Secure Workload Transition to the Cloud - Controlware

Page 1

Secure Workload Transition to the Cloud

What hurdles exist, and what do practical approaches look like for securing your workload in the cloud?

Rainer Funk, IT Security Solution Manager, Controlware GmbH

Alexander Krakhofer, Head of Solution Architects, Radware

Page 2

Controlware – Radware

Secure Workload Transition to the Cloud

Alexander Krakhofer

Head of Pre-Sales DACH

June 2019

Page 3

Workload Evolution

Private Cloud: virtualization, SDDC

Legacy DC

Public Cloud: someone else’s computer

Cloud Native: services, services, …

Improved Operations

• Flexibility of placing workloads

• Invest multiple DC

• Invest in hardware

• Manage DC

• Manage Infrastructure

• Overprovisioned

• Idle infrastructure

Remote Operations

• No capital investments

• No DC or HW infrastructure to manage

• OS and software management, hardening, patching, updates

• Manual scaling by adding machines

• On demand infrastructure

• Optimized infrastructure

Consuming services

• No infrastructure

• No OS or software to manage, harden, patch, update

• Elastic and Dynamic Scale

• On demand, pay-as-you-go

Page 4

Cloud shared responsibility model

*source https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure

Page 5

Example AWS Shared Responsibility Model

Page 6

MOVING TO THE CLOUD MEANS LOSING CONTROL

On-Prem Data Center

• Network resources hosted on-site

• Protected against insider threats

• Perimeter defenses against external threats

Public Cloud

• Workloads hosted on the public cloud

• Organizations lose direct control over resources

• All access is ‘remote’

[Diagram labels on both sides: Hacker, IT DevOps]

Page 7

Will AWS / Azure / GCP / Alibaba manage your permissions?

Shared Responsibility = No Responsibility

That means the biggest threat to your cloud is “you don’t know what you don’t know”

-- Gartner 2018

95% OF CLOUD SECURITY FAILURES THROUGH 2020 WILL BE THE CUSTOMER’S FAULT.

IaaS (Infrastructure as a Service) stack: APPLICATIONS, DATA, RUNTIME, MIDDLEWARE, OS, VIRTUALIZATION, SERVERS, STORAGE, NETWORKING

Legend: Customer, Cloud Provider

Page 8

Radware CLOUD SECURITY SERVICES

Cloud DDoS Protection Service

Infrastructure Protection

Cloud Malware Protection Service

IT Network Protection

2018 WAF MQ Visionary Vendor

2018 WAF Vendor of the Year

2017 Wave DDoS Leader

Cloud WAF Service

Application and Workload Protection

Cloud Workload Protection

BotManager

Fully-managed enterprise-grade cloud services that protect from multi-vector threats and optimize application performance

Page 9

www.radware.com

Radware Cloud WAF Service

Page 10

Case Study: Protecting Carlsberg

Page 11

Case Study: Protecting Carlsberg

4 datacenters + 150 applications on public cloud (Azure)

Carlsberg an Official Sponsor for Euro 2016 games

Expected massive web attack campaign during the games

Incapsula cloud security services severely breached in Dec/15

Received ransom e-mails in February 2016

Luckily, Carlsberg prepared in advance…

Page 12

Case Study: Protecting Carlsberg

Radware Cloud Security Services for Carlsberg

Infrastructure Protection: Cloud DDoS Protection Service

• 4 data centers

• 1 Gbps legitimate traffic

• Fully Managed

Application Protection: Cloud WAF Service

• 150 applications on Azure

• 500 Mbps legitimate traffic

• Fully Managed

Page 13

Unmatched Protection | Continuously Adaptive | Fully Managed

Case Study: Protecting Carlsberg

[Timeline chart markers: Games open on Friday; First Sunday…; Quarter-finals; Semi-finals; Final]

balticom-73-111-29.balticom.lv Latvia

061244096238.ctinets.com Hong Kong

62-210-152-84.rev.poneytelecom.eu France

St. Petersburg Internet Network Russian Federation

seo998.heilink.com Ukraine

[Timeline chart range: June 10th to July 10th]

>175,000 web application attacks successfully blocked

Zero false-negatives and zero false-positives reported by Carlsberg

Massive attack campaign had no impact on the availability or performance of Carlsberg’s services

Page 14

A very happy customer!

Page 15

Radware Cloud WAF Service

Fully-managed cloud-based service for comprehensive application protection

BETTER PROTECTION

FASTER DEPLOYMENT

LESS OVERHEAD

GREATER VISIBILITY

With Positive Security Model & full OWASP Top-10 coverage

With continuously adaptive policies & false-positive correction

With automated defenses & fully-managed service

With integrated security solutions and centralized management

Page 16

Industry-Leading Technology

Page 17

Uniquely Employing Positive Security Model

Negative Security Model

• Standard across most cloud WAF services and WAF technologies

• Blocks known attacks via known signatures and rules

• Cannot provide FULL protection against OWASP TOP-10

• Cannot protect from unknown vulnerabilities: 0-day attacks

Positive Security Model

• Learns and defines what actions are legitimate traffic

• Blocks unauthorized access or actions that are not permitted

• Uniquely protects from 0-day attacks and unknown vulnerabilities

• Higher layer of protection: FULL OWASP TOP-10 protection, minimum false-positives

Page 18

Recommended Capabilities (page 5)

A web application firewall should be able to:

• Enforce both positive and negative security models. The positive model defines acceptable, permitted behavior, input, data ranges, etc., and denies everything else. The negative model (“black list”) defines what is NOT allowed; messages matching those signatures are blocked, and traffic not matching the signatures (not “black listed”) is permitted.

• Prevent data leakage, meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.

Full support for all PCI DSS Recommended Capabilities
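The two recommended capabilities above, as an added example that is not part of the slides or any Radware product: a request is checked against a small signature list (negative model) and a per-endpoint allowlist (positive model), and response bodies have card numbers masked. The endpoint `/cart/add`, its parameters, the signature list and the sample requests are all constructed for illustration.

```python
import re

# Negative model ("black list"): block what matches a signature, permit the rest.
# Constructed, deliberately small signature set.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]

# Positive model: what one endpoint accepts; everything else is denied.
# The endpoint, parameters and formats are hypothetical.
ALLOWED = {
    "/cart/add": {
        "methods": {"POST"},
        "params": {"sku": re.compile(r"[A-Z]{3}-\d{4}"), "qty": re.compile(r"[1-9]\d?")},
    }
}


def negative_ok(req):
    blob = " ".join([req["path"], *req["params"].values()])
    return not any(sig.search(blob) for sig in SIGNATURES)


def positive_ok(req):
    rule = ALLOWED.get(req["path"])
    if rule is None or req["method"] not in rule["methods"]:
        return False
    if set(req["params"]) != set(rule["params"]):  # no missing or extra parameters
        return False
    return all(rule["params"][k].fullmatch(v) for k, v in req["params"].items())


def decide(req):
    """Enforce both models: pass the signatures and fit the allowlist."""
    if not negative_ok(req):
        return "block:signature"
    if not positive_ok(req):
        return "block:not-permitted"
    return "allow"


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_output(body):
    """Output inspection: mask Luhn-valid 13-19 digit numbers, keep the last four."""
    def repl(m):
        n = m.group()
        return "*" * (len(n) - 4) + n[-4:] if luhn_ok(n) else n
    return re.sub(r"\b\d{13,19}\b", repl, body)


# Constructed requests; the card number below is the common test value.
LEGIT = {"method": "POST", "path": "/cart/add", "params": {"sku": "ABC-1234", "qty": "2"}}
KNOWN_BAD = {"method": "POST", "path": "/cart/add", "params": {"sku": "<script>", "qty": "2"}}
OUT_OF_RANGE = {"method": "POST", "path": "/cart/add", "params": {"sku": "ABC-1234", "qty": "-5"}}

if __name__ == "__main__":
    for r in (LEGIT, KNOWN_BAD, OUT_OF_RANGE):
        print(r["params"], "->", decide(r), "| signatures alone pass:", negative_ok(r))
    print(mask_output("card 4111111111111111 order 1234567890123"))
```

The `OUT_OF_RANGE` request matches no signature, so a negative model alone would permit it; only the allowlist rejects it.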

Page 19

Dynamic Application Protection

Machine-learning Algorithms to Automatically Generate Policies

Continuously detect changes in the application and acceptable user behavior to keep protection current

Auto Threat Analysis Covering ALL OWASP Top-10 and 150+ attack vectors

App Mapping to detect new/changes in web application

Auto Policy Activation adding tailored app rules and optimizing for best accuracy

Policy Generation with Auto-Optimization for out-of-the-box rules to minimize false positives

Page 20

Radware Bot Manager

Complete Protection

Account Takeover, Web scraping, Brute force, DDoS, Carding fraud & other bot attacks

Proactively stop automated attacks

Proprietary Intent-based Deep Behavior Analysis (IDBA)

Semi-supervised machine-learning models

Extensive bot fingerprints DB

Threat intelligence from 80K+ properties across 70 countries

Non Intrusive

API-based approach, no impact to technology stack

On-premise & cloud delivery

Leader, 2018 Bot Management Wave Report

Page 21

Robust Network

Page 22

Robust Global Cloud Security Network

Regional Cloud Scrubbing Center

Radware Cloud Security PoP

5 Tbps of global DDoS mitigation capacity

Unmatched ability to guarantee long-term mitigation capacity ahead of DDoS threat

Segregate clean and attack traffic with dedicated scrubbing centers

Page 23

Unmatched Resilience >99.999% Availability

Internal Resilience

• Multiple Tier-1 providers, multiple links per provider

• Full resilience mesh topology

• Full redundancy of all components

Global Resilience

• Scrubbing centers connected in full mesh topology

• Each scrubbing center automatically backed up

• Scrubbing centers replace each other in case of failure

Page 24

Unmatched Compliance to the Strictest Standards

ISO 27001 Information Security Management Systems

ISO 27002 Information technology — Security techniques — Code of practice for security controls

ISO 27032 Security Techniques -- Guidelines for Cybersecurity

ISO 27017 Information Security for Cloud Services

ISO 27018 Information Security Protection of Personally identifiable information (PII) in public clouds

ISO 28000 Specification for Security Management Systems for the Supply Chain

EU GDPR EU General Data Protection Regulation

PCI-DSS Payment Card Industry Data Security Standard

HIPAA Health Insurance Portability and Accountability Act

US SSAE16 SOC-1 Type II, SOC-2 Type II

Page 25

The Only Azure Native Cloud WAF Service

In addition to its own cloud security network, Radware Cloud WAF Service runs native from within Microsoft Azure’s network

The only cloud WAF service to run natively from within Azure’s data centers

Enterprise grade protection, based on Radware’s WAF technology

Minimal latency, based on Microsoft’s fiber-optic backbone

Page 26

Cloud Workload Protection (CWP)

Page 27

WHAT IS A WORKLOAD?

Any asset or computing resource deployed in the cloud

Servers, Services, Databases, Applications, Data

Page 28

CLOUD SECURITY IS A SHARED RESPONSIBILITY

Public cloud providers are responsible for security of the cloud…

…but not of workloads in the cloud

IaaS (Infrastructure as a Service) stack: APPLICATIONS, DATA, RUNTIME, MIDDLEWARE, OS, VIRTUALIZATION, HYPERVISOR, STORAGE, NETWORKING

Legend: Customer, Amazon Web Services

Page 29

TIMEHOP DATA BREACH: THE ATTACK ‘KILL CHAIN’

The attack could have been detected and blocked in multiple stages; each step was an anomaly, but only correlating all steps could reveal the attack

AWS Spear Phishing Attack

Enumerating Permissions

Launching New DB from Snapshot

Logging into DB, Exfiltrating Data

Step 1 Step 3 Step 5 Step 7

Taking Snapshot of Production DB

Creating New Access Keys

Resetting Production DB Password

Step 2 Step 4 Step 6

Page 30

THE RESULT: 21 MILLION USER ACCOUNTS EXPOSED

Page 31

TIMEHOP BREACH – LESSONS LEARNED

1. CONTINUOUS HARDENING is key: Always assume your credentials have already been exposed

2. DETECTION is important, but CORRELATION is critical: Each activity may be legitimate, but together they lead to a breach

3. AUTOMATIC RESPONSE is required: Hackers move quickly, you need to keep up
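The correlation lesson above, as an added example that is not from the slides or from Radware's service: CloudTrail-style records are grouped per principal, and an alert is raised only when several distinct kill-chain stages fall inside one time window. The mapping of event names to stages, the 24-hour window, the threshold of three stages, the ARNs and all sample records are assumptions constructed for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels follow the Timehop kill-chain slide. The CloudTrail event names
# mapped to each stage are this example's assumption, not a vendor rule set.
STAGE_BY_EVENT = {
    "CreateAccessKey": "new_access_keys",
    "GetAccountAuthorizationDetails": "permission_enumeration",
    "ListAttachedUserPolicies": "permission_enumeration",
    "CreateDBSnapshot": "db_snapshot",
    "RestoreDBInstanceFromDBSnapshot": "db_restore_from_snapshot",
}
WINDOW = timedelta(hours=24)  # assumed correlation window
THRESHOLD = 3                 # assumed count of distinct stages that alerts


def stage_of(event):
    """Map one CloudTrail record to a kill-chain stage, or None."""
    name = event["eventName"]
    if name == "ModifyDBInstance":
        # Assumes a password change lists masterUserPassword (value masked).
        params = event.get("requestParameters") or {}
        return "db_password_reset" if "masterUserPassword" in params else None
    return STAGE_BY_EVENT.get(name)


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Storyline per principal reaching `threshold` distinct stages in one window."""
    hits = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            hits[ev["userIdentity"]["arn"]].append((ts, stage))
    storylines = []
    for arn, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            stages = list(dict.fromkeys(s for _, s in seq[start:end + 1]))
            if len(stages) >= threshold:
                storylines.append({"principal": arn, "stages": stages,
                                   "alert_at": seq[end][0].isoformat()})
                break  # first alert per principal is enough here
    return storylines


def record(time, name, arn, params=None):
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample records (not real logs); the account ID is a placeholder.
ADMIN = "arn:aws:iam::111122223333:user/ops-admin"
BACKUP = "arn:aws:iam::111122223333:role/nightly-backup"
SAMPLE = [
    record("2019-06-02T02:00:00Z", "CreateDBSnapshot", BACKUP),
    record("2019-06-02T09:10:00Z", "CreateAccessKey", ADMIN),
    record("2019-06-02T09:12:00Z", "ListAttachedUserPolicies", ADMIN),
    record("2019-06-02T09:40:00Z", "ModifyDBInstance", ADMIN, {"allocatedStorage": 200}),
    record("2019-06-02T10:05:00Z", "CreateDBSnapshot", ADMIN),
    record("2019-06-02T10:30:00Z", "RestoreDBInstanceFromDBSnapshot", ADMIN),
    record("2019-06-02T10:45:00Z", "ModifyDBInstance", ADMIN, {"masterUserPassword": "****"}),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

The nightly backup role takes a snapshot too, but a single stage on its own never crosses the threshold, which is the difference between detection and correlation.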

Page 32

EXISTING SOLUTIONS ARE NOT ENOUGH

COMPLIANCE & GOVERNANCE TOOLS: Oversee overall cloud account, but do not protect individual workloads

AGENT-BASED SOLUTIONS: Protect individual servers, but lack visibility to overall account context and cloud-native services

NATIVE PUBLIC CLOUD SECURITY SOLUTIONS: Provide basic security features which do not provide alert correlation or automatic response

Page 33

CLOUD WORKLOAD PROTECTION SERVICE

Cloud-native solution for comprehensive protection of your AWS assets

COMPREHENSIVE PROTECTION: Protects overall cloud security posture as well as workloads

SMART HARDENING: Reduce attack surface by eliminating unnecessary permissions

CONTEXTUAL DETECTION: Advanced machine-learning to detect and correlate suspicious activities

AUTOMATIC RESPONSE: Automatically blocks attacks before they turn into a breach

Page 34

HOW RADWARE SECURES YOUR CLOUD

PREVENT (REDUCE RISK): Reduces attack surface by identifying and removing excessive permissions which can be exploited

DETECT (TIMELY DISCOVERY): Detects suspicious activity indicative of hacking activities and correlates them into unified attack storylines

RESPOND (FAST MITIGATION): Provides automated response mechanisms that mitigate attacks as soon as they are detected

Page 35

CONTEXT-AWARE, SMART HARDENING

• Analyzes GAP between defined and used permissions

• Applies PRINCIPLE OF LEAST PRIVILEGES

• Provides SMART HARDENING recommendations

• FORTIFIES SECURITY POSTURE and reduces attack surface
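The gap between defined and used permissions, as an added example that is not Radware's implementation: the actions granted by an IAM policy document are compared with the actions seen in CloudTrail-style records, and unused grants and over-wide wildcards are reported. The policy, the activity records and the function names are constructed; the sketch assumes the CloudTrail `eventName` equals the IAM action name and ignores Deny, NotAction and Condition.

```python
from fnmatch import fnmatchcase


def granted_patterns(policy):
    """Action patterns from the Allow statements of an IAM policy document.
    Deny, NotAction and Condition are ignored to keep the example short."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for st in statements:
        if st.get("Effect") == "Allow" and "Action" in st:
            actions = st["Action"]
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns


def used_actions(events):
    """'service:Action' strings seen in CloudTrail records. Assumes eventName
    equals the IAM action name, which holds for most but not all API calls."""
    return {e["eventSource"].split(".")[0] + ":" + e["eventName"] for e in events}


def permission_gap(policy, events):
    """Compare defined permissions with used ones and suggest a tighter set."""
    used = used_actions(events)
    report = []
    for pattern in granted_patterns(policy):
        # IAM action names are case-insensitive; * and ? are wildcards.
        hits = sorted(a for a in used if fnmatchcase(a.lower(), pattern.lower()))
        if not hits:
            report.append({"granted": pattern, "finding": "unused", "suggest": []})
        elif "*" in pattern or "?" in pattern:
            report.append({"granted": pattern, "finding": "wildcard", "suggest": hits})
    return report


# Constructed policy and observed activity for one role (not real data).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:*", "rds:CreateDBSnapshot", "iam:CreateAccessKey"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"},
    ],
}
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

if __name__ == "__main__":
    for row in permission_gap(POLICY, EVENTS):
        print(row)
```

Here `iam:CreateAccessKey` is granted but never used, which is the kind of permission the Timehop kill chain relied on.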

Page 36

ATTACK DETECTION BASED ON ADVANCED AI

• CORRELATES individual events

• Uses advanced MACHINE-LEARNING algorithms

• Creates streamlined attack STORYLINES

• Shows STEP-BY-STEP attack progression

Page 37

AUTOMATIC RESPONSE MECHANISMS

• AUTOMATED RESPONSE mechanisms to block attacks instantly

• Leverage AWS LAMBDA service

• CUSTOM-DEFINED SCRIPTS to respond to attack alerts

• BLOCK DATA THEFT ATTEMPTS before they result in breach

Page 38

AGENTLESS, CLOUD NATIVE SOLUTION

• Cloud-native, AGENTLESS solution

• NO INSTALLATION of additional hardware or software required

• Low-touch, EASY DEPLOYMENT

Page 39

SERVICE FLOW

1. METADATA AND LOGS: Collection of configuration data from CloudTrail, Flow, OS logs

2. AI ANALYSIS: Behavioral and Attack Surface analysis using cloud-based machine-learning algorithms

3. BREACH ALERTS: Upon detection of attacks as they evolve

4. CONFIGURATION WARNINGS: Public exposure alerts and configuration hardening recommendations

5. RESPONSE: Custom-defined response mechanisms for fast mitigation

[Diagram label: RADWARE]

Page 40

OneLogin ATTACK KILL CHAIN

AWS Spear Phishing Attack

Listen to all instances

Port scanning to find available web server

Connect to DB, and exfiltrate data

Step 1 Step 3 Step 5 Step 7

Launch new instance with privileged role

Access keys stolen

Use Apache exploit to install backdoor

Step 2 Step 4 Step 6

Page 41

HOW IT WOULD HAVE LOOKED WITH RADWARE…

DEMO: Cloud Workload Protection Service

Page 42

Questions

Page 43

Controlware is a vendor-independent consultant, systems integrator and operator of IT solutions.

Controlware – Facts and Figures

16 locations in D-A-CH, 12 of them in Germany

Approx. 840 employees in D-A-CH

Own Customer Service Center since 1996

> 470 system engineers and consultants in Germany

Independent family-owned company since its founding in 1980

€300 million revenue

Page 44

Thank you for your attention!

Page 45

THANK YOU!