Reasoning About Enterprise Application Security in a Cloudy World
DESCRIPTION
by Elastica CTO Zulfikar Ramzan
TRANSCRIPT
Reasoning About Enterprise Application Security in a Cloudy World
@Zulfikar_Ramzan / CTO / www.elastica.net
THREAT LIFECYCLE
Rethinking Security: Being Threat Centric
BEFORE: Controls (Firewalls, NGFW)
DURING: Identification (IDS/IPS, AV, AMP)
AFTER: Response (Forensics, IR Tools)
Key Cybersecurity Hurdles
Proliferation of New Technologies
Evolution of the Threat Landscape
Increase of Complexity
GRC: What Matters?
Compliance: highly complex, one-size-fits-all, and constantly changing.
What you ultimately care about is visibility: you have to understand the risks you are trying to mitigate before you can choose controls for them.
Traditional Security Operation Center (SOC)
Outside the Visibility of the Existing SOC
Unmonitored activities
Outside SOC reach
Key Enterprise SaaS Security Challenges
Make it work vs. approval (users adopt SaaS apps before security signs off)
No visibility into which app is in use or which action is taken in it
No events for the SIEM to consume
Application Security Over Time
OWASP Top 10 – 2010 (old)                              OWASP Top 10 – 2013 (new)
2010-A1  Injection                                     2013-A1  Injection
2010-A2  Cross Site Scripting (XSS)                    2013-A2  Broken Authentication and Session Management
2010-A3  Broken Authentication and Session Management  2013-A3  Cross Site Scripting (XSS)
2010-A4  Insecure Direct Object References             2013-A4  Insecure Direct Object References
2010-A5  Cross Site Request Forgery (CSRF)             2013-A5  Security Misconfiguration
2010-A6  Security Misconfiguration                     2013-A6  Sensitive Data Exposure
2010-A7  Insecure Cryptographic Storage                2013-A7  Missing Function Level Access Control
2010-A8  Failure to Restrict URL Access                2013-A8  Cross-Site Request Forgery (CSRF)
2010-A9  Insufficient Transport Layer Protection       2013-A9  Using Known Vulnerable Components (NEW)
2010-A10 Unvalidated Redirects and Forwards (NEW)      2013-A10 Unvalidated Redirects and Forwards
3 Primary Changes:
Merged: 2010-A7 (Insecure Cryptographic Storage) and 2010-A9 (Insufficient Transport Layer Protection) -> 2013-A6 (Sensitive Data Exposure)
Added: 2013-A9 Using Known Vulnerable Components
Broadened: 2010-A8 (Failure to Restrict URL Access) -> 2013-A7 (Missing Function Level Access Control)
Where Controls are Lost
Layer        On Prem   IaaS   PaaS   SaaS
App/Data
Middleware
OS
Virtual
Physical
Reading left to right, each step from on-premises toward SaaS hands another layer of this stack from the enterprise to the provider; with SaaS the whole stack, App/Data included, is operated by the provider, so the controls you had at those layers are gone and must be compensated for elsewhere.
Gartner Public Cloud Management Lifecycle
1. Establish Security Baseline
2. Choose and Apply Compensating Controls
3. Incident Detection
4. Incident Response Management
Establish a Security Baseline
Baseline: you need to understand where you are right now.
Basic discovery: table stakes (any firewall / NGFW can enumerate which SaaS apps are in use).
Interesting challenge: audit (which of those apps is enterprise-ready for you specifically?).
Audit dimensions: Administrative, Informational, Business, Access, Data, Service, Compliance
Choose and Apply Compensating Controls
Two pillars: Visibility and Action
Visibility: which User, on which Service, touched which Object, with which Action
Action: controls applied over that same User / Service / Object / Action model
Incident Detection
Policies and controls identify specific, tangible behaviors. But what about sophisticated threats that fall outside their scope?
Detection tiers, from most specific to most general:
Signatures
Heuristics
Behavior-Based Analysis
Anomaly Detection
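To make the detection tiers concrete, here is an added example that is not from the talk or from Elastica. It builds constructed SaaS audit events in the deck's own User / Service / Object / Action shape (all names, IPs and counts are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, and the "known bad" list is hypothetical) and runs three detectors over them: an exact-match signature, a fixed-threshold rule standing in for the heuristic and behavior-based tiers, and a per-user anomaly check against that user's own history. The point the slide makes shows up in the output: the slow, spread-out exfiltration by one user never trips a threshold rule and is only caught by comparing against baseline.

```python
"""Added example, not from the talk: signature, heuristic and anomaly tiers
run over constructed SaaS audit events in the user/service/object/action shape."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    ts: int          # minutes since midnight (constructed)
    user: str
    service: str
    obj: str
    action: str
    src_ip: str


def _downloads(user, start, n, span, ip):
    """n 'download' events for user spread evenly over span minutes (constructed)."""
    return [Event(start + i * span // n, user, "box", f"doc-{i}", "download", ip)
            for i in range(n)]


# Constructed sample day; every name, address and count is made up for illustration.
EVENTS = (
    [Event(540, "carol", "salesforce", "-", "login", "203.0.113.7")]
    + _downloads("alice", 600, 4, 120, "198.51.100.10")   # normal day
    + _downloads("bob", 780, 40, 10, "198.51.100.11")     # bulk pull in 10 minutes
    + _downloads("dave", 560, 8, 480, "198.51.100.12")    # slow and spread out
)

# Constructed per-user history: downloads per day over the previous week.
BASELINE_DOWNLOADS_PER_DAY = {
    "alice": [3, 4, 2, 5, 3, 4, 3],
    "bob": [0, 1, 0, 0, 1, 0, 0],
    "carol": [1, 0, 2, 1, 0, 1, 1],
    "dave": [0, 0, 0, 0, 0, 0, 0],
}

# Signature tier input: a hypothetical threat-intel list.
KNOWN_BAD_IPS = {"203.0.113.7"}


def signature_hits(events):
    """Exact-match indicator: source IP on the known-bad list."""
    return {e.user for e in events if e.src_ip in KNOWN_BAD_IPS}


def heuristic_hits(events, max_downloads=20, window=15):
    """Fixed-threshold rule: more than max_downloads inside any window of minutes."""
    times = defaultdict(list)
    for e in events:
        if e.action == "download":
            times[e.user].append(e.ts)
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            if sum(1 for t in ts[i:] if t <= start + window) > max_downloads:
                flagged.add(user)
                break
    return flagged


def anomaly_hits(events, baseline, z=3.0, min_sigma=1.0):
    """Per-user deviation from that user's own history; no global threshold."""
    today = defaultdict(int)
    for e in events:
        if e.action == "download":
            today[e.user] += 1
    flagged = set()
    for user, history in baseline.items():
        mean = statistics.fmean(history)
        # Floor the spread so a perfectly flat history does not flag a single event.
        sigma = max(statistics.pstdev(history), min_sigma)
        if today[user] > mean + z * sigma:
            flagged.add(user)
    return flagged


def triage(events, baseline=BASELINE_DOWNLOADS_PER_DAY):
    """Which tier(s) raised each user; tiers are independent, so one user may hit several."""
    tiers = {
        "signature": signature_hits(events),
        "heuristic": heuristic_hits(events),
        "anomaly": anomaly_hits(events, baseline),
    }
    out = defaultdict(list)
    for name, users in tiers.items():
        for u in sorted(users):
            out[u].append(name)
    return dict(out)


if __name__ == "__main__":
    for user, tiers in sorted(triage(EVENTS).items()):
        print(f"{user}: {', '.join(tiers)}")
```

Run as a script it prints one line per flagged user. carol is only a signature hit (the login IP), bob is caught both by the window rule and by his baseline, and dave, whose eight downloads never exceed the window threshold, is caught only because his own history is flat. The floor on the standard deviation is the detail worth keeping: without it a user whose history is all zeros would be flagged on a single download.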
Incident Response Management
Attackers are constantly evolving and adapting. Threats will eventually get through. The question is no longer "What if?" but "What now?"
Information asymmetry favors attackers
Pre-think the response; it is hard to do after the fact
Integrate; don't bolt on
The SaaS Security Landscape
Encryption
Single Sign-On
SaaS Application Monitoring and Control
ENCRYPTION: PROBLEM OR PANACEA?
Encrypt in transit
Encrypt at rest
Encrypt in use (?)
We don't leverage SaaS apps only for storage: the app has to search, sort, share and act on the data, and it cannot do that on data it cannot read.
Crypto is a great tool, but great tools can be greatly misused.
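The tension behind "encrypt in use (?)" and "great tools can be greatly misused", as an added example that is not from the talk or from Elastica: the snippet below uses a deliberately simple toy cipher (HMAC-SHA256 in counter mode, chosen only so it runs with the Python standard library; a real deployment would use an AEAD) to encrypt one column of a constructed SaaS record set two ways. Randomized encryption hides everything and the key-less server can no longer match records, so server-side search breaks; deterministic encryption makes equal plaintexts produce equal ciphertexts, which restores equality search and, by the same token, leaks the column's value histogram to anyone who can read it. The department values and the key are constructed for the demonstration.

```python
"""Added example, not from the talk: a toy cipher that makes the
"encrypt in use" trade-off concrete. Randomized encryption hides
everything but leaves the SaaS server unable to match records;
deterministic encryption restores equality search and leaks the
value histogram in exchange."""
from collections import Counter
import hashlib
import hmac
import os

NONCE_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separate the keystream key from the nonce-derivation key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy construction for illustration only;
    real systems should use an AEAD such as AES-GCM-SIV."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(_subkey(key, b"enc"), block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per record: equal plaintexts give unrelated ciphertexts."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Nonce derived from the plaintext (SIV-style): equal plaintexts give equal
    ciphertexts. That equality is what lets the server match and what leaks."""
    nonce = hmac.new(_subkey(key, b"nonce"), plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Works for either mode: the nonce travels with the ciphertext."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def server_equality_search(stored: list, query_token: bytes) -> list:
    """All the key-less SaaS server can do: compare ciphertext bytes."""
    return [i for i, blob in enumerate(stored) if blob == query_token]


def leaked_frequencies(stored: list) -> list:
    """What anyone who can read the stored column learns: how many records share each value."""
    return sorted(Counter(stored).values(), reverse=True)


if __name__ == "__main__":
    key = os.urandom(32)
    departments = [b"sales", b"sales", b"sales", b"legal", b"hr"]   # constructed column
    rnd = [encrypt_randomized(key, d) for d in departments]
    det = [encrypt_deterministic(key, d) for d in departments]
    print("randomized, search 'sales':", server_equality_search(rnd, encrypt_randomized(key, b"sales")))
    print("deterministic, search 'sales':", server_equality_search(det, encrypt_deterministic(key, b"sales")))
    print("histogram leaked by deterministic column:", leaked_frequencies(det))
```

The deterministic search returns the three matching rows and the randomized search returns none, while the histogram of the deterministic column reveals that one value dominates even though no plaintext is readable. That is the "misuse" the slide warns about: the property you add to keep the application working is the same property an attacker exploits, and the decision has to be made per field, not per database.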
SINGLE SIGN-ON: PANACEA?
Threats to consider: Phishing, Malware, Data Breach, Malicious Insider, Well-Meaning Insider
What SSO gives you: Ease of Management, Control of the Front Door
Cloud Services Security Problem
Visibility, Security, Compliance, Risk, Governance
Thank you
TAKEAWAYS
The SaaS security and GRC problem is multifaceted
Consider full threat lifecycle: Before, During, After
Visibility and Action are Key Pillars
@zulfikar_ramzan @ElasticaInc