SECURITY IN MICROSOFT AZURE

Transcription

SECURITY IN MICROSOFT AZURE
Marija Strazdas – Sr. Solutions Engineer

Infrastructure Has Changed (timeline: early 2000's, mid 2000's, now)
Buying Hardware → Infrastructure As Code

Cybercrime Has Also Changed (timeline: early 2000's, mid 2000's, now)
Single Actors → Highly Organized Groups

Today’s Attacks Have Several Stages

Modern Bank Robbery – The Carbanak APT
- Over 1 Billion total stolen
- Losses per bank range from 2.5 Million to 10 Million
- Stealing money directly rather than through sale of stolen data
- Targets banks rather than endpoints
- Attacks multiple banking service channels: databases, ATMs, e-payment systems
Source: /Carbanak APT eng.pdf

Lasers!!! - Making Cars Slam on the Brakes 60

Internet of Things - Car Edition

Internet of Things – Human Body Edition
Boston, Meet Stan. Stan, Meet Boston.

Case Study: Tewksbury Police Department
Attack:
- Phishing email ("package delivered – click this link for details")
- Employee clicked, malware was launched
- Attacker gained access and encrypted data on mapped servers
- Ransom demand of only 500 (if a million people give you 1, you have 1 million)
Impact:
- Total police operations disruption
- Reverted to broken manual processes
- No access to arrest records/warrants
- Unable to conduct ID verification
- Five days with no computing
- Public and private security experts unable to decrypt; no technical mitigation

Ransomware as a Managed Service – Ransom32
- Hacking Staff Aug
- Tracking Dashboard
- BitCoin Payment Alerts
- Malware Configuration Assistance
- Zero Days Used
- You Got a Target List? – We'll give you a finder's fee
- Customize the Ransom Amount
- Customize the Ransom Message

If Ransomware Hits – Haggle!
- Act quickly before they pack up
- Most attackers are happy with a much lesser amount
- In larger cases, the FBI recommends professional negotiators be hired

THE GOOD NEWS

Research Shows – You're Better Off In The Cloud
"Public cloud workloads can be at least as secure as those in your own data center, likely better."
– Neil MacDonald, Gartner Security and Risk Management Summit

The security built into Azure meets the requirements of several compliance frameworks
Attestations for Microsoft Azure

Cloud Security is a Shared Responsibility
Microsoft: Hypervisor Management; System Image Library; Root Access for Customers; Managed Patching (PaaS, not IaaS); Logical Network Segmentation; Perimeter Security Services; External DDoS, spoofing, and scanning monitored
Customer: Secure Coding and Best Practices; Software and Virtual Patching; Configuration Management; Web Application Firewall; Application Scanning; Security Monitoring; Log Analysis; Vulnerability Management; Network Packet Inspection; Access Management (inc. Multi-factor Authentication); Application level attack monitoring; Configuration Hardening; Patch Management; TLS/SSL Encryption; Network Security Configuration

The 5 Key Components for Cloud Security
1. Achieve Visibility
2. Keep Logs
3. Address Vulnerabilities
4. Limit Access
5. Automate

1. Achieve Visibility

2. Keep Logs
Everything you do in Azure is an API call:
- New VM created
- VM spun down
- Security group deleted / changed
- Azure AD user created
- Azure AD role modified
- Failed console logins
- Tag modified

3. Address Vulnerabilities
% of Global 2000 organizations vulnerable to Heartbleed in August 2014: 76%; April 2015: 74%
(Illustrated: Shellshock, Heartbleed)
Source: SC Magazine: hreat/article/407803/

Patching Involves The Whole Stack
Web Apps; Server-side Apps; App Frameworks; Dev Platforms; Databases; Server OS; Cloud Management; Hypervisor; Networking

4. Limit Access
(Example groups: Digital, Marketing, Finance)
Least Privilege Model
RBAC allows for granular access control at the resource level

5. Automate
Rather than drawing a picture each time, use a printing press.
Security can be baked into the process

Data Security and Access Management
- Lock down the Admin account in Azure
- Enable MFA (Azure, hardware/software token)
- Start with a least privilege access model (e.g. use RBAC); avoid the Owner role unless absolutely necessary
- Identify data infrastructure that requires access (e.g. lock down Azure SQL)
- Azure NSG (private vs public)
- Continually audit access (Azure Activity Logs)
- AAD Premium (security analytics and alerting)
- Manage with secure workstations (e.g. DMZ, MGMT)
- Protect data in transit and at rest
- Encrypt Azure Virtual Machines
- Enable SQL Data Encryption
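The "Keep Logs" slide and the "continually audit access (Azure Activity Logs)" item both rest on the same fact: every Azure action is an API call that lands in the Activity Log. As an added example (not part of the deck or of any Alert Logic product), the script below triages constructed Activity Log records for the event types the slide lists; the record layout (eventTimestamp, caller, operationName.value, status.value, resourceId) follows the Activity Log schema, while the callers, IDs and records are made up.

```python
# Added example, not from the deck: triage constructed Azure Activity Log
# records for the operations the "Keep Logs" slide lists. Field names follow
# the Activity Log schema; callers, subscription and resource IDs are made up.
import json
from collections import Counter

WATCHED = {  # operation name -> description used in the alert
    "Microsoft.Compute/virtualMachines/write": "VM created or updated",
    "Microsoft.Compute/virtualMachines/deallocate/action": "VM spun down",
    "Microsoft.Network/networkSecurityGroups/delete": "security group deleted",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "security group rule changed",
    "Microsoft.Authorization/roleAssignments/write": "role assignment modified",
    "Microsoft.Resources/tags/write": "tag modified",
}

def load_export(text):
    """Parse a JSON-lines export of Activity Log records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(records, failure_threshold=3):
    """Return alert strings: one per successful watched operation, plus one
    summary per caller whose failed operations reach failure_threshold."""
    alerts, failures = [], Counter()
    for r in records:
        op, caller = r["operationName"]["value"], r.get("caller", "<unknown>")
        if r["status"]["value"] != "Succeeded":
            failures[caller] += 1  # failed calls are logged too; bursts deserve a look
            continue
        if op in WATCHED:
            alerts.append(f"{r['eventTimestamp']} {caller}: {WATCHED[op]} on {r['resourceId']}")
    for caller, n in failures.items():
        if n >= failure_threshold:
            alerts.append(f"{caller}: {n} failed operations (misuse or broken automation?)")
    return alerts

def _rec(ts, caller, op, status, resource):  # constructed record in Activity Log layout
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": resource}

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
VM, NSG = "Microsoft.Compute/virtualMachines", "Microsoft.Network/networkSecurityGroups"
SAMPLE = [  # constructed sample: a change burst followed by a failing deployment identity
    _rec("2016-05-01T10:00:00Z", "ops@example.com", VM + "/write", "Succeeded", f"{RG}/providers/{VM}/web1"),
    _rec("2016-05-01T10:02:00Z", "ops@example.com", NSG + "/delete", "Succeeded", f"{RG}/providers/{NSG}/web-nsg"),
    _rec("2016-05-01T10:03:00Z", "contractor@example.com", "Microsoft.Authorization/roleAssignments/write", "Succeeded", RG),
    _rec("2016-05-01T10:04:00Z", "contractor@example.com", VM + "/read", "Succeeded", f"{RG}/providers/{VM}/web1"),
] + [_rec(f"2016-05-01T10:0{i}:00Z", "svc-deploy", VM + "/write", "Failed", f"{RG}/providers/{VM}/app1") for i in (5, 6, 7)]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Routing these alerts to a ticket or chat channel is the "Achieve Visibility" step; the same loop works on a real export once the records come from the Activity Log API instead of SAMPLE.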

Additional Azure-Specific Security Best Practices
- Logically segment subnets
- Control routing behavior
- Enable Forced Tunneling (e.g. forcing internet traffic through on-premise and/or DC)
- Use virtual network appliances (e.g. FW, IDS/IPS, AV, web filtering, application ELB)
- Deploy DMZs for security zoning
- Optimize uptime and performance
- Use global load balancing
- Disable RDP or SSH access to Azure Virtual Machines
- Enable Azure Security Center
- Extend your datacenter into Azure
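"Disable RDP or SSH access to Azure Virtual Machines" and the earlier "Azure NSG (private vs public)" item come down to what the network security group's inbound rules actually allow. As an added example (not from the deck or from Alert Logic), the code below evaluates a constructed NSG rule set the way Azure does, lowest priority number first and first match wins, including Azure's built-in default rules, and reports which admin ports the Internet can reach; the rule keys follow the NSG securityRules properties, the rule names and values are made up.

```python
# Added example, not from the deck: evaluate an NSG's inbound rules the way
# Azure does (lowest priority number wins, first match decides) and report
# whether RDP (3389) or SSH (22) is reachable from the Internet. The rule
# set is constructed; keys follow the NSG securityRules properties.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

DEFAULT_INBOUND = [  # Azure's built-in default rules; user rules take precedence
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def port_matches(port_range, port):
    """Port ranges look like "*", "22" or "3389-3390"."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def effective_access(rules, port, protocol="Tcp"):
    """Decide Allow/Deny for Internet-sourced traffic to one port.
    Returns (access, rule name); the first match in priority order wins."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        if r["sourceAddressPrefix"] in INTERNET_SOURCES and port_matches(r["destinationPortRange"], port):
            return r["access"], r["name"]
    return "Deny", "<implicit>"

def exposed_admin_ports(rules):
    """Admin ports (SSH 22, RDP 3389) that the Internet can reach under these rules."""
    return [p for p in (22, 3389) if effective_access(rules, p)[0] == "Allow"]

SAMPLE_RULES = [  # constructed: a common "quick fix" that opens RDP to the world
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "deny-ssh", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
]
HARDENED_RULES = [r for r in SAMPLE_RULES if r["name"] != "allow-rdp-any"]  # RDP rule removed

if __name__ == "__main__":
    print("exposed:", exposed_admin_ports(SAMPLE_RULES), "after fix:", exposed_admin_ports(HARDENED_RULES))
```

Once the RDP rule is gone, the built-in DenyAllInBound rule is what answers for port 3389, which is the state the slide's "disable RDP or SSH access" item asks for; administrative access then goes through a management workstation or DMZ as the earlier slide suggests.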

Thank you.

ALERT LOGIC SOLUTIONS

What Organizations Hope To Achieve (desired capability: tooling; content; expertise)
- Protect web apps: Web application firewall (WAF); whitelists, blacklists; WAF rules expert
- Identify network threats: Intrusion detection/protection; signatures, rules; network security expert
- Uncover incidents of compromise in logs: Log management; log parsers and correlation rules; log analyst expert
- Discover advanced multivector attacks: Threat analytics platform; taxonomy, correlation rules; correlation rules expert
- Find vulnerabilities: Vulnerability management; CVE coverage; scanning expert
- Threat intel and security content: Databases, information management, malware; emerging threats, zero days, malware; expert knowledge of the criminal underground
- 24x7 monitoring and analysis: Analysis tools; incident information; security analysts
- Availability and performance monitoring: Middleware, APIs, and monitoring tools; availability and performance metrics; network ops experts, system admins

Cloud Security is a Shared Responsibility
Microsoft: Hypervisor Management; System Image Library; Root Access for Customers; Managed Patching (PaaS, not IaaS); Logical Network Segmentation; Perimeter Security Services; External DDoS, spoofing, and scanning monitored
Alert Logic: Web Application Firewall; Vulnerability Scanning; Security Monitoring; Log Analysis; Network Threat Detection
Customer: Secure Coding and Best Practices; Software and Virtual Patching; Configuration Management; Access Management (inc. Multi-factor Authentication); Application level attack monitoring; Configuration Hardening; Patch Management; TLS/SSL Encryption; Network Security Configuration

Focus requires full stack inspection and complex analysis
Your App Stack: Web Apps; Server-side Apps; App Frameworks; Dev Platforms; Databases; Server OS; Cloud Management; Hypervisor; Networking
Threats: Web App Attacks (OWASP Top 10); Platform / Library Attacks; System / Network Attacks
Your Data: App Transactions; Log Data; Network Traffic
Security Decision: Known Good → Allow; Suspicious → Analyze; Known Bad → Block

Over 4,100 Organizations Worldwide Trust Alert Logic
Industries: Automotive; Healthcare; Technology; Energy & Chemicals; Financial Services; Media/Publishing; Non-Profit

HOW IT WORKS: Alert Logic Threat Manager for a 3-Tier Application Stack
Components in one Azure resource group and VNET: Application Gateway (web traffic entry point); Web Tier (VM Scale Sets, AutoScale); Application Tier (VM Scale Sets, AutoScale); Database Tier (Azure SQL); Azure Storage Table (SQL logs); Alert Logic Threat Manager appliance VM

3-Tier applications using VMs only
Customer A and Customer B each have their own resource group and VNET: web traffic into a Web Tier (VM Scale Sets, AutoScale), an Application Tier (VM Scale Sets, AutoScale) and a Database Tier (SQL VM, Availability Sets). The Alert Logic Threat Manager appliance VM sits in its own VNET alongside the two customer environments.

Agents can be baked into VM images, or automatically installed using DevOps toolsets
https://supermarket.chef.io/cookbooks/al_agents

ARM Template automate appliance mplates

Addressing Customers with Compliance Requirements (Alert Logic solution mapped to PCI DSS, SOX and HIPAA & HITECH)
Alert Logic Web Security Manager
- PCI DSS 6.5.d: Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
- PCI DSS 6.6: Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications
- SOX: DS 5.10 Network Security; AI 3.2 Infrastructure resource protection and availability
- HIPAA & HITECH: 164.308(a)(1) Security Management Process; 164.308(a)(6) Security Incident Procedures
Alert Logic Log Manager
- PCI DSS 10.2: Automated audit trails; 10.3: Capture audit trails; 10.5: Secure logs; 10.6: Review logs at least daily; 10.7: Maintain logs online for three months; 10.7: Retain audit trail for at least one year
- SOX: DS 5.5 Security Testing, Surveillance and Monitoring
- HIPAA & HITECH: 164.308(a)(1)(ii)(D) Information System Activity Review; 164.308(a)(6)(i) Login Monitoring; 164.312(b) Audit Controls
Alert Logic Threat Manager
- PCI DSS 5.1.1: Monitor zero day attacks not covered by anti-virus; 6.2: Identify newly discovered security vulnerabilities; 11.2: Perform network vulnerability scans quarterly by an ASV or after any significant network change; 11.4: Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
- SOX: DS 5.9 Malicious Software Prevention, Detection and Correction; DS 5.6 Security Incident Definition; DS 5.10 Network Security
- HIPAA & HITECH: 164.308(a)(1)(ii)(A) Risk Analysis; 164.308(a)(1)(ii)(B) Risk Management; 164.308(a)(5)(ii)(B) Protection from Malicious Software; 164.308(a)(6)(iii) Response & Reporting
Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting

Stopping Imminent Data Theft
Customer Type: Retail. Threat Type: Advanced SQL Injection
- 8 min – Compromise activity: discovered through inspection of 987 log messages indicative of a SQL injection attack
- 2 hours – Incident escalation: partner and customer notified with threat source information and remediation tactics
- 6 hours – Further analysis: Alert Logic analyst confirms user IDs and password hashes leaked as part of initial attack
- Exfiltration attempt prevented: partner works with customer to mitigate compromised accounts
