Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
6. Threats by Customer Industry Vertical
Source: Alert Logic CSR 2016
Share of incidents by type, per industry vertical:
Incident type          Finance-Insurance-Real Estate   Retail-Wholesale   Information Technology
APPLICATION ATTACK     29%                             56%                54%
BRUTE FORCE            48%                             25%                21%
RECON                  10%                             17%                22%
SUSPICIOUS ACTIVITY    11%                              0%                 1%
TROJAN ACTIVITY         2%                              2%                 2%
7. Security risk is shifting to unprotected web applications
Breaches by incident pattern (Source: Verizon):
• Web App Attacks: 908 (up 500% since 2014)
• POS Intrusions: 525
• Miscellaneous Errors: 197
• Privilege Misuse: 172
• Cyber-espionage: 155
• Everything Else: 125
• Payment Card Skimmers: 86
• Physical Theft / Loss: 56
• Crimeware: 49
• Denial of Service: 1
Web app attacks are now the #1 source of data breaches, but less than 5% of data center security budgets are spent on app security ($23 to $1; Source: Gartner).
8. Cloud Security is a Shared, but not Equal, Responsibility
CUSTOMER (application and host layers)
• Secure Coding and Best Practices
• Software and Virtual Patching
• Configuration Management
• Access Management (inc. Multi-factor Authentication)
• Application level attack monitoring
• Configuration Hardening
• Patch Management
• TLS/SSL Encryption
• Network Security Configuration
ALERT LOGIC (security services across the customer layers)
• Web Application Firewall
• Vulnerability Scanning
• Security Monitoring
• Log Analysis
• Network Threat Detection
MICROSOFT (infrastructure)
• Security Monitoring
• Logical Network Segmentation
• Perimeter Security Services
• External DDoS, spoofing, and scanning monitored
• Hypervisor Management
• System Image Library
• Root Access for Customers
• Managed Patching (PaaS, not IaaS)
10. 10 Best Practices for Security
1. Understand the Cloud Provider's Shared Responsibility Model
2. Secure your code
3. Create access management policies
4. Data Classification
5. Adopt a patch management approach
6. Review logs regularly
7. Build a security toolkit
8. Stay informed of the latest vulnerabilities that may affect you
9. Understand your cloud service provider's security model
10. Know your adversaries
11. 1. Understand the Cloud Provider's Shared Responsibility Model
The first step to securing cloud workloads is understanding the shared responsibility model.
Microsoft will secure most of the underlying infrastructure, including physical access to the datacenters, the servers and hypervisors, and parts of the networking infrastructure…but the customer is responsible for the rest.
Taken from the Shared Responsibility for Cloud Computing whitepaper, published by Microsoft in March 2016
12. 2. Secure Your Code
• Test every input that is reachable from the Internet
• Add delays or rate limits to your code to slow down bots
• Use encryption wherever you can (data in transit and at rest)
• Test third-party libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• DevSecOps
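The first and last points above (test Internet-facing inputs, limit what a query can do) are easiest to see side by side. The following is an added example, not code from the deck or from Alert Logic: the same user lookup written once with string concatenation and once with a bound parameter, plus an allow-list check at the trust boundary. The table, data, regex policy and payload are constructed for the example; sqlite3 stands in for Azure SQL.

```python
import re
import sqlite3

# Constructed for this example: a tiny user table standing in for Azure SQL.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("admin", "hash-b")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Injectable on purpose: the untrusted value becomes part of the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list validation at the trust boundary (hypothetical policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

# Classic tautology payload: closes the quote and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"

def demo() -> dict:
    """Run both lookups with the same payload and return what each yields."""
    conn = make_db()
    return {
        "validated": validate_username(PAYLOAD),
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),
        "safe": find_user_safe(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The concatenated query returns every row for the payload, the parameterised one returns none, and the allow-list rejects the payload before it reaches the database at all. Parameterisation is the fix; validation is defence in depth, not a substitute.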
13. 3. Create Secure Access Management Policies
• Simplify access controls (KISS)
• Lock down the admin account in Azure
• Enable MFA (Azure, hardware/software token)
• Identify data infrastructure that requires access (*lock down Azure SQL)
• Define roles and responsibilities (delegating service admins)
• Azure NSG (private vs public)
• Continually audit access (Azure Audit Logs)
• Start with a least privilege access model (RBAC); *avoid the Owner role unless absolutely necessary
• Don't store keys in code (e.g. secret keys)
• AAD Premium (*security analytics and alerting)
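"Continually audit access" and "avoid the Owner role" can be turned into a repeatable check. The following is an added example, not code from the deck or from Alert Logic: it audits Azure RBAC role assignments against a least-privilege policy. The records mimic the JSON shape returned by `az role assignment list --all -o json` (principalName, principalType, roleDefinitionName, scope) but are constructed here with fictional values, and the policy itself (approved break-glass Owners, no privileged role at subscription scope, no privileged built-in role on a service principal) is an assumption of the example, not an Azure default.

```python
import json
import re

# Constructed records in the shape `az role assignment list --all -o json` returns;
# principals, subscription id and resource group are fictional.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "breakglass@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "web-devs", "principalType": "Group",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"}
]
""")

PRIVILEGED_ROLES = {"Owner", "User Access Administrator", "Contributor"}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+/?$")
MANAGEMENT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/")

def scope_is_broad(scope: str) -> bool:
    """True for whole-subscription or management-group scope."""
    return bool(SUBSCRIPTION_SCOPE.match(scope) or MANAGEMENT_GROUP_SCOPE.match(scope))

def audit(assignments: list, owner_allowlist: frozenset = frozenset()) -> list:
    """Return (severity, principal, message) findings against the example policy:
    Owner only for approved break-glass principals; privileged roles never at
    subscription/management-group scope; no privileged built-in role on a
    service principal. The policy is this example's assumption."""
    findings = []
    for a in assignments:
        who, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        if role == "Owner":
            if who in owner_allowlist:
                continue  # documented exception, skip the remaining checks
            findings.append(("HIGH", who, f"Owner at {scope}; use Contributor plus a scoped role"))
        elif role in PRIVILEGED_ROLES and scope_is_broad(scope):
            findings.append(("MEDIUM", who, f"{role} at broad scope {scope}; narrow to a resource group"))
        if ptype == "ServicePrincipal" and role in PRIVILEGED_ROLES:
            findings.append(("MEDIUM", who,
                             f"service principal holds {role}; prefer a custom role with only the needed actions"))
    return findings

if __name__ == "__main__":
    for sev, who, msg in audit(SAMPLE_ASSIGNMENTS, frozenset({"breakglass@contoso.example"})):
        print(f"[{sev}] {who}: {msg}")
```

With the break-glass account allow-listed the sample yields three findings: the user-held Owner, and two for the pipeline service principal (Contributor at subscription scope, and a privileged built-in role on an automation identity). The group with Contributor on one resource group passes, which is the shape least privilege should take.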
14. 4. Data Classification
• Identify data repositories and mobile
backups
• Identify classification levels and
requirements
• Analyze data to determine classification
• Build Access Management policy around
classification
• Monitor file modifications and users
15. 5. Adopt a Patch Management Approach
• Use trusted images (*prevent users from launching untrusted images)
• Continuously scan your images for vulnerabilities and patch them
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability severity and likelihood of exploitation
• Test patches before you release them into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC
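The middle three steps (compare reported vulnerabilities to what is actually deployed, classify by severity and likelihood, then schedule) form one procedure. The following is an added example, not code from the deck or from Alert Logic, that carries it through end to end. The host inventory and the advisories are constructed (placeholder advisory IDs, not real CVEs), and the likelihood weights and action thresholds are an assumption of the example, not a published scoring standard.

```python
# Constructed inventory of production hosts and installed package versions.
INVENTORY = [
    {"host": "web-01", "internet_facing": True,
     "packages": {"openssl": "1.0.1", "nginx": "1.10.1"}},
    {"host": "app-01", "internet_facing": False,
     "packages": {"openssl": "1.0.1", "java": "8.0.91"}},
    {"host": "db-01", "internet_facing": False,
     "packages": {"openssl": "1.0.2"}},
]

# Constructed advisories (placeholder IDs, not real CVEs): versions below fixed_in are affected.
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "fixed_in": "1.0.2", "cvss": 7.5, "exploit_public": True},
    {"id": "ADV-0002", "package": "nginx", "fixed_in": "1.11.0", "cvss": 5.3, "exploit_public": False},
    {"id": "ADV-0003", "package": "java", "fixed_in": "8.0.101", "cvss": 9.8, "exploit_public": False},
]

def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '1.10.1' -> (1, 10, 1)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)

def likelihood(host: dict, adv: dict) -> float:
    """Crude exploitation likelihood; the weights are an assumption of this example."""
    score = 0.3
    if host["internet_facing"]:
        score += 0.5
    if adv["exploit_public"]:
        score += 0.2
    return min(score, 1.0)

def classify(risk: float) -> str:
    """Map the risk score to a patching action (thresholds assumed for the example)."""
    if risk >= 7.0:
        return "patch now"
    if risk >= 4.0:
        return "next cycle"
    return "scheduled"

def prioritize(inventory: list, advisories: list) -> list:
    """Match advisories to installed versions and rank by cvss x likelihood."""
    work = []
    for host in inventory:
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed is None or not is_affected(installed, adv["fixed_in"]):
                continue
            risk = round(adv["cvss"] * likelihood(host, adv), 2)
            work.append({"host": host["host"], "package": adv["package"],
                         "advisory": adv["id"], "installed": installed,
                         "fixed_in": adv["fixed_in"], "risk": risk,
                         "action": classify(risk)})
    return sorted(work, key=lambda w: w["risk"], reverse=True)

if __name__ == "__main__":
    for w in prioritize(INVENTORY, ADVISORIES):
        print(f"{w['risk']:>5} {w['action']:<10} {w['host']} {w['package']} "
              f"{w['installed']} -> {w['fixed_in']} ({w['advisory']})")
```

Note that the highest CVSS item (the internal Java host) ends up last: an exposed host with a public exploit for a medium-severity bug outranks an unreachable host with a critical one, which is exactly the "vulnerability and likelihood" point the slide makes. The patched database host produces no work item.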
16. 6. Log Management Strategy
• Why: monitoring for malicious activity, forensic investigations, compliance needs, system performance
• What: all sources of log data are collected and retained
  • Data types (Windows event logs, syslog)
  • Azure AD behavior
  • Azure Audit Logs (services, instances…activity, PowerShell)
  • Azure SQL logs
  • Azure App Services logs
• How: a defined review process, live monitoring, and correlation logic across sources
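The Azure Audit Logs line and the "correlation logic" line are where most of the value is, so the following is an added example, not code from the deck or from Alert Logic, of reviewing Activity Log records programmatically: a watch-list of high-risk operations, and one correlation (the same caller grants a role and then changes an NSG rule within a window). The records use a subset of the Activity Log schema (eventTimestamp, caller, operationName.value, status.value, resourceId) but the events themselves, the subscription id, the principals and the watch-list selection are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed Azure Activity Log records (subset of the schema); identifiers are fictional.
SAMPLE_EVENTS = json.loads("""
[
  {"eventTimestamp": "2016-11-01T08:02:00+00:00", "caller": "alice@contoso.example",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web-01"},
  {"eventTimestamp": "2016-11-01T09:00:00+00:00", "caller": "alice@contoso.example",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/ra-1"},
  {"eventTimestamp": "2016-11-01T09:12:00+00:00", "caller": "alice@contoso.example",
   "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-rdp"},
  {"eventTimestamp": "2016-11-01T09:30:00+00:00", "caller": "bob@contoso.example",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
   "status": {"value": "Succeeded"},
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/app-02"}
]
""")

# Operations worth a ticket on their own (the selection is this example's assumption).
WATCHLIST = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created or changed",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule created or changed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
}

def parse(events: list) -> list:
    """Flatten the nested records and sort them by time."""
    rows = [{
        "ts": datetime.fromisoformat(e["eventTimestamp"]),
        "caller": e["caller"],
        "op": e["operationName"]["value"],
        "status": e["status"]["value"],
        "resource": e["resourceId"],
    } for e in events]
    return sorted(rows, key=lambda r: r["ts"])

def watchlist_hits(rows: list) -> list:
    """Successful operations on the watch-list, one tuple per hit."""
    return [(r["ts"].isoformat(), r["caller"], WATCHLIST[r["op"]], r["resource"])
            for r in rows if r["op"] in WATCHLIST and r["status"] == "Succeeded"]

def privilege_then_network(rows: list, window: timedelta = timedelta(hours=1)) -> list:
    """Correlate: a caller writes a role assignment and then an NSG rule within the window."""
    grants = [r for r in rows if r["op"] == "Microsoft.Authorization/roleAssignments/write"]
    alerts = []
    for g in grants:
        for r in rows:
            if (r["caller"] == g["caller"]
                    and r["op"] == "Microsoft.Network/networkSecurityGroups/securityRules/write"
                    and g["ts"] < r["ts"] <= g["ts"] + window):
                alerts.append((g["caller"], g["ts"].isoformat(), r["ts"].isoformat(), r["resource"]))
    return alerts

def review(events: list) -> dict:
    rows = parse(events)
    return {"watchlist": watchlist_hits(rows), "sequences": privilege_then_network(rows)}

if __name__ == "__main__":
    result = review(SAMPLE_EVENTS)
    for hit in result["watchlist"]:
        print("WATCH", *hit)
    for seq in result["sequences"]:
        print("SEQUENCE", *seq)
```

On the sample, the two administrative writes raise individual watch-list hits, and the correlation ties them together because one caller did both within twelve minutes; shrinking the window to five minutes makes the correlation go quiet, which is the knob to tune against your own change-management cadence. In production the records would come from the Azure Monitor API rather than an inline string.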
17. 7. Build a Security Toolkit
• Recommended security solutions:
• Antivirus
• iptables / firewall
• Backups
• File Integrity Monitoring (FIM)
• Intrusion Detection System (VNET ingress/egress)
• Malware Detection
• Web Application Firewalls (inspection at Layer 7)
• Remote forensic imaging of hardware
• Future: deep packet forensics
• Web Filters
• Mail Filters
• Encryption Solutions
• Proxies
• Log collection
• SIEM Monitoring and Escalation
• Penetration Testing
18. 8. Stay Informed of the Latest Vulnerabilities
• Websites to follow
• http://www.securityfocus.com
• http://www.exploit-db.com
• http://seclists.org/fulldisclosure/
• http://www.securitybloggersnetwork.com/
• http://cve.mitre.org/
• http://nvd.nist.gov/
• https://www.alertlogic.com/weekly-threat-report/
19. 9. Understand Your Service Provider's Security Model
• Understand the security offerings from your provider
• Ask security vendors what their core service is
• Hypervisor exploits are patched by the service provider
• Prepare questions to use when evaluating cloud service providers
21. Threats are 24x7 = Security Operations 24x7
• Monitor intrusion detection and vulnerability scan activity
• Search for industry trends and deliver intelligence on lost or stolen data
• Collect data from OSINT and underground sources to deliver intelligence and content
• Identify and implement required policy changes
• Escalate incidents and provide guidance to the response team to quickly mitigate incidents
• Monitor for zero-day and new and emerging attacks
• Cross-product correlate data sources to find anomalies
23. Cloud Security is a Shared, but not Equal, Responsibility (recap of slide 8)
24. Vulnerabilities + Change + Shortage: complexity of defending web applications and workloads
Risks are moving up the stack:
1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd party development tools
4. Extreme shortage of cloud and application security expertise
Perimeter and end-point security tools fail to protect the cloud attack surface.
Attack classes: Web App Attacks (OWASP Top 10), Platform / Library Attacks, System / Network Attacks.
Stack layers (top to bottom): Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Databases, Networking, Cloud Management.
25. Focus requires full stack inspection…and complex analysis
Your data (app transactions, log data, network traffic) from every layer of the app stack (Web Apps through Cloud Management, the attack classes and layers of slide 24) is classified as Known Good, Known Bad or Suspicious, and the security decision follows: Allow, Block or Analyze.
26. Focus requires full stack inspection…and complex analysis
Two front-end stages feed the analysis: App + Config Assessment (known-bad exposures in the application and its configuration) and Collection Technology (app transactions, log data and network traffic from every layer of the app stack).
27. Integrated value chain delivering full stack security…
Your data from every layer of the app stack (app transactions, log data, network traffic) flows through App + Config Assessment and Collection Technology into Analytics: Signatures & Rules, Anomaly Detection and Machine Learning, applied to petabytes of normalized data from 4000+ customers.
28. Integrated value chain delivering full stack security, experts included
To the same pipeline (App + Config Assessment, Collection Technology, Analytics with Signatures & Rules, Anomaly Detection and Machine Learning over petabytes of normalized data from 4000+ customers), add 24/7 experts and process:
• Threat Intelligence
• Security Research
• Data Science
• Security Content
• Security Operations Center
29. Integrated value chain delivering full stack security, experts included: Alert Logic Cloud Defender
• Cloud Insight: assessment across the full app stack (Web Apps through Cloud Management) against Web App Attacks (OWASP Top 10), Platform / Library Attacks and System / Network Attacks
• Detection & Protection: Web Security Manager, Log Manager and Threat Manager, using Signatures & Rules, Anomaly Detection and Machine Learning
• ActiveWatch: 24/7 experts and process (Threat Intelligence, Security Research, Data Science, Security Content, Security Operations Center)
30. New capabilities focused on Web Attack Detection
1. Over 150 new web attack incidents
2. Improved OWASP Top 10 coverage powered by Anomaly Detection
3. Advanced SQL Injection detection powered by Machine Learning
Attack classes covered: Web App Attacks (OWASP Top 10), Platform / library attacks, App / System misconfiguration attacks.
Over 250 breaches detected in 2016.
31. Alert Logic solutions are easy to deploy
• Use a combination of host-based agents and appliances to collect network and application traffic
• Agents also collect logs from the VM
• Azure Activity Logs are collected via the Azure Monitor API
• Azure SQL or App Services logs are collected from Azure Storage accounts
• Appliances can be used to do internal scanning, or we can do external and PCI scanning from our cloud
32. HOW IT WORKS: Alert Logic Threat Manager for a 3-tier application stack + Azure SQL
Within one VNET / resource group: web traffic enters through an Application Gateway to the Web Tier (VM Scale Sets, autoscale), which calls the Application Tier (VM Scale Sets, autoscale), backed by an Azure SQL Database tier. SQL logs are written to an Azure Storage Table for collection, and an Alert Logic Threat Manager appliance VM sits in the VNET to inspect traffic.
33. 3-tier applications using VMs only
Two customer deployments (Customer A and Customer B), each with its own web traffic entry and its own VNET / resource group holding a Web Tier (VM Scale Sets, autoscale), an Application Tier (VM Scale Sets, autoscale) and a Database Tier of SQL VMs in Availability Sets, plus an Alert Logic Threat Manager appliance VM.
34. ARM Template automate appliance deployments
https://github.com/alertlogic/al-arm-templates
35. Agents can be baked into VM images, or automatically installed
using DevOps toolsets
https://supermarket.chef.io/cookbooks/al_agents
36. Alert Logic – a Leader in Forrester's 2016 NA MSSP Wave™
“Alert Logic has a head start in the cloud, and it shows. Alert Logic is an excellent fit for clients looking to secure their current or planned cloud migrations, clients requiring a provider that can span seamlessly between hybrid architectures, and those that demand strong API capabilities for integrations.”
- Forrester Wave™ Report
37. Addressing Customers with Compliance Requirements
Alert Logic Web Security Manager™
  PCI DSS:
  • 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
  • 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications
  SOX:
  • DS 5.10 Network Security
  • AI 3.2 Infrastructure resource protection and availability
  HIPAA & HITECH:
  • 164.308(a)(1) Security Management Process
  • 164.308(a)(6) Security Incident Procedures
Alert Logic Log Manager™
  PCI DSS:
  • 10.2 Automated audit trails
  • 10.3 Capture audit trails
  • 10.5 Secure logs
  • 10.6 Review logs at least daily
  • 10.7 Maintain logs online for three months
  • 10.7 Retain audit trail for at least one year
  SOX:
  • DS 5.5 Security Testing, Surveillance and Monitoring
  HIPAA & HITECH:
  • 164.308(a)(1)(ii)(D) Information System Activity Review
  • 164.308(a)(6)(i) Login Monitoring
  • 164.312(b) Audit Controls
Alert Logic Threat Manager™
  PCI DSS:
  • 5.1.1 Monitor zero day attacks not covered by anti-virus
  • 6.2 Identify newly discovered security vulnerabilities
  • 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change
  • 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
  SOX:
  • DS 5.9 Malicious Software Prevention, Detection and Correction
  • DS 5.6 Security Incident Definition
  • DS 5.10 Network Security
  HIPAA & HITECH:
  • 164.308(a)(1)(ii)(A) Risk Analysis
  • 164.308(a)(1)(ii)(B) Risk Management
  • 164.308(a)(5)(ii)(B) Protection from Malicious Software
  • 164.308(a)(6)(iii) Response & Reporting
Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting
38. Scalable Threat Intel Process Delivers Relevant Content
Input Sources: Honeynet, 3rd-party Intel, Vulnerabilities, Watchlists, Research, Telemetry
Threat Analytics Platform: Big Data
Analysis Techniques: Normalization, Fusion, Entity Resolution, Link Analysis, Clustering Analysis, Complex Analysis, Extraction
Key Service Capabilities: Reputation, Blacklists, Content Coverage, Incident Modeling, Intelligence Gathering, Relevant Vulnerabilities
Outcomes: Increased Contextual Awareness, Increased Incident Understanding
39. Stopping Imminent Data Exfiltration
Customer Type: Retail
Threat Type: Advanced SQL Injection
COMPROMISE ACTIVITY: discovered through inspection of 987 log messages indicative of a SQL injection attack
INCIDENT ESCALATION (8 min): partner and customer notified with threat source information and remediation tactics
FURTHER ANALYSIS (2 hours): Alert Logic analyst confirms user IDs and password hashes leaked as part of the initial attack
EXFILTRATION ATTEMPT PREVENTED (6 hours): partner works with customer to mitigate compromised accounts
40. Preventing Ransomware Spread
Customer Type: Retail
Threat Type: Ransomware
SUSPICIOUS ACTIVITY: Cryptowall detected on a key gateway server in over 1,400 events (6,000 packets)
INCIDENT ESCALATION (14 min): critical risk of lateral movement through shared drives identified
LATERAL MALWARE MOVEMENT PREVENTED (6 hours): analyst performs forensic review of an additional 8,000 log messages and 1,400 events, identifying additional attack vectors through related events
41. To Follow our Research & Contact Information
Blog
https://www.alertlogtic.com/resources/blog
Newsletter
https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report
https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine
https://www.alertlogic.com/zerodaymagazine/
Twitter
@AlertLogic
For More Information on Alert Logic Solutions
Chris Camaclang
ccamaclang@alertlogic.com
206-673-4387