Cover Your SaaS - DeepSec - Protecting Your Cloud With Analytics and Machine Learning

Transcript

Cover Your SaaS: Protecting Your Cloud With Analytics and Machine Learning

Cover Your SaaS

11/30/16 © 2016 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 2

IAN TRUMP

• Ian Trump, CD, CPM, BA, CEH is Global Cyber Security Strategist at SolarWinds working across all lines of business to define, create and execute security solutions and promote a safe, secure Internet for enterprises world-wide.

• 1989 to 1992 Canadian Forces (CF), Military Intelligence Branch

• 2002 to 2013, CF Military Police (Reserves), retired as a Public Affairs Officer in 2013.

• 2009 to 2010, Royal Canadian Mounted Police, Criminal Intelligence Analyst.

• 2010 Founding Partner and CTO Octopi Managed Services Inc. (OMS).

Cover Your SaaS


• Malware connoisseur and aficionado.

• First Home in Edinburgh, Scotland.

• Second Home in Terminal 5, Heathrow.

• Third Home in Winnipeg, Manitoba.


DARPA & DEFCON


Seven team projects were invited to Las Vegas to compete on the floor in a 96-round game of “Capture the Flag.”

The difference in this game is that the players in the game were totally autonomous.

ForAllSecure’s “Mayhem” took first place and a 2 million dollar prize.

Mayhem was trounced by human competitors.

This was a powerful and public message to all other nations.

These 7 systems have the capability of discovering vulnerabilities, building exploits and autonomously attacking systems.

GLOBAL TRENDS DRIVING GROWTH


SaaS: Popularity continues to drive growth (stats)

Trust Model is Vital: Customer is placing important data into customer hands

SaaS Security Has Unique Attack Vectors: Traditional security controls fail, attack surface is amplified (end-point & platform)

SAAS ATTACK VECTORS


External: Hackers, DDOS, etc. (Carbonite, Teamviewer, etc.)

Internal: Malicious insider (Shionogi)

Physical: Data center catastrophe (Delta Airlines)

Market: Displacement and innovation (Shadow IT)

Customer: The most important part of your business

IMPORTANCE OF SAAS SECURITY


60% would take legal action against an organization if their details were stolen and used for criminal purposes as a result of a data breach. 70% of consumer respondents would now give less personal information to organizations in light of recent data breaches.

51% now consider security to be a main or important consideration when purchasing. 48% would be willing to pay more in order to work with a provider that has better data security.

COMPTIA WORLD-WIDE VIEW


Top drivers for changing approaches to cybersecurity

1. Change in IT operations (e.g. cloud, mobility)

2. Reports of security breaches at other firms

3. Internal security breach or incident

4. Change in business operations or client base

5. Knowledge gained from training/certification

SNAPSHOT OF AMERICAN CYBER CRIME 2015


By Victim Top 4

1. Non-Payment/Non-Delivery

2. 419/Overpayment

3. Identity Theft

4. Auction

SNAPSHOT OF AMERICAN CYBER CRIME 2015


By Loss Top 4

1. Business Email Compromise

2. Confidence Fraud/Romance

3. Non-Payment/Non-Delivery

4. Investment

WHAT DO THESE NUMBERS MEAN?


FBI/DOJ metrics do not track hosted services vs. on-premise cyber crime separately.

Cyber crime is not just a technical problem, to be solved by technology alone.

The vast majority of breaches are attempted against (and succeed against) on-premise infrastructure.

Analysis indicates user education provides the largest cyber crime reduction.

Technological solutions are promoted over best practices.

If cyber crime goes unreported, policy makers have no visibility on the cyber crime problem.

EXAMPLE: WORDPRESS ATTACKS


• NEVER use “admin” as your primary WordPress username.

• Use complex passwords.

• Don’t publicly display your WordPress username.

• Limit the number of IPs users can login from in order to prevent brute force login attempts.

• Use a hosted service.

• Move SSH to a non-standard port.

• Keep your WordPress plugins up to date with your current version of WordPress.

• If at all possible, use a Gmail account for your admin login rather than one attached to your domain name.

• Backup server in the cloud and local.

STOP DOING THIS


FoxGlove Security penetration tester Justin Kennedy:

1. SQL Injection

2. Insecure Authorization

3. Insecure Direct Object Reference

4. Stored Cross-site Scripting

5. Insecure Authentication

6. Insecure Password Reset

7. Guessed Password

8. Default Credentials

9. Single Factor Authentication

10. Insecurely Configured Application Server

COMBATING THE FUD


When reporting and discussing the scale and impact of malware and cyber crime in general:

Move away from sensationalism

Move away from the consequence of breach

Who is not as important as how

Compromise indicators are more important than financial costs

Data derived from large enterprise is not relevant to SMB/SME

We need a standards-based scorecard free from disclosure litigation

END POINT SECURITY STRATEGY 2017


In August 2016, CompTIA identified and recommended a “Foundational Security Package” which all MSPs should be offering to their customers. It identifies the key technologies required and is supported by UK cyber security essentials, the SANS Institute and multiple best practice recommendations worldwide.

Backup

Anti-Virus

Mail Scanning/Protection

Access Control

Patching and Updating

Secure Wireless

Control Physical Access


OUR SAAS


Entered the hosted RMM tool vertical approximately 7 years ago, 30% + growth, recently acquired by SolarWinds

17,000 + Customers world wide in 110 countries.

Rackspace & AWS for hosting.

3M+ endpoints under management by customers.

1 TB of log and external data per day.

70+ Analytical “LogicCards” provided by algorithms examining the customer data.

OUR ALGORITHMS


Data Science team creates algorithms for a variety of insights, not just security needs.

Data Science team and Dev Ops Team working together

Protect customer instances & the platform

Vital ground is authentication of users for customer instances

Vital ground is infrastructure network heuristics and behavior for platform

Protection of customer data & customer instances is vital!

PROTECTING THE CUSTOMER

A good relationship has trust on both sides.

KILL CHAIN ANALYSIS


MITIGATION MATRIX

WAN to LAN: Email Protection, Web Protection, Firewall, Definition (sandbox) Anti-Virus, User Awareness Training

End Point: Attack Surface Reduction, Patch Management, Behavior Based AV, User Awareness Training

End Point: Harden Systems (GPOs), Remove Admin, Behavior-based AV, User Awareness Training

LAN to WAN: Firewall Rules/Capability, Network Segmentation, Web Protection, NIDS, SIEM, OpenDNS

End Point: Anti-Virus, HIDS, Backup & Recovery, Heuristic AV


PROTECTING THE PLATFORM

It’s the data being sent out from the system that is important.

PREVENTION & DETECTION


Daily External Vulnerability Scan – Evolving into an external web application vulnerability scanner or an external open-port scanner, this provides an external “attacker” view of the infrastructure.

Daily External IP(s) Black List Check* – Leverages the work being done to secure our SaaS infrastructure: comparing customer IPs to a black-list threat intel feed would yield Indications of Compromise in customer networks, and SaaS IoCs at the load balancers.

REACTIVE


Brute Force Attacks – Ban Hammer the offending IP address, or send the attack into a honey pot network; this accounts for most SaaS attacks, and password re-use is a problem.

Reconnaissance – Look for IPs attempting to gain access to multiple accounts, as part of a wider-scale breach attempt.

SQL Injection – Easy to spot with modern tools to detect attacks in the data flow; usually not a single attack.

DDOS – Hard to crush the cloud using SaaS hosted services such as AWS and Rackspace, CloudFlare & others.
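As an added illustration (not code from the presentation or from SolarWinds), a small Python detector that applies the brute-force and reconnaissance rules above to constructed login-audit lines: repeated failures against one account from one source are flagged as brute force, failures spread across several accounts from one source as reconnaissance. The log line format, the thresholds and the ban/honeypot mapping are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of SaaS login-audit lines (not real data): time, result, account, source IP.
SAMPLE_LOG = """\
2016-11-30T10:00:01 FAIL user=alice src=198.51.100.7
2016-11-30T10:00:02 FAIL user=alice src=198.51.100.7
2016-11-30T10:00:03 FAIL user=alice src=198.51.100.7
2016-11-30T10:00:04 FAIL user=alice src=198.51.100.7
2016-11-30T10:00:05 FAIL user=alice src=198.51.100.7
2016-11-30T10:00:06 FAIL user=bob src=203.0.113.9
2016-11-30T10:00:07 FAIL user=carol src=203.0.113.9
2016-11-30T10:00:08 FAIL user=dave src=203.0.113.9
2016-11-30T10:00:09 OK user=frank src=192.0.2.44
2016-11-30T10:00:10 FAIL user=frank src=192.0.2.44
"""

# Assumed line format; a real audit feed needs its own parser.
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, account, src_ip); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def classify(log_text, fail_threshold=5, account_threshold=3):
    """Map each source IP with failures to 'recon' or 'brute_force' (thresholds are assumptions)."""
    fails = defaultdict(int)
    accounts = defaultdict(set)
    for _, result, account, src in parse(log_text):
        if result == "FAIL":
            fails[src] += 1
            accounts[src].add(account)
    verdicts = {}
    for src, count in fails.items():
        if len(accounts[src]) >= account_threshold:
            verdicts[src] = "recon"          # one source probing many accounts
        elif count >= fail_threshold:
            verdicts[src] = "brute_force"    # one source hammering one account
    return verdicts

def response(verdicts):
    """Assumed playbook: ban brute-forcers outright, route recon sources into the honeypot network."""
    actions = {"brute_force": "ban", "recon": "honeypot"}
    return {src: actions[v] for src, v in verdicts.items()}
```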

RESOURCES


https://www.logicnow.com/ctg-ian

THE CYBER THREAT GUIDE: Nine types of internet threats and how to stop them

CONCLUSIONS

Soon, the Internet of Things will hold all things hostage, except love.

CIA - LAYERED SECURITY


Security Best Practices + Security Services = Robust Layered Defence (12+)

Proactive Security Services

Reactive Security Services

Detective Security Services

Managed from one console

Hosted Services

Scalable Services

MOVE TO AN ANTI–CYBER CRIME ARCHITECTURE


Servers 192.168.2.X: SAN/NAS File Sharing Over Https, Event Logging, HIDS/HIPS

Firewall 192.168.1.X: Communication Rules, Detective Rules, WAP in DMZ

Admins 192.168.3.X: No admin email, Event Logging, HIDS/HIPS

Users 192.168.4.X: GPO: No Coms 192.168.4.X, Local Admin for MAX & Mgt

Printers 192.168.5.X

EGRESS FIREWALL RULES TO STOP CYBER CRIME


• Deny rules for Workstation Subnet: No external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP

• Deny rules for Admins (open as required): No external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP

• Deny rules for Printer Subnet: Everything. No printers on the Internet!

• Servers: Deny everything. Only DNS, NTP to specific IPs, HTTPS.

• Network segmentation, event logs are key to prevent and detect hostile movement in the network and C&C activity.
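As an added example (not from the presentation), the egress rules above expressed as a policy check in Python, using the subnets from the architecture slide: it answers whether a given LAN-to-WAN flow should be permitted, which is useful for testing a firewall ruleset against its intent. The standard port numbers and the placeholder DNS/NTP server addresses for the server subnet are assumptions.

```python
import ipaddress

# Subnets taken from the anti-cyber-crime architecture slide.
ZONES = {
    "servers": ipaddress.ip_network("192.168.2.0/24"),
    "admins": ipaddress.ip_network("192.168.3.0/24"),
    "users": ipaddress.ip_network("192.168.4.0/24"),
    "printers": ipaddress.ip_network("192.168.5.0/24"),
}

# Services denied outbound for the workstation and admin subnets.
# Standard ports are assumed; ICMP has no port, so it is keyed with None.
DENIED_SERVICES = {
    ("udp", 53), ("tcp", 53),   # DNS
    ("tcp", 6667),              # IRC
    ("udp", 123),               # NTP
    ("tcp", 21),                # FTP
    ("icmp", None),             # ICMP
    ("tcp", 25),                # SMTP
    ("udp", 161),               # SNMP
    ("tcp", 3389),              # RDP
}

# Assumed placeholder addresses of the specific DNS and NTP servers the server subnet may reach.
SERVER_PINHOLES = {
    ("udp", 53): {ipaddress.ip_address("203.0.113.53")},
    ("udp", 123): {ipaddress.ip_address("203.0.113.123")},
}

def zone_of(ip):
    """Return the zone name for an internal address, or None if it is in no known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def egress_allowed(src_ip, dst_ip, proto, dport=None):
    """Decide whether a LAN-to-WAN flow is permitted under the slide's egress policy."""
    zone = zone_of(src_ip)
    if zone is None or zone == "printers":
        return False            # unknown sources and printers never reach the Internet
    if zone == "servers":
        if proto == "tcp" and dport == 443:
            return True         # HTTPS is the only general outbound service for servers
        return ipaddress.ip_address(dst_ip) in SERVER_PINHOLES.get((proto, dport), set())
    # users and admins: default allow minus the denied services (admin exceptions opened as required)
    return (proto, dport) not in DENIED_SERVICES
```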

HACK ALL THE IOT


PLAGUE

That is the virus. Leonardo da Vinci. The problem is we have twenty six ships at sea and we don't know which ones are infected.

DUKE ELLINGSON

Well then, put the ships' ballasts under manual control.

PLAGUE

There's no such thing anymore, Duke. These ships are totally computerized. They rely on satellite navigation, which links them to our network, and the virus, wherever they are in the world.

THANK YOU & QA


One of the few quirks of my military career was to convince the recruiter and command to partially fund a liberal arts degree in History, specifically Eastern European and Religious Studies, specifically Apocalyptic Studies of the non-zombie related kind. One could argue that knowing a little about the countries we may be fighting in/for and who the crazy-nut-bar-going-to-die-for-the-cause groups were may prove to be militarily useful.

– Ian Trump 2014