
Winston Morton - Intrusion Prevention - AtlSecCon 2011

Feb 07, 2017


  • AtlSecCon, March 2011

    Winston Morton

  • Topics of Discussion

    The Definition of the Cloud

    Cloud Computing and Risk Mitigation

    Traditional Intrusion Prevention

    Virtualized Intrusion Prevention

    Intrusion Prevention in Cloud Computing

    Industry Trends

    Questions

  • What is "The Cloud"? What does "To the cloud" mean?

    Why do they always spin something to get to the cloud?

  • Definition of the Cloud

    About 432 definitions out there

    A shared computing resource with the ability to be delivered via the Internet from multiple locations to multiple locations

    Public Cloud - Delivered to multiple customers

    Private Cloud - Delivered to one customer

    Virtual Private Cloud - An isolated subset of the public cloud with dedicated network and computing resources for one customer

    And yes, IBM did this 20 years ago, before the brief period of customer-owned client/server technologies (of course the Internet as we know it didn't exist back then).

  • Why has the risk model changed?

    Private cloud deployments have virtualized the natural network aggregation points used for network security

    Public cloud providers control critical elements of a comprehensive security program

    Cloud provider evaluation criteria (Gartner): privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support, long-term viability

    "Microsoft BPOS cloud service hit with data breach: A 'small number' of Offline Address Book users had some of their data accessed" - Andreas Udo de Haes, Webwereld Netherlands, December 22, 2010

  • The Ownership of Risk

    The ownership of risk hasn't changed, but the controls have.

    The ownership of the data clearly stays with the customer

    In many cases when outsourcing you have less ancillary access to data (in transit or at rest)

    Intrusion prevention sometimes relies on that ancillary data

    The cloud service provider generally does not take ownership of the risk of data loss beyond the cost of the service

    Your risk tolerance needs to match the cloud delivery model (this generally comes down to a financial decision)

    In the SME market risk may go down rather than up with a cloud model

    You can't outsource accountability!

  • Amazon Web Services (AWS) Section 11. Limitations of Liability.

    WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH:

    (A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS;

    (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES' AND LICENSORS' AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE CLAIM.

  • Microsoft Online Services Section 8. Limitation of liability.

    Limitation on liability. Except as otherwise provided in this Section, to the extent permitted by applicable law, the liability of Microsoft and of Microsoft's contractors to Customer arising under this agreement is limited to direct damages up to the amount Customer paid Microsoft for the Online Service and/or Client Software giving rise to that liability during the (1) Term or (2) twelve months prior to the filing of the claim, whichever is less. These limitations apply regardless of whether the liability is based on breach of contract, tort (including negligence), strict liability, breach of warranties, or any other legal theory. However, these monetary limitations will not apply to: Microsoft's obligations under the Section titled "Defense of infringement and misappropriation claims"; liability for damages awarded by a court of final adjudication for Microsoft's or its employees' or agents' gross negligence or willful misconduct; liabilities arising out of any breach by Microsoft of its obligations under the Section entitled "Confidentiality"; or liability for personal injury or death caused by Microsoft's negligence or that of its employees or agents or for fraudulent misrepresentation.

    EXCLUSION OF CERTAIN DAMAGES. TO THE EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL BASIS FOR THE CLAIM, NEITHER PARTY, NOR ANY OF ITS AFFILIATES OR SUPPLIERS, WILL BE LIABLE FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, CONSEQUENTIAL, SPECIAL OR INCIDENTAL DAMAGES, DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING IN CONNECTION WITH THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH POSSIBILITY WAS REASONABLY FORESEEABLE. HOWEVER, THIS EXCLUSION DOES NOT APPLY TO EITHER PARTY'S LIABILITY TO THE OTHER FOR VIOLATION OF ITS CONFIDENTIALITY OBLIGATIONS OR OF THE OTHER PARTY'S INTELLECTUAL PROPERTY RIGHTS.

  • Concept of Intrusion Prevention

    Stop intrusions BEFORE they happen, as opposed to intrusion detection: this requires the system to take action on potential risks

    In-line systems can drop malicious traffic before it gets to critical infrastructure

    Automated or with human intervention

    Can be programmed with very different personalities depending on location (i.e. in front of the firewall, in front of a critical server, etc.)

    Modern IPS systems have a real-time database of threats, many of which may not apply to your environment; it lets rules for newly disclosed (zero-day) threats be applied before your systems are compromised (virtual patching)

    IPS systems also provide an important audit trail; in the case of a breach, IPS events need to be correlated with firewall logs, user account logs, server access logs, virus scan logs, etc.
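The points on this slide (action rather than just detection, in-line dropping, a different personality per deployment location, virtual patching, and the audit trail) as a small working model. This is an added example, not code from the talk or from any IPS product; the rule names, the regex signatures, the two location names ("edge" in front of the firewall, "server" in front of a critical server) and the sample requests are all constructed for it.

```python
"""Toy in-line IPS (added example, not from the slides).  Each rule carries
one action per deployment location, so the same signature only alerts on the
noisy Internet side but drops in front of a critical server.  Rule names,
patterns, location names and sample requests are assumptions."""
import re
from dataclasses import dataclass

ALERT, DROP, PASS = "alert", "drop", "pass"


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    actions: dict  # deployment location -> ALERT or DROP


# Two generic web attack signatures (constructed for this example).
BASE_RULES = [
    Rule("uri-directory-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I),
         {"edge": ALERT, "server": DROP}),
    Rule("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
         {"edge": ALERT, "server": DROP}),
]


class InlineIPS:
    def __init__(self, location, rules):
        self.location = location
        self.rules = list(rules)
        self.events = []  # audit trail: one record per rule hit

    def add_virtual_patch(self, rule):
        """Virtual patching: push a new signature into the running sensor so
        the exploit is blocked before the backend itself is fixed."""
        self.rules.append(rule)

    def inspect(self, request):
        """Return PASS, ALERT or DROP for one request line.  In-line placement
        means DROP really prevents delivery; ALERT forwards but records."""
        verdict = PASS
        for rule in self.rules:
            if rule.pattern.search(request):
                action = rule.actions.get(self.location, ALERT)
                self.events.append({"location": self.location, "rule": rule.name,
                                    "action": action, "request": request})
                if action == DROP:
                    return DROP
                verdict = ALERT
        return verdict

    def forward(self, requests):
        """Return only the requests that actually reach the protected system."""
        return [r for r in requests if self.inspect(r) != DROP]


SAMPLE_REQUESTS = [  # constructed for this example
    "GET /index.html HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",
    "GET /cgi-bin/status?cmd=id HTTP/1.1",
]


def demo():
    edge = InlineIPS("edge", BASE_RULES)
    server = InlineIPS("server", BASE_RULES)
    # Hypothetical feed-supplied signature for a newly disclosed flaw in a
    # status script: dropped on the server sensor before any vendor patch.
    patch = Rule("vp-cgi-status-cmd", re.compile(r"/cgi-bin/status\?[^ ]*cmd="),
                 {"edge": ALERT, "server": DROP})
    server.add_virtual_patch(patch)
    return {
        "edge_delivered": edge.forward(SAMPLE_REQUESTS),
        "server_delivered": server.forward(SAMPLE_REQUESTS),
        "edge_events": edge.events,
        "server_events": server.events,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The edge sensor lets all four requests through and only writes two audit records; the server sensor delivers just the first request and records three drops, the last one from the virtual patch that the edge sensor never received.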

  • Concept of Intrusion Prevention: Traditional Intrusion Prevention Systems

    Client based (desktop): generally proactive management of accounts and of potential spyware, rootkits, etc.; watches incoming and outgoing connections for warning signs

    Host based (server): very specific inspection of application requests and of common exploit techniques targeted at the host system; account abuse detection, time-of-day detection, etc.

    Network based: deep packet inspection; broad long-term analysis (looking for low-and-slow attacks); denial of service, network scanning/mapping attempts; exploits of known vulnerabilities

  • Concept of Intrusion Prevention: Traditional Enterprise Approach

    [Diagram: the Internet on one side and the enterprise on the other; client-based, host-based and network-based intrusion prevention inside the enterprise, all feeding correlated event management]

  • Concept of Intrusion Prevention: Virtual Intrusion Prevention

    Virtual machine embedded in the hardware abstraction layer (between the physical hardware and the guest operating system)

    Can be software controlled and placed on the same virtual network as any virtual machine

    Creates a scalable method to monitor multiple virtual environments

    Keep in mind that intrusion prevention devices would normally be tuned for the specific operating systems and applications they are protecting

    These deployments are highly reliant on multi-vendor integration, i.e. VMware publishes an API for provisioning virtual networks, and IPS vendors have to conform to these specifications.

  • Traditional vs. Virtualized IPS

    [Diagram: a traditional physical server (operating system, application) protected by a host-based IPS (software based, host-based ruleset, application attack vectors) and a network-based IPS (hardware based, network-based ruleset, network attack vectors); beside it a virtualized physical server (VMware / Microsoft Hyper-V / Cisco Nexus) running several OS/application guests on virtual switches and virtual LANs, each segment covered by a virtual IPS]

    Host based IPS: same as traditional server deployments

    Virtual IPS: special virtual machines, vendor-specific API, can be bridged in software to any virtual segment

    Network based IPS: can be bridged to the VLAN associated with a virtual machine; most enterprise IPS vendors support multiple VLANs (802.1Q)

  • IPS Challenges in the Public Cloud

    A holistic view is important to determine real-time risk

    What used to be physical and in our server room is now logical and controlled by a 3rd-party company

    We may be missing infrastructure events that would trigger a potential security threat, hence the importance of event correlation:

    Appearances of targeted probing before an event

    What happened before and after a security breach

    Common time and log management is critical to determining root cause

    Intrusion prevention is about recognizing potential security threats
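The correlation this slide calls for, and the network-based IPS slide's "scanning/mapping attempts" detection, worked through on constructed logs. This is an added example, not code from the talk or from any product: the log lines, host names, addresses (RFC 5737 documentation ranges), the assumed site time zone and the 15-minute window are all constructed for it. The IPS stamps UTC while the firewall and host log in zone-less local time, so every syslog stamp is first put on a common UTC base; the second run in the usage note shows what the same logs look like when that step is done with the wrong offset.

```python
"""Added example, not from the slides: correlate one IPS event with firewall
and authentication logs on a common (UTC) time base, reporting targeted
probing before the event and successful logins after it.  Log lines, hosts,
addresses and the site time zone are constructed for this example."""
import re
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-4))  # assumed site zone for syslog sources
YEAR = 2011                               # syslog lines carry no year

IPS_LOG = [
    "2011-03-10T14:05:12Z ips sig=http-upload-suspicious src=198.51.100.7 dst=10.0.0.5 action=alert",
]
FW_LOG = [
    "Mar 10 09:52:10 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=21",
    "Mar 10 09:53:41 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
    "Mar 10 09:57:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=3306",
    "Mar 10 09:59:30 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=8080",
    "Mar 10 10:04:55 fw01 ALLOW src=198.51.100.7 dst=10.0.0.5 dport=80",
    "Mar 10 10:05:50 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=445",
]
AUTH_LOG = [
    "Mar 10 10:06:40 web01 sshd[2231]: Accepted password for deploy from 198.51.100.7 port 51022 ssh2",
    "Mar 10 10:30:01 web01 CRON[2290]: pam_unix(cron:session): session opened for user root",
]

SYSLOG = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
AUTH_OK = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def syslog_utc(mon, day, hms, local_tz):
    """Attach the site zone to a zone-less syslog stamp and convert to UTC."""
    naive = datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def parse_ips(line):
    stamp, _, rest = line.split(" ", 2)
    kv = dict(KV.findall(rest))
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "ips", "src": kv["src"], "sig": kv["sig"]}


def parse_fw(line, local_tz):
    mon, day, hms, _host, rest = SYSLOG.match(line).groups()
    action, kvs = rest.split(" ", 1)
    kv = dict(KV.findall(kvs))
    return {"ts": syslog_utc(mon, day, hms, local_tz), "source": "fw",
            "src": kv["src"], "action": action, "dport": int(kv["dport"])}


def parse_auth(line, local_tz):
    mon, day, hms, _host, rest = SYSLOG.match(line).groups()
    ok = AUTH_OK.search(rest)
    return {"ts": syslog_utc(mon, day, hms, local_tz), "source": "auth",
            "src": ok.group(2) if ok else None, "user": ok.group(1) if ok else None}


def correlate(ips_lines, fw_lines, auth_lines, local_tz=LOCAL_TZ,
              window=timedelta(minutes=15), probe_ports=3):
    """For every IPS event, gather same-source events inside the window and
    report probing beforehand (distinct denied ports) and logins afterwards."""
    events = ([parse_ips(l) for l in ips_lines]
              + [parse_fw(l, local_tz) for l in fw_lines]
              + [parse_auth(l, local_tz) for l in auth_lines])
    events.sort(key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["source"] != "ips":
            continue
        related = [e for e in events if e is not ev and e["src"] == ev["src"]
                   and abs(e["ts"] - ev["ts"]) <= window]
        probed = {e["dport"] for e in related
                  if e["source"] == "fw" and e["action"] == "DENY" and e["ts"] < ev["ts"]}
        logins = [(e["ts"].isoformat(), e["user"]) for e in related
                  if e["source"] == "auth" and e["user"] and e["ts"] > ev["ts"]]
        findings.append({
            "ips_ts": ev["ts"].isoformat(), "src": ev["src"], "signature": ev["sig"],
            "probed_ports_before": sorted(probed),
            "probing_before": len(probed) >= probe_ports,
            "logins_after": logins,
            "timeline": [(e["ts"].isoformat(), e["source"]) for e in related],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(IPS_LOG, FW_LOG, AUTH_LOG):
        print(finding)
    # Same logs read with the wrong site zone: nothing lines up any more.
    print(correlate(IPS_LOG, FW_LOG, AUTH_LOG, local_tz=timezone.utc))
```

With the correct offset the single IPS alert is preceded by denied probes of four distinct ports from the same source and followed by an accepted SSH login from it, which is the "what happened before and after" picture the slide wants. Passing `local_tz=timezone.utc` instead shifts every firewall and host event four hours away from the IPS event, the window catches nothing, and the same logs show an isolated alert with no context.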