
CLOUD THREAT HUNTING

Jim Reavis
CEO and Founder
Cloud Security Alliance
December 2017
ABOUT THE CLOUD SECURITY ALLIANCE

• Building security best practices for next generation IT
• Global, not-for-profit organization
• Research and educational programs
• Cloud provider certification – CSA STAR
• User certification – CCSK
• The globally authoritative source for trust in the cloud

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

OUR COMMUNITY

• 88,000+ individual members
• 80+ chapters
• 400+ corporate members
• 35+ active working groups
• CSA founded 2009
• Strategic partnerships with governments, research institutions, professional associations and industry
• CSA research is FREE!
• Seattle/Bellingham, WA // US headquarters
• Edinburgh // EMEA headquarters
• Singapore // Asia Pacific headquarters
Cloud Definitions

COPYRIGHT © 2017 CLOUD SECURITY ALLIANCE

• NIST
• CSA Cloud Reference Model

Cloud Security Focus

Figure: CSA Cloud Reference Model stack. Software as a Service on top (“This is where the security action is”); Developer Tools / Platform as a Service in the middle; Managing Hardware/OS / Infrastructure as a Service at the bottom.


Stakes are high for Data Protection

• General Data Protection Regulation (GDPR)
  • Fines of up to 4% of annual global turnover or €20 million (whichever is greater)
• I will spare you a logo wall of shame listing breached companies, fired CEOs, etc.

https://gdpr.cloudsecurityalliance.org/
CSA Top Threats Report

1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. APTs
8. Data Loss
9. Insufficient Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Vulnerabilities (the only IaaS-specific threat)

https://cloudsecurityalliance.org/group/top-threats/
Threat 1: Data Breach

• Ranking based upon impact rather than prevalence
• Compromised credentials, sloppy administration & poor programming practices loom large
• Incidents primarily have a root cause in cloud user mistakes, e.g., “AWS bucket slosh” (S3 buckets left publicly readable)

Shared Responsibility
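The “bucket slosh” failure mode above is detectable from the bucket policy alone. The following is an added example for this page, not CSA code: it flags policy statements that grant anonymous read access. The three policies, the bucket name, account id and VPC endpoint id are constructed samples, and the evaluation is a deliberate simplification of IAM policy semantics (NotPrincipal/NotAction are ignored, Deny statements are not applied across statements, and a Condition is reported for manual review rather than evaluated).

```python
"""Flag S3 bucket policy statements that grant anonymous read access.

Added example for this page, not CSA code. The policies below are constructed
samples, and the evaluation is a simplification of IAM policy semantics:
NotPrincipal/NotAction are ignored, Deny statements are not applied across
statements, and a Condition is reported rather than evaluated.
"""
import fnmatch
import json

# Actions that let an anonymous caller enumerate or fetch bucket contents.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} (possibly inside a list) means any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True if any action pattern ('s3:*', 's3:Get*', '*') covers a read action.

    IAM action names match case-insensitively, so both sides are lower-cased.
    """
    for pattern in _as_list(actions):
        for action in READ_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def find_public_statements(policy_json):
    """Return [(sid, verdict)] for Allow statements open to anonymous readers.

    verdict is 'public' when the statement carries no Condition, and
    'conditional' when one is present (e.g. aws:SourceVpce), which a hunter
    should review rather than assume to be restrictive.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "Statement[%d]" % index)
        verdict = "conditional" if stmt.get("Condition") else "public"
        findings.append((sid, verdict))
    return findings


# Constructed sample policies; bucket, account id and endpoint id are made up.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerAccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPublicWrite", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("vpce", VPCE_POLICY), ("private", PRIVATE_POLICY)):
        print(name, find_public_statements(policy))
```

A policy check is only half of the picture: a bucket can also be exposed through its ACL or saved from a bad policy by account-level public access block settings, so a real hunt reads all three for every bucket and treats a 'conditional' verdict as a lead, not a clean result.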
Threat 2: Insufficient Identity, Credential and Access Management

• Compromised credentials are the path of least resistance
• Multi-factor authentication recommended; mandatory for privileged accounts
• Identity federation to prevent credential sprawl
• See also Threat 5: Account Hijacking
Threat 3: Insecure APIs and Interfaces

• Agility, “on demand” and continuous deployment create pressure to develop “too quickly”
• Vetting of third-party API services and of the cloud layers themselves is lacking
• Secure development lifecycle practices are as critical as ever
Threat 12: Shared Technology Vulnerabilities

• VM side-channel attacks
• VENOM vulnerability (CVE-2015-3456, a buffer overflow in QEMU’s virtual floppy controller)
• Hypervisor??
• Hardware bugs, supply chain
About Security Guidance V4

• Fundamental cloud security research that started CSA
• 4th version, released July 2017
• Architecture
• Governing in the Cloud
  • Governance and Enterprise Risk Management
  • Legal
  • Compliance & Audit Management
  • Information Governance
• Operating in the Cloud
  • Management Plane & Business Continuity
  • Infrastructure Security
  • Virtualization & Containers
  • Incident Response
  • Application Security
  • Data Security & Encryption
  • Identity Management
  • Security as a Service
  • Related Technologies
Related advice from CSA Guidance V4

• SLAs and setting expectations between provider and customer responsibilities
• Cloud customers must understand the content and format of data that the cloud provider will supply for analysis purposes and evaluate whether the available forensics data satisfies legal chain of custody requirements.
• Cloud customers should also embrace continuous and serverless monitoring of cloud-based resources to detect potential issues earlier than in traditional data centers.
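Continuous monitoring of the kind recommended above, together with the MFA point from Threat 2, can be turned into concrete hunts over CloudTrail records. The following is an added example, not CSA’s or AWS’s code: SAMPLE_EVENTS are constructed records in CloudTrail’s record shape carrying only the fields the hunt reads, the user names, trail name and IP addresses are made up, and the three-failure threshold is an illustrative choice rather than a recommended value.

```python
"""Hunt a batch of CloudTrail records for the credential and logging abuses
this deck calls out: console logins without MFA, root account use, trail
tampering and repeated failed logins.

Added example, not CSA or AWS code. SAMPLE_EVENTS are constructed records in
CloudTrail's shape (only the fields used here), and FAILED_LOGIN_THRESHOLD is
an illustrative choice, not a recommended value.
"""
import json
from collections import Counter

# CloudTrail API calls an intruder uses to blind detection.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune to your own baseline

# Constructed sample records, newline-delimited, in CloudTrail's field layout.
SAMPLE_EVENTS = """
{"eventTime": "2017-12-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2017-12-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2017-12-01T08:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2017-12-01T08:07:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2017-12-01T08:08:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventTime": "2017-12-01T08:20:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"name": "org-trail"}}
{"eventTime": "2017-12-01T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "sourceIPAddress": "192.0.2.44", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}}
"""


def load_events(jsonl):
    """Parse newline-delimited CloudTrail records (one JSON object per line)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events):
    """Return (finding, subject, detail) tuples in detection order."""
    findings = []
    failed_logins = Counter()
    for event in events:
        identity = event.get("userIdentity") or {}
        who = identity.get("userName") or identity.get("arn") or "unknown"
        name = event.get("eventName")
        when = event.get("eventTime")

        if name == "ConsoleLogin":
            outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (event.get("additionalEventData") or {}).get("MFAUsed")
            # A successful login that did not present a second factor.
            if outcome == "Success" and mfa != "Yes":
                findings.append(("console-login-without-mfa", who, when))
            elif outcome == "Failure":
                failed_logins[(who, event.get("sourceIPAddress"))] += 1

        # Any use of the root account, not just logins.
        if identity.get("type") == "Root":
            findings.append(("root-account-activity", name, when))

        # Someone switching off or narrowing the audit trail.
        if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            trail = (event.get("requestParameters") or {}).get("name", "?")
            findings.append(("trail-tampering", "%s:%s" % (name, trail), when))

    # Password guessing: the same user failing repeatedly from one address.
    for (who, ip), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-failed-logins", "%s@%s" % (who, ip), count))
    return findings


if __name__ == "__main__":
    for finding in hunt(load_events(SAMPLE_EVENTS)):
        print(*finding)
```

The trail-tampering rule is the one that protects the other three: if the trail is stopped before the hunt runs there is nothing left to hunt, which is why the guidance on this page insists that log sources be copied somewhere that stays available during an incident.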
Related advice from CSA Guidance V4

• Data sources should be stored or copied into locations that maintain availability during incidents.
• Cloud-based applications should leverage automation and orchestration to streamline and accelerate the response, including containment and recovery.
• For each cloud service provider used, the approach to detecting and handling incidents involving the resources hosted at that provider must be planned and described in the enterprise incident response plan.
Related advice from CSA Guidance V4

• The SLA with each cloud service provider must guarantee support for the incident handling required for the effective execution of the enterprise incident response plan. This must cover each stage of the incident handling process: detection, analysis, containment, eradication, and recovery.
• Testing will be conducted at least annually or whenever there are significant changes to the application architecture. Customers should seek to integrate their testing procedures with that of their provider (and other partners) to the greatest extent possible.
Why IaaS not the primary focus?

• Well funded, mature security teams
• State of the art technology
• Collaboration with competitors could be better, but they do communicate

Inherit Security

• We need IaaS cloud providers to enable their customers for threat intelligence sharing & secure-by-default usage of platforms (among many other things)
• Need to solve the “provider within a provider” problem – it’s the ecosystem, stupid!
The cloud ecosystem threat problem

• Attacks may take on very different meaning in the context of an ecosystem

Figure: Galactic Bank’s cloud presence spread across IaaS Provider 1, IaaS Provider 2 and IaaS Provider 3.


Cloud Security Industry Summit

• Started by Intel
• Participation from major cloud providers and major tech companies
• Cloud Security Alliance participates
• Strength is a focus on firmware/BIOS issues
• Recent firmware integrity whitepaper
CSA Cloud CISC

• CSA Cloud Cyber Incident Sharing Center
• Our effort to drive standards in incident response and threat intelligence sharing in the cloud
• Features an operational threat intelligence exchange
• Initial data indicates a lot of common actors hitting cloud customers separately
• Addressing issues such as anonymization, attribution and legal/SLAs related to the cloud reference model
Looking to the future: Dynamic Digital Enterprise

• Massive increase in compute
• Cloud Computing is the back end
• Internet of Things is the endpoint
• Compute is Everywhere …
• But, you won’t know where Anything is
• Devices, software, network routes continuously modified
• The corporation is a virtual, software-defined construct –
the Dynamic Digital Enterprise
• The corporation will have many more software partners
than today – but some will exist for only seconds at a time
• Existing security will not scale
Automation for securing the Dynamic Digital Enterprise

• Artificial Intelligence is the brain managing the
digital enterprise
• Blockchain provides the trusted language & rules
• Software Defined Networking dynamically
organizes computers
• DevOps automates the Cloud
• Autonomics automates the IoT
• We call this “Self-Driving Information Security”
To sum it up

• Familiar threats exist in cloud, but can take on new dimensions and consequences
• More cloud-specific threats exist as well
• Tier 1 cloud providers have excellent security programs, but the ecosystem does not necessarily benefit from them as much as it might
• Enabling the SaaS layer (commercial or end user) is essential for threat hunting
• Tricky legal & SLA issues are as big an impediment as the PR & competitive issues
• Look to the future and understand the scale needed. Automation is needed; we cannot rely on the historical backchannels
• CSA has a lot of free research and a community to assist
THANK YOU!
Contact CSA

Email: [email protected]
Twitter: @Cloudsa
Site: www.cloudsecurityalliance.org
Learn: www.cloudsecurityalliance.org/research/cloudbytes
Download: www.cloudsecurityalliance.org/download

https://cloudsecurityalliance.org/