This is a picture of a kiqen



Similar documents
Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Splunk and Big Data for Insider Threats

LAUREA MAGISTRALE - CURRICULUM IN INTERNATIONAL MANAGEMENT, LEGISLATION AND SOCIETY. 1st TERM (14 SEPT - 27 NOV)

True in Depth Security through Next Generation SIEM. Ray Menard Senior Principal Security Consultant Q1 Labs

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

ISSA Phoenix Chapter Meeting Topic: Security Enablement & Risk Reducing Best Practices for BYOD + SaaS Cloud Apps

How To Protect A Network From Attack From A Hacker (Hbss)

Protec'ng Communica'on Networks, Devices, and their Users: Technology and Psychology

DNS Traffic Monitoring. Dave Piscitello VP Security and ICT Coordina;on, ICANN

NGFW is yesterdays news what is next in scope for the firewall in the threat intelligence age

Concierge SIEM Reporting Overview

There e really is No Place Like Rome to experience great Opera! Tel: to discuss your break to the Eternal City!

Critical Security Controls

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

How To Protect Virtualized Data From Security Threats

How To Perform a SaaS Applica7on Inventory in. 5Simple Steps. A Guide for Informa7on Security Professionals. Share this ebook

Cloud Compu)ng. Yeow Wei CHOONG Anne LAURENT

Main Research Gaps in Cyber Security

NETWORK DEVICE SECURITY AUDITING

/Endpoint Security and More Rondi Jamison

Member Municipality Security Awareness Training. End- User Informa/on Security Awareness Training

PALO ALTO SAFE APPLICATION ENABLEMENT

The Role of Nutanix in the Public /Private / Hybrid Cloud Spectrum

Pervade Software. Use Case PCI Technical Controls. PCI- DSS Requirements

Splunk for Networking and SDN

Cisco & Big Data Security

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

How to Grow and Transform your Security Program into the Cloud

CLOUD GUARD UNIFIED ENTERPRISE

Windows Server 2003 End of Support. What does it mean? What are my options?

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

SANS Top 20 Critical Controls for Effective Cyber Defense

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

Cisco Security Optimization Service

Analyzing HTTP/HTTPS Traffic Logs

Security Event Management. February 7, 2007 (Revision 5)

The Threat of Coexisting With an Unknown Tenant in a Public Cloud

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Ecom Infotech. Page 1 of 6

The Incident Response Playbook for Android and ios

Intrusion Detection Systems

Reneaué Railton Sr. Informa2on Security Analyst, Duke Medicine Cyber Defense & Response

Advanced Threats: The New World Order

DDOS Mi'ga'on in RedIRIS. SIG- ISM. Vienna

Corporate Account Takeover & Information Security Awareness

The Sumo Logic Solution: Security and Compliance

Canaveral Port Authority Master Cruise Ship Schedule -- FY 2015

T2 IaaSand PCI Compliance. Robert Zigweid, IOActive

Computer Security Incident Handling Detec6on and Analysis

First Line of Defense

Top 20 Critical Security Controls

Kaseya Fundamentals Workshop DAY THREE. Developed by Kaseya University. Powered by IT Scholars

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Software Defined Perimeter

Intrusion Detection for Mobile Ad Hoc Networks

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

ITDays Security issues

Course Syllabus Revised: Dec. 20, 2011.

Managing Network-related Risk for SMEs

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

CONNECTRIA MANAGED AMAZON WEB SERVICES (AWS)

Security testing the Internet-of-things

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM

Chapter 3. Database Architectures and the Web Transparencies

Detecting Botnets with NetFlow

Building a cloud- based SIEM with Splunk Cloud and AWS

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Security Information & Event Management (SIEM)

NORTH EAST Regional Road Safety Resource

Secure Cloud-Ready Data Centers Juniper Networks

Adding Value to Automated Web Scans. Burp Suite and Beyond

End-user Security Analytics Strengthens Protection with ArcSight

Data Management in the Cloud: Limitations and Opportunities. Annies Ductan

Design and Evalua.on of a Real- Time URL Spam Filtering Service

Cisco IPS Tuning Overview

2016 Examina on dates

Transcription:

Who am I? 11 years in InfoSec with 5 years of hobby work prior to that Primary interests: penetra;on tes;ng, intrusion detec;on, and log correla;on Currently employed as an InfoSec generalist at a cloud provider Previously worked at several Fortune 100 companies blindedscience@gmail.com

What is this

What is the Cloud? Harnesses the massively scalable Internet infrastructure to provide mul;ple users with on- demand access to data, applica;ons, and services Use of shared or virtualized resources to lower costs, reduce complexity, and increase flexibility For the purpose of this talk, we re talking about IaaS or SaaS

This is a picture of a kiqen

A Weapon of Mass Destruc;on? DefCon 17 Clobbering the Cloud (SensePost) DefCon 18 Cloud Compu;ng: A Weapon of Mass Destruc;on? (Bryan/Anderson) Cloud providers essen;ally aren t doing much internal policing of their clients Unofficial policy: As long as no complaints are received, nothing will be done

Vulnerabili;es of the Cloud Easy Access Anonymity/Fraud Conten;on for resources

Threats to the Cloud Provider Proven inability Infrastructure Damage Fraudulent/ Nonpaying Clients to address security

Threats to the Client One compromised client of a mul;- tenant environment can affect others Users can be unaware that their data is compromised

What are most cloud providers currently doing? Providers are trea;ng cloud security as a tradi;onal hos;ng environment Clients are given a virtual firewall with in- line IPS services Providers frequently offer Vulnerability Assessment for free Each client s virtual instance is independent Clients are fending for themselves with no coordinated enterprise security

Conven;onal Solu;on: IPS Very difficult for providers to offer prepackaged IPS that works for all clients and won t block legi;mate traffic Informa;on coming from an IPS is frequently incomplete (encryp;on, lack of end- point awareness) In- line IPS has to work at line speeds, so very complex correla;ons aren t possible

Conven;onal Solu;on: Tradi;onal Design Focus on external threats Assume internal hosts are trusted Clients can t benefit from security data being generated by other clients

By the way, how s that working? I can t say for certain what the security posture is inside a company I can guess the nature of the security posture based on behaviors of their network and personnel Guesses are based on how frequently a par;cular host contacted my network, and how long it took for it to stop Data is from first six months of 2011

(AWS) There was a single recurring host from AWS. Given their size, that s probably a very good indicator Wed Apr 20 06:54:50 PDT 2011 FW Block: 122.248.246.104 Sweep Wed Apr 20 06:54:54 PDT 2011 Complaint: 122.248.246.104 abuse@amazonaws.com ec2- abuse@amazon.com email- abuse@amazon.com Wed Apr 20 21:34:48 PDT 2011 FW Block: 122.248.246.104 AdminProtocol Wed Apr 20 21:34:49 PDT 2011 Complaint: 122.248.246.104 abuse@amazonaws.com ec2- abuse@amazon.com email- abuse@amazon.com Based on this, Amazon s response ;me to complaints/incidents is at least 14.5 hours

Rackspace/Slicehost There were 10 recurring hosts from Rackspace. The worst: Thu Mar 17 22:18:36 PDT 2011 FW Block: 184.106.187.15 Sweep Thu Mar 17 22:18:37 PDT 2011 Complaint: 184.106.187.15 abuse@cloud- ips.com abuse@rackspace.com abuse@slicehost.com Sat Mar 19 22:45:10 PDT 2011 FW Block: 184.106.187.15 Sweep Sat Mar 19 22:45:11 PDT 2011 Complaint: 184.106.187.15 abuse@cloud- ips.com abuse@rackspace.com abuse@slicehost.com Based on this, complaint/incident response ;me from Rackspace is greater than 48 hours

Soklayer: Your World Wild Web provider! 5 recurring hosts from Soklayer; all spanned mul;ple days Soklayer never responds to complaints or incidents, or at the very least, response is measured in months

The Proof: Soklayer Data Mon Feb 14 02:46:37 PST 2011 FW Block: 174.37.237.66 Sweep Mon Feb 14 02:46:38 PST 2011 Complaint: 174.37.237.66 abuse@soklayer.com Tue Apr 19 04:26:09 PDT 2011 FW Block: 174.37.237.66 Sweep Tue Apr 19 04:26:11 PDT 2011 Complaint: 174.37.237.66 abuse@soklayer.com Fri May 13 10:29:53 PDT 2011 FW Block: 174.37.237.66 Sweep Fri May 13 10:29:53 PDT 2011 Complaint: 174.37.237.66 abuse@soklayer.com Mon Jun 13 09:06:44 PDT 2011 FW Block: 174.37.237.66 Sweep Mon Jun 13 09:06:45 PDT 2011 Complaint: 174.37.237.66 abuse@soklayer.com Not as bad: Thu Mar 10 18:02:58 PST 2011 FW Block: 174.37.255.47 AdminProtocol Thu Mar 10 18:03:20 PDT 2011 Complaint: 174.37.255.47 abuse@soklayer.com Fri Mar 18 23:21:20 PDT 2011 FW Block: 174.37.255.47 Sweep Fri Mar 18 23:21:20 PDT 2011 Complaint: 174.37.255.47 abuse@soklayer.com Sun Mar 20 03:41:04 PDT 2011 FW Block: 174.37.255.47 AdminProtocol Sun Mar 20 03:41:05 PDT 2011 Complaint: 174.37.255.47 abuse@soklayer.com

Tighten it up Clients should have their own IDS/ firewall/etc, but Hosts that are aqacking mul;ple clients should be detected and shunned by the provider The provider should take steps to help their clients protect themselves The provider should also be looking for inten;onally malicious clients

DANGER! Consolida;ng events from all client environments to look for enterprise- threatening external agents would improve things, but The single largest unaddressed threat is the client networks

What Are Providers Dealing With? Frequent, rapid client changes Clients with a wide variety of services, users, and ways of u;lizing resources Clients who are in an unknown state A need to be as close to 0% false posi;ve as possible

What Stays the Same? In- line IPS, owned and controlled by the client Firewall, owned and controlled by the client Vulnerability Assessment (VA) Well- understood technologies that allow clients baseline control over their own networks within the cloud

What Are We Adding? Nerlow Analyzer On- access misconfigura;on detec;on IDS Log Consolida;on NAC Event Correla;on

Why Not OSSIM? hqp://alienvault.com/community OSSIM uses many of the same tools I m sugges;ng It makes assump;ons about the network it s placed into (tool/vendor lock- in) Correla;on engine is not as flexible as SEC; regardless, has advantages

Nerlow (nfdump) hqp://nfdump.sourceforge.net/ Used to monitor for excessive, prolonged network u;liza;on Can also trend network performance and flag suspicious spikes Data is sent from internal switches and other network devices for analysis Provides network server/service inventory data

Enterprise- Wide IDS (Snort) hqp://www.snort.org/ Well- known, widely used Independent of clients; no client visibility AQached to network egress points No trusted networks: monitoring ALL traffic Provides network server/ service inventory data

NAC (PacketFence) hqp://www.packerence.org/home.html Post- admission behavioral quaran;ning This system will take input from our other systems, and use it to make decisions to quaran;ne devices

Log Consolida;on (syslog- ng) Well- known, widely used All infrastructure devices (servers, switches, IDS, etc) logging here

On- Access Misconfigura;on Detec;on Medusa hqp://www.foofus.net/~jmk/medusa/ medusa.html Metasploit hqp://www.metasploit.com/ Nmap hqp://nmap.org/ Others Tools called by correla;on system to run basic misconfigura;on checks of new services and servers

The Magic : Correla;on (SEC) hqp://simple- evcorr.sourceforge.net/ Keeps track of events from a variety of sources Isn t in- line, makes it possible to make slow, well- informed decisions Coordinates all other components

How does this work?

Iden;fying Misbehaving Hosts

nfdump Unusual traffic paqerns alone don t dictate an incident nfdump data should be compared with IDS, firewall and other data to look for anomalies Example: Traffic peak, combined with ARP collision messages from switches à ARP Cache Overflow Example: Traffic peak, combined with many IRC events à Botnet Par;cipa;on

Correlated IDS Logs Much beqer informa;on, but limited to what we can see Example: Single event type enters server, replayed by server mul;ple ;mes à Worm Infec;on Example: Server contacts successive servers using the same administra;ve protocol à Protocol Scanning

Limita;ons Err on the side of cau;on Reac;ve, so damage might already be done

Demonstra;on

Conclusion Cloud providers don t appear to be internally policing their clients networks Reliable measures should be be taken to detect both malicious clients and compromised clients

Ques;ons

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information