Azure 101: Shared responsibility in the Azure Cloud
1 like•571 views
The document discusses shared security responsibilities in Azure, emphasizing that while Microsoft secures much of the infrastructure, customers must manage security for their applications and data. It outlines various security best practices, threats such as web application attacks, and the shifting risk landscape. Additionally, it provides a comprehensive set of recommendations for securing cloud workloads, including understanding the shared responsibility model, adopting patch management, and regularly reviewing logs.
Azure 101: Shared responsibility in the Azure Cloud
- 1. SHARED SECURITY RESPONSIBILITY IN AZURE Speaker - Chris Camaclang
- 2. Agenda • Intro + Housecleaning + Surveys • Hybrid Cloud Landscape • Threat Landscape • Security Best Practices • Alert Logic Solutions and Value
- 3. Hybrid Cloud Today CLOUD FALLOVER (DIFFERENT GEOGRAPHY) INTERNALEXTERNAL PRIVATE CLOUD PUBLIC CLOUD DEMO SITES MOBILE PHONES PROSPECT CUSTOMER BIZ PARTNER MANAGER PM ARCHITECT DEVELOPER SUPPORT SMART PHONE SMART TV TABLET/iPAD DESKTOP CLOUDTOPNOTEBOOK NETBOOK PRODUCTION STAGING QA DEV/TEST DEMO SITESPERFORMANCE TESTING IT + DEV SUPP SERVICES OFFICE SERVICES TIM/TAM SERVICES DESKTOP SERVICES MONITORING SERVICES BIZ. SUPP. SERVICES TRANSFORMATION SERVICES ADOBE LC SERVICES MESSAGING SERVICES SECURITY SERVICES BIZ. INT. SERVICES CODE MANAGEMENT SERVICES TIM/TAM SERVICES MONITORING SERVICES SECURITY SERVICES PERFORMANCE TESTING SECURETUNNEL SECURETUNNEL SECURETUNNEL SECURE TUNNEL SECURE TUNNEL
- 4. The Impact of a Breach is Far-Reaching and Long-Lived THE CYBER KILL CHAIN¹ THE IMPACT Financial loss Harm brand and reputation Scrutiny from regulators IDENTIFY & RECON INITIAL ATTACK COMMAND & CONTROL DISCOVER & SPREAD EXTRACT & EXFILTRATE 1. http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster COMPANIES OF ALL SIZES ARE IMPACTED
- 6. Threats by Customer Industry Vertical Source: Alert Logic CSR 2016 29% 48% 10% 11% 2% Finance-Insurance-Real Estate APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 56%25% 17% 0% 2% Retail-Wholesale APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY 54% 21% 22% 1% 2% Information Technology APPLICATION ATTACK BRUTE FORCE RECON SUSPICIOUS ACTIVITY TROJAN ACTIVITY
- 7. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
- 8. Cloud Security is a Shared, but not Equal, Responsibility • Security Monitoring • Log Analysis • Vulnerability Scanning • Network Threat Detection • Security Monitoring • Logical Network Segmentation • Perimeter Security Services • External DDOS, spoofing, and scanning monitored • Hypervisor Management • System Image Library • Root Access for Customers • Managed Patching (PaaS, not IaaS) • Web Application Firewall • Vulnerability Scanning • Secure Coding and Best Practices • Software and Virtual Patching • Configuration Management • Access Management (inc. Multi-factor Authentication) • Application level attack monitoring • Access Management • Configuration Hardening • Patch Management • TLS/SSL Encryption • Network Security Configuration CUSTOMER ALERT LOGICMICROSOFT
- 10. 10 Best Practices for Security 1. Understand the Cloud Providers Shared Responsibility Model 2. Secure your code 3. Create access management policies 4. Data Classification 5. Adopt a patch management approach 6. Review logs regularly 7. Build a security toolkit 8. Stay informed of the latest vulnerabilities that may affect you 9. Understand your cloud service providers security model 10. Know your adversaries
- 11. 1. Understand the Cloud Providers Shared Responsibility Model The first step to securing cloud workloads is understanding the shared responsibility model Microsoft will secure most of the underlying infrastructure, including the physical access to the datacenters, the servers and hypervisors, and parts of the networking infrastructure…but the customer is responsible for the rest. Taken from the Shared Responsibility for Cloud Computing whitepaper, published by Microsoft in March 2016
- 12. 2. Secure Your Code • Test inputs that are open to the Internet • Add delays to your code to confuse bots • Use encryption when you can • Test libraries • Scan plugins • Scan your code after every update • Limit privileges • DevSecOps
- 13. 3. Create Secure Access Management Policies • Simplify access controls (KISS) • Lock down Admin account in Azure • Enable MFA (Azure, hardware/software token) • Identify data infrastructure that requires access (*Lock down AzureSQL) • Define roles and responsibilities (delegating service admins) • Azure NSG (private vs public) • Continually audit access (Azure Audit Logs) • Start with a least privilege access model (RBAC) *avoid owner role unless absolutely necessary • Don’t store keys in code (e.g. secret keys) • AAD Premium – (*Security analytics and alerting)
- 14. 4. Data Classification • Identify data repositories and mobile backups • Identify classification levels and requirements • Analyze data to determine classification • Build Access Management policy around classification • Monitor file modifications and users
- 15. 5. Adopt a Patch Management Approach • Use trusted images (*Prevent users from launching untrusted images) • Constantly scan all vulnerabilities in your images and patch them • Compare reported vulnerabilities to production infrastructure • Classify the risk based on vulnerability and likelihood • Test patches before you release into production • Setup a regular patching schedule • Keep informed, follow bugtraqer • Follow a SDLC
- 16. 6. Log Management Strategy • Monitoring for malicious activity • Forensic investigations • Compliance needs • System performance • All sources of log data is collected and retained • Data types (Windows, Syslog) • Azure AD behavior • Azure Audit Logs (services, instances…activity, powershell) • Azure SQL Logs • Azure App Services Logs • Review process • Live monitoring • Correlation logic
- 17. 7. Build a Security Toolkit • Recommended Security Solutions • Antivirus • IP tables/Firewall • Backups • FIM • Intrusion Detection System (VNET ingress/egress) • Malware Detection • Web Application Firewalls (inspection at Layer 7) • Forensic Image of hardware remotely • Future Deep Packet Forensics • Web Filters • Mail Filters • Encryption Solutions • Proxies • Log collection • SIEM Monitoring and Escalation • Penetration Testing
- 18. 8. Stay Informed of the Latest Vulnerabilities • Websites to follow • http://www.securityfocus.com • http://www.exploit-db.com • http://seclists.org/fulldisclosure/ • http://www.securitybloggersnetwork.com/ • http://cve.mitre.org/ • http://nvd.nist.gov/ • https://www.alertlogic.com/weekly-threat-report/
- 19. 9. Understand Your Service Providers Security Model • Understand the security offerings from your provider • Probe into the Security vendors to find their prime service • Hypervisor exploits are patched by the service provider • Questions to use when evaluating cloud service providers
- 20. 10. Understand your Adversaries
- 21. Threats are 24x7 = Security Operations 24x7 Monitor intrusion detection and vulnerability scan activity Search for Industry trends and deliver intelligence on lost or stolen data Collect data from OSINT and Underground Sources to deliver Intelligence and Content Identify and implement required policy changes Escalate incidents and provide guidance to the response team to quickly mitigate Incidents Monitor for Zero-Day and New and Emerging attacks Cross product correlate data sources to find anomalies
- 23. Cloud Security is a Shared, but not Equal, Responsibility • Security Monitoring • Log Analysis • Vulnerability Scanning • Network Threat Detection • Security Monitoring • Logical Network Segmentation • Perimeter Security Services • External DDOS, spoofing, and scanning monitored • Hypervisor Management • System Image Library • Root Access for Customers • Managed Patching (PaaS, not IaaS) • Web Application Firewall • Vulnerability Scanning • Secure Coding and Best Practices • Software and Virtual Patching • Configuration Management • Access Management (inc. Multi-factor Authentication) • Application level attack monitoring • Access Management • Configuration Hardening • Patch Management • TLS/SSL Encryption • Network Security Configuration CUSTOMER ALERT LOGICMICROSOFT
- 24. Vulnerabilities + Change + Shortage Complexity of defending web applications and workloads Risks are moving up the stack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Perimeter & end-point security tools fail to protect cloud attack surface Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
- 25. Block Analyze Allow Your Data Focus requires full stack inspection…and complex analysis Known Good Known Bad Suspicious Security DecisionYour App Stack Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Threats App Transactions Log Data Network Traffic Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management
- 26. APP+CONFIG ASSESMENT Your Data Focus requires full stack inspection…and complex analysis Known Bad Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks App Transactions Log Data Network Traffic Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management COLLECTION TECHNOLOGY
- 27. Your Data Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks App Transactions Log Data Network Traffic Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management APP+CONFIG ASSESMENT COLLECTION TECHNOLOGY Integrated value chain delivering full stack security… Signatures & Rules Anomaly Detection Machine Learning ANALYTICS Petabytes of normalized data from 4000+ customers
- 28. Your Data Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks App Transactions Log Data Network Traffic Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management APP+CONFIG ASSESMENT COLLECTION TECHNOLOGY Signatures & Rules Anomaly Detection Machine Learning ANALYTICS Integrated value chain delivering full stack security, experts included Petabytes of normalized data from 4000+ customers • Threat Intelligence • Security Research • Data Science • Security Content • Security Operations Center 24/7 EXPERTS & PROCESS
- 29. Web App Attacks OWASP Top 10 Platform / Library Attacks System / Network Attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Databases Networking Cloud Management CLOUD INSIGHT Signatures & Rules Anomaly Detection Machine Learning Integrated value chain delivering full stack security, experts included • Threat Intelligence • Security Research • Data Science • Security Content • Security Operations Center ACTIVEWATCHDETECTION & PROTECTION Web Security Manager Log Manager Threat Manager ALERT LOGIC CLOUD DEFENDER
- 30. New capabilities focused on Web Attack Detection 1 Over 150 new web attack incidents 2 Improved OWASP Top 10 Coverage powered by Anomaly Detection 3 Advanced SQL Injection Detection powered by Machine Learning Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Attacks Over 250 breaches detected in 2016
- 31. Alert Logic solutions are easy to deploy • Use a combination of host based agents and appliances to collect network and application traffic • Agents also collect logs from the VM • Azure Activity Logs are collected via the Azure Monitor API • Azure SQL or App Services Logs are collected from Azure storage accounts • Appliances can be used to do internal scanning, or we can do external and PCI scanning from our cloud
- 32. HOW IT WORKS: Alert Logic Threat Manager for 3 Tier Application Stack + Azure SQL VNET RESOURCE GROUP Alert Logic Web Traffic Threat Manager Appliance AutoScale AutoScale Azure SQL Database Tier Azure Storage Table SQL Logs Application Tier VM ScaleSets Web Tier VM ScaleSets Application Gateway VM
- 33. 3-Tier applications using VMs only VNET RESOURCE GROUP Web Traffic Customer B Alert Logic Threat Manager Appliance VM AutoScale Application Tier VM ScaleSets AutoScale Web Tier VM ScaleSets Database Tier SQL VM AvailabilitySets VNET RESOURCE GROUP AutoScale Application Tier VM ScaleSets AutoScale Web Tier VM ScaleSets Database Tier SQL VM AvailabilitySets Web Traffic Customer A
- 34. ARM Template automate appliance deployments https://github.com/alertlogic/al-arm-templates
- 35. Agents can be baked into VM images, or automatically installed using DevOps toolsets https://supermarket.chef.io/cookbooks/al_agents
- 36. Alert Logic – a Leader in Forrester’s 2016 NA MSSP WAVETM “Alert Logic has a head start in the cloud, and it shows. Alert Logic is an excellent fit for clients looking to secure their current or planned cloud migrations, clients requiring a provider than can span seamlessly between hybrid architectures, and those that demand strong API capabilities for integrations.” - Forrester WAVETM Report
- 37. Addressing Customers with Compliance Requirements Alert Logic Solution PCI DSS SOX HIPAA & HITECH Alert Logic Web Security Manager™ • 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others • 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public- facing web applications. • DS 5.10 Network Security • AI 3.2 Infrastructure resource protection and availability • 164.308(a)(1) Security Management Process • 164.308(a)(6) Security Incident Procedures Alert Logic Log Manager™ • 10.2 Automated audit trails • 10.3 Capture audit trails • 10.5 Secure logs • 10.6 Review logs at least daily • 10.7 Maintain logs online for three months • 10.7 Retain audit trail for at least one year • DS 5.5 Security Testing, Surveillance and Monitoring • 164.308 (a)(1)(ii)(D) Information System Activity Review • 164.308 (a)(6)(i) Login Monitoring • 164.312 (b) Audit Controls Alert Logic Threat Manager™ • 5.1.1 Monitor zero day attacks not covered by anti-virus • 6.2 Identify newly discovered security vulnerabilities • 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change • 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date • DS5.9 Malicious Software Prevention, Detection and Correction • DS 5.6 Security Incident Definition • DS 5.10 Network Security • 164.308 (a)(1)(ii)(A) Risk Analysis • 164.308 (a)(1)(ii)(B) Risk Management • 164.308 (a)(5)(ii)(B) Protection from Malicious Software • 164.308 (a)(6)(iii) Response & Reporting Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting
- 38. Scalable Threat Intel Process Delivers Relevant Content FUSIONNORMALIZATION ENTITY RESOLUTION LINK ANALYSIS CLUSTERING ANALYSIS COMPLEX ANALYSIS EXTRACTION HONEYNET 3RD-PARTY INTEL VULNERABILITIES WATCHLISTS RESEARCH TELEMETRY Big Data ReputationReputation BlacklistsBlacklists Content CoverageContent Coverage Incident ModelingIncident Modeling Intelligence GatheringIntelligence Gathering Relevant VulnerabilitiesRelevant Vulnerabilities Increased Contextual Awareness Increased Contextual Awareness Increase Incident Understanding Increase Incident Understanding Key Service CapabilitiesAnalysis TechniquesThreat Analytics PlatformInput Sources
- 39. Stopping Imminent Data Exfiltration INCIDENT ESCALATION Partner and customer notified with threat source information and remediation tactics 8 min FUTHER ANALYSIS Alert Logic Analyst confirms user IDs and password hashes leaked as part of initial attack 2 hours EXFILTRATION ATTEMPT PREVENTED Partner works with customer to mitigate compromised accounts 6 hours COMPROMISE ACTIVITY Discovered through inspection of 987 log messages indicative of a SQL injection attack Customer Type: Retail Threat Type: Advanced SQL Injection
- 40. Preventing Ransomware Spread INCIDENT ESCALATION Critical risk of lateral movement through shared drives identified 14 min LATERAL MALWARE MOVEMENT PREVENTED Analyst performs forensic review of additional 8,000 log messages and 1,400 events that identifies additional attack vectors through related events 6 hours SUSPICOUS ACTIVITY Cryptowall detected on key gateway server in over 1,400 events (6,000 Packets) Customer Type: Retail Threat Type: Ransomware
- 41. To Follow our Research & Contact Information Blog https://www.alertlogtic.com/resources/blog Newsletter https://www.alertlogic.com/weekly-threat-report/ Cloud Security Report https://www.alertlogic.com/resources/cloud-security-report/ Zero Day Magazine https://www.alertlogic.com/zerodaymagazine/ Twitter @AlertLogic For More Information on Alert Logic Solutions Chris Camaclnag [email protected] 206-673-4387
- 42. Thank you.