Securing Cloud-Based

Transcription

1 White Paper Securing Cloud-Based A Guide for Government Agencies

2 White Paper Contents Executive Summary 3 Introduction 3 The Risks Posed to Agencies Running in the Cloud 4 How FireEye Secures Cloud-Based Against APTs 5 FireEye Deployment Overview 6 Conclusion 7 FireEye, Inc. Securing Cloud-Based 2

3 Executive Summary Today, -based threats represent significant and persistent risks for government agencies, and those dangers are only exacerbated by the move to cloud delivery models. This paper shows how government agencies can capitalize on the benefits of the cloud, while addressing their critical security gaps. The paper reveals how by inspecting and detecting -based attacks both those that leverage malicious URLs and attachments FireEye enables government agencies to mitigate the risks posed by cloud-based services. Introduction In just a few years, the advancement of cloud computing models has fundamentally changed the technology landscape, and ushered in significant opportunities for government agencies. As Richard A. Spires, CIO, Department of Homeland Security, stated, Cloud computing and the continual evolution of mobile devices, collaboration tools, computing power advances, and social media expansion are revolutionizing Information Technology (IT). These advances are changing the way business is conducted inside and outside the U.S. federal government. Not only is this an exciting and novel transformation, it also brings a true opportunity to deliver real innovation with less. 1 Today, CIOs at government agencies worldwide have an array of options to choose from, including private, community, and public cloud offerings. When it comes to the services being migrated to the cloud, government agencies can also leverage a broad array of options; however, one of the most prominent examples is . In fact, CIOs from 15 agencies committed to moving to cloud-based solutions before the end of Following are just a few of the reasons government agencies are being compelled to migrate to the cloud: Cost savings. By some estimates, cloud-based can be three times cheaper than internally-hosted . Operational benefits. By enabling internal IT teams to offload the deployment and ongoing maintenance of internal infrastructures, cloud-delivery models provide government agencies with a range of operational benefits, including saving staff time, improving team efficiency, and more. Mandates. In the FY 2011 U.S. federal government budget, the Obama administration instituted budget freezes for many departments, and in some cases reductions of 5% in budgets 3, pointing to the adoption of cloud computing as a major part of the strategy to achieve efficient and effective IT. 4 However, in addition to a number of prospective benefits, the move to cloud-based also presents some significant risks, as outlined below. 1 CIO.gov, Creating a Future-Ready, Digital Government Today, Richard Spires, June 20, Forbes, Implementation of Cloud Computing Solutions in Federal Agencies: Part 2 - Challenges of Cloud Computing, Kevin L. Jackson, August 28, 2011, 3 Forbes, Implementation of Cloud Computing Solutions in Federal Agencies: Part 2 - Challenges of Cloud Computing, Kevin L. Jackson, August 28, 2011, 4 Google Public Policy Blog, Cloud computing in the President s 2011 budget, February 1, 2010, Harry Wingo, blogspot.com/2010/02/cloud-computing-in-presidents-2011.html FireEye, Inc. Securing Cloud-Based 3

4 The Risks Posed to Agencies Running in the Cloud When assessing the risks of cloud-based , it is important to start with the threat landscape government agencies are operating in today. Government agencies are frequently the victims of advanced persistent threats (APTs), often comprised of multi-stage, coordinated attacks. In spite of massive investments in security infrastructure, over 95% of organizations have at least 10 malicious infections bypass traditional security mechanisms and enter their network on a weekly basis. Further, 80% experience more than 100 new infections each week. 5 is a favored channel for the criminals waging these attacks. The majority of APT attacks targeting government agencies originate with targeted spear phishing s. There s a simple reason why criminals are using this tactic: it works. Why are these -based attacks so effective? In large part, it s because the defenses government agencies have in place today cannot stop them. The reality is that no traditional signature-based technology directly addresses techniques like spear phishing. The spam filters used in most organizations are ill-equipped to detect the personal, low-volume s sent by spear phishers. These spam filters are too general in nature, typically looking for the hallmarks of traditional spam, i.e., large volume, mass mailings from a single, disreputable server. In addition, Web filtering tools are too indirect in nature, and miss malicious attachments that a spear phisher may send. Further, while firewalls, next-generation firewalls, Intrusion Prevention Systems (IPS), Anti-Virus (AV), and gateways remain important security defenses, they continue to be ineffective at stopping targeted attacks. These technologies rely on approaches like URL blacklists and signatures. By definition, these approaches don t work against dynamic attacks that exploit zero-day vulnerabilities. If an IPS or AV program doesn t recognize the signature of a new exploit, it won t stop it. When highly dynamic malicious URLs are employed, URL blacklists don t cut it. Quite simply, traditional defenses stop known attacks, but are rendered defenseless against unknown advanced targeted attacks. These challenges are plenty daunting in their own right, but when you introduce cloud-based delivery models, security teams in government agencies are truly in a bind. Beyond the challenges outlined above, cloud-based , whether public or private, adds the following complexities to the mix: When government agencies leverage multi-tenant cloud environments, there s a very real threat that if another tenant s defenses are compromised by malware, their defenses may also be at risk. Given the shared security models of many cloud-based deployments, security teams have to navigate a host of questions concerning the cloud provider s controls, and how they are verified and audited. 5 FireEye, FireEye Advanced Threat Report 2H 2011, FireEye, Inc. Securing Cloud-Based 4

5 When attacks are discovered, security teams have to manage the hand-off of threat intelligence in order to mitigate risks most quickly and effectively. Sensitive information related to spear phishing attacks on government executives is now being made available online. Because government agencies aren t continuously monitoring for these types of attacks, they lack visibility into when attacks happen and who is being targeted. Consequently, government agencies aren t in compliance with U.S. federal government policies and guidance. To comply with internal security policies and security mandates, for example, the continuous monitoring requirements of the Federal Risk Authorization and Management Program (FedRAMP), U.S. federal government agencies will need to address the risks present when utilizing cloud-based . How FireEye Secures Cloud-Based Against APTs FireEye delivers solutions that have been proven to protect government agencies using cloud-based services. Consequently, FireEye enables government agencies to move forward with their cloudbased initiatives, while effectively safeguarding their networks and assets. The FireEye Malware Protection System (MPS) fills the security gap that exists in government agencies networks today. The FireEye MPS solution features appliances that sit behind traditional gateways and concentrate on the hardest security problems: advanced malware, zero-day exploits, and targeted APT attacks. With the FireEye Malware Protection System ( MPS), government agencies can leverage the following capabilities: Real-time analysis. The FireEye MPS inspects both URLs in s and attachments in real time. Consequently, the solution can guard against attacks that use both and Web, such as a spear phishing that attempts to lure users into clicking on a malicious URL. Real-time blocking. Once malware is detected, the FireEye MPS quarantines malicious s and attachments, ensuring they don t contaminate other systems in the network. Dynamic analysis. Rather than relying on signatures, the FireEye MPS takes the signature-less, dynamic analysis approach that is required to guard against attacks that exploit zero-day vulnerabilities. FireEye, Inc. Securing Cloud-Based 5

6 FireEye Deployment Overview When deploying the FireEye MPS solution, government agencies have a couple of options. First, they can deploy the solution on premise. In this scenario, organizations deploy the FireEye MPS within their data center, employing the solution to inspect traffic between cloud-hosted control points, such as anti-spam gateways, and the cloud-hosted service. The benefit of this approach is that organizations keep threat information on premise, where it can be readily accessible for analysis and remediation. Second, government agencies can deploy the FireEye MPS within the service provider s cloud infrastructure. In some cases, those agencies may still retain responsibility for managing the FireEye MPS solution. In other cases, that responsibility may be assigned to the service provider s security team. Internet Cloud Service ( ) Anti-Spam Gateway Mail Servers Egress Router Firewall CMS Web MPS (Check URLs for malicious content) Core Switch MPS (Scans attachments for APTs) Users SIEM Zero-day malware found in attachments or URLs gets reported to agency Security Information and Event Management (SIEM) device FireEye, Inc. Securing Cloud-Based 6

7 Conclusion Before migrating to cloud-based services, government agencies must be able to thwart the targeted attacks being waged. With its dynamic, real-time, and intelligent solutions, FireEye can help government agencies guard against targeted attacks that seek to exploit zero-day vulnerabilities. With FireEye, agencies can fully leverage the cost and operational benefits of cloudbased services and address their most pressing security challenges. About FireEye FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics. The FireEye solutions supplement traditional and next-generation firewalls, IPS, anti-virus, and gateways, which cannot stop advanced threats, leaving security holes in networks. FireEye offers the industry s only solution that detects and blocks attacks across both Web and threat vectors as well as latent malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, and Juniper Networks FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.CE.GOVT.US-EN FireEye, Inc. Securing Cloud-Based 7 FireEye, Inc McCarthy Blvd. Milpitas, CA FIREEYE ( ) info@fireeye.com