Alert Logic Cloud Security Summit
Agenda
• Key Findings: Cloud Security Report, Spring 2014
  • Alert Logic Customer Data
  • Honeypot Research
• Cloud Security Best Practices
  • What is Cloud Security
  • Top 7 Recommendations
  • Questions for your Service Provider
• Insights from the Real World
• Q&A
Deliver Superior Security & Compliance Outcomes for IT Infrastructure from the Data Center to the Cloud through Security-as-a-Service
Key Findings: Cloud Security Report, Spring 2014
Cloud Environments 101
Cloud Adoption is Gaining Momentum
• Cloud market revenue will increase at a 36% annual rate
• Analysts expect AWS revenues to hit $6 - $10 billion in 2014
• Microsoft Azure reached $1 billion in Q4 2013
• Oracle Cloud bookings increased by 35% in 2013
• Gartner predicts 60% of banking institutions to migrate to the cloud
• Healthcare is expected to adopt cloud computing at a 21% year-over-year rate through 2017
• VDI (Desktop as a Service) market reached $13.4 billion in 2013
Cloud Security Report Methodology
• Cloud threat data collected since 2011
• Real-world incident data direct from customer environments
• No surveys or lab environments
• Honeypot data collected from the AL Global HoneyNet
• Patented correlation engine
  • Incident occurrence
  • Incident frequency
  • Threat diversity
• GIAC-certified SOC analysts review each incident
• Constantly refining threat content
  • Custom content
  • 3rd-party content
• 80% service providers / 20% on-premises
Threats in the Cloud are Increasing With Adoption
• Increase in attack frequency
• Traditional on-premises threats are now moving to the cloud
• Majority of cloud incidents were related to web application attacks, brute force attacks, and vulnerability scans
• Brute force attacks and vulnerability scans are now occurring at near-equivalent rates in both cloud and on-premises environments
• Malware/Botnet is increasing year over year
Cloud Attacks With the Biggest Change
• Cloud environments saw significant increases, with brute force attacks climbing from 30% to 44% of customers, and vulnerability scans increasing from 27% to 44%
• Malware/botnet attacks, historically the most common attacks in the on-premises datacenter, are on the rise in CHP (cloud hosting provider) environments
Why Honeypots
• Honeypots give us a unique data set
• Simulates vulnerable systems without the risk of real data loss
• Gives the ability to collect intelligence from malicious attackers
• Allows for collection of various different attacks based on system
• Helps identify what industry-specific targets are out there
Honeypot Locations
Honeypot Designs
• The honeypot data cited was gathered using:
  • Low-interaction – simulates high-level services
  • Medium-interaction – delivers form pages and collects keystrokes
  • SCADA – simulates a Supervisory Control And Data Acquisition system
  • Web application software that emulates a vulnerable OS and application
• Fictitious business domains have been created to redirect traffic to what would be considered a legitimate business
• These particular honeypots monitored connections to common ports and gathered statistics on IP, country, and malware, if submitted
Honeypot Findings
• Attacks directed at CHPs have increased significantly
• Web attacks and vulnerability scans remain the frontrunners of CHP attack types
• Underscores the importance of a diversified security solution to meet the changing needs of cloud infrastructure
[Pie chart: honeypot attacks by targeted service – HTTP, MySQL, MS-SQL Server, MS-DS Service, RPC, FTP; shares as extracted: 12%, 11%, 10%, 51%, 8%, 8%]
What are the Honeypots telling us? - Europe
[Chart: attacks by targeted service – MS-DS Service, HTTP, MySQL, MS-SQL Server, RPC, FTP; shares as extracted: 35%, 13%, 13%, 13%, 13%, 13%]
[Chart: attack source countries – Russia, Bulgaria, Venezuela, Hungary, Brazil, unclassified, United States, China, Canada; shares as extracted: 40%, 22%, 21%, 10%, 4%, 2%, 0%, 0%, 0%]
[Chart: malware submitted to the honeypots – Mal/Conficker-A, W32/Confick-O, W32/Confick-F, Troj/Agent-UOB, No Detection, Mal/PWS-JJ; shares as extracted: 77.19%, 20.91%, 1.81%, 0.09%, 0.01%, 0.00%]
What are the Honeypots telling us? - US
[Chart: attacks by targeted service – MS-SQL Server, MySQL, HTTP, MS-DS Service, RPC, FTP; shares as extracted: 12%, 13%, 23%, 51%, 0%, 0%]
[Chart: malware submitted to the honeypots – Mal/Conficker-A, Troj/Agent-UOB, W32/Confick-O, Mal/Spy-Y, W32/Confick-C, Troj/Dload-IK; shares as extracted: 91%, 4%, 2%, 1%, 1%, 1%]
[Chart: attack source countries – China, United States, India, Russia, Korea, Romania, Vietnam, Brazil, Other; shares as extracted: 32%, 21%, 17%, 9%, 6%, 6%, 4%, 2%, 3%]
What are the Honeypots telling us? - Asia
[Chart: attacks by targeted service – HTTP, MySQL, MS-SQL Server, MS-DS Service, RPC, FTP; shares as extracted: 4%, 6%, 4%, 85%, 1%, 0%]
[Chart: attack source countries – United States, Japan, China, Vietnam, Netherlands, Argentina; shares as extracted: 63%, 15%, 15%, 5%, 1%, 1%]
[Chart: malware submitted to the honeypots – Mal/Conficker-A, Troj/Agent-UOB, W32/Confick-C, W32/Confick-D, W32/Confick-O; shares as extracted: 61.96%, 20.08%, 13.53%, 0.04%, 4.38%]
Cloud Security Best Practices
Security in the Cloud is a Shared Responsibility

Cloud Service Provider Responsibility
• Foundation Services (Compute, Storage, DB, Network)
  • Hardened hypervisor
  • System image library
  • Root access for customer
• Networks
  • Logical network segmentation
  • Perimeter security services
  • External DDoS, spoofing, and scanning prevented

Customer Responsibility
• Hosts
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
• Apps
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application level attack monitoring
• Networks
  • Network threat detection
  • Security monitoring
Seven Best Practices of Cloud Security
1. Secure your code
2. Create access management policies
3. Adopt a patch management approach
4. Review logs regularly
5. Build a security toolkit
6. Stay informed of the latest vulnerabilities that may affect you
7. Understand your cloud service provider's security model
Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• Stay informed
Without Secure Coding
WordPress: 162,000 sites used for a distributed denial of service attack
• Pingback-enabled sites can be used in DDoS
  • Trackback
  • Pingbacks
  • Remote access via mobile devices
• Random query of “?4137049=643182” bypasses cache and forces full page reloads
• Requests originated from legitimate sites
Without Secure Coding
• A total of 66 different WordPress plugins were targeted, out of which 8 received the lion's share of attacks
• TimThumb is a simple, flexible PHP script that resizes images. You give it a bunch of parameters, and it spits out a thumbnail image that you can display on your site.
• Looking at the type of vulnerabilities that hackers were trying to exploit, we saw a clear preference for Remote File Inclusion vulnerabilities, which accounted for 96% of all vulnerability types
Access Management Risks
• Customer A contracts web development to a third party
• Creates access to the OS and web application for the contractor
• 6-month contract for services
• Work completed on schedule and under budget
• Customer A does not pay the contractor in a timely fashion
• Contractor probes the site and tests access
• Customer A did not remove the admin access rights granted to the contractor
• Contractor removes all work done and disables the customer site
• Customer calls the provider to complain
• Provider states that access rights are the customer's responsibility
Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls (KISS)
• Continually audit access
• Start with a least privilege access model
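The control that would have caught the contractor scenario on the previous slide is the "continually audit access" step: a periodic sweep that flags every grant past its end date, or with no end date at all. The following C program is an added example written for this page, not Alert Logic's code; the grant table, the day-count convention and the policy that every grant must carry a review date are constructed assumptions.

```c
/* Added example (not from the Alert Logic deck): a periodic access audit that
 * flags grants which have outlived their purpose.  Grant records and the
 * day-count convention are constructed for illustration. */
#include <stdio.h>

/* Days are counted from an arbitrary epoch; expires_day 0 means "no expiry recorded". */
struct access_grant {
    const char *principal;
    const char *system;
    const char *role;
    int granted_day;
    int expires_day;
};

/* Reasons an audit can flag a grant. */
enum audit_finding { FINDING_NONE = 0, FINDING_EXPIRED = 1, FINDING_NO_EXPIRY = 2 };

/* Classify one grant against today's date.  Assumed policy: every grant must
 * have a review/expiry date, and a grant past that date is a finding. */
enum audit_finding audit_grant(const struct access_grant *g, int today)
{
    if (g->expires_day == 0)
        return FINDING_NO_EXPIRY;       /* access with no end date is never re-examined */
    if (g->expires_day < today)
        return FINDING_EXPIRED;         /* the contract ended but the access is still live */
    return FINDING_NONE;
}

/* Run the audit over a grant table; returns the number of grants needing
 * action and fills out[] with their indices (at most max). */
int audit_grants(const struct access_grant *grants, int n, int today, int *out, int max)
{
    int found = 0;
    for (int i = 0; i < n; i++)
        if (audit_grant(&grants[i], today) != FINDING_NONE && found < max)
            out[found++] = i;
    return found;
}

/* Constructed sample: a six-month contractor engagement (day 100 to day 280)
 * whose OS and CMS admin rights were never revoked, plus two internal grants. */
static const struct access_grant sample_grants[] = {
    { "contractor-webdev", "web-01", "os-admin",   100, 280 },
    { "contractor-webdev", "cms",    "wp-admin",   100, 280 },
    { "ops-engineer",      "web-01", "os-admin",    10,   0 },
    { "monitoring-svc",    "web-01", "log-reader",  10, 500 },
};
#define N_SAMPLE (int)(sizeof sample_grants / sizeof sample_grants[0])

/* Audit the sample table as of a given day; returns the number of findings. */
int run_sample_audit(int today)
{
    int flagged[N_SAMPLE];
    return audit_grants(sample_grants, N_SAMPLE, today, flagged, N_SAMPLE);
}

int main(void)
{
    int flagged[N_SAMPLE];
    int today = 400;                    /* well after the contract ended */
    int n = audit_grants(sample_grants, N_SAMPLE, today, flagged, N_SAMPLE);
    for (int i = 0; i < n; i++) {
        const struct access_grant *g = &sample_grants[flagged[i]];
        printf("%-18s %-7s %-11s %s\n", g->principal, g->system, g->role,
               audit_grant(g, today) == FINDING_EXPIRED ? "EXPIRED" : "NO EXPIRY");
    }
    return 0;
}
```

Run on day 400 the audit reports both contractor grants as expired and the open-ended ops grant as lacking a review date; the same sweep on day 200, while the contract is still running, reports only the open-ended grant. Feeding the audit output into a ticketing or deprovisioning workflow is what turns the slide's "continually audit access" into a control rather than a wish.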
Adopt a Patch Management Approach
• Inventory all production systems
• Devise a plan for standardization, if possible
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release them into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC
Log Review Scenarios
• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance
Review Logs Regularly
• All sources of log data are collected
• Data types (Windows, Syslog)
• Review process
• Live monitoring
• Correlation logic
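As an added example (not Alert Logic's code) of the review process and correlation logic above, the following C program applies two rules from this deck to constructed web-server access-log lines: repeated failed logins from one source, the brute force pattern the report ranks among the top cloud incident types, and random numeric query strings that defeat caching, the WordPress pingback flood pattern from the "Without Secure Coding" slide. The log format, thresholds and addresses are assumptions made for the example.

```c
/* Added example (not Alert Logic code): a minimal log-review pass applying two
 * correlation rules to constructed access-log lines.  Format "<ip> <method>
 * <path> <status>", thresholds and addresses are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_IPS 32
#define BRUTE_FORCE_THRESHOLD 5   /* assumed: 5+ failed logins from one source */
#define CACHE_BUST_THRESHOLD 3    /* assumed: 3+ cache-busting requests from one source */

struct ip_stats {
    char ip[16];
    int failed_logins;            /* HTTP 401 responses on the login page */
    int cache_busting;            /* requests whose query string is "?<digits>=<digits>" */
};

static struct ip_stats table[MAX_IPS];
static int n_ips;

void reset_stats(void) { memset(table, 0, sizeof table); n_ips = 0; }

static const struct ip_stats *find(const char *ip)
{
    for (int i = 0; i < n_ips; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    return NULL;
}

static struct ip_stats *lookup_or_add(const char *ip)
{
    for (int i = 0; i < n_ips; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (n_ips == MAX_IPS) return NULL;
    strncpy(table[n_ips].ip, ip, sizeof table[n_ips].ip - 1);   /* table is zeroed, so terminated */
    return &table[n_ips++];
}

/* True when the path carries a query string of the form "?<digits>=<digits>",
 * the cache-bypass pattern described on the WordPress DDoS slide. */
int is_random_numeric_query(const char *path)
{
    const char *q = strchr(path, '?');
    if (!q) return 0;
    const char *eq = strchr(++q, '=');
    if (!eq || eq == q || eq[1] == '\0') return 0;
    for (const char *p = q; p < eq; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    for (const char *p = eq + 1; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

/* Parse one line and update the per-source counters; returns 0 if it does not parse. */
int ingest_line(const char *line)
{
    char ip[16], method[8], path[256];
    int status;
    if (sscanf(line, "%15s %7s %255s %d", ip, method, path, &status) != 4) return 0;
    struct ip_stats *s = lookup_or_add(ip);
    if (!s) return 0;
    if (status == 401 && strcmp(path, "/wp-login.php") == 0) s->failed_logins++;
    if (is_random_numeric_query(path)) s->cache_busting++;
    return 1;
}

int is_brute_force(const char *ip)
{
    const struct ip_stats *s = find(ip);
    return s != NULL && s->failed_logins >= BRUTE_FORCE_THRESHOLD;
}

int is_cache_bust_flood(const char *ip)
{
    const struct ip_stats *s = find(ip);
    return s != NULL && s->cache_busting >= CACHE_BUST_THRESHOLD;
}

/* Constructed sample log: one brute-forcing source, one pingback-style
 * flooder, and one ordinary visitor who mistyped a password once. */
static const char *sample_log[] = {
    "203.0.113.7 POST /wp-login.php 401",  "203.0.113.7 POST /wp-login.php 401",
    "203.0.113.7 POST /wp-login.php 401",  "198.51.100.4 POST /wp-login.php 401",
    "203.0.113.7 POST /wp-login.php 401",  "198.51.100.4 GET /index.php 200",
    "192.0.2.9 GET /?4137049=643182 200",  "203.0.113.7 POST /wp-login.php 401",
    "192.0.2.9 GET /?8820113=115509 200",  "203.0.113.7 POST /wp-login.php 401",
    "192.0.2.9 GET /?1007731=997132 200",  "198.51.100.4 GET /about/ 200",
};

/* Ingest the sample and return how many sources triggered at least one rule. */
int run_sample_review(void)
{
    reset_stats();
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        ingest_line(sample_log[i]);
    int alerts = 0;
    for (int i = 0; i < n_ips; i++)
        if (is_brute_force(table[i].ip) || is_cache_bust_flood(table[i].ip)) alerts++;
    return alerts;
}

int main(void)
{
    printf("sources flagged: %d\n", run_sample_review());
    for (int i = 0; i < n_ips; i++)
        printf("%-14s failed_logins=%d cache_busting=%d\n",
               table[i].ip, table[i].failed_logins, table[i].cache_busting);
    return 0;
}
```

On the sample the review flags two sources: 203.0.113.7 for six failed logins and 192.0.2.9 for three cache-busting requests, while 198.51.100.4's single failure stays below threshold. A production version would add a time window to the counters and take its thresholds from observed baselines, but the shape (collect, parse, count per source, correlate against a rule) is the one the slide describes.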
Build a Security Toolkit
• Recommended security solutions:
  • Antivirus
  • Intrusion Detection System
  • Malware Detection
  • Web Application Firewalls
Understand Your Cloud Service Provider's Security Model
• Review of service provider responsibilities
• Hypervisor example
• Questions to use when evaluating cloud service providers
A Look at Service Provider Responsibilities

Cloud Service Provider Responsibility
• Foundation Services (Compute, Storage, DB, Network)
  • Hardened hypervisor
  • System image library
  • Root access for customer
• Networks
  • Logical network segmentation
  • Perimeter security services
  • External DDoS, spoofing, and scanning prevented

Customer Responsibility
• Hosts
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
• Apps
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application level attack monitoring
• Networks
  • Network threat detection
  • Security monitoring
Secure Cloud Architecture
Cloud Server Architecture
• VM Servers are designed so that the hypervisor (or monitor, or Virtual Machine Manager) is the only fully privileged entity in the system, and has an extremely small footprint.
• It controls only the most basic resources of the system, including CPU and memory usage, privilege checks, and hardware interrupts
How the Hypervisor functions
• In this model the processor provides four levels, also known as rings, arranged hierarchically from Ring 0 to Ring 3. Only 0, 1 and 3 have privilege; some kernel designs demote certain privileged components to ring 2
• The operating system runs in ring 0, with the operating system kernel controlling access to the underlying hardware
• To assist virtualization, VT and Pacifica insert a new privilege level beneath Ring 0. Both add nine new machine code instructions that only work at "Ring -1", intended to be used by the hypervisor
Exploitation of the Hypervisor – CVE-2014-1666
• The PHYSDEVOP_{prepare,release}_msix operations are supposed to be restricted to dom0, since they allow access to the host and to other VMs controlled by the host, but the necessary privilege level check was missing
• Two different functions were added to Xen in physdevop to manage resources for the allocation and deallocation of MSI-X devices
• This can easily result in malicious or misbehaving unprivileged guests causing the host or other guests to malfunction, which can result in a host-wide denial of service of all the VMs and the host itself
• In physdev.c the attacker has a function:
  ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
• This has a command in switch/case values, which leads us to:
Exploitation of the Hypervisor – CVE-2014-1666
• Knowing the attacker has seg, bus, and devfn, these are now passed to pci_prepare_msix, shown in Figure 1
• The attacker first has to pass the pos check for pci_find_cap_offset. If there's nothing there, then they have to pass the pci_get_pdev check
[Figure 1: pci_prepare_msix – "Check out pci_find_cap_offset"]
Exploitation of the Hypervisor – CVE-2014-1666
• An interesting function called pci_conf_read16 shows the attacker that he now has flow control
• Now the decision becomes: how do I use that control to do something useful?
• This is used for low-level function calls that read from and write directly to physical device ports
• These functions will actually lead to inb/outb calls
• To achieve this the attacker has to make sure to follow the rules to reach function x
• The attacker now has the ability to interact with some lower-level device I/O with controllable arguments
• Scoping information for privilege escalation would be quite difficult, but surely interesting, as you do have access to privileged device I/O
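To make the defect concrete from the defender's side, here is an added model (not Xen's physdev.c) of a hypercall dispatcher in the shape these slides describe: it forwards host-resource operations without consulting the caller's privilege, and it sits beside the shape of the fix, which refuses those operations for any domain but dom0 and leaves the commands every guest may use untouched. The domain structure, command numbers, device state and return codes are assumptions made for the example.

```c
/* Added example (not Xen's code): a model of the missing-privilege-check
 * defect class behind CVE-2014-1666.  Domain structure, command numbers,
 * device state and return codes are assumptions, not Xen's definitions. */
#include <stdio.h>
#include <errno.h>

enum physdev_cmd {
    PHYSDEVOP_PREPARE_MSIX = 1,   /* assumed numbering */
    PHYSDEVOP_RELEASE_MSIX = 2,
    PHYSDEVOP_GET_FREE_PIRQ = 3,  /* stands in for operations any guest may use */
};

struct domain {
    int domain_id;
    int is_privileged;            /* 1 only for the control domain (dom0) */
};

/* Host-side MSI-X state for one PCI device (model). */
struct pci_dev_state {
    int msix_prepared;
};

static int prepare_msix(struct pci_dev_state *dev) { dev->msix_prepared = 1; return 0; }
static int release_msix(struct pci_dev_state *dev) { dev->msix_prepared = 0; return 0; }

/* Vulnerable shape: every command is dispatched for whichever guest calls. */
int do_physdev_op_unchecked(const struct domain *caller, int cmd, struct pci_dev_state *dev)
{
    (void)caller;                 /* the caller's privilege is never consulted */
    switch (cmd) {
    case PHYSDEVOP_PREPARE_MSIX:  return prepare_msix(dev);
    case PHYSDEVOP_RELEASE_MSIX:  return release_msix(dev);
    case PHYSDEVOP_GET_FREE_PIRQ: return 0;
    default:                      return -ENOSYS;
    }
}

/* Fixed shape: operations that touch host-owned device state are refused
 * unless the caller is the privileged domain; other commands are unchanged. */
int do_physdev_op_checked(const struct domain *caller, int cmd, struct pci_dev_state *dev)
{
    switch (cmd) {
    case PHYSDEVOP_PREPARE_MSIX:
    case PHYSDEVOP_RELEASE_MSIX:
        if (!caller->is_privileged)
            return -EPERM;
        return cmd == PHYSDEVOP_PREPARE_MSIX ? prepare_msix(dev) : release_msix(dev);
    case PHYSDEVOP_GET_FREE_PIRQ: return 0;
    default:                      return -ENOSYS;
    }
}

/* Helper: return code of one call through either dispatcher on a fresh device. */
int dispatch_rc(int checked, int privileged, int cmd)
{
    struct domain d = { privileged ? 0 : 7, privileged };
    struct pci_dev_state dev = { 0 };
    return checked ? do_physdev_op_checked(&d, cmd, &dev)
                   : do_physdev_op_unchecked(&d, cmd, &dev);
}

/* Scenario: dom0 prepares a device, then an unprivileged guest asks to release
 * it.  Returns 1 if the unchecked path let the release through while the
 * checked path refused it and left dom0's state intact. */
int demonstrate_fix(void)
{
    struct domain dom0 = { 0, 1 }, domU = { 7, 0 };
    struct pci_dev_state dev = { 0 };

    do_physdev_op_checked(&dom0, PHYSDEVOP_PREPARE_MSIX, &dev);
    int rc_unchecked = do_physdev_op_unchecked(&domU, PHYSDEVOP_RELEASE_MSIX, &dev);
    int state_after_unchecked = dev.msix_prepared;

    dev.msix_prepared = 1;        /* restore dom0's state for the second run */
    int rc_checked = do_physdev_op_checked(&domU, PHYSDEVOP_RELEASE_MSIX, &dev);
    int state_after_checked = dev.msix_prepared;

    return rc_unchecked == 0 && state_after_unchecked == 0 &&
           rc_checked == -EPERM && state_after_checked == 1;
}

int main(void)
{
    printf("fix closes the gap: %s\n", demonstrate_fix() ? "yes" : "no");
    return 0;
}
```

The detection-side lesson is the same as the code's: any hypercall or API surface that reaches host-owned resources needs a privilege check at the dispatch boundary, and a review of that boundary should list every command and the privilege it requires, so that a newly added command (as the slide notes these two were) cannot be wired in without one.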
Additional vulnerabilities – CVE-2014-1896
• libvchan (a library for inter-domain communication) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring.
• libvchan-using facilities are vulnerable to denial of service and perhaps privilege escalation.
• All versions of libvchan are vulnerable.
• Applying the appropriate attached patch resolves this issue.
• After the patch is applied to the Xen tree, any software which is statically linked against libvchan will need to be relinked against the new libvchan.a for the fix to take effect.
• xsa86.patch: Xen 4.2.x, 4.3.x, the 4.4-RC series, and xen-unstable
• External references:
  • http://seclists.org/oss-sec/2014/q1/264
  • https://bugzilla.redhat.com/show_bug.cgi?id=1062331
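As an added example (not libvchan's code) of the ring-handling problem described above, the following C model reads from a ring whose indices live in memory the peer domain also writes. It shows why those indices must be copied out once, bounds-checked and masked before they are used as offsets: a peer that writes an impossible producer index can otherwise steer the reader past the end of the data area. Ring layout, size, field names and return codes are assumptions made for the example.

```c
/* Added example (not libvchan's code): a model of the shared-ring hazard
 * behind CVE-2014-1896 and the validation that closes it.  Layout, size and
 * return codes are assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define RING_SIZE 64u   /* assumed; must be a power of two for the index mask */

/* Both indices are in memory the peer domain can write, so both are untrusted. */
struct shared_ring {
    volatile uint32_t cons;   /* consumer index, advanced by this side */
    volatile uint32_t prod;   /* producer index, advanced by the peer */
    uint8_t data[RING_SIZE];
};

/* Unvalidated shape: the pending byte count is taken straight from shared
 * memory.  With prod = cons + 5000 it far exceeds the 64-byte data area. */
uint32_t naive_available(const struct shared_ring *r)
{
    return r->prod - r->cons;
}

/* Read both indices once, then refuse any state a well-behaved peer could not
 * produce (more bytes pending than the ring holds).  Working from local copies
 * also prevents a check-then-use race with a peer that rewrites them. */
int ring_snapshot(const struct shared_ring *r, uint32_t *cons, uint32_t *prod)
{
    uint32_t c = r->cons, p = r->prod;
    if (p - c > RING_SIZE)    /* unsigned wrap also catches cons > prod */
        return -EINVAL;
    *cons = c;
    *prod = p;
    return 0;
}

/* Copy up to len bytes out of the ring into out[]; returns the count copied or
 * a negative errno.  Every data[] access goes through the mask, so even a
 * validated index can never address memory outside the array. */
int ring_read(struct shared_ring *r, uint8_t *out, size_t len)
{
    uint32_t cons, prod;
    int rc = ring_snapshot(r, &cons, &prod);
    if (rc)
        return rc;
    uint32_t avail = prod - cons;
    if (len > avail)
        len = avail;
    for (size_t i = 0; i < len; i++)
        out[i] = r->data[(cons + (uint32_t)i) & (RING_SIZE - 1)];
    r->cons = cons + (uint32_t)len;
    return (int)len;
}

/* Constructed scenario: a peer has written 10 bytes straddling the wrap point
 * (data[60..63] then data[0..5]); returns 1 if the checked reader yields them. */
int demonstrate_wraparound(void)
{
    struct shared_ring r = { 0 };
    r.cons = 60;
    r.prod = 70;
    for (uint32_t i = 60; i < 70; i++)
        r.data[i & (RING_SIZE - 1)] = (uint8_t)('a' + (i - 60));
    uint8_t out[16] = { 0 };
    int n = ring_read(&r, out, sizeof out);
    return n == 10 && memcmp(out, "abcdefghij", 10) == 0 && r.cons == 70;
}

/* Constructed scenario: the peer writes an impossible producer index.  The
 * naive count would drive a copy far past data[]; the checked reader refuses. */
int demonstrate_malicious_index(void)
{
    struct shared_ring r = { 0 };
    r.cons = 0;
    r.prod = 5000;
    uint8_t out[16];
    return naive_available(&r) > RING_SIZE && ring_read(&r, out, sizeof out) == -EINVAL;
}

int main(void)
{
    printf("wraparound read ok: %d\n", demonstrate_wraparound());
    printf("malicious index rejected: %d\n", demonstrate_malicious_index());
    return 0;
}
```

The two habits the model encodes, snapshotting shared indices into locals and masking every offset into the buffer, are the general defence for any ring or queue shared across a trust boundary, whether between Xen domains, between a driver and a device, or between a host and a sandboxed process.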
New and emerging threats targeting the Hypervisor
• Exploitation of a critical memory corruption
• Affects systems with Intel CPU hardware
• Allows a guest-to-host escape
  • Execute arbitrary code on the host
  • Privileged domain permissions (“dom0”)
  • Direct access to hardware
  • Manages unprivileged domains (“domU”)
• Vulnerability exists in all virtual platforms using Intel architecture
• Patch has been deployed
Memory corruption of the Hypervisor – CVE-2012-0217
• Critical memory corruption vulnerability affecting the Xen hypervisor, discovered by Rafal Wojtczuk and Jan Beulich in late 2012
• A local attacker within a guest virtual machine will be able to escape his restricted virtual environment and execute arbitrary code on the host system with the permissions of the most privileged domain ("dom0"), which has direct access to hardware and can manage unprivileged domains ("domU")
Questions to ask your Service Provider
1. What is the data encryption strategy and how is it implemented?
2. What is the hypervisor and provider infrastructure patching schedule?
3. What is the drive wiping standard used for recycled instances?
4. How does your provider support your implementation of endpoint security?
5. How do you isolate and safeguard my data from other customers?
6. How is user access monitored, modified and documented?
7. Regulatory requirements – PCI, SOX, SSAE16?
8. What is the provider’s back-up and disaster recovery strategy?
9. What visibility will the provider offer your organization into security processes and events affecting your data from both front and backend of your instance?
10. How does the provider ensure that legal actions taken against other tenants will not affect the privacy of your data?
What should you take away from this session
• Cloud adoption is on the rise
• Attacks are growing with further cloud adoption
• Organizations need to be prepared for new security challenges in the cloud
• Work closely with your cloud service provider
• Keep informed of current vulnerabilities
• Have a least privilege access model
Real World Insights
Q&A
Background on Alert Logic
Alert Logic: The Past Four Years...
• 2010 revenue run rate: $11M
• 2014 revenue run rate: $52M
Alert Logic is one of the fastest growing security vendors in the industry
Over 2,500 Organizations Worldwide Trust Alert Logic
• 250,000 devices managed
• 2.8 petabytes of log data under management
• 8.2 million security events correlated per day
• 40,000 incidents identified and reviewed per month
Recognized as Leading Cloud Security and Compliance Provider
• Named Cool Vendor in Security Services 2013
Integrated Solutions Drive Better Security and Compliance
Coverage: Applications, Systems, Networks
Products
• Delivered through an integrated security-as-a-service solution
• Specifically designed for applications and infrastructure
• Easy, flexible deployment options for any environment
Automated Analysis
• Multi-factor correlation for fast, accurate results
• Dynamic security intelligence including third-party feeds
• Content updated regularly across all solutions
People & Process
• 24 x 7 coverage from certified experts
• Multi-disciplined, highly specialized team
• Effective response via repeatable engagement process
Appendix
Links to additional data
• http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
• https://bugzilla.redhat.com/show_bug.cgi?id=1062326
• https://bugzilla.redhat.com/show_bug.cgi?id=1062329
• https://bugzilla.redhat.com/show_bug.cgi?id=1062331
• https://bugzilla.redhat.com/show_bug.cgi?id=1058395
• http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
• https://www.alertlogic.com/resources/cloud-security-report/
• http://seclists.org/oss-sec/2014/q1/264