Altseccon, March 2011 Winston Morton
Topics of Discussion
The Definition of the Cloud
Cloud Computing and Risk Mitigation
Traditional Intrusion Prevention
Virtualized Intrusion Prevention
Intrusion Prevention in Cloud Computing
Industry Trends
Questions
What is the Cloud?
What does “To the cloud” mean?
And yes, IBM did this 20 years ago, before the brief period of customer-owned client/server technologies (of course, the Internet as we know it didn’t exist back then).
Why has the risk model changed?
Private cloud deployments have virtualized the natural
network aggregation points used for Network Security
Public cloud providers control critical elements of a
comprehensive security program
Cloud provider evaluation criteria (Gartner)
Privileged user access
Regulatory compliance
Data location
Data segregation
Recovery
Investigative support
Long-term viability
Sidebar: Microsoft BPOS cloud service hit with data breach
A 'small number' of Offline Address Book users had some of their data accessed
By Andreas Udo de Haes, Webwereld Netherlands
December 22, 2010 11:39 AM ET
The Ownership of Risk
The ownership of risk hasn’t changed, but the controls have.
The ownership of the data clearly stays with the customer
In many cases when outsourcing you have less ancillary access
to data (in transit or at rest)
Intrusion prevention sometimes relies on ancillary data
The cloud service provider generally does not take ownership
or risk of loss of data beyond the cost of the service
Your risk tolerance needs to match the cloud delivery
model (this generally comes down to a financial decision)
In the SME market risk may go down rather than up with a
cloud model
You can’t outsource accountability!
Amazon Web Services (AWS)
Section 11. Limitations of Liability.
WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF
PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR
ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH:
(A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR
SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR
DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY
OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A
PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM
FAILURES OR OTHER INTERRUPTIONS;
(B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
(C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS
AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR
(D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR
FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’
AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT
YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM
DURING THE 12 MONTHS PRECEDING THE CLAIM.
Microsoft Online Services
Section 8. Limitation of liability.
Limitation on liability. Except as otherwise provided in this Section, to the extent permitted by applicable law, the
liability of Microsoft and of Microsoft’s contractors to Customer arising under this agreement is limited to direct
damages up to the amount Customer paid Microsoft for the Online Service and/or Client Software giving rise to that
liability during the (1) Term or (2) twelve months prior to the filing of the claim, whichever is less. These limitations
apply regardless of whether the liability is based on breach of contract, tort (including negligence), strict liability,
breach of warranties, or any other legal theory. However, these monetary limitations will not apply to:
Microsoft’s obligations under the Section titled "Defense of infringement and misappropriation claims";
liability for damages awarded by a court of final adjudication for Microsoft’s or its employees’ or agents’ gross negligence
or willful misconduct;
liabilities arising out of any breach by Microsoft of its obligations under the Section entitled "Confidentiality"; or
liability for personal injury or death caused by Microsoft’s negligence or that of its employees or agents or for fraudulent
misrepresentation.
EXCLUSION OF CERTAIN DAMAGES. TO THE EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL
BASIS FOR THE CLAIM, NEITHER PARTY, NOR ANY OF ITS AFFILIATES OR SUPPLIERS, WILL BE LIABLE FOR ANY
INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, CONSEQUENTIAL, SPECIAL OR INCIDENTAL
DAMAGES, DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS
INFORMATION) ARISING IN CONNECTION WITH THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES OR IF SUCH POSSIBILITY WAS REASONABLY FORESEEABLE. HOWEVER, THIS EXCLUSION
DOES NOT APPLY TO EITHER PARTY’S LIABILITY TO THE OTHER FOR VIOLATION OF ITS CONFIDENTIALITY
OBLIGATIONS OR OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS.
Concept of Intrusion Prevention
Stop intrusions BEFORE they happen
As opposed to Intrusion Detection
Requires system to take action on potential risks
In-line systems can drop malicious traffic before it gets to critical
infrastructure
Automated or with human intervention
Can be programmed with very different “personalities” depending on
location (e.g. in front of the firewall, in front of a critical server, etc.)
Modern IPS Systems have a real time database of threats
Many of which may not apply to your environment
Allows for Zero-Day detection of new threats and applies new rules
before your systems are compromised (Virtual Patching)
IPS systems also provide an important audit trail
In the case of a breach, IPS events need to be correlated with firewall logs,
user account logs, server access logs, virus scan logs, etc.
Concept of Intrusion Prevention
Traditional Intrusion Prevention Systems
Client Based (Desktop)
Generally proactive management of accounts and potential spyware,
rootkits, etc
Watch incoming and outgoing connections for warning signs
Host Based (Server)
Very specific inspection of application requests and common exploit
techniques targeted at the host system
Account abuse detection, time of day detection, etc
Network Based
Deep packet inspection
Broad long term analysis (looking for “low and slow” attacks)
Denial of service, network scanning/mapping attempts
Exploits of known vulnerabilities
Concept of Intrusion Prevention
Traditional Enterprise Approach (diagram)
Network Based Intrusion Prevention sits between the Internet and the Enterprise
Host Based Intrusion Prevention and Client Based Intrusion Prevention inside the Enterprise
Correlated Event Management collects events from all three
Concept of Intrusion Prevention
Virtual Intrusion Prevention
Virtual machine embedded in hardware abstraction layer
(Between the Physical Hardware and the Guest Operating System)
Can be software controlled and placed on same virtual
network as any virtual machine
Creates a scalable method to monitor multiple virtual
environments
Keep in mind intrusion prevention devices would normally be tuned
for specific Operating Systems and Applications they are protecting
These deployments are highly reliant on multiple vendor
integration
e.g. VMware publishes an API for provisioning virtual networks; IPS
vendors have to conform to these specifications.
Traditional vs. Virtualized IPS (diagram)
Traditional stack: APPLICATION / OPERATING SYSTEM / NETWORK
Host Based IPS: Software Based; Application Attack Vectors; Host Based Ruleset
Network Based IPS: Hardware Based; Network Attack Vectors; Network Based Ruleset
Virtualized stack: PHYSICAL SERVER (VMWARE / MICROSOFT HYPER-V / CISCO NEXUS) hosting VIRTUAL SWITCH (x3), VIRTUAL IPS (x4), OS (x4), APP (x4); PHYSICAL SERVER carrying VIRTUAL LAN (x4)
Annotations:
Host Based IPS: Same as traditional server Host Based IPS deployments
Virtual IPS: Special Virtual Machines; Vendor Specific API; Can be “bridged” (software) to any virtual segment
Network Based IPS: Can be “bridged” to the VLAN associated with a Virtual Machine; Most Enterprise IPS Vendors support Multiple VLANs (802.1Q)
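The bridging shown in the diagram above, worked through as an added example (my code, not from the talk or from any IPS vendor): a parser for 802.1Q-tagged Ethernet frames that extracts the 12-bit VLAN ID, looks up which protected virtual machine that VLAN is bridged to, and applies that segment's ruleset, so one network IPS instance serves several virtual segments with different "personalities". The VLAN-to-VM map (`SEGMENTS`), the allowed-port rules and the `build_frame` helper are constructed assumptions; only the Ethernet, 802.1Q and IPv4 layouts are the real wire formats. Untagged frames and unmapped VLANs are treated as findings rather than silently passed.

```python
"""Demultiplex 802.1Q-tagged frames so that one network IPS instance can
apply a per-segment ruleset to several virtual machines' VLANs.

Constructed example for this page: the VLAN-to-VM mapping, the rule tables
and the frames built below are made up; only the 802.1Q / Ethernet / IPv4
header layouts are the real wire formats."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17

# Assumed mapping: VLAN a VM's vNIC is bridged to -> the segment "personality"
# (ruleset) the IPS applies there. Hypothetical VM names and ports.
SEGMENTS = {
    100: {"vm": "web01", "allowed_tcp": {80, 443}},
    200: {"vm": "db01", "allowed_tcp": {3306}},
}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return dst/src MAC, vlan (None if untagged), pcp, ethertype and payload.
    Raises ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan, pcp = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13        # 3-bit priority code point
        vlan = tci & 0x0FFF    # 12-bit VLAN identifier
        offset = 18
    return {"dst": _mac(dst), "src": _mac(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def parse_ipv4_l4(payload):
    """Return (protocol, dst_port); dst_port is None when the protocol has no
    ports or the transport header is missing."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= ihl + 4:
        return proto, struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return proto, None


def inspect(frame, segments=SEGMENTS):
    """Route one frame to the ruleset of the VLAN it carries.
    Returns ("pass" | "alert", vlan, vm_or_None, reason)."""
    f = parse_frame(frame)
    if f["vlan"] is None:
        return ("alert", None, None, "untagged frame on a trunk the IPS expects to be tagged")
    seg = segments.get(f["vlan"])
    if seg is None:
        return ("alert", f["vlan"], None, "VLAN not mapped to any protected VM")
    if f["ethertype"] != ETHERTYPE_IPV4:
        return ("alert", f["vlan"], seg["vm"], f"non-IPv4 ethertype 0x{f['ethertype']:04x}")
    proto, dport = parse_ipv4_l4(f["payload"])
    if proto == PROTO_TCP and dport in seg["allowed_tcp"]:
        return ("pass", f["vlan"], seg["vm"], f"tcp/{dport} permitted on segment")
    return ("alert", f["vlan"], seg["vm"], f"proto {proto} dport {dport} not in segment ruleset")


def build_frame(vlan, dport, proto=PROTO_TCP, ethertype=ETHERTYPE_IPV4):
    """Constructed test frame: Ethernet + optional 802.1Q tag + minimal 20-byte
    IPv4 header + L4 ports. Locally administered MACs, private addresses."""
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + bytes(4)      # ver/IHL, TOS, len, id, frag
          + bytes([64, proto]) + bytes(2)                           # TTL, protocol, checksum
          + bytes([10, 0, 5, 1]) + bytes([10, 0, 5, 20]))           # src, dst
    l4 = struct.pack("!HH", 40000, dport)                           # sport, dport
    return eth + tag + struct.pack("!H", ethertype) + ip + l4


if __name__ == "__main__":
    for vlan, port in [(100, 443), (100, 3306), (200, 3306), (300, 80), (None, 80)]:
        print(vlan, port, inspect(build_frame(vlan, port)))
```

The design point is that the tag, not the MAC or IP address, decides which ruleset runs: when a VM is migrated or re-addressed the IPS keeps following its segment as long as the virtual switch keeps the VLAN assignment, which is what the slide's "bridged to VLAN associated with Virtual Machine" relies on.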
IPS Challenges in the Public Cloud
A holistic view is important to determine real time risk
What used to be physical and in our server room is now logical
and controlled by a third-party company
We may be missing infrastructure events that would trigger a
potential security threat.
Importance of event correlation
Appearances of targeted probing before an event
What happened before and after a security breach
Common time and log management is critical to determining root cause
Intrusion prevention is about recognizing potential security
threats and acting BEFORE a breach
There are ways to work with outsourced infrastructure to manage
this reduced visibility
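The correlation the slides call for, here and under "Concept of Intrusion Prevention" (IPS events alongside firewall and server access logs, common time management, targeted probing that appears before an event), as an added example that is not from the talk: three constructed log sources with three different timestamp conventions are normalised to UTC, merged into one timeline, and searched for server requests whose source address the IPS saw probing shortly before. The log formats (an ISO-8601 IPS export, a syslog-style firewall log, an Apache-style access log), the documentation-range addresses and the 15-minute window are assumptions.

```python
"""Correlate IPS probe alerts with firewall and web-server logs on a common
(UTC) time base, so "what happened before the breach" can be answered.

Constructed example for this page; the log formats are assumed and the
addresses are documentation ranges (203.0.113.x, 198.51.100.x, 192.0.2.x),
not real hosts."""
import re
from datetime import datetime, timedelta, timezone

# --- Constructed sample logs ------------------------------------------------
# The IPS exports ISO-8601 timestamps with an explicit -04:00 offset.
IPS_LOG = """\
2011-03-08T13:55:02-04:00 ips01 PROBE src=203.0.113.7 dst=10.0.5.20 sig="TCP SYN scan"
2011-03-08T13:57:41-04:00 ips01 PROBE src=203.0.113.7 dst=10.0.5.20 sig="HTTP directory enumeration"
2011-03-08T14:30:00-04:00 ips01 PROBE src=198.51.100.9 dst=10.0.5.21 sig="TCP SYN scan"
"""
# The firewall writes classic syslog: no year, no zone. We assume UTC and
# supply the year; without that agreement the timeline below is simply wrong.
FW_LOG = """\
Mar  8 18:02:13 fw01 ACCEPT src=203.0.113.7 dst=10.0.5.20 dport=443
Mar  8 19:10:00 fw01 ACCEPT src=192.0.2.44 dst=10.0.5.21 dport=443
"""
# The web server logs local time with a numeric offset.
ACCESS_LOG = """\
203.0.113.7 - - [08/Mar/2011:14:02:20 -0400] "GET /admin/export?all=1 HTTP/1.1" 200 884213
192.0.2.44 - - [08/Mar/2011:15:10:07 -0400] "GET /index.html HTTP/1.1" 200 512
"""

IPS_RE = re.compile(r'(\S+) \S+ (\w+) src=(\S+) dst=(\S+) sig="([^"]+)"')
FW_RE = re.compile(r'(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ (\w+) src=(\S+) dst=(\S+) dport=(\d+)')
ACCESS_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3}) (\d+)')


def parse_ips(text):
    """Yield normalised IPS events; ISO-8601 offsets are converted to UTC."""
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
            yield {"ts": ts, "source": "ips", "kind": m.group(2),
                   "src": m.group(3), "dst": m.group(4), "detail": m.group(5)}


def parse_firewall(text, year, tz=timezone.utc):
    """Yield firewall events; syslog lacks year and zone, so both are supplied."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            local = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                      "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            yield {"ts": local.astimezone(timezone.utc), "source": "firewall",
                   "kind": m.group(4), "src": m.group(5), "dst": m.group(6),
                   "detail": f"dport={m.group(7)}"}


def parse_access(text):
    """Yield web-server events; the bracketed timestamp carries its own offset."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            yield {"ts": ts, "source": "web", "kind": "REQUEST", "src": m.group(1),
                   "dst": None, "detail": f"{m.group(3)} -> {m.group(4)}"}


def build_timeline(ips_log, fw_log, access_log, syslog_year):
    """Merge all sources into one list ordered by UTC time."""
    events = list(parse_ips(ips_log))
    events += parse_firewall(fw_log, syslog_year)
    events += parse_access(access_log)
    return sorted(events, key=lambda e: e["ts"])


def find_probed_access(timeline, window=timedelta(minutes=15)):
    """Flag server requests whose source the IPS saw probing within `window`
    before the request; one finding per flagged request."""
    probes = [e for e in timeline if e["source"] == "ips" and e["kind"] == "PROBE"]
    accepts = [e for e in timeline if e["source"] == "firewall" and e["kind"] == "ACCEPT"]
    findings = []
    for req in (e for e in timeline if e["source"] == "web"):
        prior = [p for p in probes
                 if p["src"] == req["src"] and req["ts"] - window <= p["ts"] < req["ts"]]
        if not prior:
            continue
        findings.append({
            "src": req["src"],
            "request_ts": req["ts"].isoformat(),
            "request": req["detail"],
            "probe_signatures": [p["detail"] for p in prior],
            "firewall_accepts": sum(1 for a in accepts
                                    if a["src"] == req["src"] and a["ts"] <= req["ts"]),
        })
    return findings


if __name__ == "__main__":
    tl = build_timeline(IPS_LOG, FW_LOG, ACCESS_LOG, syslog_year=2011)
    for e in tl:
        print(e["ts"].strftime("%H:%M:%S"), e["source"], e["kind"], e["src"], e["detail"])
    for f in find_probed_access(tl):
        print("FLAG", f)
```

Read the merged timeline before the findings: the two probes, the firewall accept and the bulk export all land within seven minutes of each other only once every source is on the same clock. In a public cloud the firewall line may be the one you never receive, which is the visibility loss the slide describes; the correlation still runs on the sources you do have, and `firewall_accepts` simply reads zero.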
Cloud Computing Models
Software as a Service (SaaS)
Remote secure access to one Application
Typically Web Based Service
Typically accessible from anywhere
Security Model
No access to SaaS network
No access to SaaS Host OS
User Based Intrusion Prevention
User Authentication
User Auditing (Application Dependent)
(Diagram: SaaS Provider – Internet – Enterprise)
Cloud Computing Models
Platform as a Service (PaaS)
Remote secure access to one Platform
Typically a Windows/Linux Server
Typically Bundled with Storage
“Bring your own” Application
Multiple locations
Security Model
No access to PaaS network
(Diagram: PaaS Provider – Internet)
Winston.Morton@GreenNeuron.com
902.406.6321