
What do you mean I have to secure this thing?!


Presented at Code Beam STO 2018

An overview of how to handle security of an application deployment - for the development team who is told to secure an application after they've shipped it.

Chad Gibbons

June 01, 2018


Transcript

  1. WHAT DO YOU MEAN I HAVE TO SECURE THIS THING?!
    Chad Gibbons, Distinguished Engineer, Code Beam STO 2018
  2. Who is Alert Logic?
    Security-as-a-Service Solution Provider
    - Monitor and ingest customer data – lots of it
    - Analyze and detect security vulnerabilities and incidents
    - Security Operations Center expert analysis and guidance
  3. What is this all about?
    You’ve shipped an application and now you’re told to secure it, or realize you have to.
  4. Some Important Points about Security
    Securing an application is not just following secure coding practices.
    Security posture is a sliding scale and not a destination.
  5. What even is Deployment Security?
    There’s PCI (payment card industry) compliance… There’s ISO 27001… There’s the ever-vague security best practices…
  6. Caution!
    Beware: some vendors, consultants, and analysts will frequently over-hype the requirements, driving you towards more complex solutions that do not actually improve your security posture.
  7. Identify Your Risk
    Risk Classification Criteria
    High
    • Contains customer data
    • Contains sensitive employee data such as PII
    • Contains production credentials
    • Outage would be customer impacting
    Moderate
    • Contains sensitive data such as product source code, internal product and/or service research and/or development
    • Outage would impact internal business operations
    • No connectivity to accounts with a higher security risk classification
    Low
    • Contains no customer or sensitive data
    • Outage would not impact service delivery or internal business operations
    • No connectivity to accounts with a higher security risk classification
  8. Configuration & Vulnerability Scanning
    These tools examine your infrastructure and software to determine if any vulnerabilities exist.
    Cloud environments make these tools extremely effective.
  9. Log Management
    Collect all application and system logs from all systems.
    Enables active and ad-hoc auditing via search.
  10. Use Controls that Match Risk
    Tooling required per risk classification:
    High
    • Config & Vulnerability Scanning
    • Log Monitoring
    • IDS
    • WAF
    • Firewalls
    Moderate
    • Config & Vulnerability Scanning
    • Log Monitoring
    • Firewalls
    Low
    • Config Scanning
    • Firewalls
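Slides 7 and 10 together describe a small decision procedure: classify each account or environment, then require the tooling that matches the tier. The following Python is an added example, not code from the talk or from Alert Logic, that encodes both tables and reports where deployed controls fall short. The `Account` fields, the `connects_to` list (used for the "no connectivity to accounts with a higher security risk classification" rule) and the sample inventory are constructed for the example.

```python
"""Classify deployment accounts into the risk tiers of slide 7 and check
them against the tooling required per tier on slide 10.

Added example, not code from the talk or from Alert Logic. The Account
fields, the 'connects_to' list and the sample inventory are constructed."""
from dataclasses import dataclass, field

# Tooling required per tier (slide 10). 'Config & Vulnerability Scanning'
# is split into two controls so the low tier can require config scanning only.
REQUIRED_CONTROLS = {
    "high": {"config_scanning", "vuln_scanning", "log_monitoring", "ids", "waf", "firewall"},
    "moderate": {"config_scanning", "vuln_scanning", "log_monitoring", "firewall"},
    "low": {"config_scanning", "firewall"},
}
TIER_RANK = {"low": 0, "moderate": 1, "high": 2}


@dataclass
class Account:
    name: str
    customer_data: bool = False
    employee_pii: bool = False
    production_credentials: bool = False
    outage_customer_impacting: bool = False
    internal_sensitive_data: bool = False   # source code, R&D material
    outage_impacts_internal_ops: bool = False
    connects_to: list = field(default_factory=list)  # names of peer accounts
    controls: set = field(default_factory=set)       # controls deployed today


def intrinsic_tier(acct):
    """Tier from the account's own contents and outage impact (slide 7)."""
    if (acct.customer_data or acct.employee_pii
            or acct.production_credentials or acct.outage_customer_impacting):
        return "high"
    if acct.internal_sensitive_data or acct.outage_impacts_internal_ops:
        return "moderate"
    return "low"


def classify(accounts):
    """Return {name: tier}. Slide 7 only allows moderate/low for accounts with
    no connectivity to a higher-risk account, so an account is raised to the
    tier of any peer it connects to; iterate to a fixed point so that chains
    of connections propagate."""
    tiers = {a.name: intrinsic_tier(a) for a in accounts}
    changed = True
    while changed:
        changed = False
        for a in accounts:
            for peer in a.connects_to:
                peer_tier = tiers.get(peer, "low")
                if TIER_RANK[peer_tier] > TIER_RANK[tiers[a.name]]:
                    tiers[a.name] = peer_tier
                    changed = True
    return tiers


def control_gaps(accounts):
    """Return {name: sorted missing controls} for accounts whose deployed
    controls fall short of what their tier requires."""
    tiers = classify(accounts)
    gaps = {}
    for a in accounts:
        missing = REQUIRED_CONTROLS[tiers[a.name]] - a.controls
        if missing:
            gaps[a.name] = sorted(missing)
    return gaps


# Constructed inventory: a customer-facing API, a build farm that can reach
# it, and an isolated sandbox.
SAMPLE_ACCOUNTS = [
    Account("prod-api", customer_data=True, outage_customer_impacting=True,
            controls={"config_scanning", "vuln_scanning", "log_monitoring", "firewall"}),
    Account("build-farm", internal_sensitive_data=True, connects_to=["prod-api"],
            controls={"config_scanning", "vuln_scanning", "log_monitoring", "firewall"}),
    Account("sandbox", controls={"config_scanning", "firewall"}),
]

if __name__ == "__main__":
    for name, tier in classify(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {tier}")
    for name, missing in control_gaps(SAMPLE_ACCOUNTS).items():
        print(f"{name} is missing: {', '.join(missing)}")
```

The build farm is intrinsically moderate (it holds source code) but is raised to high because it can reach the production API; that is the point of the connectivity rule on slide 7, and it is why both accounts end up needing IDS and a WAF.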
  11. Protect your Deployment
    Use a network firewall.
    Use a Web Application Firewall that offers active protection for web applications.
  12. Implement Secure Access Controls
    Use a strong access control policy for users and systems.
    Audit privileged access to critical environments.
  13. Use Systems Management Best Practices
    Keep your software systems up to date!
    - In cloud deployments, you should not have special servers, so this should be very easy...
    Back up your data.
    Metric & log storage and auditing.
  14. Use Least Privileged Access
    Cloud APIs make this easier and much more powerful than before.
    With security policies you can declaratively and precisely control which operations an application may perform on which resources.
  15. Data Encryption
    Absolutely do encryption-in-transit, and make sure staff understands the technology.
    Encryption-at-rest, yes – but judiciously.
  16. Use Configuration and Vulnerability Scanning Tools
    Crucial for all risk profiles.
    Most attacks occur because of configuration issues and known vulnerabilities.
  17. What You Are Likely to Find
    Top 10 AWS Configuration Errors
    1. Unencrypted AMI Discovered
    2. Unencrypted EBS Volume
    3. S3 Logging Not Enabled
    4. Un-configured EC2 Instance Single-Point-of-Failure and/or Auto Scaling Issue
    5. S3 Object Versioning is not Enabled
    6. Unrestricted Outbound Access on All Ports
    7. User not Configured for MFA
    8. User Access Key not Configured with Rotation
    9. IAM Policies are Attached Directly to User
    10. Dangerous User Privileged Access to S3
    Top 10 Scanning Vulnerabilities
    1. Web Service is Running
    2. SSL – Server Supports Weak SSL Ciphers
    3. ICMP Timestamp Request
    4. TLS 1.0 & TLS 1.1 Weak Encryption Protocol
    5. TCP Timestamp
    6. SSL – Certificate Hostname Discrepancy
    7. CVE-2013-2566 RC4 Plaintext Recovery Issue
    8. CVE-2004-2761 MD5 – Hash-collision Issue
    9. SSL Protocol – BEAST Attack – Server-Side Mitigation
    10. Certificate Authenticity & Trust Chain Validation Issue
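Slides 8, 16 and 17 describe what a configuration scanner does and what it typically finds. The Python below is an added example, not the speaker's or Alert Logic's scanner, that evaluates a snapshot of cloud inventory against six of the configuration errors listed on slide 17 (unencrypted EBS volumes, S3 logging and versioning, unrestricted egress, users without MFA, unrotated access keys, and policies attached directly to users). The inventory schema is invented for the example; a real scanner would fill it from the provider's describe/list APIs. The 90-day key-age threshold is an assumption, and the snapshot itself is constructed.

```python
"""Evaluate a cloud inventory snapshot against several of the 'Top 10 AWS
Configuration Errors' on slide 17.

Added example, not the speaker's or Alert Logic's scanner. The inventory
schema is invented for this example, the 90-day key age is an assumed
rotation policy, and SAMPLE_INVENTORY is constructed."""
from datetime import date

KEY_MAX_AGE_DAYS = 90  # assumed rotation policy


def check_ebs(inv):
    """Slide 17 #2: EBS volumes without encryption."""
    return [f"Unencrypted EBS volume: {v['id']}"
            for v in inv.get("ebs_volumes", []) if not v.get("encrypted")]


def check_s3(inv):
    """Slide 17 #3 and #5: bucket logging and object versioning."""
    findings = []
    for b in inv.get("s3_buckets", []):
        if not b.get("logging"):
            findings.append(f"S3 logging not enabled: {b['name']}")
        if not b.get("versioning"):
            findings.append(f"S3 object versioning not enabled: {b['name']}")
    return findings


def check_security_groups(inv):
    """Slide 17 #6: an egress rule open to the world on every protocol/port.
    The provider's convention of protocol '-1' meaning 'all' is assumed."""
    findings = []
    for sg in inv.get("security_groups", []):
        for rule in sg.get("egress", []):
            if rule.get("cidr") == "0.0.0.0/0" and rule.get("protocol") == "-1":
                findings.append(f"Unrestricted outbound access on all ports: {sg['id']}")
                break
    return findings


def check_iam_users(inv, today):
    """Slide 17 #7, #8 and #9: MFA, key rotation, directly attached policies."""
    findings = []
    for u in inv.get("iam_users", []):
        if not u.get("mfa"):
            findings.append(f"User not configured for MFA: {u['name']}")
        for key in u.get("access_keys", []):
            age = (today - date.fromisoformat(key["created"])).days
            if age > KEY_MAX_AGE_DAYS:
                findings.append(
                    f"Access key not rotated ({age} days): {u['name']}/{key['id']}")
        if u.get("attached_policies"):
            findings.append(f"IAM policies attached directly to user: {u['name']}")
    return findings


def scan(inv, today):
    """Run every check and return the combined list of finding strings."""
    return (check_ebs(inv) + check_s3(inv) + check_security_groups(inv)
            + check_iam_users(inv, today))


# Constructed inventory snapshot (ids, names and dates are made up).
SAMPLE_INVENTORY = {
    "ebs_volumes": [{"id": "vol-0001", "encrypted": True},
                    {"id": "vol-0002", "encrypted": False}],
    "s3_buckets": [{"name": "app-logs", "logging": True, "versioning": True},
                   {"name": "app-uploads", "logging": False, "versioning": False}],
    "security_groups": [
        {"id": "sg-web", "egress": [{"cidr": "0.0.0.0/0", "protocol": "tcp", "ports": "443"}]},
        {"id": "sg-batch", "egress": [{"cidr": "0.0.0.0/0", "protocol": "-1", "ports": "all"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True,
         "access_keys": [{"id": "KEY-ALICE-1", "created": "2018-05-01"}],
         "attached_policies": []},
        {"name": "deploy-bot", "mfa": False,
         "access_keys": [{"id": "KEY-BOT-1", "created": "2017-11-01"}],
         "attached_policies": ["team-admin-policy"]},
    ],
}


def scan_sample():
    """Scan the constructed snapshot as of the talk's date."""
    return scan(SAMPLE_INVENTORY, date(2018, 6, 1))


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Each check is a pure function over the snapshot, which is what makes these tools effective in cloud environments as slide 8 says: the whole estate is enumerable through an API, so the scan is a loop rather than a site visit.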
  18. Code Audits
    Find and eliminate anywhere you have system credentials stored in source code.
    Find and eliminate anywhere the application is asking for more privileges than it needs.
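Slide 18's two audit items, and the declarative policies slide 14 relies on for least privilege, can both be checked mechanically. The Python below is an added example, not the speaker's tooling: one function flags source lines that embed a credential, the other flags Allow statements in a policy document whose action or resource is a wildcard, and it shows the over-broad policy beside its scoped replacement. The sample source file, the policy documents and the bucket name are constructed; the credential patterns are illustrative, not exhaustive, and the public "AKIA" prefix and 20-character length of an AWS access key id are the only format details relied on.

```python
"""Two code-audit checks from slide 18: hard-coded credentials in source, and
policy statements granting more than the application needs (slides 14/18).

Added example, not the speaker's tooling. SAMPLE_SOURCE, the policy JSON and
the bucket name are constructed; the credential patterns are illustrative."""
import json
import re

# Illustrative credential shapes. 'AKIA' + 16 characters is the public format
# of an AWS access key id; the other two patterns are generic.
CREDENTIAL_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("assigned_secret", re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]""")),
]


def find_credentials(source, filename="<input>"):
    """Return (filename, line_no, kind) for each line matching a pattern.
    Lines that read the value from the environment are skipped: that is the
    remediation the audit asks for, not a finding."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if "os.environ" in line or "getenv" in line:
            continue
        for kind, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                hits.append((filename, no, kind))
                break
    return hits


def find_overbroad_statements(policy):
    """Return (sid, problem, value) for Allow statements whose Action is '*'
    or 'service:*', or whose Resource is '*'. Accepts the common IAM-style
    document shape (Statement may be a dict or list; fields may be str or list)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{idx}]")
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((sid, "wildcard action", a))
        for r in resources:
            if r == "*":
                findings.append((sid, "wildcard resource", r))
    return findings


# Constructed sample source: two embedded secrets and one correct env lookup.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
db_password = "hunter2hunter2"
api_key = os.environ["API_KEY"]
print("ready")
"""

# Constructed policies: the broad one an application often ships with, and
# the scoped one that grants only what the upload feature needs.
BROAD_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "UploadAccess", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
})
SCOPED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "UploadAccess", "Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::app-uploads-example/*"}],
})


def audit_sample():
    """Run both checks over the constructed inputs."""
    return {
        "credentials": find_credentials(SAMPLE_SOURCE, "app/config.py"),
        "broad_policy": find_overbroad_statements(json.loads(BROAD_POLICY_JSON)),
        "scoped_policy": find_overbroad_statements(json.loads(SCOPED_POLICY_JSON)),
    }


if __name__ == "__main__":
    for section, items in audit_sample().items():
        print(section, items if items else "clean")
```

Running it reports the two embedded secrets on lines 2 and 3 of the sample file, flags both the action and the resource of the broad policy, and reports the scoped policy as clean. A real audit would run the first check over every file in the repository and the second over every policy document the deployment declares.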
  19. Intrusion Detection Systems and Containers
    IDS systems work fine with container deployments, but typically offer reduced visibility into what application/container is being attacked.
    New container-aware IDS systems can isolate attacks to specific containers.
  20. A Container-focused Malware Attack
    Crypto-miner malware is especially common for container platforms.
    https://www.alertlogic.com/blog/alert-logic-container-ids-detects-cryptomining-attack-on-aws/
  21. Are Container Platforms Less Secure?
    No, but as relatively new technologies there will be new attack vectors to discover and mitigate.