collects information on test source and times
  – Allows use of any tools
  – Does NOT allow DDoS
  – Allows most anything else
  – Provides a few caveats to protect low-end resources

• Amazon sets a good example in their approach

Compliance & Control

Simplifying compliance

CSA STAR Portal

“allows them to submit self assessment reports that document compliance to CSA published best practices”

Cloud Controls Matrix

“designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.”

Incident Response

Logging in the Cloud

• Logging is crucial for understanding an incident

• These are basic recommendations but rarely implemented until after a major incident.

• MUST retain at least 6 months, with 12 months being the recommended minimum.

• Focus on authentication and connectivity related log sources as well as any security alerts

• Know
  – what is being logged?
  – where it is being logged?
  – how to get the logs?

• Analyze the logs and act on the findings
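The recommendations above, turned into a check over a log-source inventory. This is an added example, not part of the original slides; the inventory rows, field names and the day counts used for 6 and 12 months are assumptions.

```python
MIN_DAYS = 183   # "at least 6 months", approximated in days (assumption)
REC_DAYS = 365   # "12 months being the recommended minimum"
# Categories the slide says to focus on.
PRIORITY = ("authentication", "connectivity", "security_alert")

# Constructed inventory: names, locations and export methods are hypothetical.
INVENTORY = [
    {"name": "sso-signin", "category": "authentication", "retention_days": 400,
     "location": "central-log-store/sso", "export": "provider API"},
    {"name": "vpn-gateway", "category": "connectivity", "retention_days": 200,
     "location": "central-log-store/vpn", "export": "syslog forwarder"},
    {"name": "saas-admin-audit", "category": "authentication", "retention_days": 90,
     "location": None, "export": None},
    {"name": "web-app-debug", "category": "application", "retention_days": 30,
     "location": "app-host:/var/log/app", "export": "scp"},
]

def audit(inventory):
    """Return (source_or_category, finding) tuples for every gap found."""
    findings = []
    for src in inventory:
        days = src.get("retention_days") or 0
        if days < MIN_DAYS:
            findings.append((src["name"], "FAIL: retention below 6 months"))
        elif days < REC_DAYS:
            findings.append((src["name"], "WARN: retention below 12 months"))
        # "Know where it is being logged" and "how to get the logs".
        if not src.get("location"):
            findings.append((src["name"], "FAIL: log location unknown"))
        if not src.get("export"):
            findings.append((src["name"], "FAIL: no known way to get the logs"))
    # "Know what is being logged": every priority category needs a source.
    present = {s["category"] for s in inventory}
    for cat in PRIORITY:
        if cat not in present:
            findings.append((cat, "FAIL: no log source in this priority category"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```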

Cloud Forensics Challenges

• Live forensics may not be possible

• Storage is logical and focused on allocated space; acquisition images may not include data remnants or unallocated disk space

• Failed or obsolete hardware

• Multi-tenant storage devices may contaminate the acquisition

• Acquisition may require large amounts of bandwidth

• Data fragmentation and dispersal

• Data ownership issues—what happens when the contract is terminated?


Credit: http://sinussister.com/blog/wp-content/uploads/2011/08/Storm-cloud.jpg

An Evolving Threat

• Security Services Providers have historically played catch-up

• The Threat evolved faster than the available defensive technologies

• Threat Intelligence was ad-hoc at best

• Challenges are:
  – New actors
  – Moving perimeter
  – Increased complexity & loss of transparency
  – Speed of attack
  – Bad guys operating with impunity

The Threat Actor Stack Keeps Growing

[Figure: threat actor stack, axes labelled “Sophistication” and “Prevalence”. Actors shown: Script Kiddies, Graffiti Artists, Fraudsters, Botmasters, Hacktivists, Intellectual Property Thieves, Nation State Threats, Cyber Terrorism]

Expansion – extending reach

Password Reset on Cloud Services?

Exfiltration…

• Dirt Jumper

Prevention


• Due diligence
  – Risk assessments
  – Audits
  – Security requirements built into procurement
    › If you don’t ask for it, it will never happen

• Focus on vulnerabilities in all aspects of the system.
  – People, process, technology
  – Vulnerability scanning, penetration testing, secure code development

• Threat Intelligence
  – Know the risks
  – Know the threat actors
  – Know the exploits
  – Learn from the mistakes of others

• Monitor and respond
  – Maintain visibility and know what to do when incidents are detected

Thank you
