Applying a Holistic Defense-in- Depth Approach to The Cloud (with a dash of application security thrown in)

Transcription

1 Applying a Holistic Defense-in- Depth Approach to The Cloud (with a dash of application security thrown in) NiKSUN World Wide Security & Mobility Conference 25-July-2011 Barry Lyons IV, CISSP Senior Cyber Architect, Northrop Grumman

2 At the end of this presentation, you will: Have a security framework to BETTER SECURE THE CLOUD Know how to make your APPLICATIONS MORE SECURE But First 2

3 Barry Lyons IV Founder of FADD! Had to implement proactive security measures 3

4 4 An Excellent Solution

5 5 What is the Cloud?

6 Attributes of Cloud Computing 6 Courtesy of Microsoft Corporation

7 NIST Working Definition of Cloud Computing Essential Characteristics Service Models Deployment Models 7

8 Software as a Service (SaaS) Service Models Consumer does not manage or control The underlying infrastructure The applications 8

9 Platform as a Service (PaaS) Service Models Consumer does not manage or control: The underlying infrastructure But does have control over applications 9

10 Infrastructure as a Service (IaaS) Service Models Consumer does not manage or control: The underlying infrastructure But can deploy S/W (O/S & applications) 10

11 You manage You manage You manage Stated Another Way (On- Premises) Infrastructure (as a Service) Platform (as a Service) Software (as a Service) Applications Applications Applications Applications Data Data Data Data Runtime Middleware O/S Virtualization Servers Storage Networking Runtime Middleware O/S Virtualization Servers Storage Networking Managed by vendor Runtime Middleware O/S Virtualization Servers Storage Networking Managed by vendor Runtime Middleware O/S Virtualization Servers Storage Networking Managed by vendor 11 Courtesy of Microsoft Corporation

12 Public Cloud Deployment Models Available to the general public Owned by an organization selling cloud services 12

13 Private Cloud Deployment Models Operated solely for a single organization May be managed by a third party 13

14 Hybrid Cloud Deployment Models Two or more clouds Enables Cloud Bursting 14

15 Community Cloud Deployment Models Shared by several organizations Support a specific community with shared concerns 15

16 16 We have one more important concept to define

17 Defense-in-Depth 17 Photo courtesy of U.S. Navy.

18 Defense-in-Depth! 18 Photo courtesy of U.S. Navy.

19 People Process Technology Three Elements of Defense-in-Depth Photo courtesy of U.S. Navy. People Process Technology 19 People Process Technology

20 20 Challenges With Cloud Security

21 21 A Private Cloud On Its Own Can Be Made Very Secure

22 22 But When You Move to a Hybrid

23 The Door is Opened for Trouble to Enter If the Public Cloud has embedded vulnerabilities, or worse, embedded malware, it can populate the Private Cloud! 23

24 Another Challenge: The Hypervisor! Also called the virtual machine manager (VMM) Controls the host processor and resources Allocates what is needed to each operating system The Hypervisor CONTROLS the VM machines!» So you have to be cognizant of 24

25 Virtualization Hypervisor Attacks! Some Examples: Vm Escapes (DomU Dom0) Hypervisor hijacking (Dom0 Xen) Hypervisor rootkits (not just BluePill) And they can be initiated by 25

26 26 The Insider Threat!

27 Has anyone developed a Cloud Security Reference Model? 27

28 Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Cloud Security Alliance Reference Model Presentation Modality Presentation Platform APIs Applications Data Metadata Content Integration & Middleware APIs Core Connectivity & Delivery Abstraction Hardware Facilities Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1

29 Security Responsibility Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1

30 Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) How does security apply? Cloud Model Presentation Modality Presentation Platform APIs Applications Security Control Model Applications SDLC, Binary Analysis, Scanners, WebApp s, Transactional Sec. Compliance Model 30 Data Metadata Content Integration & Middleware APIs Core Connectivity & Delivery Abstraction Hardware Facilities 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1 Information Management Network Trusted Computing Compute & Storage, CMF, Database Activity Monitoring, Encryption GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring NIDS/NIPS, s, DPI, Anti-DDoS, QoS, DNSSEC, OAuth Hardware & Software RoT & API s Host-based s, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking PCI s Code Review WAF Encryption Unique User Ids Anti-Virus Monitoring/IDS/IPS HIPAA GLBA Physical Physical Paint Security, CCTV, Guards SOX Patch/Vulnerability Management Physical Access Control Two-Factor Authentication

31 31 The CSA Reference model is a great starting point, now let s make it even better!

32 Introducing a cyber reference model for defense and capability The Northrop Grumman Cyber Architecture Reference Series 32

33 The Fan - Layered Cybersecurity Defensive Reference Model OUTSIDE THREAT PROTECTION Secure DMZs Message Security (anti-virus, anti-malware) Honeypot IT Security Governance Security Policies & Compliance Security Architecture & Design Continuous C&A Perimeter Perimeter IDS/IPS Enclave/ DataCenter Cyber Threat Intelligence Northrop Grumman Corporation Enterprise IDS/IPS Threat Modeling Risk Management VoIP Protection Desktop Security Awareness Training Inline Patching Host IDS/IPS Penetration Testing Web Proxy Content Filtering Content Security (anti-virus, anti-malware) Static App Testing/Code Review Dynamic App Testing PKI DAR/DIM/DIU Protection Data Wiping Cleansing Vulnerability Assessment NAC Endpoint Security Enforcement WAF Identity & Access Management Enterprise Right Management Mission Critical Assets Inside Threats FDCC Compliance Database Monitoring /Scanning Data Classification Data Integrity Monitoring Data/Drive Encryption Escalation Management Enterprise Message Security Focused Ops Enterprise Wireless Security Patch Management Database Secure Gateway (Shield) Enterprise Remote Access Continuous Monitoring and Assessment Situational Awareness DHS Einstein SOC/NOC Monitoring (24x7) Incident Reporting, Detection, Response (CIRT) Security Dashboard SIEM Digital Forensics Security SLA/SLO Reporting

34 How Does the Fan Provide Reference? PERSISTENT ATTACKER PROTECTION Secure DMZs Message Security (anti-virus, anti-malware) Honeypot Perimeter IT Security Governance Security Policies & Compliance Security Architecture & Design Continuous C&A Perimeter IDS/IPS Enclave/ DataCenter Cyber Threat Intelligence Enterprise IDS/IPS VoIP Protection Desktop Threat Modeling Risk Management Security Awareness Training Inline Patching Host IDS/IPS Web Proxy Content Filtering Content Security (anti-virus, anti-malware) Static App Testing/Code Review Penetration Testing Dynamic App Testing PKI DAR/DIM/DIU Protection Data Wiping Cleansing Vulnerability Assessment NAC Endpoint Security Enforcement WAF Identity & Access Management Enterprise Right Management Mission Critical Assets Enterprise Message Security FDCC Compliance Database Monitoring /Scanning Data Classification Data Integrity Monitoring Data/Drive Encryption Escalation Management Enterprise Wireless Security Patch Management Database Secure Gateway (Shield) Focused Ops Enterprise Remote Access Continuous Monitoring and Assessment Situational Awareness DHS Einstein SOC/NOC Monitoring (24x7) Incident Reporting, Detection, Response (CIRT) Security Dashboard SIEM Digital Forensics Security SLA/SLO Reporting Northrop Grumman Corporation

35 Actual Use Case of The Fan Malicious outside User Compliant outside User ZONE 2 A Layered Defense-In-Depth Security Technology Approach Einstein Box Mail Relay Interscan Mail Sweeper Server shield (virtual patching) AV VA FIM PA WAF Server shield (virtual patching) Web Ftp AV VA PA FIM CR+AS Server shield (virtual patching) Directory App Database AV VA PA FIM CR+AS Internet Router Honeypot Outside UTM Switch ONE (SSL VPN) SDI/SDDI (IPSEC VPN) VA VA IDS/IPS BES Exchange Server shield (virtual patching) App Switch AV VA FIM PA Web Proxy IWSS AV VA FIM PA Inside IDS/IPS ZONE 1 LEGEND: ZONE 1 - Internet PRIVATE WAN Einstein Box Router Mobile User (Endpoint Security Protected) Router UTM VPN firewall Encryptor ` Laptop Desktop Overseas Post VA AV Wireless AP DC/DNS/ Exchange FDCC PA WIDPS AV VA Auth FDCC PA Map/Location Rogue Detection WiFi Entry UTM firewall ONE User SDI/SDDI User (Endpoint Security (Endpoint Security Protected) Protected) IPSEC Router VPN Encryptor IDS/IPS Internal WAN VOIP BlackBerry UTM firewall SDI/SDDI Policy Server Policy DB DC/DNS/ Exchange AV DHCP VA PA FIM Enterprise Users (NAC/NAP) Patch, Anti-virus, Anti-malware distribution UTM firewall UTM firewall ONE Restricted Network Remediation Servers Citrix ` FDCC Compliant Desktop/Laptop NFuse BlackBerry PDA SafeWord Non-compliant Desktop/Laptop AV AV VA VA FDCC PA PA ZONE 3 ZONE 2 - DMZ ZONE 3 Enterprise End User Network ZONE 4 Data Center & Enclave Networks VA AV UTM firewall UTM firewall AV VA FIM CR+AS PA UTM firewall AV VA UTM firewall 35 PA AV VA FIM CR+AS FDCC Patching Anti-virus/spyware Vulnerability & Compliance Scan File Integrity Monitoring Code Review & Application Scan FDCC scan & enforcement Data Loss Prevention on Desktop/Laptop FIM PA Vuln/FDCC/ Web/DB Scanners, VPN, IDS/IPS Mgmt Servers Threat Analysis Security Policy NAC/NAP (DC,, AV (NPS, HRA, HRS) Malware, Spam) Security Mgmt Network SIEM Servers Virtual Shield Virtual patching for VMs Server shield (virtual patching) SAN NAS Data Center Domain Exchange Servers database File Servers Web/Ftp Mainframe Apps CA Keys PKI Network X.500/LDAP Mgmt Consloe FIM PA ` FDCC Compliant Desktop/Laptop Enclave Network Apps AV VA FIM FDCC PA ZONE 4

36 So how can we combine these reference models (cyber and cloud) to improve a SECURITY architecture? 36

37 Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Start with the Cloud Security Alliance Reference Model Presentation Modality Presentation Platform APIs Applications Data Metadata Content Integration & Middleware APIs Core Connectivity & Delivery Abstraction Hardware Facilities Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1

38 Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Blending The Security and Service Reference Models To Get Layered Security In The Cloud Presentation Modality Presentation Platform Secure DMZs APIs OUTSIDE THREAT PROTECTION Applications Message Security (anti-virus, anti-malware) Data Metadata Content Honeypot 38 Perimeter IT Security Governance Security Policies & Compliance Security Architecture & Design Continuous C&A Perimeter IDS/IPS Enclave/ DataCenter Cyber Threat Intelligence Enterprise IDS/IPS Desktop Threat Modeling Risk Management Security Awareness Training Copyright 2009 Cloud Security Alliance VoIP Protection Inline Patching Host IDS/IPS Content Security (anti-virus, anti-malware) Static App Testing/Code Review Penetration Testing Web Proxy Content Filtering Integration & Middleware Vulnerability Assessment NAC Endpoint Security Enforcement APIs Core Connectivity WAF Dynamic App Testing & Delivery PKI Abstraction Identity & Access DAR/DIM/DIU Management Protection Hardware Right Data Wiping Cleansing Enterprise Management Facilities Mission Critical Assets Enterprise Message Security FDCC Compliance Database Monitoring /Scanning Data Classification Data Integrity Monitoring Data/Drive Encryption Escalation Management Enterprise Wireless Security Enterprise Remote Access Patch Management Database Secure Gateway (Shield) Focused Ops Continuous Monitoring and Assessment Situational Awareness DHS Einstein SOC/NOC Monitoring (24x7) Incident Reporting, Detection, Response (CIRT) Security Dashboard SIEM Digital Forensics Security SLA/SLO Reporting 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1

39 Result - Fan Applied to The Cloud Layered Cyber Security Defense Framework Automated Compliance Automated Enforcement Policy Enforcement Vulnerability Mgmt Patch Update CM OUTSIDE THREAT Server Virtualization ENGINEERING & INFRASTRUCTURE Virtual Infrastructure Layered Cyber Security Defense Framework Virtual Desktop (VDI) Virtual Applications Secure DMZs Message Security (anti-virus, anti-malware) Honeypot Mobile NAC Enforce AV FDCC Enforce Continuous C&A Perimeter IT Security Governance Security Architecture & Design Security Policies & Compliance Perimeter IDS/IPS Enclave/ DataCenter Threat Modeling VoIP Protection Enterprise IDS/IPS Desktop Cyber Threat Intelligence Inline Patching Host IDS/IPS Security Technology Evaluation Risk Management Security Awareness Training Web Proxy Content Filtering Content Security (anti-virus, anti-malware) Dynamic App Testing Static App Testing/Code Review DAR/DIM/DIU Protection PKI Penetration Testing Data Wiping Cleansing Vulnerability Assessment NAC Endpoint Security Enforcement WAF Identity & Access Management Enterprise Right Management Mission Critical Assets Enterprise Message Security Enterprise Wireless Security FDCC Compliance Enterprise Patch Remote Access Database Monitoring /Scanning Data/Drive Encryption Management Database Data Secure Gateway Classification (Shield) Data Integrity Monitoring SOC/NOC Monitoring (24x7) Security Dashboard DHS Einstein Incident Reporting, Detection, Response (CIRT) Escalation Continuous Management Monitoring and Assessment Situational Focused Ops Awareness SIEM Digital Forensics Security SLA/SLO Reporting Managed Security Services Virt Security SaaS Storage Services 39 Acronyms & Abbreviations: 2010 Northrop Grumman Corporation DAR: Data At Rest DIM: Data In Motion DIU: Data In Use : Data Loss Prevention FDCC: Federal Desktop Core Configuration IDP: Intrusion Detection and Prevention NAC: Network Access Control PKI: Public Key Infrastructure SIEM: Security Information Event Management

40 BENEFIT A reference architecture that provides the framework to develop: Better Cloud Security Layered Cyber Security Defense Framework CM Automated Compliance Automated Enforcement Policy Enforcement Vulnerability Mgmt Patch Update Secure DMZs OUTSIDE THREAT ENGINEERING & INFRASTRUCTURE Message Security (anti-virus, anti-malware) Server Virtualization Virtual Infrastructure Honeypot Layered Cyber Security Defense Framework Virtual Desktop (VDI) Virtual Applications Enforce AV Mobile NAC FDCC Enforce Perimeter Perimeter IDS/IPS Enclave/ DataCenter Enterprise IDS/IPS Web Proxy Content Filtering Inline Patching VoIP Protection Host IDS/IPS Content Security (anti-virus, anti-malware) NAC Endpoint Security Enforcement Enterprise Message Security Enterprise Wireless Security FDCC Compliance Enterprise Patch Remote Access DHS Einstein WAF Database Management Dynamic App Testing IT Security Desktop Monitoring /Scanning Governance Static App Database Incident Reporting, Testing/Code Data Secure Gateway Security Identity & Access Detection, Response Review (Shield) Architecture Threat DAR/DIM/DIU Classification Management (CIRT) & Design Modeling Protection Data Integrity Escalation Cyber Threat Intelligence PKI Enterprise Right Monitoring Continuous Management Data Wiping Security Policies Management Monitoring Data/Drive Security Cleansing SOC/NOC Monitoring (24x7) and Assessment & Compliance Technology Evaluation Penetration Encryption Situational Testing Mission Security Dashboard Focused Ops Awareness Continuous Risk Security Awareness Vulnerability C&A Management Training Assessment Critical Assets SIEM Digital Forensics Security SLA/SLO Reporting Managed Security Services Virt Security SaaS Storage Services 40 BUT WAIT! There s more

41 What About Application Security? Layered Cyber Security Defense Framework Automated Compliance Automated Enforcement Policy Enforcement Vulnerability Mgmt Patch Update CM OUTSIDE THREAT Server Virtualization ENGINEERING & INFRASTRUCTURE Virtual Infrastructure Layered Cyber Security Defense Framework Virtual Desktop (VDI) Virtual Applications Secure DMZs Message Security (anti-virus, anti-malware) Honeypot Mobile NAC Enforce AV FDCC Enforce Continuous C&A Perimeter IT Security Governance Security Architecture & Design Security Policies & Compliance Perimeter IDS/IPS Enclave/ DataCenter Threat Modeling VoIP Protection Enterprise IDS/IPS Desktop Cyber Threat Intelligence Inline Patching Host IDS/IPS Security Technology Evaluation Risk Management Security Awareness Training Web Proxy Content Filtering Content Security (anti-virus, anti-malware) Dynamic App Testing Static App Testing/Code Review DAR/DIM/DIU Protection PKI Penetration Testing Data Wiping Cleansing Vulnerability Assessment NAC Endpoint Security Enforcement WAF Identity & Access Management Enterprise Right Management Mission Critical Assets Enterprise Message Security Enterprise Wireless Security FDCC Compliance Enterprise Patch Remote Access Database Monitoring /Scanning Data/Drive Encryption Management Database Data Secure Gateway Classification (Shield) Data Integrity Monitoring SOC/NOC Monitoring (24x7) Security Dashboard DHS Einstein Incident Reporting, Detection, Response (CIRT) Escalation Continuous Management Monitoring and Assessment Situational Focused Ops Awareness SIEM Digital Forensics Security SLA/SLO Reporting Managed Security Services Virt Security SaaS Storage Services 41 Acronyms & Abbreviations: 2010 Northrop Grumman Corporation DAR: Data At Rest DIM: Data In Motion DIU: Data In Use : Data Loss Prevention FDCC: Federal Desktop Core Configuration IDP: Intrusion Detection and Prevention NAC: Network Access Control PKI: Public Key Infrastructure SIEM: Security Information Event Management

42 Organizations that think they have secure code, BUT The Open Web Application Security Project (OWASP) OWASP Top 10 Application Vulnerabilities Injection Cross-Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery (CSRF) Security Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards 42

43 43 What is the solution?

44 We need to address two scenarios: Applications on the drawing board Applications that are already deployed 44

45 Software Not Yet Developed Define the SECURITY REQUIREMENTS! 45

46 Software development 101 Software Engineering Activities Security Engineering Activities 1. Determine Needs 1. Determine Information Protection Needs 2. Define Requirements 2. Define Security Requirements 3. Design Architecture 3. Embed Security Elements Within Architecture 4. Develop Detailed Design 4. Embed Security Elements Within Design 5. Develop Software 5. Test s/w as it is being developed to confirm security is built into the code 6. Assess Effectiveness 6. Assess Information Protection Effectiveness 46

47 Security Engineering Must Be Included Software Engineering Activities Security Engineering Activities 1. Determine Needs 1. Determine Information Protection Needs 2. Define Requirements 2. Define Security Requirements 3. Design Architecture 3. Embed Security Elements Within Architecture 4. Develop Detailed Design 4. Embed Security Elements Within Design 5. Develop Software 5. Test s/w as it is being developed to confirm security is built into the code 6. Assess Effectiveness 6. Assess Information Protection Effectiveness 47

48 Test s/w as it is being developed Run application vulnerability scans* against executable code: (example products) AppScan (IBM) Cenzic Webinspect (HP) Beyond security Then do yourself one more favor *You can also perform Source Code scanning; those use different tools 48

49 3 rd Party Pen Test Have a 3 rd party penetration test organization (example: White Hat) come in and truly confirm the code is clean!

50 50 Pen Test Flow Chart

51 But what about my existing applications? 51

52 Deploy an Application Enclave Defense-in-Depth Approach Three building blocks: Application vulnerability scanner File integrity monitor Web application firewall 52

53 Traditional Defense-in-Depth (DnD) Web Enabled Applications Enclave Traditional Network Defense-in-Depth Traditional HIDS Intelligent Configurable Pen Tool Network Remote User Traditional HIDS IDS ` IDS Content Monitor Local Users Honeypot NAC Behavioral Anomaly Monitoring 53

54 Traditional Defense-in-Depth (DnD) Web Enabled Applications Enclave Traditional Network Defense-in-Depth Traditional HIDS Cross Site Scripting / Command Insertion Intelligent Configurable Pen Tool Network Remote User Traditional HIDS IDS ` IDS Content Monitor Local Users Honeypot NAC Behavioral Anomaly Monitoring 54

55 Web Enabled Application DnD: Block One Application Defense-in-Depth Traditional Network Defense-in-Depth Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 55

56 Web Enabled Application DnD: Block One Application Defense-in-Depth Traditional Network Defense-in-Depth Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 56

57 Web Enabled Application DnD: Block One Application Defense-in-Depth Traditional Network Defense-in-Depth Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 57

58 Web Enabled Application DnD: Block One Application Defense-in-Depth Traditional Network Defense-in-Depth Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 58

59 Web Enabled Application DnD: Block Two Application Defense-in-Depth Traditional Network Defense-in-Depth Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User Web Application (WAF) ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 59

60 Web Enabled Application DnD: Block Three Application Defense-in-Depth Traditional Network Defense-in-Depth Real Time File Integrity Monitor Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User Real Time File Integrity Monitor Web Application (WAF) ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 60

61 Scan, Fix, Then Run Multiple Pen Tests! From outside the network Application Defense-in-Depth Traditional Network Defense-in-Depth Real Time File Integrity Monitor Application Vulnerability Scanner Intelligent Configurable Pen Tool Network Remote User Real Time File Integrity Monitor Web Application (WAF) ` IDS/IPS Content Monitor Local Users Honeypot NAC Event Correlation Tool 61 From inside the network

62 Product Examples WAFs F5 TrafficShield Breach WebDefend Barracuda / NetContinuum Citrix Application Imperva SecureSphere Web Application AppliCure dotdefender File Integrity Monitors TripWire ISS HIDS Sanctuary Veracity Application Vulnerability Scanners: IBM s AppScan (Formerly WatchFire) HP s WebInspect (Formerly SPI Dynamics) Cenzic N-Stealth Nikto (Open Source) Acunetix Web Vulnerability Scanner More at: 62 More at:

63 What did we learn today Simple steps to build security into the S/W development process We can protect existing applications We can have a cloud security framework Resulting in 63

64 How to achieve Better Cloud Security Stronger Application Security 64

65