Applying a Holistic Defense-in-Depth Approach to The Cloud (with a dash of application security thrown in)
NiKSUN World Wide Security & Mobility Conference, 25-July-2011
Barry Lyons IV, CISSP, Senior Cyber Architect, Northrop Grumman
At the end of this presentation, you will:
Have a security framework to BETTER SECURE THE CLOUD
Know how to make your APPLICATIONS MORE SECURE
But first:
Barry Lyons IV: Founder of FADD! Had to implement proactive security measures.
An Excellent Solution
What is the Cloud?
Attributes of Cloud Computing (figure courtesy of Microsoft Corporation)
NIST Working Definition of Cloud Computing: Essential Characteristics, Service Models, Deployment Models
Service Models: Software as a Service (SaaS)
Consumer does not manage or control the underlying infrastructure or the applications.
Service Models: Platform as a Service (PaaS)
Consumer does not manage or control the underlying infrastructure, but does have control over applications.
Service Models: Infrastructure as a Service (IaaS)
Consumer does not manage or control the underlying infrastructure, but can deploy S/W (O/S & applications).
Stated Another Way (figure courtesy of Microsoft Corporation)
Stack layers, top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
On-Premises: you manage all nine layers.
Infrastructure (as a Service): you manage Applications, Data, Runtime, Middleware and O/S; Virtualization, Servers, Storage and Networking are managed by the vendor.
Platform (as a Service): you manage Applications and Data; Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking are managed by the vendor.
Software (as a Service): all nine layers are managed by the vendor.
Deployment Models: Public Cloud
Available to the general public; owned by an organization selling cloud services.
Deployment Models: Private Cloud
Operated solely for a single organization; may be managed by a third party.
Deployment Models: Hybrid Cloud
Two or more clouds; enables cloud bursting.
Deployment Models: Community Cloud
Shared by several organizations; supports a specific community with shared concerns.
We have one more important concept to define:
Defense-in-Depth (photo courtesy of U.S. Navy)
Defense-in-Depth!
Three Elements of Defense-in-Depth: People, Process, Technology
Challenges With Cloud Security
A Private Cloud On Its Own Can Be Made Very Secure
But When You Move to a Hybrid...
The Door is Opened for Trouble to Enter: if the Public Cloud has embedded vulnerabilities, or worse, embedded malware, it can populate the Private Cloud!
Another Challenge: The Hypervisor!
Also called the virtual machine manager (VMM); controls the host processor and resources; allocates what is needed to each operating system.
The Hypervisor CONTROLS the VMs! So you have to be cognizant of...
Virtualization Hypervisor Attacks! Some examples:
VM escapes (DomU to Dom0)
Hypervisor hijacking (Dom0 to Xen)
Hypervisor rootkits (not just BluePill)
And they can be initiated by...
The Insider Threat!
Has anyone developed a Cloud Security Reference Model?
Cloud Security Alliance Reference Model (figure; 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1)
Service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS).
Stack layers, top to bottom: Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities.
Security Responsibility (figure; 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1)
How does security apply? (figure; 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1)
Cloud Model: the IaaS/PaaS/SaaS stack (Presentation Modality, Presentation Platform, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities).
Security Control Model, mapped onto that stack:
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Information: DLP, CMF, Database Activity Monitoring, Encryption
Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Trusted Computing: Hardware & Software RoT & APIs
Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Physical: Physical Plant Security, CCTV, Guards
Compliance Model: PCI (Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti-Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two-Factor Authentication), HIPAA, GLBA, SOX.
The CSA Reference Model is a great starting point; now let's make it even better!
Introducing a cyber reference model for defense and capability: The Northrop Grumman Cyber Architecture Reference Series
The Fan - Layered Cybersecurity Defensive Reference Model (figure; 2010 Northrop Grumman Corporation)
Rings, outside in: OUTSIDE THREAT PROTECTION, Perimeter, Enclave/DataCenter, Desktop, Mission Critical Assets, Inside Threats.
Capabilities shown: Secure DMZs; Message Security (anti-virus, anti-malware); Honeypot; IT Security Governance; Security Policies & Compliance; Security Architecture & Design; Continuous C&A; Perimeter IDS/IPS; Cyber Threat Intelligence; Enterprise IDS/IPS; Threat Modeling; Risk Management; VoIP Protection; Security Awareness Training; Inline Patching; Host IDS/IPS; Penetration Testing; Web Proxy Content Filtering; Content Security (anti-virus, anti-malware); Static App Testing/Code Review; Dynamic App Testing; PKI; DAR/DIM/DIU Protection; Data Wiping Cleansing; Vulnerability Assessment; NAC Endpoint Security Enforcement; WAF; Identity & Access Management; Enterprise Right Management; FDCC Compliance; Database Monitoring/Scanning; Data Classification; Data Integrity Monitoring; Data/Drive Encryption; Escalation Management; Enterprise Message Security; Focused Ops; Enterprise Wireless Security; Patch Management; Database Secure Gateway (Shield); Enterprise Remote Access; Continuous Monitoring and Assessment; Situational Awareness; DHS Einstein; SOC/NOC Monitoring (24x7); Incident Reporting, Detection, Response (CIRT); Security Dashboard; SIEM; Digital Forensics; Security SLA/SLO Reporting.
How Does the Fan Provide Reference? (same Fan figure, with the outer ring labelled PERSISTENT ATTACKER PROTECTION; 2010 Northrop Grumman Corporation)
Actual Use Case of The Fan: A Layered Defense-In-Depth Security Technology Approach (network diagram)
Zones: ZONE 1 Internet; ZONE 2 DMZ; ZONE 3 Enterprise End User Network; ZONE 4 Data Center & Enclave Networks. Traffic from malicious and compliant outside users enters through ZONE 1.
Components shown include: Internet router, Einstein box, honeypot, outside and inside UTM firewalls and IDS/IPS, mail relay (Interscan mail sweeper), web/FTP servers, directory/app/database servers and app switch, web proxy (IWSS), BES/Exchange, SSL VPN (ONE) and IPSEC VPN (SDI/SDDI) entry for remote, mobile and overseas-post users (endpoint security protected), private and internal WANs with routers, VPN encryptors and IDS/IPS, wireless AP with WIDPS and map/location rogue detection, VoIP, BlackBerry PDAs with SafeWord, Citrix NFuse, NAC/NAP policy server and policy DB, DC/DNS/Exchange/DHCP, remediation servers on a restricted network for non-compliant desktops/laptops, FDCC-compliant desktops/laptops, patch/anti-virus/anti-malware distribution, a security management network (SIEM servers; vuln/FDCC/web/DB scanners; VPN and IDS/IPS management servers; threat analysis; security policy; NAC/NAP NPS, HRA, HRS; AV, malware and spam management), Virtual Shield (virtual patching for VMs), SAN/NAS, and the data center domain (Exchange servers, database, file servers, web/FTP, mainframe apps, CA keys/PKI, X.500/LDAP, network management console) plus enclave network apps.
Every server carries Server Shield (virtual patching) together with AV, VA, FIM and PA; the web, app and database tiers add CR+AS.
Legend: PA = Patching; AV = Anti-virus/spyware; VA = Vulnerability & Compliance Scan; FIM = File Integrity Monitoring; CR+AS = Code Review & Application Scan; FDCC = FDCC scan & enforcement; DLP = Data Loss Prevention on Desktop/Laptop.
So how can we combine these reference models (cyber and cloud) to improve a SECURITY architecture?
Start with the Cloud Security Alliance Reference Model (the IaaS/PaaS/SaaS layer-stack figure; 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1)
Blending The Security and Service Reference Models To Get Layered Security In The Cloud (figure: the Fan's capability rings overlaid on the CSA IaaS/PaaS/SaaS layer stack; Copyright 2009 Cloud Security Alliance, Cloud Security Alliance Guidance Version 2.1)
Result - Fan Applied to The Cloud (figure; 2010 Northrop Grumman Corporation)
The Layered Cyber Security Defense Framework (the Fan, now including Security Technology Evaluation) wraps the ENGINEERING & INFRASTRUCTURE core: Server Virtualization, Virtual Infrastructure, Virtual Desktop (VDI), Virtual Applications, Mobile, Storage Services.
Automation band: Automated Compliance, Automated Enforcement, Policy Enforcement, Vulnerability Mgmt, Patch Update, CM, NAC Enforce, AV Enforce, FDCC Enforce.
Service overlays: Managed Security Services, Virt Security SaaS.
Acronyms & Abbreviations: DAR: Data At Rest; DIM: Data In Motion; DIU: Data In Use; DLP: Data Loss Prevention; FDCC: Federal Desktop Core Configuration; IDP: Intrusion Detection and Prevention; NAC: Network Access Control; PKI: Public Key Infrastructure; SIEM: Security Information Event Management.
BENEFIT: A reference architecture that provides the framework to develop Better Cloud Security (Fan-applied-to-the-cloud figure repeated).
BUT WAIT! There's more...
What About Application Security? (Fan-applied-to-the-cloud figure and acronym list repeated; 2010 Northrop Grumman Corporation)
Organizations that think they have secure code, BUT...
The Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/main_page
OWASP Top 10 Application Vulnerabilities:
Injection
Cross-Site Scripting (XSS)
Broken Authentication and Session Management
Insecure Direct Object References
Cross-Site Request Forgery (CSRF)
Security Misconfiguration
Insecure Cryptographic Storage
Failure to Restrict URL Access
Insufficient Transport Layer Protection
Unvalidated Redirects and Forwards
What is the solution?
We need to address two scenarios: applications on the drawing board, and applications that are already deployed.
Software Not Yet Developed: Define the SECURITY REQUIREMENTS!
Software development 101
Software Engineering Activities / Security Engineering Activities
1. Determine Needs / 1. Determine Information Protection Needs
2. Define Requirements / 2. Define Security Requirements
3. Design Architecture / 3. Embed Security Elements Within Architecture
4. Develop Detailed Design / 4. Embed Security Elements Within Design
5. Develop Software / 5. Test s/w as it is being developed to confirm security is built into the code
6. Assess Effectiveness / 6. Assess Information Protection Effectiveness
Security Engineering Must Be Included (the same Software Engineering / Security Engineering activity table, steps 1 to 6, with the security engineering column highlighted)
Test s/w as it is being developed
Run application vulnerability scans* against executable code (example products): AppScan (IBM), Cenzic, WebInspect (HP), Beyond Security.
Then do yourself one more favor...
*You can also perform source code scanning; those use different tools.
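The slides list injection first among the OWASP Top 10 and ask that software be tested for security as it is being developed. The following is an added example, not code from the presentation or from Northrop Grumman: it puts a string-built SQL lookup beside its parameterized form and wraps both in a developer-time check that a build pipeline can run before any scanner or pen tester sees the code. The table, user names and probe string are constructed for the demo.

```python
"""Injection: vulnerable lookup beside the hardened one, plus a check
that runs while the software is still being developed (added example;
all names and data here are constructed, not from the slides)."""
import sqlite3


def make_db():
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """String-built SQL: the caller-supplied name becomes part of the
    query grammar, so a quote in it changes the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver passes the name as data only, so the
    WHERE clause stays exactly as written."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed probe: a name nobody has, carrying a quote and an OR clause.
INJECTION_PROBE = "x' OR '1'='1"


def injection_check(lookup):
    """Developer-time security test for a lookup function.

    A lookup for a user who does not exist must return no rows. Any row
    returned for the probe name means the input reached the SQL grammar.
    Returns the row count so a test harness can assert on it.
    """
    conn = make_db()
    try:
        rows = lookup(conn, INJECTION_PROBE)
    except sqlite3.Error:
        return 0  # a syntax error on the probe is noisy, but not a leak
    finally:
        conn.close()
    return len(rows)


if __name__ == "__main__":
    print("vulnerable   :", injection_check(lookup_vulnerable), "rows leaked")
    print("parameterized:", injection_check(lookup_parameterized), "rows leaked")
```

The check is deliberately written as a function returning a count rather than a print, so it can sit in the project's unit tests and fail the build the moment someone reintroduces string concatenation; that is what "confirm security is built into the code" looks like at step 5 of the table.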
3rd Party Pen Test
Have a 3rd party penetration test organization (example: White Hat) come in and truly confirm the code is clean!
Pen Test Flow Chart (figure)
But what about my existing applications?
Deploy an Application Enclave Defense-in-Depth Approach. Three building blocks: application vulnerability scanner, file integrity monitor, web application firewall.
Traditional Defense-in-Depth (DnD) (figure)
A Web Enabled Applications Enclave behind Traditional Network Defense-in-Depth: Intelligent Configurable Pen Tool, Traditional HIDS, IDS, Content Monitor, Honeypot, NAC, Behavioral Anomaly Monitoring, serving remote and local users.
The same figure with an attack path added: Cross Site Scripting / Command Insertion passes through the traditional network defenses to the web-enabled applications.
Web Enabled Application DnD: Block One (figure)
Application Defense-in-Depth added alongside Traditional Network Defense-in-Depth: an Application Vulnerability Scanner joins the Intelligent Configurable Pen Tool, IDS/IPS, Content Monitor, Honeypot, NAC and Event Correlation Tool, serving remote and local users.
Web Enabled Application DnD: Block Two (figure)
A Web Application Firewall (WAF) is added in front of the web-enabled applications, alongside the Application Vulnerability Scanner and the traditional network defenses.
Web Enabled Application DnD: Block Three (figure)
Real Time File Integrity Monitors are added on the application hosts, completing the three blocks: Application Vulnerability Scanner, Web Application Firewall (WAF), Real Time File Integrity Monitor.
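Block Three adds a real-time file integrity monitor to the enclave. As an added example (not the presentation's own material, and not any of the products named later), this minimal monitor baselines SHA-256 digests of a web root and reports added, removed and modified files on the next pass, which is the core of what a FIM does regardless of product. The web root, its files and the tampering in demo() are constructed inside a temporary directory; the code assumes a POSIX-style filesystem.

```python
"""Minimal file integrity monitor for a web root (added example; the
directory layout and file contents in demo() are constructed)."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root.
    This is the trusted snapshot taken right after a clean deployment."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not hashed; their targets are
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def compare(old, new):
    """Sorted lists of added, removed and modified relative paths between
    the trusted baseline and a fresh scan."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed web root: take the baseline, tamper, rescan, and
    return what the monitor reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        with open(os.path.join(root, "cgi-bin", "login.py"), "w") as f:
            f.write("print('ok')")
        trusted = baseline(root)

        # Simulated tampering after deployment: a page is defaced and an
        # unexpected file appears in the web root.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>defaced</h1>")
        with open(os.path.join(root, "new.php"), "w") as f:
            f.write("x")

        return compare(trusted, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

This version polls; a production FIM hooks the kernel's file change notifications to get the "real time" in the slide title, and stores the baseline off-host so an attacker who owns the web server cannot rewrite it. The reporting logic is the same either way, and it is the part worth feeding into the Event Correlation Tool shown in the diagram.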
Scan, Fix, Then Run Multiple Pen Tests! From outside the network and from inside the network (same three-block enclave figure, with pen tests launched from both sides).
Product Examples
WAFs: F5 TrafficShield; Breach WebDefend; Barracuda / NetContinuum; Citrix Application Firewall; Imperva SecureSphere Web Application Firewall; AppliCure dotDefender
File Integrity Monitors: Tripwire; ISS HIDS; Sanctuary; Veracity. More at: http://www.networkintrusion.co.uk/integrity.htm
Application Vulnerability Scanners: IBM's AppScan (formerly Watchfire); HP's WebInspect (formerly SPI Dynamics); Cenzic; N-Stealth; Nikto (open source); Acunetix Web Vulnerability Scanner. More at: http://sectools.org/web-scanners.html
What did we learn today?
Simple steps to build security into the S/W development process
We can protect existing applications
We can have a cloud security framework
Resulting in...
How to achieve Better Cloud Security and Stronger Application Security