![Page 1: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/1.jpg)
Reasoning About Enterprise Application Security in a Cloudy World
@Zulfikar_Ramzan / CTO / www.elastica.net
![Page 2: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/2.jpg)
Rethinking Security: Being Threat Centric
THREAT LIFECYCLE: BEFORE (Controls), DURING (Identification), AFTER (Response)
Tools across the lifecycle: Firewalls, NGFW, IDS/IPS, AV, AMP, Forensics, IR Tools
![Page 3: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/3.jpg)
Key Cybersecurity Hurdles
Proliferation of New Technologies
Evolution of Threat Landscape
Increase of Complexity
![Page 4: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/4.jpg)
GRC: What Matters?
Compliance: highly complex, one-size-fits-all, dynamic.
What you ultimately care about: Visibility. You have to understand the risks you are trying to mitigate.
![Page 5: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/5.jpg)
Traditional Security Operation Center (SOC)
![Page 6: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/6.jpg)
Outside the Visibility of Existing SOC
Unmonitored activities
Outside SOC reach
![Page 7: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/7.jpg)
Key Enterprise SaaS Security Challenges
Make it work vs. approval
No visibility into app / action
No events for the SIEM to consume
![Page 8: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/8.jpg)
Application Security Over Time
| OWASP Top 10 – 2010 (old) | OWASP Top 10 – 2013 (new) |
|---|---|
| 2010-A1 – Injection | 2013-A1 – Injection |
| 2010-A2 – Cross Site Scripting (XSS) | 2013-A2 – Broken Authentication and Session Management |
| 2010-A3 – Broken Authentication and Session Management | 2013-A3 – Cross Site Scripting (XSS) |
| 2010-A4 – Insecure Direct Object References | 2013-A4 – Insecure Direct Object References |
| 2010-A5 – Cross Site Request Forgery (CSRF) | 2013-A5 – Security Misconfiguration |
| 2010-A6 – Security Misconfiguration | 2013-A6 – Sensitive Data Exposure |
| 2010-A7 – Insecure Cryptographic Storage | 2013-A7 – Missing Function Level Access Control |
| 2010-A8 – Failure to Restrict URL Access | 2013-A8 – Cross-Site Request Forgery (CSRF) |
| 2010-A9 – Insufficient Transport Layer Protection | 2013-A9 – Using Known Vulnerable Components (NEW) |
| 2010-A10 – Unvalidated Redirects and Forwards (new in 2010) | 2013-A10 – Unvalidated Redirects and Forwards |

Three primary changes:
- Merged: 2010-A7 and 2010-A9 -> 2013-A6 (Sensitive Data Exposure)
- Added new 2013-A9: Using Known Vulnerable Components
- 2010-A8 (Failure to Restrict URL Access) broadened to 2013-A7 (Missing Function Level Access Control)
![Page 9: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/9.jpg)
Where Controls are Lost
Layers (rows): App/Data, Middleware, OS, Virtual, Physical
Deployment models (columns): On Prem, IaaS, PaaS, SaaS
![Page 10: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/10.jpg)
Gartner Public Cloud Management Lifecycle
ESTABLISH SECURITY BASELINE
CHOOSE AND APPLY COMPENSATING CONTROLS
INCIDENT DETECTION
INCIDENT RESPONSE MANAGEMENT
![Page 11: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/11.jpg)
Establish a Security Baseline
Baseline: you need to understand where you are right now.
Basic discovery: table stakes (any firewall / NGFW can do it).
Interesting challenge: audit (what is enterprise-ready for you specifically?)
Audit dimensions: ADMINISTRATIVE, INFORMATIONAL, BUSINESS, ACCESS, DATA, SERVICE, COMPLIANCE
![Page 12: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/12.jpg)
Choose and Apply Compensating Controls
VISIBILITY and ACTION across the tuple: User, Service, Object, Action
![Page 13: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/13.jpg)
Incident Detection
Policies and controls identify specific, tangible behaviors. But what about sophisticated threats that fall outside their scope?
SIGNATURES
HEURISTICS
BEHAVIOR-BASED ANALYSIS
ANOMALY DETECTION
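As an added example that is not part of the deck, the following Python contrasts the two ends of that spectrum over the User / Service / Object / Action event model from the compensating-controls slide: a policy rule that names a tangible behavior (an external share), and a per-user volume baseline that flags a mass download no rule was written for. The audit events, the baseline window and the z-score threshold are constructed for illustration; a real SaaS export would be normalised into this tuple first.

```python
"""Policy rules vs. anomaly detection over SaaS audit events.

Added example, not from the slide deck. Events follow the slide's
User / Service / Object / Action model; the sample log, the baseline
window and the threshold are constructed values.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log, one row per (day, user, service, object, action, bytes).
EVENTS = [
    (1, "alice", "drive", "q1-plan.docx",   "download",  2_000_000),
    (2, "alice", "drive", "budget.xlsx",    "download",  1_500_000),
    (3, "alice", "drive", "notes.txt",      "download",     20_000),
    (4, "alice", "drive", "roadmap.pptx",   "download",  3_000_000),
    (5, "alice", "drive", "budget.xlsx",    "download",  1_500_000),
    (6, "alice", "drive", "customers.csv",  "share_ext",   900_000),
    # Day 7: the whole folder is pulled; no policy names this behavior.
    (7, "alice", "drive", "export-001.zip", "download", 50_000_000),
    (7, "alice", "drive", "export-002.zip", "download", 50_000_000),
    (7, "alice", "drive", "export-003.zip", "download", 50_000_000),
    (1, "bob",   "drive", "readme.md",      "download",     10_000),
    (2, "bob",   "drive", "readme.md",      "download",     10_000),
    (7, "bob",   "drive", "readme.md",      "download",     10_000),
]


def policy_hits(events):
    """Signature-style control: match a named, tangible action (external share)."""
    return [e for e in events if e[4] == "share_ext"]


def daily_bytes(events, action="download"):
    """Aggregate bytes per (user, day) for one action type."""
    totals = defaultdict(int)
    for day, user, _service, _obj, act, size in events:
        if act == action:
            totals[(user, day)] += size
    return totals


def anomalies(events, baseline_days, z_threshold=3.0):
    """Flag (user, day, bytes) whose volume deviates from that user's own baseline.

    Each user is compared only against their own history over `baseline_days`;
    days with no downloads count as zero so a quiet user keeps a tight baseline.
    """
    per_user = defaultdict(dict)
    for (user, day), size in daily_bytes(events).items():
        per_user[user][day] = size

    flagged = []
    for user, by_day in per_user.items():
        history = [by_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        for day, size in sorted(by_day.items()):
            if day in baseline_days:
                continue
            if sigma == 0:
                # Perfectly flat history: any increase is a deviation.
                is_anomalous = size > mu
            else:
                is_anomalous = (size - mu) / sigma > z_threshold
            if is_anomalous:
                flagged.append((user, day, size))
    return flagged


if __name__ == "__main__":
    print("policy hits:", policy_hits(EVENTS))
    print("anomalies:  ", anomalies(EVENTS, baseline_days=range(1, 7)))
```

The policy catches Alice's external share on day 6 because someone wrote a rule for it; the 150 MB pull on day 7 matches no rule and is only visible because it is roughly a hundred standard deviations above her own six-day baseline, while Bob's identical-looking day-7 download stays below threshold. A z-score on raw bytes is the simplest possible baseline; in practice you would pick the statistic per action type and re-fit the baseline on a rolling window.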
![Page 14: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/14.jpg)
Incident Response Management
Attackers are constantly evolving and adapting. Threats will eventually get through. The question is no longer "What if?", but "What now?"
INFORMATION ASYMMETRY FAVORS ATTACKERS
PRE-THINK RESPONSE; HARD TO DO AFTER THE FACT
INTEGRATE; DON'T BOLT ON
![Page 15: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/15.jpg)
The SaaS Security Landscape
ENCRYPTION
SINGLE SIGN ON
SAAS APPLICATION MONITORING AND CONTROL
![Page 16: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/16.jpg)
ENCRYPTION: PROBLEM OR PANACEA?
ENCRYPT IN TRANSIT
ENCRYPT AT REST
ENCRYPT IN USE (?)
We don't leverage SaaS apps only for STORAGE: the application has to be able to act on the data.
Crypto is a GREAT TOOL, but great tools can be greatly MISUSED.
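The tension behind "encrypt in use (?)" can be made concrete. The Python below is an added example, not material from the deck: it field-encrypts a customer column before it reaches a SaaS tenant, first with a randomised scheme and then with a deterministic one. The cipher is a toy HMAC-SHA256 counter-mode construction chosen only so the example runs on the standard library; the key and the records are constructed, and nothing here is a production design.

```python
"""Randomised vs. deterministic field encryption in front of a SaaS app.

Added example, not from the slide deck. Toy HMAC-SHA256 keystream cipher
(standard library only); the key and records are constructed values.
"""
import hashlib
import hmac
import os
from collections import Counter

KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, ks):
    return bytes(d ^ k for d, k in zip(data, ks))


def encrypt_randomised(key, plaintext):
    """Fresh random nonce: equal plaintexts give unrelated ciphertexts."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def encrypt_deterministic(key, plaintext):
    """SIV-style nonce derived from the plaintext: equal inputs give equal outputs."""
    nonce = hmac.new(key, b"nonce|" + plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key, ciphertext):
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


# Constructed column as the SaaS tenant would store it: three records share a value.
RECORDS = [b"Acme Corp", b"Acme Corp", b"Globex", b"Acme Corp", b"Initech"]


def saas_equality_search(stored, probe):
    """All the SaaS side can do without the key: compare opaque bytes."""
    return [i for i, c in enumerate(stored) if c == probe]


def frequency_profile(stored):
    """What anyone reading the tenant's database learns from the ciphertexts alone."""
    return sorted(Counter(stored).values(), reverse=True)


def demo(mode):
    enc = encrypt_randomised if mode == "randomised" else encrypt_deterministic
    stored = [enc(KEY, r) for r in RECORDS]
    probe = enc(KEY, b"Acme Corp")          # the user's search term, encrypted client-side
    return {
        "matches": saas_equality_search(stored, probe),
        "frequencies": frequency_profile(stored),
        "roundtrip": all(decrypt(KEY, c) == r for c, r in zip(stored, RECORDS)),
    }


if __name__ == "__main__":
    for mode in ("randomised", "deterministic"):
        print(mode, demo(mode))
```

With randomised encryption the application cannot find the user's own "Acme Corp" rows, so search, filter, sort and reporting inside the SaaS app stop working: the data is stored but not usable. Switching to deterministic encryption restores equality search, but now the tenant's database shows which rows share a value and how many there are (a 3-1-1 profile here), which is exactly the kind of leak the slide's "great tools can be greatly misused" warns about. The choice is a trade-off to be made per field, not a box to tick.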
![Page 17: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/17.jpg)
SINGLE SIGN-ON: PANACEA?
Threats: PHISHING, MALWARE, DATA BREACH, MALICIOUS INSIDER, WELL-MEANING INSIDER
What SSO gives you: EASE OF MANAGEMENT, CONTROL THE FRONT DOOR
![Page 18: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/18.jpg)
Cloud Services Security Problem
Visibility, Security, Compliance, Risk, Governance
![Page 19: Reasoning About Enterprise Application Security in a Cloudy World](https://reader034.vdocument.in/reader034/viewer/2022051817/547b5b5ab379596f2b8b4cd5/html5/thumbnails/19.jpg)
Thank you
TAKEAWAYS
SaaS Security and GRC Problem Multifaceted
Consider full threat lifecycle: Before, During, After
Visibility and Action are Key Pillars
@zulfikar_ramzan @ElasticaInc