Top 5 Security Errors and How to Avoid Them
James Brown
Head of Public Cloud
Palo Alto Networks
Key findings based on customer research and breach analysis
July – October 2018
49% of organizations leave their databases unencrypted
• Encrypt, encrypt, encrypt!
• Encrypting S3 buckets allows that data to remain untampered with and valid for audits down the road
• Encrypting RDS protects information even if databases are compromised or copied in a malicious manner
41% of account access keys have not been rotated in more than 90 days
• Rotate keys regularly
• Rotate ALL credentials, passwords, and API access keys on a regular basis
32% of organizations publicly exposed at least 1 S3 bucket
• Don’t let your S3 bucket policies atrophy
• Strengthen S3 buckets with either IAM Policies, S3 Bucket Policies, or S3 Access Control Lists
29% of organizations enable root user activities
• Disable Root Account API Access Key
• Create IAM admin users. At least 2, no more than 3 per IAM group
• Grant access to billing information and tools
• Disable/Remove the default AWS root user API access keys
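One way to check both the 90-day rotation finding and the root access key finding above is to audit the IAM credential report. This is an added example, not part of the original presentation; the sample rows, user names and audit date are constructed, and only a subset of the report's columns is used.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90          # threshold quoted on the slide
ROOT_USER = "<root_account>"   # name of the root row in an IAM credential report

# Constructed sample: a subset of the credential report's columns, invented users.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,2018-01-15T09:00:00+00:00,false,N/A
alice,true,2018-09-20T10:30:00+00:00,false,N/A
bob,true,2018-03-02T08:00:00+00:00,true,2018-10-01T08:00:00+00:00
carol,false,2017-11-11T11:11:11+00:00,false,N/A
"""


def audit_access_keys(report_csv, now):
    """Return (user, key_slot, issue, age_days) for every active key that breaks a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive or absent keys cannot be used
            rotated = row.get(f"access_key_{slot}_last_rotated") or "N/A"
            age = None
            if rotated != "N/A":
                age = (now - datetime.fromisoformat(rotated)).days
            if row["user"] == ROOT_USER:
                findings.append((row["user"], slot, "ROOT_KEY_ACTIVE", age))
            if age is None:
                findings.append((row["user"], slot, "ROTATION_DATE_UNKNOWN", age))
            elif age > MAX_KEY_AGE_DAYS:
                findings.append((row["user"], slot, "KEY_STALE", age))
    return findings


if __name__ == "__main__":
    as_of = datetime(2018, 10, 31, tzinfo=timezone.utc)  # constructed audit date
    for user, slot, issue, age in audit_access_keys(SAMPLE_REPORT, as_of):
        print(f"{user:15} key {slot}  {issue:22} age_days={age}")
```

In a real account the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose content is base64-encoded.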
27% of organizations leave default network settings for at least 1 account
• Always lock down the IP address and port from which you will access your AWS environment
• Only turn on access when it is needed, and turn it off again once administrative work has been accomplished
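A check for administrative ports left reachable from any address, run over security group data, is one way to enforce the lock-down above. This is an added example, not part of the original presentation; the group IDs, names and rules are constructed, and treating ports 22 and 3389 as the administrative ports is an assumption.

```python
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # assumption: the admin ports worth guarding
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000000000000000a", "GroupName": "legacy-admin", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000000000000000b", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000000000000000c", "GroupName": "jump-host", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def world_open_admin_ports(doc):
    """Return (group_id, group_name, ports) for groups exposing admin ports to any address."""
    findings = []
    for sg in doc["SecurityGroups"]:
        exposed = set()
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not ANYWHERE.intersection(cidrs):
                continue  # rule is restricted to specific source ranges
            if perm["IpProtocol"] == "-1":      # all protocols, all ports
                exposed.update(ADMIN_PORTS)
            elif perm["IpProtocol"] == "tcp":   # port range: check each admin port
                lo, hi = perm["FromPort"], perm["ToPort"]
                exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append((sg["GroupId"], sg["GroupName"], sorted(exposed)))
    return findings


if __name__ == "__main__":
    for group_id, name, ports in world_open_admin_ports(SAMPLE):
        print(group_id, name, [f"{p}/{ADMIN_PORTS[p]}" for p in ports])
```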
Why So Many Security Errors? Disparate Point Product Offerings
CSP NATIVE TOOLS
CONTAINER SECURITY TOOLS
8 | © 2019 Palo Alto Networks, Inc. Confidential and Proprietary.
OPSDEV
SIEM
NETWORK MONITORING TOOLS
• Siloed tools
• Can’t correlate across network, user and config
• Not multi-cloud
• Limited Compliance
• AWS Well Architected framework
• DIY security - too much data, too much noise
• Very expensive
• Only provides part of the story
CASB
• IP addresses are elastic in cloud
• Lacks cloud-native context
GRC TOOLS
• Not built for cloud
• Great user & data context, lacks infrastructure context (network traffic, vuln, etc.)
• Lacks threat hunting and incident response
• Higher TCO, requires constant upkeep with CSPs
• Limited coverage
OPEN SOURCE TOOLS
Effective Cloud Security: Series of Integrated Security Requirements
What’s actually happening? Network Security / Flow Logs / Threat Intel
Who is making changes and why? Credentials / Actions / Identity
What do I have in the cloud? Asset Inventory
Are my hosts and containers secure? Runtime Security / Image & Vuln Scanning
Is my app & data secure? DLP / Serverless / AppSec
Am I compliant? Configurations / Compliance Reporting
The Problems We Can Help You Solve
Network Security / Flow Logs / Threat Intel
• Real-time network visibility and incident investigations
• Suspicious/malicious traffic detection
• Virtual firewall for in-line protection (VM-series)
Credentials / Actions / Identity
• Account & access key compromise detection
• Anomalous insider activity detection
• Privileged activity monitoring
Visibility / Configurations / Compliance
• Asset inventory tracking and cloud “time machine”
• Compliance scanning (CIS, PCI, GDPR, etc.)
• Configuration best practices
Runtime Security / Image & Vuln Scanning
• Runtime security*
• Static image analysis (vulnerabilities and compliance)*
• Configuration monitoring (for cloud native)
DLP / Serverless / AppSec
• Serverless*
• DLP & malware scanning
* Potential future roadmap
The Most Complete Cloud Security Offering
Detective control
Infrastructure security
Incident response
Data protection
Visit Our Booth to Learn More
THANK YOU