azure 101: shared responsibility in the azure cloud

SHARED SECURITY RESPONSIBILITY IN AZURE Speaker - Chris Camaclang

Upload: paulo-renato

Post on 05-Apr-2017


TRANSCRIPT

Page 1: Azure 101: Shared responsibility in the Azure Cloud

SHARED SECURITY RESPONSIBILITY IN AZURE

Speaker - Chris Camaclang

Page 2: Azure 101: Shared responsibility in the Azure Cloud

Agenda

• Intro + Housecleaning + Surveys
• Hybrid Cloud Landscape
• Threat Landscape
• Security Best Practices
• Alert Logic Solutions and Value

Page 3: Azure 101: Shared responsibility in the Azure Cloud

Hybrid Cloud Today

[Diagram: a hybrid cloud landscape. An internal private cloud and an external public cloud, with cloud failover in a different geography, are joined by secure tunnels. Environments shown: production, staging, QA, dev/test, demo sites and performance testing. Users (prospects, customers, business partners, managers, PMs, architects, developers, support) connect from smart phones, smart TVs, tablets/iPads, desktops, cloudtops, notebooks and netbooks. The IT + dev support side lists office, TIM/TAM, desktop, monitoring, business support, transformation, Adobe LC, messaging, security, business intelligence and code management services; the public cloud side repeats TIM/TAM, monitoring and security services alongside performance testing.]

Page 4: Azure 101: Shared responsibility in the Azure Cloud

The Impact of a Breach is Far-Reaching and Long-Lived

THE CYBER KILL CHAIN¹: Identify & Recon → Initial Attack → Command & Control → Discover & Spread → Extract & Exfiltrate

THE IMPACT: Financial loss; Harm to brand and reputation; Scrutiny from regulators

COMPANIES OF ALL SIZES ARE IMPACTED

1. http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster

Page 5: Azure 101: Shared responsibility in the Azure Cloud

Global Analysis

Page 6: Azure 101: Shared responsibility in the Azure Cloud

Threats by Customer Industry Vertical

Source: Alert Logic CSR 2016

[Three pie charts, each split across Application Attack, Brute Force, Recon, Suspicious Activity and Trojan Activity:]

• Finance-Insurance-Real Estate: 29%, 48%, 10%, 11%, 2%
• Retail-Wholesale: 56%, 25%, 17%, 0%, 2%
• Information Technology: 54%, 21%, 22%, 1%, 2%

Page 7: Azure 101: Shared responsibility in the Azure Cloud

Web App Attacks

[Bar chart of breaches by incident pattern, axis "Percentage of Breaches" (Source: Verizon):]

• Web App Attacks: 908
• POS Intrusions: 525
• Miscellaneous Errors: 197
• Privilege Misuse: 172
• Cyber-espionage: 155
• Everything Else: 125
• Payment Card Skimmers: 86
• Physical Theft / Loss: 56
• Crimeware: 49
• Denial of Service: 1

Security risk is shifting to unprotected web applications. Web app attacks are now the #1 source of data breaches.

But less than 5% of data center security budgets are spent on app security.

Callouts: UP 500% SINCE 2014; $23 to $1

Source: Gartner

Page 8: Azure 101: Shared responsibility in the Azure Cloud

Cloud Security is a Shared, but not Equal, Responsibility

CUSTOMER
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (inc. Multi-factor Authentication)
• Access Management
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption
• Network Security Configuration

ALERT LOGIC
• Security Monitoring
• Log Analysis
• Vulnerability Scanning
• Network Threat Detection
• Security Monitoring
• Web Application Firewall
• Vulnerability Scanning
• Application level attack monitoring

MICROSOFT
• Logical Network Segmentation
• Perimeter Security Services
• External DDOS, spoofing, and scanning monitored
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)

Page 9: Azure 101: Shared responsibility in the Azure Cloud

SECURITY BEST PRACTICES

Page 10: Azure 101: Shared responsibility in the Azure Cloud

10 Best Practices for Security

1. Understand the Cloud Provider's Shared Responsibility Model
2. Secure your code
3. Create access management policies
4. Data Classification
5. Adopt a patch management approach
6. Review logs regularly
7. Build a security toolkit
8. Stay informed of the latest vulnerabilities that may affect you
9. Understand your cloud service provider's security model
10. Know your adversaries

Page 11: Azure 101: Shared responsibility in the Azure Cloud

1. Understand the Cloud Provider's Shared Responsibility Model

The first step to securing cloud workloads is understanding the shared responsibility model

Microsoft will secure most of the underlying infrastructure, including the physical access to the datacenters, the servers and hypervisors, and parts of the networking infrastructure…but the customer is responsible for the rest.

Taken from the Shared Responsibility for Cloud Computing whitepaper, published by Microsoft in March 2016

Page 12: Azure 101: Shared responsibility in the Azure Cloud

2. Secure Your Code

• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps

Page 13: Azure 101: Shared responsibility in the Azure Cloud

3. Create Secure Access Management Policies

• Simplify access controls (KISS)
• Lock down Admin account in Azure
• Enable MFA (Azure, hardware/software token)
• Identify data infrastructure that requires access (*Lock down Azure SQL)
• Define roles and responsibilities (delegating service admins)
• Azure NSG (private vs public)
• Continually audit access (Azure Audit Logs)
• Start with a least privilege access model (RBAC); *avoid Owner role unless absolutely necessary
• Don’t store keys in code (e.g. secret keys)
• AAD Premium (*Security analytics and alerting)
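As an added illustration of the RBAC and NSG points on this slide (not code from the talk or from Alert Logic), the following Python audits an exported list of role assignments and NSG rules for two of the rules stated above: no Owner assignments beyond an explicit allow-list, and no admin port reachable from a public source. The JSON samples are constructed in the shape of Azure CLI output, the subscription id is a placeholder, and the allow-list and admin-port set are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `az role assignment list` JSON (values invented).
ROLE_ASSIGNMENTS_JSON = """[
 {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID-PLACEHOLDER"},
 {"principalName": "ci-deploy-sp", "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/web-rg"},
 {"principalName": "bob@example.com", "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/web-rg"}
]"""
# Constructed sample in the shape of `az network nsg rule list` JSON (values invented).
NSG_RULES_JSON = """[
 {"name": "allow-https", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "3389"},
 {"name": "allow-ssh-corp", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "10.10.0.0/16", "destinationPortRange": "22"},
 {"name": "allow-sql-range", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "1430-1440"}
]"""

# Assumed set of management ports that should never be open to public sources.
ADMIN_PORTS = {22, 3389, 1433, 5985, 5986}
PUBLIC_PREFIXES = {"*", "Internet", "0.0.0.0/0"}


def owner_findings(assignments, allowed_owners=()):
    """(principal, scope) for every Owner assignment not on the allow-list."""
    return [(a["principalName"], a["scope"]) for a in assignments
            if a["roleDefinitionName"] == "Owner"
            and a["principalName"] not in allowed_owners]


def ports_in_range(spec):
    """Expand an NSG destinationPortRange ('*', '22' or '1430-1440') into a set."""
    if spec == "*":
        return set(range(65536))
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(spec)}


def is_public_source(prefix):
    """True for wildcard/Internet sources or any IP range outside private space."""
    if prefix in PUBLIC_PREFIXES:
        return True
    try:
        return not ipaddress.ip_network(prefix, strict=False).is_private
    except ValueError:  # other service tags (e.g. VirtualNetwork) are not public
        return False


def exposed_admin_rules(rules):
    """Names of inbound Allow rules that reach an admin port from a public source."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and is_public_source(r["sourceAddressPrefix"])
            and ports_in_range(r["destinationPortRange"]) & ADMIN_PORTS]


def audit(role_json=ROLE_ASSIGNMENTS_JSON, nsg_json=NSG_RULES_JSON, allowed_owners=()):
    """Run both checks over the exported JSON and return the findings."""
    return {"owners": owner_findings(json.loads(role_json), allowed_owners),
            "exposed_rules": exposed_admin_rules(json.loads(nsg_json))}
```

On the sample, the https rule passes (public, but not an admin port) while the RDP rule and the port range that contains 1433 are flagged; both Owner assignments are reported until a principal is allow-listed.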

Page 14: Azure 101: Shared responsibility in the Azure Cloud

4. Data Classification

• Identify data repositories and mobile backups
• Identify classification levels and requirements
• Analyze data to determine classification
• Build Access Management policy around classification
• Monitor file modifications and users

Page 15: Azure 101: Shared responsibility in the Azure Cloud

5. Adopt a Patch Management Approach

• Use trusted images (*Prevent users from launching untrusted images)
• Constantly scan all vulnerabilities in your images and patch them
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC

Page 16: Azure 101: Shared responsibility in the Azure Cloud

6. Log Management Strategy

Why collect logs:
• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance

All sources of log data are collected and retained:
• Data types (Windows, Syslog)
• Azure AD behavior
• Azure Audit Logs (services, instances…activity, PowerShell)
• Azure SQL Logs
• Azure App Services Logs

How logs are used:
• Review process
• Live monitoring
• Correlation logic
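As an added example of the "correlation logic" item above (not code from the talk or from Alert Logic), the following Python runs a simple correlation over a constructed sample of Azure Activity Log records: it flags any caller who performs two different privileged control-plane writes (a role-assignment write and an NSG rule write) within a short window, while ignoring failed attempts and routine operations. The field names follow the Activity Log event shape; the callers, timestamps, subscription id placeholder and the ten-minute window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Azure Activity Log events; callers, timestamps
# and resource ids are invented (SUB-ID-PLACEHOLDER is not a real subscription).
ACTIVITY_LOG_JSON = """[
 {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "caller": "svc-build@example.com", "eventTimestamp": "2017-04-05T10:00:12Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/providers/Microsoft.Authorization/roleAssignments/r1"},
 {"operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"}, "caller": "svc-build@example.com", "eventTimestamp": "2017-04-05T10:03:40Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/web-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-rdp"},
 {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "caller": "ops@example.com", "eventTimestamp": "2017-04-05T10:05:00Z", "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/web-rg/providers/Microsoft.Compute/virtualMachines/web01"},
 {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "caller": "ops@example.com", "eventTimestamp": "2017-04-05T15:30:00Z", "status": {"value": "Failed"}, "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/providers/Microsoft.Authorization/roleAssignments/r2"}
]"""

# Control-plane writes that change who can do what, or what the network allows.
PRIVILEGED_OPS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def privileged_events(events):
    """Successful privileged writes, oldest first (failed attempts are a separate signal)."""
    hits = [e for e in events
            if e["operationName"]["value"] in PRIVILEGED_OPS
            and e["status"]["value"] == "Succeeded"]
    return sorted(hits, key=lambda e: parse_ts(e["eventTimestamp"]))


def correlate(events, window=timedelta(minutes=10)):
    """Map caller -> sorted operation names for every caller who performed two or
    more different privileged operations within `window` of each other."""
    by_caller = defaultdict(list)
    for e in privileged_events(events):
        by_caller[e["caller"]].append(e)
    alerts = {}
    for caller, evs in by_caller.items():
        for i, first in enumerate(evs):
            start = parse_ts(first["eventTimestamp"])
            cluster = [x for x in evs[i:]
                       if parse_ts(x["eventTimestamp"]) - start <= window]
            ops = {x["operationName"]["value"] for x in cluster}
            if len(ops) >= 2:
                alerts[caller] = sorted(ops)
                break
    return alerts


def review(raw_json=ACTIVITY_LOG_JSON, window_minutes=10):
    """Entry point: parse an Activity Log export and return the correlated alerts."""
    return correlate(json.loads(raw_json), timedelta(minutes=window_minutes))
```

On the sample, the build account's role-assignment write followed three and a half minutes later by an NSG rule write is reported; the ops account's VM start and failed role write are not.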

Page 17: Azure 101: Shared responsibility in the Azure Cloud

7. Build a Security Toolkit

Recommended Security Solutions:

• Antivirus
• IP tables/Firewall
• Backups
• FIM
• Intrusion Detection System (VNET ingress/egress)
• Malware Detection
• Web Application Firewalls (inspection at Layer 7)
• Forensic Image of hardware remotely
• Future Deep Packet Forensics
• Web Filters
• Mail Filters
• Encryption Solutions
• Proxies
• Log collection
• SIEM Monitoring and Escalation
• Penetration Testing

Page 18: Azure 101: Shared responsibility in the Azure Cloud

8. Stay Informed of the Latest Vulnerabilities

Websites to follow:

• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/
• https://www.alertlogic.com/weekly-threat-report/

Page 19: Azure 101: Shared responsibility in the Azure Cloud

9. Understand Your Service Provider's Security Model

• Understand the security offerings from your provider
• Probe into the security vendors to find their prime service
• Hypervisor exploits are patched by the service provider
• Questions to use when evaluating cloud service providers

Page 20: Azure 101: Shared responsibility in the Azure Cloud

10. Understand your Adversaries

Page 21: Azure 101: Shared responsibility in the Azure Cloud

Threats are 24x7 = Security Operations 24x7

• Monitor intrusion detection and vulnerability scan activity
• Search for industry trends and deliver intelligence on lost or stolen data
• Collect data from OSINT and underground sources to deliver intelligence and content
• Identify and implement required policy changes
• Escalate incidents and provide guidance to the response team to quickly mitigate incidents
• Monitor for zero-day and new and emerging attacks
• Cross-product correlate data sources to find anomalies

Page 22: Azure 101: Shared responsibility in the Azure Cloud

ALERT LOGICSOLUTIONS

Page 23: Azure 101: Shared responsibility in the Azure Cloud

Cloud Security is a Shared, but not Equal, Responsibility


Page 24: Azure 101: Shared responsibility in the Azure Cloud

Vulnerabilities + Change + Shortage

Complexity of defending web applications and workloads

Risks are moving up the stack

1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd party development tools
4. Extreme shortage of cloud and application security expertise

[Diagram: the application stack (Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Databases, Networking, Cloud Management) mapped against three attack classes: Web App Attacks (OWASP Top 10), Platform / Library Attacks, System / Network Attacks.]

Perimeter & end-point security tools fail to protect cloud attack surface

Page 25: Azure 101: Shared responsibility in the Azure Cloud

Focus requires full stack inspection…and complex analysis

[Diagram: "Your App Stack" (Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Databases, Networking, Cloud Management) faces the three attack classes (Web App Attacks / OWASP Top 10, Platform / Library Attacks, System / Network Attacks). App Transactions, Log Data and Network Traffic feed a "Security Decision" that sorts threats into Known Good (Allow), Known Bad (Block) and Suspicious (Analyze) before they reach "Your Data".]

Page 26: Azure 101: Shared responsibility in the Azure Cloud

Focus requires full stack inspection…and complex analysis

[Diagram: the same app stack, attack classes and data sources (App Transactions, Log Data, Network Traffic) as the previous slide, with "Known Bad" now handled by two added layers: APP+CONFIG ASSESSMENT and COLLECTION TECHNOLOGY.]

Page 27: Azure 101: Shared responsibility in the Azure Cloud

Integrated value chain delivering full stack security…

[Diagram: the app stack, attack classes and data sources feed APP+CONFIG ASSESSMENT and COLLECTION TECHNOLOGY, which in turn feed an ANALYTICS layer of Signatures & Rules, Anomaly Detection and Machine Learning.]

Petabytes of normalized data from 4000+ customers

Page 28: Azure 101: Shared responsibility in the Azure Cloud

Integrated value chain delivering full stack security, experts included

[Diagram: the previous slide's chain (app stack and attack classes; App Transactions, Log Data, Network Traffic; APP+CONFIG ASSESSMENT and COLLECTION TECHNOLOGY; ANALYTICS with Signatures & Rules, Anomaly Detection and Machine Learning) extended with a 24/7 EXPERTS & PROCESS layer.]

Petabytes of normalized data from 4000+ customers

24/7 EXPERTS & PROCESS:
• Threat Intelligence
• Security Research
• Data Science
• Security Content
• Security Operations Center

Page 29: Azure 101: Shared responsibility in the Azure Cloud

Integrated value chain delivering full stack security, experts included

[Diagram: the same value chain (app stack and attack classes; Signatures & Rules, Anomaly Detection, Machine Learning; Threat Intelligence, Security Research, Data Science, Security Content, Security Operations Center) overlaid with the ALERT LOGIC CLOUD DEFENDER components: Cloud Insight, ActiveWatch Detection & Protection, Web Security Manager, Log Manager and Threat Manager.]

Page 30: Azure 101: Shared responsibility in the Azure Cloud

New capabilities focused on Web Attack Detection

1. Over 150 new web attack incidents
2. Improved OWASP Top 10 coverage powered by Anomaly Detection
3. Advanced SQL Injection detection powered by Machine Learning

[Chart: attacks broken down into Web App Attacks (OWASP Top 10), platform/library attacks and app/system misconfiguration attacks. Over 250 breaches detected in 2016.]

Page 31: Azure 101: Shared responsibility in the Azure Cloud

Alert Logic solutions are easy to deploy

• Use a combination of host based agents and appliances to collect network and application traffic

• Agents also collect logs from the VM

• Azure Activity Logs are collected via the Azure Monitor API

• Azure SQL or App Services Logs are collected from Azure storage accounts

• Appliances can be used to do internal scanning, or we can do external and PCI scanning from our cloud

Page 32: Azure 101: Shared responsibility in the Azure Cloud

HOW IT WORKS:

Alert Logic Threat Manager for 3 Tier Application Stack + Azure SQL

[Diagram: inside a VNET and resource group, web traffic enters through an Application Gateway to a Web Tier and an Application Tier, each built on auto-scaling VM Scale Sets, with Azure SQL as the Database Tier. A Threat Manager appliance VM receives traffic from the tiers, and Azure SQL logs are written to an Azure Storage table that Alert Logic collects.]

Page 33: Azure 101: Shared responsibility in the Azure Cloud

3-Tier applications using VMs only

[Diagram: two customers (Customer A and Customer B), each with its own VNET and resource group containing auto-scaling Web Tier and Application Tier VM Scale Sets and a Database Tier of SQL VMs in Availability Sets; web traffic for each customer is seen by an Alert Logic Threat Manager appliance VM.]

Page 34: Azure 101: Shared responsibility in the Azure Cloud

ARM Template automate appliance deployments

https://github.com/alertlogic/al-arm-templates

Page 35: Azure 101: Shared responsibility in the Azure Cloud

Agents can be baked into VM images, or automatically installed using DevOps toolsets

https://supermarket.chef.io/cookbooks/al_agents

Page 36: Azure 101: Shared responsibility in the Azure Cloud

Alert Logic – a Leader in Forrester’s 2016 NA MSSP Wave™

“Alert Logic has a head start in the cloud, and it shows.

Alert Logic is an excellent fit for clients looking to secure their current or planned cloud migrations, clients requiring a provider that can span seamlessly between hybrid architectures, and those that demand strong API capabilities for integrations.”

- Forrester Wave™ Report

Page 37: Azure 101: Shared responsibility in the Azure Cloud

Addressing Customers with Compliance Requirements

Alert Logic Web Security Manager™
PCI DSS:
• 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
• 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications.
SOX:
• DS5.10 Network Security
• AI3.2 Infrastructure resource protection and availability
HIPAA & HITECH:
• 164.308(a)(1) Security Management Process
• 164.308(a)(6) Security Incident Procedures

Alert Logic Log Manager™
PCI DSS:
• 10.2 Automated audit trails
• 10.3 Capture audit trails
• 10.5 Secure logs
• 10.6 Review logs at least daily
• 10.7 Maintain logs online for three months
• 10.7 Retain audit trail for at least one year
SOX:
• DS5.5 Security Testing, Surveillance and Monitoring
HIPAA & HITECH:
• 164.308(a)(1)(ii)(D) Information System Activity Review
• 164.308(a)(6)(i) Login Monitoring
• 164.312(b) Audit Controls

Alert Logic Threat Manager™
PCI DSS:
• 5.1.1 Monitor zero day attacks not covered by anti-virus
• 6.2 Identify newly discovered security vulnerabilities
• 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change
• 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
SOX:
• DS5.9 Malicious Software Prevention, Detection and Correction
• DS5.6 Security Incident Definition
• DS5.10 Network Security
HIPAA & HITECH:
• 164.308(a)(1)(ii)(A) Risk Analysis
• 164.308(a)(1)(ii)(B) Risk Management
• 164.308(a)(5)(ii)(B) Protection from Malicious Software
• 164.308(a)(6)(iii) Response & Reporting

Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting

Page 38: Azure 101: Shared responsibility in the Azure Cloud

Scalable Threat Intel Process Delivers Relevant Content

[Diagram of the threat intelligence pipeline, read left to right:]

• Input Sources: Honeynet, 3rd-party intel, vulnerabilities, watchlists, research, telemetry
• Threat Analytics Platform (big data): extraction, fusion/normalization, entity resolution
• Analysis Techniques: link analysis, clustering analysis, complex analysis
• Key Service Capabilities: reputation, blacklists, content coverage, incident modeling, intelligence gathering, relevant vulnerabilities; outcomes are increased contextual awareness and increased incident understanding

Page 39: Azure 101: Shared responsibility in the Azure Cloud

Stopping Imminent Data Exfiltration

Customer Type: Retail
Threat Type: Advanced SQL Injection

• COMPROMISE ACTIVITY: Discovered through inspection of 987 log messages indicative of a SQL injection attack
• INCIDENT ESCALATION (8 min): Partner and customer notified with threat source information and remediation tactics
• FURTHER ANALYSIS (2 hours): Alert Logic Analyst confirms user IDs and password hashes leaked as part of initial attack
• EXFILTRATION ATTEMPT PREVENTED (6 hours): Partner works with customer to mitigate compromised accounts

Page 40: Azure 101: Shared responsibility in the Azure Cloud

Preventing Ransomware Spread

Customer Type: Retail
Threat Type: Ransomware

• SUSPICIOUS ACTIVITY: Cryptowall detected on key gateway server in over 1,400 events (6,000 packets)
• INCIDENT ESCALATION (14 min): Critical risk of lateral movement through shared drives identified
• LATERAL MALWARE MOVEMENT PREVENTED (6 hours): Analyst performs forensic review of an additional 8,000 log messages and 1,400 events that identifies additional attack vectors through related events

Page 41: Azure 101: Shared responsibility in the Azure Cloud

To Follow our Research & Contact Information

Blog

https://www.alertlogtic.com/resources/blog

Newsletter

https://www.alertlogic.com/weekly-threat-report/

Cloud Security Report

https://www.alertlogic.com/resources/cloud-security-report/

Zero Day Magazine

https://www.alertlogic.com/zerodaymagazine/

Twitter

@AlertLogic

For More Information on Alert Logic Solutions

[email protected]

206-673-4387

Page 42: Azure 101: Shared responsibility in the Azure Cloud

Thank you.