rightscale webinar: security monitoring in the cloud: how rightscale does it

24
#rightscale Security Monitoring in IaaS How We Do It at RightScale Watch the video of this presentation

Upload: rightscale

Post on 20-Aug-2015

640 views

Category:

Technology


3 download

TRANSCRIPT

Page 1: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#rightscale

Security Monitoring in IaaSHow We Do It at RightScale

Watch the video of this presentation

Page 2: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Your Panel TodayPresenting• Phil Cox, Director of Security & Compliance, RightScale• Tony Spataro, Senior Security Engineer, RightScale

Q&A • Spencer Adams, Account Manager, RightScale• James Brown, Security Analyst, RightScale

Please use the “Questions” windowto ask questions any time!

Page 3: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Agenda• Talk about the problem in general

• State general premise and assumptions

• Walk through the “Why?”, “How?”, and “What?”

• Conclusion

Page 4: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

The problem• Folks don't do security monitoring well in the first place

• Puzzlement about how to actually “do” security in Cloud and IaaS in particular

• What do you do when you don't own the hardware or network

• Vendor cloud washing and sales FUD that is being perpetuated

Page 5: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

What is Security Monitoring?• The ability to collect, analyze, and alert on security related

system and application events

Collect Analyze Alert• System Logs• Databases• Applications• Host Network

Traffic

• Need a tool• The space

varies widely, and cost is an issues

• Don't get too complicated, you'll give up

• First 2 steps are worthless without this

Page 6: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

One More: Monitoring is log analysis• In this context "monitoring” == "log analysis”

• Real question: How does one classify a log entry as "interesting"?

• Answer: You guessed it -> It depends• You need to know your environment and refer back to your “Why?”

answers

• A couple examples I use:• Interactive login to our database server• Database access from an unsuspected system• Past staff user account access attempts

Page 7: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Some starting premises• Cloud, and thus IaaS, is a new way to deliver

IT• If you try to shoehorn old solutions, you will likely fail

• Security fundamentals in cloud are similar to any other environment

• There is no secret sauce!

• Monitoring in IaaS is a subset of monitoring in a traditional enterprise

• Main difference is visibility into the network

Page 8: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

As in iRobot, start with "Why?"• You need to start the whole process of by asking "Why?”

• Not "How?" or "What?”

• Answer the following question: Why are you implementing security monitoring?• Make sure to get buy-in from the entire organization as to this answer, you

may be surprised what you hear.

Detective Spooner: Why would you kill yourself? Dr. Alfred Lanning: That, detective, is the right question. Program terminated.

Page 9: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Our "Why?"• This part was easy, as I had done my

homework

• We wanted• To meet compliance requirements: SSAE 16

and PCI• To have a system that would notify us if

something we knew was not supposed to happen did: Burglar Alarms

• To be able to look at past events if needed: Forensics

• No more, no less.

Page 10: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Some other “Why?” I have encountered• Determine if folks are taking data via removable media

• Identify excessive file transfers outbound

• Identify abnormal print activity

• Identify abnormal user activity

• Identify anomalous network traffic

• Yours will be different and the same as others

Page 11: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Considerations for "How?"• Once you determine “Why?”, the next step is to determine an

architecture, the “How?• The things we care about and need

• Need to identify the things that are critical to ensuring you can meet your “Why?”

• Host Intrusion Detection System (HIDS)• Application logs• System logs• Host network traffic• Create a network choke point to pass all traffic• Performance requirements• Etc.

Page 12: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Our "How?”• In our security monitoring environment, we identified the

following critical items that needed consideration:

• Alert latency

• Bandwidth and data transfer costs

• Reliability of log stream

• Deployment models:• (A) Local agent & alerting, Central correlation & archive• (B) Local agent, Central alerting, correlation & archive• (C) Agentless, Central collection, alerting, correlation, & archive

Page 13: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

More on our "How?"• Alert latency: Fire within 3 minutes of minutes of a “burglar

alarm” event – Part of our SSAE 16 control

• Bandwidth: Limit cost by using systems in zones/regions that have free (ideally) or minimal cost for large bandwidth usage

• Reliability: Ensure that logs are available in a central store by using a reliable transport

• Deploy model: Have use for all three models – Help to accommodate our PCI and SSAE 16 compliance

Page 14: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

How: Straight from the Source• Many cloud workloads are an application of some sort

• The best burglar alarms come from inside your house• Login, logout, lockout, signup• Authorization successes and failures• Role evolution• Resource consumption

• Work with developers to build monitoring into your application

Page 15: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Lastly you decide on the "What?"• After identifying "Why?" and "How?”• This is about finding technology solutions that fit into your

“How?” and meet your “Why?

• Identify limitations of the technologies that are available to you• Cost: What can you afford to do?• Platform support: Is the desired solution supported by your platform?• Product support: What type of product support will you need?• Education: Can you get adequate education on the solutions?

Vendor Products Open Source Internally Develop

Page 16: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Our “What?”• OSSEC standalone mode, rsyslog and RELP (Reliable Event

Logging Protocol)• Local agent, local alerting, central correlation, central archive• Allows for more detailed alerting on our Critical servers (e.g., database

servers)

• Commercial CloudPassage product Halo• Local agent, central alerting, central correlation, central archive• To meet PCI and give “additional” benefits for PCI compliance

• Syslog via RELP to a central log collector. OSSEC (server mode) for alerting and correlation

• Deploy central collectors in locations that meet the "bandwidth cost reduction" requirement

• Easiest for admin; deployed to all other systems

Page 17: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Global OSSEC: It’s easy• We use RightScale to configure every server to send syslogs to

central server• Use RightScale to scale syslog collectors as needed, and

launch OSSEC servers as needed• Use RightScale to configure Syslog servers to feed the “local”

OSSEC server• OSSEC configuration and rules are managed via Git for proper

source control• We tuned all the noise out prior to rolling into production: Burglar Alarms

are our focus

• Test new rules in Staging, then globally deploy to production with a click of a button

• The beauty of RightScale!

Page 18: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Local OSSEC: It’s focused• One one our SSAE16 controls relies on it• Use RightScale to install and configure OSSEC server in

standalone mode• OSSEC rules:

• Same as global rules• Plus a couple specific to actions we don’t expect on the critical servers• Also File Integrity Monitoring of certain critical files

• OSSEC configuration and rules are managed via Git for proper source control

• Test new rules in Staging, then globally deploy to production with a click of a button

Page 19: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

CloudPassage: Provides added benefits• Gives us alerting, plus more for our PCI compliance:

• Separation of duties• Configuration review• Malicious process watching• Host based firewall management*

• It is a known and accepted cloud security tool, that PCI auditors are comfortable with

Page 20: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

RELP caveats• “Reliable” implies…

• Buffered: extra disk and memory consumption at the source• Stateful: extra bandwidth consumption

• Gotcha’s• RELP is not compatible with TLS encryption, so had to use stunnel• Rsyslog versions built into distro’s are WAY behind• Have to tune the memory queues to avoid performance issues

• 10 MBps logs + rsyslogd memory buffering + network hiccup = log bomb!• Needed a lot of testing, since the docs never really said what did and didn't work.

• imfile plugin (which reads logs from apps that don't natively support syslog protocol) seems buggy when you give it a large file to consume

• This is PROBABLY fixed in a later version, but haven’t confirmed yet

Page 21: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

SSAE16 Control process• Working with the auditors we identified certain actions and

events that our customers would care about

• Need certain functionality on specific systems

• Need certain functionality for all systems in the platform

• We wrote custom OSSEC rules

Page 22: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Our OSSEC Burglar alarms• Focus was the database (imagine that) and systems that directly

access the database• Decided that implementing specific local alerting on the critical

systems was the best solution• Some examples of these type of alerts:

• Successful interactive login• Integrity of sensitive files• Failed login to the database itself• Failed DROP commands• Etc.

• There are a number of default OSSEC alerts that are noise in our environment, as we ignore

• 1002, 5710, 5706, 551, 5402, 17101, 5403, 5901, 5902, 17102

Page 23: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Conclusion• Must start with the "Why?" question

• Ease of administration, especially in a highly elastic IaaS environment, is very important

• Start with things you know are problems: limits false positives

Page 24: RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

#

#rightscale

Next Steps1. Learn: Read Phil’s blog

blog.rightscale.com/author/philcoxrs/

2. Learn more: Visit our security supportal

support.rightscale.com/Security

3. Try: Free Edition www.rightscale.com/free

Contact RightScale

(866) [email protected]

The next big RightScale Community Event!April 25-26 in San Francisco

www.RightScaleCompute.com• Attend technical breakout sessions

• Get RightScale training• Talk with RightScale customers• Ask questions at the Expert Bar