My Neighbor Runs a Crack House: Aggregate Risk Model for the Cloud

Date post: 08-May-2020

Transcript
Page 1: My Neighbor Runs a Crack House: Aggregate Risk Model for the …itm.iit.edu/netsecure11/RudyRistich_CloudRisks.pdf · My Neighbor Runs a Crack House: Aggregate Risk Model for the

SecureWorks

My Neighbor Runs a Crack House: Aggregate Risk Model for the Cloud

Page 2

Crack Houses Attract Criminals

Overall crime rate is higher in regions that have a higher drug crime rate

The size of the dots is proportional to the drug related arrests normalized by population, and the darkness of the dots is proportional to the total arrests normalized by population


Page 3

In the Cloud, Anyone Can Move in Next Door


Page 4

The Neighborhood – IP Reputation

• Public IPs are routinely re-used by Cloud Providers

• Customer assumes the reputation of the IP they are assigned
  – But a security researcher just burned that IP probing a botnet…
  – …and it is now under DDoS as retaliation, so we released it back into the pool ;)
  – Or we hosted research bots at that IP, and reputation providers noticed
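As an added example (not part of the deck), a defender-side check that runs before a freshly assigned public IP is put into service: build the DNSBL query name (reversed octets plus the list zone) and treat an answer inside 127.0.0.0/8 as "listed", so a burned address is released back to the provider pool instead of inherited along with its history. The zone name, the injected resolver and the RFC 5737 TEST-NET addresses are assumptions and constructed values, not anything the slides specify.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Assumption: placeholder DNSBL zone (RFC 2606 ".invalid" TLD); replace it with
# the zone your reputation provider documents.
DNSBL_ZONE = "dnsbl.example.invalid"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: the IPv4 octets in reverse order followed
    by the blocklist zone, e.g. 7.100.51.198.<zone> for 198.51.100.7."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip_reputation(ip: str,
                        resolve: Callable[[str], Optional[str]] = system_resolver,
                        zone: str = DNSBL_ZONE) -> dict:
    """Report whether `ip` is listed. DNSBLs answer a listed address with an
    A record inside 127.0.0.0/8 (the exact value encodes the listing reason);
    no answer at all means 'not listed'."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    listed = answer is not None and (
        ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    )
    return {"ip": ip, "query": name, "listed": listed,
            "code": answer if listed else None}


def admit_or_release(ip: str,
                     resolve: Callable[[str], Optional[str]] = system_resolver) -> str:
    """Gate a freshly allocated public IP before it serves traffic: a listed
    address is released back to the pool (and the allocation retried)."""
    result = check_ip_reputation(ip, resolve)
    return "release" if result["listed"] else "admit"


if __name__ == "__main__":
    # Constructed offline stand-in for DNS: one TEST-NET-2 address is "listed".
    fake_dns = {dnsbl_query_name("198.51.100.7"): "127.0.0.2"}
    for candidate in ("198.51.100.7", "198.51.100.8"):
        print(candidate, admit_or_release(candidate, resolve=fake_dns.get))
```

Run this as the last step of the allocation workflow rather than after the address is already answering for production hostnames; a listing found later means the reputation was inherited by your users.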


Page 5

Neighbors Drawing Attention


Page 6

Risks in Virtualized & Cloud Environments

• Based on Threat Intelligence data and IDS data collected over the last year
  – vulnerabilities reported in virtualized technologies nearly doubled
  – IDS events detecting these attacks increased by more than 500%

• Risk due to vulnerabilities in virtualization-related tech is amplified within the Cloud

Chart: Vulns / Alerts

Page 7


Security is the Major Issue

Page 8

Adversaries Target the Cloud: Data & Privacy


Page 9

Statistics of Adoption of Virtualization & Cloud

• 96% of respondents had virtualized some portion of their infrastructure.

• 52% had moved data and applications into a Cloud environment, and of those that had not, 46% planned to within 12 months.

• 58% believed their Cloud environment was not adequately secured.

* Results based on customer survey at SecureWorks Enterprise Security Summit 2010

Page 10

Open Kitchen Dining Experience Analogy


Page 11

Open Kitchen Dining Experience Analogy


Page 12

Simple Model of IT Stack

(Stack diagram, top to bottom)

• Users
• Applications
• Platform
• Infrastructure

Page 13

NIST Working Definition of Cloud Computing – Visual Model


Page 14

Your Neighbors and You: IaaS, PaaS and SaaS

IaaS Provider Platform (diagram: Your Organization on the left, Your Neighbor on the right; layers spanning both columns are marked “What You Share w/ Your Neighbor”):

• Your Org’s Userbase | Neighbor’s Userbase
• Your Org’s App 1, App 2 | Neighbor’s App 1, App 2
• Your Org’s App Stack | Neighbor’s App Stack
• Your Org’s Platform Stack | Neighbor’s Platform Stack
• Your Org’s Guest OS | Neighbor’s Guest OS
• Hypervisor (shared)
• Hardware, Network, Storage (shared)

Page 15

Your Neighbors and You: IaaS, PaaS and SaaS

The IaaS stack from page 14 is repeated, and the PaaS Provider Platform is added beside it (Your Organization | Your Neighbor; shared layers marked “What You Share w/ Your Neighbor”):

• Your Org’s Userbase | Neighbor’s Userbase
• Your Org’s App 1, App 2 | Neighbor’s App 1, App 2
• Your Org’s App Stack | Neighbor’s App Stack
• Platform Stack (shared)
• Guest OS (shared)
• Hypervisor (shared)
• Hardware, Network, Storage (shared)

Page 16

Your Neighbors and You: IaaS, PaaS and SaaS

The IaaS and PaaS stacks from pages 14 and 15 are repeated, and the SaaS Provider Platform is added beside them (Your Organization | Your Neighbor; shared layers marked “What You Share w/ Your Neighbor”):

• Your Org’s Userbase | Neighbor’s Userbase
• Software Application (shared)
• Software Application Stack (shared)
• Platform Stack (shared)
• Guest OS (shared)
• Hypervisor (shared)
• Hardware, Network, Storage (shared)

Page 17

Your Neighbors and You: SaaS

SaaS Provider Platform (diagram: Your Organization | Your Neighbor; shared layers marked “What You Share w/ Your Neighbor”): Your Org’s Userbase and Neighbor’s Userbase sit on top of a shared Software Application, Software Application Stack, Platform Stack, Guest OS, Hypervisor, and Hardware, Network, Storage.

• In addition to shared virtualized infrastructure, shared Guest OS, and shared Platform Stack, the Software Application Stack and the Software Application are shared with the Neighbor

• Potential exploitation of vulnerabilities in the Software Application Stack and Software Application exposes Organizations using SaaS to some risk from the Neighbor

Page 18

Page 19

Loss of Governance: Malicious Insiders


Page 20

Your Neighbors and You: PaaS

PaaS Provider Platform (diagram: Your Organization | Your Neighbor; shared layers marked “What You Share w/ Your Neighbor”): Your Org’s Userbase, App 1, App 2 and App Stack beside the Neighbor’s Userbase, App 1, App 2 and App Stack, all on top of a shared Platform Stack, Guest OS, Hypervisor, and Hardware, Network, Storage.

• In addition to shared virtualized infrastructure, the Guest OS and Platform Stack are shared with the Neighbor

• Potential exploitation of vulnerabilities in the Platform and Guest OS exposes Organizations using PaaS to some risk from the Neighbor

Page 22

Social Graph API

Page 23

Adversaries Target the Cloud: Web APIs


Page 24

API vulnerability that allowed open posting of status messages to fan pages.

Page 25

Your Neighbors and You: IaaS

IaaS Provider Platform (diagram: Your Organization | Your Neighbor; shared layers marked “What You Share w/ Your Neighbor”): Your Org’s Userbase, App 1, App 2, App Stack, Platform Stack and Guest OS beside the Neighbor’s Userbase, App 1, App 2, App Stack, Platform Stack and Guest OS, all on top of a shared Hypervisor and Hardware, Network, Storage.

• Virtualized infrastructure shared with the Neighbor
  – “from concrete to Hypervisor”

• Potential exploitation of vulnerabilities in the shared virtual infrastructure exposes Organizations using IaaS to some level of risk from the Neighbor

• Exploitation of shared physical infrastructure is also a consideration

Page 26

PCI Goes to the (IaaS) Cloud

• Challenge of migrating data and applications to the Cloud while maintaining significant investments in regulatory compliance
  – Can the Cloud provider provide evidence of compliance with relevant requirements?
  – Does the Cloud provider permit audits by relevant certifying bodies?

• Dec 5, Amazon Web Service (AWS) announces Level 1 PCI DSS certification
  – AWS certified from “concrete to hypervisor”
  – AWS customer must certify their in-scope elements on top of IaaS
    › Guest OS, Application Stack, Apps, Controls, Operational Processes
  – “Merchants and other service providers can now run their applications on AWS PCI-compliant technology infrastructure to store, process and transmit credit card information in the cloud.”

Page 27

Simple Model of Cloud Stack

(Stack diagram, top to bottom, with two axes alongside: Exposure and Control, both running from LESS at SaaS to MORE at IaaS)

• SaaS: Customer has less shared exposure and less direct operational control
• PaaS
• IaaS: Customer has more shared exposure and more direct operational control

Page 28

Multi-Tenancy


Page 29

Multitenancy: Shared Technology

Page 30

Multitenancy: Unfriendly Neighbors

Confidential 3/7/2011

Page 31

House With Poor Foundation


Page 32

Thought On Going to the Cloud

• “…what one gives up in terms of direct operational control, one must gain back in terms of visibility and transparency.”

– Christopher “beaker” Hoff


Page 33

“2-Step Verification” for Google Accounts

Source: Official Google Blog

Page 34

MitB-Resistant Authentication Devices

Image sources are the respective vendors’ public websites.

Offline Cryptographic Transaction Verification

Visual Cryptogram

Page 35

Prediction: Malware Targets the Cloud

• Target and steal credentials related to Cloud providers
  – AWS
    › Amazon username/password
    › Certificate and private key
    › SSH key pairs
    › “Access Secret Key”

• Automate exploitation of Cloud provider APIs

• MitB compromise of Cloud provider credentials
  – spin up malicious Hypervisors (e.g. Worm)
  – Manipulate Data

• New, advanced malware capabilities
  – Attack multi-tenancy
  – Bypass processor-level isolation and/or hyper escalation
  – Exploit vulnerabilities in Virtual OS controls


Page 36

Other Predictions

• Phishing targets Cloud provider credentials

• Incident Response is slowed by involvement of 3rd parties

• Post-compromise forensic analysis made more difficult in Cloud

• Time to Remediate vulnerabilities may increase
  – Lower priority for Cloud provider?
  – Use of canned VM Images: impact on vulnerability management

• Insider Threat
  – e.g., Amazon has their own Pfc. Bradley Manning employed as sysadmin

• Physical breach / loss of device may be more damaging
  – Lose laptop w/ cloud creds vs. laptop with creds to corp. servers (behind FW)
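Added defensive example, not from the deck: a small scanner that finds the credential material page 35 lists (AWS access keys, private keys) sitting on an endpoint, so it can be rotated or replaced with short-lived credentials before a lost laptop turns into direct access to the provider's API (page 36). The in-memory sample files are constructed, the key values are AWS's own documentation placeholders, and the pattern set and redaction rule are assumptions of this example.

```python
import re
from typing import Dict, List

# Detection patterns. The AWS access-key-id shape (AKIA + 16 characters) and the
# ~/.aws/credentials key names are documented AWS formats; PEM headers follow
# RFC 7468. Extend this map for other providers' long-lived secrets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key\s*=\s*(\S+)", re.I),
    "private_key_pem": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can recognise which credential was
    found without the report itself becoming a second copy of the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(path: str, text: str) -> List[dict]:
    """Scan one file's contents line by line and return redacted findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "redacted": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a {path: contents} map; a real run would walk a home directory."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per credential kind for the rotation ticket."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample endpoint contents (AWS documentation sample key pair).
SAMPLE_FILES = {
    "home/alice/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "home/alice/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedplaceholderbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "home/alice/notes.txt": "Remember: rotate the deploy key before the audit.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['redacted']}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

Every hit is a credential that works from anywhere on the internet, unlike a corporate password that is only useful behind the firewall; the remediation is rotation plus a move to short-lived, device-bound credentials, not just deleting the file.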


Page 37

SecureWorks

My Neighbor Runs a Crack House: Aggregate Risk Model for the Cloud
