SlideShare una empresa de Scribd logo

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

Alert Logic
Alert Logic

- The document discusses reducing attack surfaces, particularly in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls and that cloud attack surfaces differ from on-premises environments. - Web application attacks are now the leading cause of data breaches, but less than 5% of security budgets are spent on application security. Various case studies of breaches are presented that resulted from vulnerabilities in web applications and misconfigurations in cloud infrastructure. - Common issues discussed include vulnerabilities in WordPress, exposed AWS S3 buckets, and credential compromises. The importance of rapidly detecting and eliminating threats is also covered.

Tecnología
1 de 24
Descargar para leer sin conexión
Thank you.
Thank you.Reducing Your Attack Surface Ryan Holland – Senior Director of Cloud Architecture, Alert Logic
Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
Real world view from our SOC
#2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Exploited a WordPress/PHP vulnerability in 2013 Where are they now? Sold to Verizon. Valuation revised by $350M
Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
AWS S3 Data Leaks Due To Misconfigurations
#4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
Cloud Insight Essentials check Misconfigurations
Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
Attack Surface Factors
Importance of Eliminating Dwell Time
The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study
Thank you.

Recomendados

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 

Recomendados

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface
Reducing Your Attack SurfaceReducing Your Attack Surface
Reducing Your Attack Surface
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
Alert Logic
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment#ALSummit: Architecting Security into your AWS Environment
#ALSummit: Architecting Security into your AWS Environment
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach#ALSummit: Cyber Resiliency: Surviving the Breach
#ALSummit: Cyber Resiliency: Surviving the Breach
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017Realities of Security in the Cloud - CSS ATX 2017
Realities of Security in the Cloud - CSS ATX 2017
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
 
#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration#ALSummit: Live Cyber Hack Demonstration
#ALSummit: Live Cyber Hack Demonstration
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model#ALSummit: Amazon Web Services: Understanding the Shared Security Model
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017
 

Similar a Reducing Your Attack Surface & Your Role in Cloud Workload Protection

Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
Sreerag Gopinath
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 

Similar a Reducing Your Attack Surface & Your Role in Cloud Workload Protection (20)

Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the CloudCloud Security or: How I Learned to Stop Worrying & Love the Cloud
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Escalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deployEscalation defenses ad guardrails every company should deploy
Escalation defenses ad guardrails every company should deploy
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Novinky F5
Novinky F5Novinky F5
Novinky F5
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
PASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat ModelingPASTA: Risk-centric Threat Modeling
PASTA: Risk-centric Threat Modeling
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 

Más de Alert Logic

Más de Alert Logic (19)

Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Spotlight: Rent-A-Center
Security Spotlight: Rent-A-CenterSecurity Spotlight: Rent-A-Center
Security Spotlight: Rent-A-Center
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Security Spotlight: Presidio
Security Spotlight: PresidioSecurity Spotlight: Presidio
Security Spotlight: Presidio
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
CSS 2018 Trivia
CSS 2018 TriviaCSS 2018 Trivia
CSS 2018 Trivia
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
The Intersection of Security and DevOps
The Intersection of Security and DevOpsThe Intersection of Security and DevOps
The Intersection of Security and DevOps
 
Security Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola CompanySecurity Spotlight: The Coca Cola Company
Security Spotlight: The Coca Cola Company
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Security Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas AzureSecurity Implications of the Cloud - CSS Dallas Azure
Security Implications of the Cloud - CSS Dallas Azure
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas AzureMicrosoft Azure Security Overview - Microsoft - CSS Dallas Azure
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Reducing Your Attack Surface & Your Role in Cloud Workload Protection

  • 2. Thank you.Reducing Your Attack Surface Ryan Holland – Senior Director of Cloud Architecture, Alert Logic
  • 3. Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
  • 4. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
  • 5. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
  • 6. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
  • 7. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
  • 8. What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
  • 9. Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
  • 10. Real world view from our SOC
  • 11. #2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Exploited a WordPress/PHP vulnerability in 2013 Where are they now? Sold to Verizon. Valuation revised by $350M
  • 12. Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
  • 13. Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
  • 14. Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
  • 15. #3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
  • 16. AWS S3 Data Leaks Due To Misconfigurations
  • 17. #4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
  • 18. 60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
  • 19. Cloud Insight Essentials check Misconfigurations
  • 20. Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
  • 23. The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study