Cloud Security: So Many Open Source Tools, So Little Time
Tuesday May 15, 2018
9:30-10:30 AM
2018 Secure360 Twin Cities
Matt Farrar
@secure360 facebook.com/secure360 www.Secure360.org
About Me
• Went to the University of Notre Dame
• Manager, Security & Privacy consulting with Protiviti
• 4+ years designing, implementing, and managing cloud environments, primarily in AWS & Azure (currently working on GCP environments)
Level Setting
• This talk is intended to introduce the concepts of open source cloud security tools
• This talk will not make you an expert, but provide additional options in the toolkit
• Survey of what is out there, certainly not comprehensive
Note: All resources will be linked or listed at the end of the talk
Key Questions
• What is this open source stuff I hear about?
• Why should I care?
• Can I use these tools at my job, and how do I know my team is ready?
• How does it work?
• What are common challenges?
• Why don’t more people use OSS/FOSS?
• How can I use free tools to help advance my cloud security capabilities?
What Is Free Software?
Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software.
Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”.
-This guy --->
The four essential freedoms:
1. The freedom to run the program as you wish, for any purpose (freedom 0).
2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
3. The freedom to redistribute copies so you can help others (freedom 2).
4. The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
Source: Free Software Foundation, What is free software?
Richard Stallman
What Is Open Source?
The Open Source Initiative (OSI) was founded in 1998 to promote the spread of open-source principles.
OSI also developed the Open Source Definition—a list of ten principles which a software’s license must adhere to for it to be considered open-source:
1. Free Redistribution - The license shall not restrict any party from selling or giving away the software as a component of a larger software distribution containing programs from multiple sources.
2. Source Code - The program must include source code, and must allow distribution in source code as well as compiled form.
3. Derived Works - The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
4. Integrity of The Author's Source Code - The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time.
5. No Discrimination Against Persons or Groups - The license must not discriminate against any person or group of persons.
6. No Discrimination Against Fields of Endeavor - The license must not restrict anyone from making use of the program in a specific field of endeavor.
7. Distribution of License - The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
8. License Must Not Be Specific to a Product - The rights attached to the program must not depend on the program's being part of a particular software distribution.
9. License Must Not Restrict Other Software - The license must not place restrictions on other software that is distributed along with the licensed software.
10. License Must Be Technology-Neutral - No provision of the license may be predicated on any individual technology or style of interface.
Source: Open Source Initiative
FOSS (or FLOSS) vs. Open Source
“The two terms describe almost the same category of software, but they stand for views based on fundamentally different values.
Open source is a development methodology; free software is a social movement.“
Source: Richard Stallman, Why Open Source Misses the Point of Free Software
DISCLAIMER: For simplicity, going to use them interchangeably in this talk…
Why Open Source?
Wisdom of Crowds
Cost
Flexibility & Freedom
FOSS is generally just as secure as proprietary systems.
Considerations for using open source tools
• Transparency: If flaws are exposed, everyone can see them.
• Accountability: There is no specific person or entity responsible for patching flaws.
• Reliability: When a patch is created and made available, there is no mandate that it be installed.
• Risk Management: There is no one who will indemnify victims of exploited flaws.
• Legal Challenges: If there are legal problems, such as infringement on a third party’s intellectual property, it can be difficult to find another party that is liable.
• Compliance: No specific entity or person is responsible for maintaining compliance of open-source software.
Source: Taylor Armerding, Open Source: Big Benefits, Big Flaws
The State of Open Source Security 2017, research by Snyk.io
Source: https://snyk.io/stateofossecurity/
Open Source Tools = Puppies!
What does the security team want to do in the cloud?
• Extend the current control environment?
• Rebuild and/or refactor current capabilities?
• Build something new?
Pick a cloud security framework. Ex. Cloud Security Alliance CCM v4
Understand what you can control.
Use APIs!
Did we set up the environment correctly?
Prowler
References: https://github.com/Alfresco/aws-cis-security-benchmark
Made to check the items from the CIS Amazon Web Services Foundations Benchmark.
• Identity and Access Management (24 checks)
• Logging (8 checks)
• Monitoring (15 checks)
• Networking (5 checks)
• Forensics related group of checks
• Misc. (23 checks)
How do I know configuration information?
Scout2, G-Scout, & Azucar
References: https://nccgroup.github.io/Scout2/ & https://github.com/nccgroup/G-Scout & https://github.com/nccgroup/azucar
Scout2, G-Scout, and Azucar are tools built and maintained by the nccgroup used to audit AWS/GCP/Azure configurations. Automatically gathers a variety of configuration data and analyzes it to determine security risks.
Cloud Security Suite – cs-suite
References: https://github.com/SecurityFTW/cs-suite
“One stop tool” for auditing the security posture of AWS & GCP
Includes features from Scout2, G-Scout, Prowler, Lunar, and Lynis
Netflix OSS Tools
Source: A Brief History of Open Source from the Netflix Cloud Security Team, Jason Chan
Tool | Date Released | Cloud Platform | Description
Security Monkey | June 2014 & March 2017 | AWS & GCP | Monitoring and responding to misconfigurations, vulnerabilities, and other security issues
Fully Integrated Defense Operation (FIDO) | May 2015 (deprecated) | AWS | Automated security incident response
Lemur | September 2015 | AWS | System to streamline and automate the management and monitoring of SSL/TLS certs
HubCommander | February 2017 | Slack | Slack bot framework used for ChatOps-based management of Github organizations
Stethoscope | February 2017 | | System that collects information about various end user-related security topics and provides clear and actionable advice for improving
Repokid & Aardvark | June 2017 | AWS | Tools that simplify and streamline the process of implementing least privilege for AWS IAM
Netflix: Security Monkey
Features:
• Accesses AWS Cloud Resources through API calls and inspects them
• Notifies team of changes or issues found
• Maintains a history of settings
• Provides a user interface to view issues and history
• Allows for justification to be provided and tracked
• Supports creation of new rules
• Works across accounts
Resources: https://github.com/Netflix/security_monkey
Netflix: Aardvark & Repokid
Source: OWASP, Mike Goodwin
• Aardvark is a multi-account AWS IAM Access Advisor API (and caching layer).
• Aardvark uses PhantomJS to log into the AWS Console and obtain access advisor data. It then presents a RESTful API for other apps to query.
• Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.
Netflix: Aardvark
Source: https://medium.com/netflix-techblog/introducing-aardvark-and-repokid-53b081bf3a7e
AWS provides a service named Access Advisor that shows all of the various AWS services that the policies of an IAM Role permit access to and when (if at all) they were last accessed.
Today Access Advisor data is only available in the console, so Netflix created Aardvark to make it easy to retrieve at scale and across multiple environments!
Netflix: Repokid
Source: OWASP, Mike Goodwin
Old Strategy – wait until access certification period or review to remove permissions from users
New Strategy – understand usage of access permissions, turn access off, and adjust as needed
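The Aardvark and Repokid slides above describe the "new strategy": read Access Advisor data, find services a role's policy allows but the role has not actually used, and remove those grants. The block below is an added example of that logic, not Netflix's code; it assumes the Access Advisor records were already retrieved (for instance through Aardvark's API) in the constructed per-role shape shown, and both the sample data and the inline policy are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; Access Advisor reports
# lastAuthenticated as epoch milliseconds, 0 meaning the service was never used.
NOW = datetime(2018, 5, 15, tzinfo=timezone.utc)
DAY_MS = 24 * 3600 * 1000

# Constructed sample: per-service usage for one role, in the shape this example assumes.
SAMPLE_ADVISOR = {
    "arn:aws:iam::123456789012:role/example-app": [
        {"serviceNamespace": "s3", "lastAuthenticated": int(NOW.timestamp() * 1000) - 3 * DAY_MS},
        {"serviceNamespace": "dynamodb", "lastAuthenticated": int(NOW.timestamp() * 1000) - 120 * DAY_MS},
        {"serviceNamespace": "ec2", "lastAuthenticated": 0},
    ]
}

# Constructed inline policy attached to that role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "ec2:DescribeInstances"], "Resource": "*"},
    ],
}

def unused_services(records, now=NOW, min_age_days=90):
    """Service namespaces the role has not used within min_age_days (never used counts)."""
    cutoff = now - timedelta(days=min_age_days)
    unused = set()
    for rec in records:
        last = rec["lastAuthenticated"]
        if last == 0 or datetime.fromtimestamp(last / 1000, tz=timezone.utc) < cutoff:
            unused.add(rec["serviceNamespace"])
    return unused

def repo_policy(policy, unused):
    """Return (trimmed policy, removed actions). Only Allow statements are touched; a bare
    "*" action has no service prefix, so it is kept and has to be reviewed by hand."""
    removed, statements = [], []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        keep = [a for a in actions if a.split(":")[0].lower() not in unused]
        removed.extend(a for a in actions if a not in keep)
        if keep:  # a statement emptied of actions is dropped entirely
            statements.append({**stmt, "Action": keep})
    return {**policy, "Statement": statements}, removed
```

For the constructed role, `unused_services` reports `dynamodb` and `ec2`, and `repo_policy` leaves only the S3 statement while returning the two removed actions so the change can be logged and reverted if a service turns out to be needed again.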
Log Collection and Correlation
ELK Stack
"ELK" is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana.
Elasticsearch: A search and analytics engine.
Kibana: Kibana lets users visualize data with charts and graphs in Elasticsearch.
Logstash: Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch.
Resources: https://www.elastic.co/elk-stack
Log Collection and Correlation: Elasticsearch
Log Collection and Correlation: Logstash
Log Collection and Correlation: Kibana
Security Onion
Resources: https://github.com/Security-Onion-Solutions/security-onion
Features:
• Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, etc.
Incident Response & Forensics
AWS_IR & ThreatResponse Workbench
Resources: https://www.threatresponse.cloud/
Source: DerbyCon 6.0 - ThreatResponse
In Review
• Best Practices – Prowler
• Configuration Audit & Enforcement – Scout2, G-Scout, Azucar
• Security Monkey
• Enforce IAM – Aardvark & Repokid
• Log Collection & Correlation – ELK Stack
• Security Operations – Security Onion
• Incident Response & Forensics – AWS_IR & ThreatResponse Workstation
Concluding Thoughts
• Open source tools can be a useful, cost-effective way to manage risks in a cloud environment
• Carefully consider current skills and investment in current tool sets
• Requires attention; YMMV
• There are a multitude of tools out there to try – set up a POC environment and experiment for yourself
Resources
• Github!
• Blogs – AWS, Azure, GCP, Netflix, Spotify, etc.
• Twitter – follow security researchers to find out latest updates
• Reddit – r/netsec
• Conferences! ☺
• Contribute to the community!
Licensing Information
Open source licensing can be difficult to navigate for enterprise use. Reference the authoritative source for more information:
• Open Source Initiative
• GNU / Free Software Foundation
Questions?
• Best way to contact me: [email protected] – @mfarrar13
Github – haplessduke0
Thank You!