Implementing high-velocity security best practices.
A STEP-BY-STEP GUIDE TO RUNNING SECURE, COMPLIANT AND OPERATIONALLY EFFICIENT IN AWS.
THE STATE OF CLOUD SECURITY
INFRASTRUCTURE HAS CHANGED

It's no surprise that as more businesses move to the cloud, Infrastructure-as-a-Service (IaaS) is growing rapidly along with it. IaaS allows businesses to improve efficiency, reduce risk, tighten controls and lower costs by providing a new, elastic infrastructure that grows and shrinks with the needs of a business. IaaS lets you host all the hardware, software, servers and storage you need. This new infrastructure is consistent and uniform in design and makes deployment, upgrades and maintenance much easier to manage.

Amazon Web Services (AWS), the leader in IaaS, offers one of the most flexible and highly scalable cloud-computing platforms on the market today. Its popularity and growing user base were underscored when it surpassed 1 million visitors in November 2014.[1]

However, the security required for cloud computing demands a much more sophisticated, "hands off" approach than that of the traditional on-premises data center. For all the benefits the cloud has to offer, there is still a lot of uncertainty around:
• The level of security provided by cloud vendors
• How to identify and report on lost or stolen data
• The best way to gain visibility into who is accessing cloud data and applications
Figure 1: Gartner Cloud Security Survey. "What is your No. 1 issue with security and privacy in public cloud?" (vertical axis: No. of Responders, 0 to 30). Response categories:
• Insider attack by cloud provider administrators
• Multitenant infrastructure means competitors might be able to see my workloads or data
• Data may be lost if the cloud service crashes
• The cloud service may be unavailable for extended periods
• Data may be lost if the cloud provider goes out of business
• Unclear liability if there is an attack and loss of data
• Lack of confidence in the cloud provider's security capabilities
• Lack of visibility into who is accessing your data and applications
• Governments may have access to my data without my consent
• Clouds are attractive targets for hackers; they concentrate risk
NEW SECURITY CHALLENGES ABOUND
How do you implement security controls in the cloud when you have replaced the network edge with a virtual perimeter, so there is no longer an egress point at which to deploy your traditional hardware solutions? Cloud-based infrastructure requires modern security and a software-only approach to solve the problem. Traditional intrusion detection/prevention systems (IDS/IPS), unified threat management (UTM) and next-generation firewalls that require physical access will not work in this remote environment. Amazon provides and secures the basic infrastructure (locks on data centers, restricted access to hardware, etc.), but it is your responsibility to secure the data that runs on it. Many customers today store critical personal information, including healthcare and financial details, in files or databases on specific virtual machines. In addition to sensitive customer data, many files contain intellectual property such as proprietary designs or processes. Given the amount of sensitive data saved in the cloud, continuous security monitoring and the ability to contextualize data to provide insight into breaches and potential threats has become essential.
THREATS ARE REAL
As recent news headlines tell us, efforts to protect the cloud from attacks often fail. After attackers compromised the AWS account of Code Spaces, a cloud-based hosting platform that enabled development and collaboration for software teams, it was forced out of business. Within 12 hours, the company's Apache Subversion repositories and Elastic Block Store volumes and nearly all of its virtual machines were destroyed. By the time the company reclaimed its dashboard, the attackers had created alternative AWS logins, weakening the overall security of the system further. At that point, the company decided its best course of action was to shut down and help its customers migrate any recoverable data to other services.[2]

One More Cloud, another hosted provider, fared better. The company had a mislabeled, old API that a third-party collaborator may have had access to. For one week, the company struggled to regain control of its dashboard and recover its customer accounts. One More Cloud remains operational today.[3]

More recently, the Ashley Madison data breach demonstrated the danger of storing AWS tokens and SSL certificates in the cloud without sufficient monitoring systems. This provided the data breach attackers with free rein over the online service and its data.[4] These examples are cautionary tales of the dangers of running fast in the cloud without the proper security measures in place.
UNDERSTANDING THE MOST COMMON THREATS
The first step to ensure your company doesn't meet the same fate as Code Spaces is to understand the most common threats to your cloud infrastructure:
DATA LOSS / INSIDER THREATS
Without proper vigilance and insight, suspicious behavior such as accessing or copying data without permission may go unnoticed. Oftentimes, bad actors are within the organization and may be missed by existing, outward-facing security solutions. In addition to customer records, cloud instances sometimes contain copies of internal configurations. These might include passwords, certificates and encryption keys—the many "keys to the kingdom." The data breach at Ashley Madison, for example, revealed AWS credentials hard-coded into various files. The presence of AWS tokens may have allowed those responsible for the data breach to access all Ashley Madison digital assets, including emails and other sensitive documents.[5] To catch this kind of activity, keep a record of deep system activity around logins, processes, system activity and file changes; that record is what lets you trigger alerts on insider activity.
EXTERNAL THREATS / ZERO-DAY ATTACKS / ADVANCED PERSISTENT THREATS
In addition to internal threats, there are external threats as well. However, the external threat today might not be Chinese hackers but people putting up boxes quickly and misconfiguring those virtual machines. Another threat is a side-channel attack. While side-channel attacks are typically carried out by measuring some observable state in hardware, they can also be carried out in the cloud, in this case by placing an attacking VM alongside a target VM co-located on the same physical machine. One attack works by flushing the shared cache and then waiting for the target VM to refill it with new data, which the attackers then steal. Other attacks target the overall integrity of the image in the cloud.

Leaving a port open or escalating a privilege can also expose data in the cloud to malware. According to Symantec, only one in five malware samples will terminate if it is running on a virtual machine, meaning most malware today will run in the cloud.[6] In 2009, some AWS servers hosted copies of the banking Trojan Zeus before they were shut down.[7] Some threats leverage previously unknown vulnerabilities, known as zero-days, or launch multiple phases of attacks over time in what's known as Advanced Persistent Threats (APTs). A recent Ponemon report finds that diminished brand or reputation due to an APT attack could cost an organization an estimated $9.4 million.[8]
A 10-STEP PLAN TO BETTER CLOUD SECURITY
How can you stay out of the “cloud security breach” headlines? We’ve compiled a checklist of best practices and key considerations to guard against these attacks in the cloud.
1. INTEGRATE SECURITY INTO YOUR CONTINUOUS DEPLOYMENT
Embrace security and DevOps best practices by leveraging configuration management tools (Chef, Puppet, Ansible, Salt) that enable automation of software, updates and patches. Make sure your software-defined security can leverage these tools as well for improved security coverage.

2. SCALE WITHOUT HARDWARE RESTRAINTS
As you spin up or down new boxes in the cloud, you need security that can scale with your business with no additional hardware (Amazon Machine Images). You need a security solution that knows AWS thoroughly, not one ported into the cloud. And preferably, the solution integrates and auto-scales with AWS.

3. DEPLOY INTELLIGENT SECURITY THAT RESPONDS TO CHANGE
As threats evolve, your protection needs to be agile and (to prevent false positives) contextual. Signature-based protection is static, filtering only what is known, and only effective when it is updated and current. A better approach is to employ a behavior-based solution, capable of identifying new or anomalous activity so you can stay on top of zero-day attacks and new behaviors that threaten your security posture.

4. GO BEYOND LOGS
While logs are essential, they often provide only a narrow view of what's going on. It is one thing to see who is entering and leaving the building and quite another to know what they are doing once they are inside. Typical network-based intrusion detection (NIDS) doesn't give you much to work with after the compromise. Typically, the ability to identify behavior leading up to an attack is limited.

5. IDENTIFY SUSPICIOUS USER BEHAVIOR
It's important to catch suspicious user behaviors early. For example, sometimes developers unintentionally copy files from the production server. You need to be informed when such activity occurs and take corrective actions.

6. MAINTAIN A POSTURE OF CONTINUOUS COVERAGE
To stay on top of your ever-changing AWS environment, you need continuous data, not random polling. Specifically, you need detection up and down the kill chain of any compromise so that you can stop the bad activity before it causes too much damage.

7. TAKE AN INSIDE-OUT PERSPECTIVE
If you don't know what's happening on a host or workload, you need more knowledge from more sources than just an IDS log. For example, you need to know more than the fact that a certain packet went out over the wire. In order to determine an appropriate response, you need a solution that shows you specific events, over time, on specific servers.

8. PROTECT AGAINST THE INSIDER THREAT
Should an incident occur, it is important to understand the bad actors, either internal or external. What are the unauthorized process connections? Were there any unauthorized installs? And who has been accessing or copying key files? Prior to the compromise, were there abnormal login attempts and failures? Maybe some unauthorized external connections? Where are unauthorized commands being run? When you need to make fact-based judgments, you need a trail of logins, processes, network activity and file changes to answer the who, what, where, when and why.

9. GET AN EARLY WARNING ABOUT ZERO-DAY THREATS
Zero-day attacks are best detected through behavioral analysis and heuristic testing. Understanding how different events, when taken together, might produce an undesirable result is critical to security these days. Behavioral analysis can also be used to identify internal threats. For that, you need historical data for both current and transient instances across your AWS infrastructure.

10. DEFEND LIKE AN ATTACKER
Apply the Cyber Kill Chain® to your internal security process to remediate threats before they compromise your security and data.
DEFEND LIKE AN ATTACKER: APPLY THE CYBER KILL CHAIN®

Before you solve security in the cloud, you first have to understand how attackers work. You need a solution that maps to and addresses the attack vectors of a breach. You need to think like the bad guys to defeat them.

The stages of the Cyber Kill Chain®, with the detection goals and indicators that accompany them:

1. RECONNAISSANCE
   Get An Early Warning: scanning activity; abnormal login attempts/failures; wide open security groups
2. WEAPONIZATION
3. DELIVERY
   Uncover Zero-Day Exploits: launching new processes or kernel modules; user session information; process stops
4. EXPLOITATION
   Recognize Unauthorized Actions: escalation of user privileges; unauthorized installs; new users added/deleted; suspicious commands; changes to security groups
5. INSTALLATION
   Detect Advanced Persistent Threats: external connections for command and control; user session information; process stops
6. COMMAND & CONTROL
   Verify Data Is Safe: copying of customer/personal data; copying of intellectual property; copying of internal configuration, passwords, certs and keys
7. ACTION ON OBJECTIVES
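The kill-chain mapping above, turned into detection logic as an added example (not Threat Stack's code): it sorts a set of constructed host and AWS events into the five detection goals listed above. The event fields, the failed-login threshold, the sensitive paths and the internal address ranges are assumptions.

```python
"""Sort constructed host and AWS events into the detection goals of the
kill-chain mapping above.  Added example, not Threat Stack's code: the
event fields, thresholds and sensitive paths are assumptions."""
from collections import Counter, defaultdict

FAILED_LOGIN_THRESHOLD = 5                 # assumption: per (user, source)
SENSITIVE_PATHS = ("/etc/ssl/private/", "/root/.aws/", "/etc/shadow")
INTERNAL_NETS = ("10.", "192.168.")        # assumption: RFC 1918 ranges in use

# Constructed sample events, not real telemetry.
EVENTS = [
    *([{"type": "login", "user": "deploy", "src": "198.51.100.7", "ok": False}] * 5),
    {"type": "login", "user": "deploy", "src": "198.51.100.7", "ok": True},
    {"type": "process", "user": "deploy", "cmd": "sudo insmod /tmp/x.ko"},
    {"type": "process", "user": "deploy", "cmd": "useradd -m svc2"},
    {"type": "security_group", "change": "ingress 0.0.0.0/0 tcp 22"},
    {"type": "connect", "user": "svc2", "dst": "203.0.113.9", "port": 8443},
    {"type": "file", "user": "svc2", "op": "read", "path": "/etc/ssl/private/server.key"},
    {"type": "file", "user": "www", "op": "read", "path": "/var/www/index.html"},
]


def classify(events):
    """Return {detection goal: [alert text]} for the events that match."""
    alerts = defaultdict(list)
    # Reconnaissance indicator: repeated login failures from one source.
    failures = Counter((e["user"], e["src"]) for e in events
                       if e["type"] == "login" and not e["ok"])
    for (user, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts["early_warning"].append(f"{n} failed logins for {user} from {src}")
    for e in events:
        if e["type"] == "process":
            argv = e["cmd"].split()
            if argv and argv[0] == "sudo":          # escalation of user privileges
                alerts["unauthorized_actions"].append(
                    f"privilege escalation by {e['user']}: {e['cmd']}")
                argv = argv[1:]
            head = argv[0] if argv else ""
            if head in ("insmod", "modprobe"):      # new kernel module
                alerts["zero_day_exploit"].append(f"kernel module load: {e['cmd']}")
            if head in ("useradd", "userdel"):      # new users added/deleted
                alerts["unauthorized_actions"].append(f"user added/deleted: {e['cmd']}")
        elif e["type"] == "security_group":         # changes to security groups
            alerts["unauthorized_actions"].append(f"security group change: {e['change']}")
            if "0.0.0.0/0" in e["change"]:           # wide open security group
                alerts["early_warning"].append(f"wide open security group: {e['change']}")
        elif e["type"] == "connect" and not e["dst"].startswith(INTERNAL_NETS):
            alerts["apt"].append(f"external connection {e['user']} -> {e['dst']}:{e['port']}")
        elif e["type"] == "file" and e["op"] == "read" and e["path"].startswith(SENSITIVE_PATHS):
            alerts["data_safety"].append(f"{e['user']} read {e['path']}")
    return dict(alerts)


if __name__ == "__main__":
    for goal, items in classify(EVENTS).items():
        print(goal, "->", items)
```

Run stand-alone it prints one line per detection goal; a single event (the `sudo insmod` process start) can land in two goals, which is the point of reading events in context rather than one log line at a time.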
A SOLUTION BUILT IN AWS TO SERVE AWS
A smarter approach to security in the cloud starts with a solution that auto-scales to meet the demands of elastic infrastructure, supports thousands of instances and provides continuous coverage so you can scale with confidence. Threat Stack arms AWS customers with unique and unparalleled visibility into the processes, users and file activity within your infrastructure. Agents monitor all the activity associated with your servers and provide the full details and context that lead to actionable insights around workload security. Threat Stack surfaces previously undiscovered or overlooked information to give you useful alerts and actionable recommendations.
HOW DOES THREAT STACK WORK?
Our lightweight agent installs in the user space of the Linux operating system. Our agent deploys in minutes using your favorite automation software—Chef, Puppet, or Ansible—so security is no longer the bottleneck for operational efficiency. The workload security begins the moment the agent is deployed. By residing at the infrastructure level, Threat Stack agents are optimally positioned to oversee system activity and record activity history. Running an agent on the system itself means they capture the really deep information that agentless security solutions simply cannot provide. The data from the underlying Linux kernel is the ultimate authority when it comes to knowing exactly what's happening in your cloud infrastructure.

Threat Stack constantly watches and records deep system activity around logins, processes, system activity and file changes to ensure that nothing out of the ordinary happens without your knowledge. The Threat Stack agent pulls that data from the Linux kernel file system and adds metadata to the events collection. This data is communicated securely to our big-data-analytics-powered backend. There we get to work, peeling back the onion to discover any suspicious activity.

Figure 2: Threat Stack continuous security monitoring for your cloud.

Threat Stack brings that rich, contextual data to your fingertips, along with intelligent, security-relevant analytics gleaned by our backend.
HOW IS THREAT STACK DIFFERENT FROM SIEM?
Traditional SIEMs only aggregate log data. Additionally, they use signatures to pull out log data that could be the basis for alerts. Threat Stack also aggregates events, but differs from SIEM by storing all events and providing a rich context for your analysis.

In the world of the auto-scaling cloud, machines appear and disappear. Sometimes you need to look back to de-construct the story of what happened. Our "User Session Tracking" feature enables you to rewind, zoom in and play back any user's actions at any point in time, even if the machine no longer exists. Events can be color-coded for easy reference. And our source and destination port tracking allows you to follow a user throughout your network, including through jump hosts. Threat Stack is built to handle the scale and processing power needed to retain this kind of audit history by taking care of the analytics and data retention.

Another advantage of having all that historical data is that in the event of a compromise, Threat Stack allows you to investigate what was used for the exploit. Similarly, if you have an employee leave the company, you can go back and see what—if anything—happened leading up to that departure.

Once deployed, Threat Stack lets you focus on your full-time job, knowing that it auto-scales with your environment to make sure you are always covered. It's the perfect security solution for organizations that embrace DevOps in order to rapidly improve their applications and services.
SCALE YOUR BUSINESS WITH CONFIDENCE
Infrastructure-as-a-Service (IaaS) is growing rapidly, but cloud computing requires much more sophisticated security than traditional perimeter-based computing. Cloud-based infrastructure requires modern security and a software-only approach. While Amazon provides and secures the basic infrastructure (locks on data centers, restricted access to hardware, etc.), it is your responsibility to secure the data that runs on it.

Today the most common threats to your cloud infrastructure include data loss, insider threats, external threats, zero-day attacks and Advanced Persistent Threats (APTs). Keeping data secure in the cloud requires continuous yet agile monitoring. Also essential is the ability to contextualize data to provide insight into breaches and potential threats.

Threat Stack agents are optimally positioned to oversee system activity and record activity history. Like SIEM, Threat Stack aggregates events, but it also stores all events to provide a richer context for your threat analysis. This enables you to replay events, even from machines that no longer exist.

Threat Stack understands that no two companies running in AWS are exactly alike. We've designed our service offerings to provide the ultimate in flexibility when selecting a continuous security monitoring solution for your organization. Choose from three application packages (basic, advanced, pro) based on your needs and feature set. Next, select a storage option, offered in 2-, 7-, 10-, 15- and 30-day data retention periods. Finally, decide whether you want to manage the service yourself or put Threat Stack's team of experts to work for you by adding our managed security service, Oversight. Whether you're a small, early-stage startup, an established fast-growing SaaS brand, or a large enterprise transitioning to the cloud, Threat Stack has you covered every step of the way so you can scale with confidence.
TO LEARN MORE OR START A FREE TRIAL, visit ThreatStack.com
[1] http://www.zdnet.com/article/aws-with-more-than-1-million-active-customers-were-your-stack/
[2] http://www.pcworld.com/article/2365602/hacker-puts-full-redundancy-codehosting-firm-out-of-business.html
[3] http://www.information-age.com/technology/cloud-and-virtualisation/123458406/catastrophe-cloud-what-aws-hacks-mean-cloud-providers
[4] https://blog.gaborszathmari.me/2015/09/07/credentials-in-the-ashley-madison-sources/
[5] http://www.pcworld.com/article/2981226/credentials-stored-in-ashley-madisons-source-code-might-have-helped-attackers.html
[6] http://www.symantec.com/connect/blogs/does-malware-still-detect-virtual-machines
[7] https://aws.amazon.com/security/security-bulletins/zeus-botnet-controller/
[8] https://securityintelligence.com/media/2014-ponemon-study-economic-impact-advanced-persistent-threats-apts/