What hurdles exist, and what do practical approaches look like, for securing your workload in the cloud
The secure workload transition to the cloud
Rainer Funk, IT Security Solution Manager
Controlware GmbH
Alexander Krakhofer, Head of Solution Architects
Radware
Controlware – Radware: The secure workload transition to the cloud
Alexander Krakhofer
Head of Pre-Sales DACH
June 2019
Workload Evolution
Legacy DC:
• Invest in multiple DCs
• Manage DC
• Overprovisioned
Private Cloud (virtualization, SDDC):
• Improved operations, flexibility of placing workloads
• Invest in hardware
• Manage infrastructure
• Idle infrastructure
Public Cloud (someone else’s computer):
• Remote operations
• No capital investments
• No DC or HW infrastructure to manage; OS and software management, hardening, patching, updates; manual scaling by adding machines
• On-demand infrastructure, optimized infrastructure
Cloud Native (services, services, …):
• Consuming services
• No infrastructure
• No OS or software to manage, harden, patch, update
• Elastic and dynamic scale; on demand, pay-as-you-go
Cloud shared responsibility model
*source https://docs.microsoft.com/en-us/azure/security/azure-security-infrastructure
Example AWS Shared Responsibility Model
MOVING TO THE CLOUD MEANS LOSING CONTROL
On-Prem Data Center:
• Network resources hosted on-site
• Protected against insider threats
• Perimeter defenses against external threats
Public Cloud:
• Workloads hosted on the public cloud
• Organizations lose direct control over resources
• All access is ‘remote’
Will AWS / Azure / GCP / Alibaba manage your permissions?
Shared Responsibility = No Responsibility
That means the biggest threat to your cloud is
“you don’t know what you don’t know”
-- Gartner 2018
95% OF CLOUD SECURITY FAILURES THROUGH 2020 WILL BE THE CUSTOMER’S FAULT.
IaaS (Infrastructure as a Service) responsibility stack, from the top down: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking; split between the Customer (top) and the Cloud Provider (bottom).
Radware CLOUD SECURITY SERVICES
Infrastructure Protection: Cloud DDoS Protection Service, Cloud Malware Protection Service, IT Network Protection
Application and Workload Protection: Cloud WAF Service, Cloud Workload Protection, Bot Manager
Awards: 2018 WAF MQ Visionary Vendor; 2018 WAF Vendor of the Year; 2017 Wave DDoS Leader
Fully-managed enterprise-grade cloud services that protect from multi-vector threats and optimize application performance
www.radware.com
Radware Cloud WAF Service
Case Study: Protecting Carlsberg
4 datacenters + 150 applications on public cloud (Azure)
Carlsberg an Official Sponsor for Euro 2016 games
Expected massive web attack campaign during the games
Incapsula cloud security services severely breached in December 2015
Received ransom e-mails in February 2016
Luckily, Carlsberg prepared in advance…
Case Study: Protecting Carlsberg
Radware Cloud Security Services for Carlsberg
Infrastructure Protection: Cloud DDoS Protection Service for 4 data centers, 1 Gbps legitimate traffic, fully managed
Application Protection: Cloud WAF Service for 150 applications on Azure, 500 Mbps legitimate traffic, fully managed
Unmatched Protection | Continuously Adaptive | Fully Managed
Case Study: Protecting Carlsberg
Attack timeline, June 10th to July 10th (games open on Friday; first Sunday…; quarter-finals; semi-finals; final). Attack sources shown:
• balticom-73-111-29.balticom.lv (Latvia)
• 061244096238.ctinets.com (Hong Kong)
• 62-210-152-84.rev.poneytelecom.eu (France)
• St. Petersburg Internet Network (Russian Federation)
• seo998.heilink.com (Ukraine)
>175,000 web application attacks successfully blocked
Zero false-negatives and zero false-positives reported by Carlsberg
Massive attack campaign had no impact on the availability or performance of Carlsberg’s services
A very happy customer!
Radware Cloud WAF Service
Fully-managed cloud-based service for comprehensive application protection
BETTER PROTECTION: with Positive Security Model & full OWASP Top-10 coverage
FASTER DEPLOYMENT: with continuously adaptive policies & false-positive correction
LESS OVERHEAD: with automated defenses & fully-managed service
GREATER VISIBILITY: with integrated security solutions and centralized management
Industry-Leading Technology
Uniquely Employing Positive Security Model
Negative Security Model
• Standard across most cloud WAF services and WAF technologies
• Blocks known attacks via known signatures and rules
• Cannot provide FULL protection against OWASP TOP-10
• Cannot protect from unknown vulnerabilities: 0-day attacks
Positive Security Model
• Learns and defines what actions are legitimate traffic
• Blocks unauthorized access or actions that are not permitted
• Uniquely protects from 0-day attacks and unknown vulnerabilities
• Higher layer of protection: FULL OWASP TOP-10 protection, minimum false-positives
Recommended Capabilities (page 5): a web application firewall should be able to:
• Enforce both positive and negative security models. The positive model defines acceptable, permitted behavior, input, data ranges, etc., and denies everything else. The negative model (“black list”) defines what is NOT allowed; messages matching those signatures are blocked, and traffic not matching the signatures (not “black listed”) is permitted.
• Prevent data leakage, meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.
Full support for all PCI DSS Recommended Capabilities
Dynamic Application Protection
Machine-learning algorithms automatically generate policies and continuously detect changes in the application and in acceptable user behavior to keep protection current:
• Auto Threat Analysis covering ALL OWASP Top-10 and 150+ attack vectors
• App Mapping to detect new or changed parts of the web application
• Auto Policy Activation, adding tailored app rules and optimizing for best accuracy
• Policy Generation with Auto-Optimization of out-of-the-box rules to minimize false positives
Radware Bot Manager
Complete Protection: account takeover, web scraping, brute force, DDoS, carding fraud & other bot attacks
Proactively stop automated attacks: proprietary Intent-based Deep Behavior Analysis (IDBA); semi-supervised machine-learning models; extensive bot fingerprint DB; threat intelligence from 80K+ properties across 70 countries
Non-Intrusive: API-based approach, no impact on the technology stack; on-premise & cloud delivery
Leader, 2018 Bot Management Wave Report
Robust Network
Robust Global Cloud Security Network
Regional Cloud Scrubbing Center
Radware Cloud Security PoP
5 Tbps of global DDoS mitigation capacity
Unmatched ability to guarantee long-term mitigation capacity ahead of DDoS threat
Segregate clean and attack traffic with dedicated scrubbing centers
Unmatched Resilience: >99.999% Availability
Internal Resilience: multiple Tier-1 providers, multiple links per provider; full resilience mesh topology; full redundancy of all components
Global Resilience: scrubbing centers connected in full mesh topology; each scrubbing center automatically backed up; scrubbing centers replace each other in case of failure
Unmatched Compliance to the Strictest Standards
ISO 27001 Information Security Management Systems
ISO 27002 Information technology — Security techniques — Code of practice for security controls
ISO 27032 Security Techniques -- Guidelines for Cybersecurity
ISO 27017 Information Security for Cloud Services
ISO 27018 Information Security Protection of Personally identifiable information (PII) in public clouds
ISO 28000 Specification for Security Management Systems for the Supply Chain
EU GDPR EU General Data Protection Regulation
PCI-DSS Payment Card Industry Data Security Standard
HIPAA Health Insurance Portability and Accountability Act
US SSAE16 SOC-1 Type II, SOC-2 Type II
The Only Azure Native Cloud WAF Service
In addition to its own cloud security network, Radware Cloud WAF Service runs native from within Microsoft Azure’s network
The only cloud WAF service to run natively from within Azure’s data centers
Enterprise grade protection, based on Radware’s WAF technology
Minimal latency, based on Microsoft’s fiber-optic backbone
Cloud Workload Protection (CWP)
WHAT IS A WORKLOAD?
Any asset or computing resource deployed in the cloud: servers, services, databases, applications, data
CLOUD SECURITY IS A SHARED RESPONSIBILITY
Public cloud providers are responsible for security of the cloud… …but not of workloads in the cloud.
IaaS (Infrastructure as a Service) responsibility stack, from the top down: Applications, Data, Runtime, Middleware, OS, Virtualization, Hypervisor, Storage, Networking; split between the Customer (top) and Amazon Web Services (bottom).
TIMEHOP DATA BREACH: THE ATTACK ‘KILL CHAIN’
The attack could have been detected and blocked in multiple stages; each step was an anomaly, but only correlating all steps could reveal the attack.
Step 1: AWS spear phishing attack
Step 2: Creating new access keys
Step 3: Enumerating permissions
Step 4: Taking snapshot of production DB
Step 5: Launching new DB from snapshot
Step 6: Resetting production DB password
Step 7: Logging into DB, exfiltrating data
THE RESULT: 21 MILLION USER ACCOUNTS EXPOSED
TIMEHOP BREACH – LESSONS LEARNED
1. CONTINUOUS HARDENING is key: always assume your credentials have already been exposed
2. DETECTION is important, but CORRELATION is critical: each activity may be legitimate, but together they lead to a breach
3. AUTOMATIC RESPONSE is required: hackers move quickly, you need to keep up
EXISTING SOLUTIONS ARE NOT ENOUGH
COMPLIANCE & GOVERNANCE TOOLS: oversee the overall cloud account, but do not protect individual workloads
AGENT-BASED SOLUTIONS: protect individual servers, but lack visibility into the overall account context and cloud-native services
NATIVE PUBLIC CLOUD SECURITY SOLUTIONS: provide basic security features which do not provide alert correlation or automatic response
CLOUD WORKLOAD PROTECTION SERVICE
Cloud-native solution for comprehensive protection of your AWS assets
COMPREHENSIVE PROTECTION: protects overall cloud security posture as well as workloads
SMART HARDENING: reduces attack surface by eliminating unnecessary permissions
CONTEXTUAL DETECTION: advanced machine-learning to detect and correlate suspicious activities
AUTOMATIC RESPONSE: automatically blocks attacks before they turn into a breach
HOW RADWARE SECURES YOUR CLOUD
PREVENT (REDUCE RISK): reduces attack surface by identifying and removing excessive permissions which can be exploited
DETECT (TIMELY DISCOVERY): detects suspicious activity indicative of hacking activities and correlates it into unified attack storylines
RESPOND (FAST MITIGATION): provides automated response mechanisms that mitigate attacks as soon as they are detected
CONTEXT-AWARE, SMART HARDENING
• Analyzes the GAP between defined and used permissions
• Applies the PRINCIPLE OF LEAST PRIVILEGE
• Provides SMART HARDENING recommendations
• FORTIFIES SECURITY POSTURE and reduces attack surface
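The gap analysis these bullets describe, as an added example that is not Radware's code and not part of the original slides: a constructed IAM policy for a workload role is compared with constructed CloudTrail-style records for the same role, every granted action that was never exercised is flagged for removal, wildcards like rds:* collapse to the calls actually observed, and a tightened policy is emitted. The policy, the records and the account are all constructed sample data; the eventSource/eventName to "service:Action" mapping is an assumption that holds for most management events but not for every service (and S3 object-level calls only show up when data-event logging is on), so the result is a lower bound on what is used.

```python
import fnmatch
import json

# Constructed sample: the IAM policy attached to a workload role (assumption: the usual
# "service:Action" names, with wildcards as IAM allows them).
DEFINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds:*", "s3:Get*", "s3:PutObject", "iam:CreateAccessKey"],
            "Resource": "*",
        }
    ],
}

# Constructed sample: CloudTrail-style records for that role over the observation window
# (only the two fields needed here are kept).
CLOUDTRAIL_RECORDS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances"},
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot"},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]


def used_actions(records):
    """Map CloudTrail records to IAM action names ("service:EventName").

    Assumption: eventName equals the IAM action name. That is true for most
    management events but not for all services, so treat the set as a lower bound.
    """
    return {f"{r['eventSource'].split('.')[0]}:{r['eventName']}" for r in records}


def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement (Deny statements are ignored here)."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def permission_gap(policy, records):
    """Compare defined (allowed) permissions with used ones.

    Returns the used actions some Allow pattern covers, the Allow patterns no
    observed call ever exercised (removal candidates), and the used actions this
    policy does not grant at all (granted elsewhere, or implicit like sts:GetCallerIdentity).
    """
    used = used_actions(records)
    covered, unused_patterns = set(), []
    for pattern in allowed_patterns(policy):
        # IAM matches action names case-insensitively; fnmatchcase handles the '*' and '?' wildcards
        hits = {a for a in used if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
        if hits:
            covered |= hits
        else:
            unused_patterns.append(pattern)
    return {"covered": covered, "unused_patterns": unused_patterns, "uncovered_used": used - covered}


def recommend_policy(policy, records):
    """Least-privilege recommendation: keep only the actions that were actually used,
    named explicitly, so a wildcard like rds:* collapses to the handful of calls observed.
    Resource scoping is a separate, later hardening step and is left at "*" here."""
    gap = permission_gap(policy, records)
    return {
        "Version": policy["Version"],
        "Statement": [{"Effect": "Allow", "Action": sorted(gap["covered"]), "Resource": "*"}],
    }


if __name__ == "__main__":
    gap = permission_gap(DEFINED_POLICY, CLOUDTRAIL_RECORDS)
    print("never used (remove):", gap["unused_patterns"])
    print("used but not granted by this policy:", sorted(gap["uncovered_used"]))
    print(json.dumps(recommend_policy(DEFINED_POLICY, CLOUDTRAIL_RECORDS), indent=2))
```

On the sample data the unused iam:CreateAccessKey grant is the finding that matters: it is exactly the permission that step 2 of the Timehop chain needs, and nothing in the workload ever called it. A real observation window should cover the rarest periodic job (month-end, yearly rotation) before a grant is dropped, otherwise the tightened policy breaks a legitimate run.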
ATTACK DETECTION BASED ON ADVANCED AI
• CORRELATES individual events
• Uses advanced MACHINE-LEARNING algorithms
• Creates streamlined attack STORYLINES
• Shows STEP-BY-STEP attack progression
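The correlation that the Timehop kill chain and these bullets describe, as an added example (not Radware's detection logic and not part of the original slides): each CloudTrail event is mapped to a kill-chain stage on its own, which in isolation is just an anomaly or even routine, and only the per-principal grouping within a time window turns several stages into one storyline. The events, the principals and the account id (the AWS documentation placeholder) are constructed sample data; the eventName-to-stage mapping, the 72-hour window and the three-stage threshold are assumptions to tune, not the vendor's values. A plain rule stands in for the machine-learning model on the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: which CloudTrail eventName signals which stage of the Timehop-style chain.
STAGE_OF_EVENT = {
    "CreateAccessKey": "creating new access keys",
    "GetAccountAuthorizationDetails": "enumerating permissions",
    "ListAttachedUserPolicies": "enumerating permissions",
    "CreateDBSnapshot": "taking snapshot of production DB",
    "RestoreDBInstanceFromDBSnapshot": "launching new DB from snapshot",
    "ModifyDBInstance": "resetting production DB password",
}

# Constructed sample events. The nightly-backup role takes one snapshot (legitimate);
# ops-admin walks the whole chain, with some ordinary calls mixed in.
SAMPLE_EVENTS = [
    {"eventTime": "2018-07-04T01:00:00Z", "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/nightly-backup"}},
    {"eventTime": "2018-07-04T08:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-04T08:05:00Z", "eventName": "GetAccountAuthorizationDetails",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-04T08:06:00Z", "eventName": "DescribeDBInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-04T09:00:00Z", "eventName": "ModifyDBInstance",
     "requestParameters": {"allocatedStorage": 200},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-05T02:00:00Z", "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-05T02:40:00Z", "eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
    {"eventTime": "2018-07-05T03:00:00Z", "eventName": "ModifyDBInstance",
     "requestParameters": {"masterUserPassword": "****"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def stage_of(event):
    """Return the kill-chain stage an event belongs to, or None for ordinary activity."""
    name = event["eventName"]
    # ModifyDBInstance is routine unless it sets the master password
    # (assumption: the key is present in the record while its value is redacted).
    if name == "ModifyDBInstance" and "masterUserPassword" not in event.get("requestParameters", {}):
        return None
    return STAGE_OF_EVENT.get(name)


def correlate(events, window=timedelta(hours=72), min_stages=3):
    """Group stage events per principal inside a time window and emit a storyline
    when one group spans at least min_stages distinct stages."""
    by_actor = defaultdict(list)
    for e in events:
        stage = stage_of(e)
        if stage:
            by_actor[e["userIdentity"]["arn"]].append((parse_time(e["eventTime"]), stage, e["eventName"]))
    storylines = []
    for actor, items in by_actor.items():
        items.sort()
        group = []
        for item in items + [None]:  # the None sentinel flushes the last group
            if group and (item is None or item[0] - group[0][0] > window):
                stages = []
                for _, stage, _ in group:  # distinct stages, in the order they first appeared
                    if stage not in stages:
                        stages.append(stage)
                if len(stages) >= min_stages:
                    storylines.append({"actor": actor, "start": group[0][0], "end": group[-1][0],
                                       "stages": stages, "events": [name for _, _, name in group]})
                group = []
            if item is not None:
                group.append(item)
    return storylines


if __name__ == "__main__":
    for story in correlate(SAMPLE_EVENTS):
        print(f"{story['actor']}: {story['start']} .. {story['end']}")
        for step, stage in enumerate(story["stages"], 1):
            print(f"  step {step}: {stage}")
```

The single snapshot by the backup role stays below the threshold, and so does the storage-only ModifyDBInstance call, which is the point the slide makes: a detector that fires on CreateDBSnapshot alone drowns the SOC in backup noise, while the same event inside a sequence that started with a fresh access key and a permission enumeration is the breach in progress.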
AUTOMATIC RESPONSE MECHANISMS
• AUTOMATED RESPONSE mechanisms to block attacks instantly
• Leverage the AWS LAMBDA service
• CUSTOM-DEFINED SCRIPTS to respond to attack alerts
• BLOCK DATA THEFT ATTEMPTS before they result in a breach
AGENTLESS, CLOUD NATIVE SOLUTION
• Cloud-native, AGENTLESS solution
• NO INSTALLATION of additional hardware or software required
• Low-touch, EASY DEPLOYMENT
SERVICE FLOW
1. METADATA AND LOGS: collection of configuration data from CloudTrail, Flow and OS logs
2. AI ANALYSIS (Radware): behavioral and attack-surface analysis using cloud-based machine-learning algorithms
3. BREACH ALERTS: upon detection of attacks as they evolve
4. CONFIGURATION WARNINGS: public exposure alerts and configuration hardening recommendations
5. RESPONSE: custom-defined response mechanisms for fast mitigation
OneLogin ATTACK KILL CHAIN
Step 1: AWS spear phishing attack
Step 2: Access keys stolen
Step 3: Listen to all instances
Step 4: Launch new instance with privileged role
Step 5: Port scanning to find available web server
Step 6: Use Apache exploit to install backdoor
Step 7: Connect to DB and exfiltrate data
HOW IT WOULD HAVE LOOKED WITH RADWARE…
DEMO: Cloud Workload Protection Service
Questions
Controlware is a vendor-independent consultant, system integrator and operator of IT solutions.
Controlware – facts and figures
• 16 locations in D-A-CH, 12 of them in Germany
• Approx. 840 employees in D-A-CH
• Own Customer Service Center since 1996
• > 470 system engineers and consultants in Germany
• Independent family-owned company since its founding in 1980
• 300 million € revenue
Thank you for your attention!