Cover Your SaaS
11/30/16 © 2016 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 2
IAN TRUMP@[email protected]
• Ian Trump, CD, CPM, BA, CEH is Global Cyber Security Strategist at SolarWinds, working across all lines of business to define, create and execute security solutions and promote a safe, secure Internet for enterprises worldwide.
• 1989 to 1992 Canadian Forces (CF), Military Intelligence Branch
• 2002 to 2013, CF Military Police (Reserves), retired as a Public Affairs Officer in 2013.
• 2009 to 2010, Royal Canadian Mounted Police, Criminal Intelligence Analyst.
• 2010 Founding Partner and CTO Octopi Managed Services Inc. (OMS).
• Malware connoisseur and aficionado.
• First Home in Edinburgh, Scotland.
• Second Home in Terminal 5, Heathrow.
• Third Home in Winnipeg, Manitoba.
DARPA & DEFCON
Seven team projects were invited to Las Vegas to compete on the floor in a 96-round game of “Capture the Flag.”
The difference in this game is that the players in the game were totally autonomous.
ForAllSecure’s “Mayhem” took first place and a 2 million dollar prize.
Mayhem was trounced by human competitors.
This was a powerful and public message to all other nations.
These 7 systems have the capability of discovering vulnerabilities, building exploits and autonomously attacking systems.
GLOBAL TRENDS DRIVING GROWTH
• SaaS Popularity: continues to drive growth (stats)
• Trust Model is Vital: Customer is placing important data into customer hands
• SaaS Security Has Unique Attack Vectors: Traditional security controls fail, attack surface is amplified (end-point & platform)
SAAS ATTACK VECTORS
• External: Hackers, DDOS, etc. (Carbonite, Teamviewer, etc.)
• Internal: Malicious insider (Shionogi)
• Physical: Data center catastrophe (Delta Airlines)
• Market: Displacement and innovation (Shadow IT)
• Customer: The most important part of your business
IMPORTANCE OF SAAS SECURITY
• 60% would take legal action against an organization if their details were stolen and used for criminal purposes as a result of a data breach.
• 70% of consumer respondents would now give less personal information to organizations in light of recent data breaches.
• 51% now consider security to be a main or important consideration when purchasing.
• 48% would be willing to pay more in order to work with a provider that has better data security.
COMPTIA WORLD-WIDE VIEW
Top drivers for changing approaches to cybersecurity
1. Change in IT operations (e.g. cloud, mobility)
2. Reports of security breaches at other firms
3. Internal security breach or incident
4. Change in business operations or client base
5. Knowledge gained from training/certification
SNAPSHOT OF AMERICAN CYBER CRIME 2015
By Victim (Top 4)
1. Non-Payment/Non-Delivery
2. 419/Overpayment
3. Identity Theft
4. Auction
By Loss (Top 4)
1. Business Email Compromise
2. Confidence Fraud/Romance
3. Non-Payment/Non-Delivery
4. Investment
WHAT DO THESE NUMBERS MEAN?
FBI/DOJ metrics do not separate cyber crime against hosted services from cyber crime against on-premise infrastructure.
Cyber crime is not just a technical problem to be solved by technology alone.
The vast majority of breaches target (and succeed against) on-premise infrastructure.
Analysis indicates user education provides the largest reduction in cyber crime.
Technological solutions are promoted over best practices.
If cyber crime goes unreported, policy makers have no visibility of the cyber crime problem.
EXAMPLE: WORDPRESS ATTACKS
• NEVER use “admin” as your primary WordPress username.
• Use complex passwords.
• Don’t publicly display your WordPress username.
• Limit the number of IPs users can log in from in order to prevent brute force login attempts.
• Use a hosted service.
• Move SSH to a non-standard port.
• Keep your WordPress plugins up to date with your current version of WordPress.
• If at all possible, use a Gmail account for your admin login rather than one attached to your domain name.
• Back up the server both in the cloud and locally.
STOP DOING THIS
FoxGlove Security penetration tester Justin Kennedy:
1. SQL Injection
2. Insecure Authorization
3. Insecure Direct Object Reference
4. Stored Cross-site Scripting
5. Insecure Authentication
6. Insecure Password Reset
7. Guessed Password
8. Default Credentials
9. Single Factor Authentication
10. Insecurely Configured Application Server
COMBATING THE FUD
When reporting and discussing the scale and impact of malware and cyber crime in general:
Move away from sensationalism
Move away from the consequence of breach
Who is not as important as how
Compromise indicators are more important than financial costs
Data derived from large enterprise is not relevant to SMB/SME
We need a standards-based scorecard free from disclosure litigation
END POINT SECURITY STRATEGY 2017
In August 2016, CompTIA identified and recommended a “Foundational Security Package” which all MSPs should be offering to their customers. It identifies the key technologies required and is supported by UK Cyber Security Essentials, the SANS Institute and multiple best practice recommendations worldwide.
• Backup
• Anti-Virus
• Mail Scanning/Protection
• Access Control
• Patching and Updating
• Secure Wireless
• Control Physical Access
OUR SAAS
Entered the hosted RMM tool vertical approximately 7 years ago; 30%+ growth; recently acquired by SolarWinds.
17,000 + Customers world wide in 110 countries.
Rackspace & AWS for hosting.
3M+ endpoints under management by customers.
1 TB of log and external data per day.
70+ Analytical “LogicCards” provided by algorithms examining the customer data.
OUR ALGORITHMS
Data Science team creates algorithms for a variety of insights, not just security needs.
Data Science team and Dev Ops team work together.
Protect customer instances & the platform
Vital ground is authentication of users for customer instances
Vital ground is infrastructure network heuristics and behavior for platform
Protection of customer data & customer instances is vital!
MITIGATION MATRIX
• WAN to LAN: Protection, Web Protection, Firewall, Definition (sandbox) Anti-Virus, User Awareness Training
• End Point: Attack Surface Reduction, Patch Management, Behavior Based AV, User Awareness Training
• End Point: Harden Systems (GPOs), Remove Admin, Behavior-based AV, User Awareness Training
• LAN to WAN: Firewall Rules/Capability, Network Segmentation, Web Protection, NIDS, SIEM, OpenDNS
• End Point: Anti-Virus, HIDS, Backup & Recovery, Heuristic AV
PREVENTION & DETECTION
Daily External Vulnerability Scan – Evolving into an external web application vulnerability scanner or an external open-port scanner, this provides an external “attacker” view of the infrastructure.
Daily External IP(s) Blacklist Check* – Leverages the work being done to secure our SaaS infrastructure: comparing customer IPs to a blacklist threat intel feed would yield Indications of Compromise in customer networks, and SaaS IoCs at the load balancers.
REACTIVE
Brute Force Attacks – Ban hammer the offending IP address, or send the attack into a honeypot network; this accounts for most SaaS attacks, and password re-use is a problem.
Reconnaissance – Look for IPs attempting to gain access to multiple accounts, as part of a wider-scale breach attempt.
SQL Injection – Easy to spot with modern tools that detect attacks in the data flow; usually not a single attack.
DDOS – Hard to crush the cloud when using SaaS hosted services such as AWS and Rackspace, CloudFlare & others.
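The first two reactive cases above (brute force against one account, and one source probing many accounts) can be separated from plain failed logins with a small tally over the login log. This is an added example, not code from the deck or from SolarWinds; the log format and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines, "<timestamp> <src_ip> <account> <result>"; the format is assumed.
SAMPLE_LOG = """\
2016-11-30T10:00:01 203.0.113.7 alice FAIL
2016-11-30T10:00:02 203.0.113.7 alice FAIL
2016-11-30T10:00:03 203.0.113.7 alice FAIL
2016-11-30T10:00:04 203.0.113.7 alice FAIL
2016-11-30T10:00:05 203.0.113.7 alice FAIL
2016-11-30T10:00:06 203.0.113.7 alice FAIL
2016-11-30T10:01:00 198.51.100.9 alice FAIL
2016-11-30T10:01:01 198.51.100.9 bob FAIL
2016-11-30T10:01:02 198.51.100.9 carol FAIL
2016-11-30T10:01:03 198.51.100.9 dave FAIL
2016-11-30T10:02:00 192.0.2.44 erin FAIL
2016-11-30T10:02:05 192.0.2.44 erin OK
"""

def parse(log_text):
    """Yield (src_ip, account, succeeded) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, account, result = parts
        yield ip, account, result == "OK"

def triage(log_text, brute_threshold=5, recon_threshold=3):
    """Split failed logins into the two reactive cases on the slide.

    brute_force: {ip: [accounts]} where one IP failed >= brute_threshold times
    against one account (the "ban hammer" / honeypot candidate).
    recon: {ip: [accounts]} where one IP failed against >= recon_threshold
    distinct accounts (one source trying to get into many accounts).
    """
    fails = defaultdict(lambda: defaultdict(int))   # ip -> account -> failures
    for ip, account, ok in parse(log_text):
        if not ok:
            fails[ip][account] += 1
    brute, recon = {}, {}
    for ip, per_account in fails.items():
        hammered = [a for a, n in per_account.items() if n >= brute_threshold]
        if hammered:
            brute[ip] = hammered
        if len(per_account) >= recon_threshold:
            recon[ip] = sorted(per_account)
    return {"brute_force": brute, "recon": recon}
```

A single user mistyping a password once (192.0.2.44 above) trips neither rule, which is the point of thresholding before reaching for the ban hammer.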
https://www.logicnow.com/ctg-ian
THE CYBER THREAT GUIDE: Nine types of internet threats and how to stop them
CIA - LAYERED SECURITY
Security Best Practices + Security Services = Robust Layered Defence (12+)
Proactive Security Services
Reactive Security Services
Detective Security Services
Managed from one console
Hosted Services
Scalable Services
MOVE TO AN ANTI–CYBER CRIME ARCHITECTURE
• Servers (192.168.2.X): SAN/NAS file sharing over HTTPS, event logging, HIDS/HIPS
• Firewall (192.168.1.X): communication rules, detective rules, WAP in DMZ
• Admins (192.168.3.X): no admin email, event logging, HIDS/HIPS
• Users (192.168.4.X): GPO: No Coms 192.168.4.X, local admin for MAX & Mgt
• Printers (192.168.5.X)
EGRESS FIREWALL RULES TO STOP CYBER CRIME
• Deny rules for Workstation Subnet: No external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP
• Deny rules for Admins (open as required): No external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP
• Deny rules for Printer Subnet: Everything. No printers on the Internet!
• Servers: Deny everything. Only DNS, NTP to specific IPs, HTTPS.
• Network segmentation, event logs are key to prevent and detect hostile movement in the network and C&C activity.
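The egress rules above, checked against flow records from the event logs the last bullet calls for, turn the policy into something you can audit: every flow that the firewall should have denied is a segmentation gap or a sign of hostile movement. Added example, not from the deck; it assumes the subnet plan from the previous slide, treats everything outside 192.168.0.0/16 as external, uses standard ports for the named services, and constructs the "specific IPs" and the flow records.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # assumption: anything else is external
SUBNETS = {"servers": ipaddress.ip_network("192.168.2.0/24"),
           "admins": ipaddress.ip_network("192.168.3.0/24"),
           "workstations": ipaddress.ip_network("192.168.4.0/24"),
           "printers": ipaddress.ip_network("192.168.5.0/24")}
# Services the slide denies for workstations/admins, as (proto, port); standard ports assumed.
DENIED = {"DNS": ("udp", 53), "IRC": ("tcp", 6667), "NTP": ("udp", 123), "FTP": ("tcp", 21),
          "SMTP": ("tcp", 25), "SNMP": ("udp", 161), "RDP": ("tcp", 3389)}
# Constructed stand-in for the "specific IPs" servers may reach for DNS/NTP.
SERVER_DNS_NTP_HOSTS = {ipaddress.ip_address("203.0.113.53")}

def role_of(ip):
    return next((r for r, net in SUBNETS.items() if ip in net), None)

def egress_verdict(src, dst, proto, dport=None):
    """Return 'allow' or 'deny: <reason>' for one outbound flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in INTERNAL:
        return "allow"      # east-west traffic is not egress; out of scope here
    role = role_of(src)
    if role == "printers":
        return "deny: no printers on the Internet"
    if role == "servers":
        if (proto, dport) == ("tcp", 443):
            return "allow"
        if (proto, dport) in (DENIED["DNS"], DENIED["NTP"]) and dst in SERVER_DNS_NTP_HOSTS:
            return "allow"
        return "deny: servers get only HTTPS, and DNS/NTP to listed hosts"
    if role in ("workstations", "admins"):
        if proto == "icmp":
            return f"deny: {role} external ICMP"
        for name, sig in DENIED.items():
            if (proto, dport) == sig:
                return f"deny: {role} external {name}"
        return "allow"
    return "deny: source not in a known subnet"

# Constructed flow records (src, dst, proto, dport), e.g. exported from the firewall's event log.
SAMPLE_FLOWS = [("192.168.4.20", "93.184.216.34", "tcp", 443),   # workstation HTTPS: fine
                ("192.168.4.20", "8.8.8.8", "udp", 53),          # workstation external DNS
                ("192.168.5.3", "93.184.216.34", "tcp", 80),     # printer on the Internet
                ("192.168.2.10", "203.0.113.53", "udp", 123),    # server NTP to listed host
                ("192.168.2.10", "198.51.100.5", "tcp", 22)]     # server SSH out

def violations(flows):
    """Return [(flow, reason)] for every flow the egress policy would deny."""
    return [(f, v) for f in flows if (v := egress_verdict(*f)) != "allow"]
```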
HACK ALL THE IOT
PLAGUE
That is the virus. Leonardo da Vinci. The problem is we have twenty six ships at sea and we don't know which ones are infected.
DUKE ELLINGSON
Well then, put the ships' ballasts under manual control.
PLAGUE
There's no such thing anymore, Duke. These ships are totally computerized. They rely on satellite navigation, which links them to our network, and the virus, wherever they are in the world.
THANK YOU & QA
One of the few quirks of my military career was to convince the recruiter and command to partially fund a liberal arts degree in History, specifically Eastern European and Religious Studies, specifically Apocalyptic Studies of the non-zombie related kind. One could argue that knowing a little about the countries we may be fighting in/for and who the crazy-nut-bar-going-to-die-for-the-cause groups were may prove to be militarily useful.
– Ian Trump 2014