PROTECTING CLOUD ENVIRONMENTS FROM BEING BREACHED
Anthony Bettini
FlawCheck
ANTHONY BETTINI, FOUNDER & CEO
Working in cybersecurity since 1996 (Netect, Bindview Team RAZOR, Guardent, Foundstone Labs, McAfee Avert Labs, Intel, Appthority, FlawCheck)
Original vulnerabilities discovered in PGP, ISS, Symantec, Microsoft, Apple, etc.
Founded Appthority, which did static & dynamic analysis of mobile apps and was named the Most Innovative Company of the Year at RSA Conference 2012
Most recently, founded FlawCheck, the only scalable malware & vulnerability inspection platform for containers
12+ cybersecurity patents (additional in progress)
Thursday, January 14, 2016 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2016 © FLAWCHECK INC. ALL RIGHTS RESERVED 2
WHAT IS HYBRID CLOUD?
Putting some workloads in an organization’s datacenter (private cloud)
Putting some other workloads in a public cloud (AWS, Azure, etc.)
WHY HYBRID CLOUD?
Top 3 enterprise reasons
1. Cost
2. Cost
3. Cost
ENTERPRISE PUBLIC CLOUD
Typically hosts an enterprise’s least sensitive data & workloads
Strong risk aversion on the enterprise side, due to lack of trust in the cloud service provider’s operational security controls
Concerns about regulatory compliance & audit
PUBLIC CLOUD EXPECTATIONS
Enterprise
Lower cost
Increased trust (more security, better regulatory compliance assurances)
Cloud Service Providers
More revenue
CLOUD SERVICE PROVIDERS
Easiest path to more revenue is giving customers what they want (lower cost & increased security)
One way to potentially lower cost? Containers
One way to potentially increase security? Containers
Huge push in the Cloud Service Provider space to examine migrating to containers
But from a security perspective, containers only provide isolation …
PREDICTIONS FROM HEDVIG
ENTERPRISE TOP CONCERN
RECENT ENTERPRISE SURVEY BY FLAWCHECK
[Bar chart; values as shown on the slide, in chart order]
Vulnerabilities & Malware: 42%
Policy Enforcement: 21%
Isolation: 16%
Auditability: 11%
Network Perimeter Security: 11%
METAPHOR
Vulnerabilities Malware
WHY ARE VULNERABILITIES A CONCERN?
WHY IS MALWARE A CONCERN?
CONTAINERS ARE EPHEMERAL
ELASTICSEARCH
CVE-2014-3120 is an RCE bug in ElasticSearch (prior to 1.2.0)
Ben Hall @ Ocelot Uproar was running ElasticSearch in a Docker container and it was breached via CVE-2014-3120 (the first publicly admitted in-the-wild (ITW) breach of a Docker container environment?)
CVE-2014-3120 is actively exploited in the wild, and a Metasploit plugin is available (works against dockerized ElasticSearch):
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
CVE-2014-3120
FLAWCHECK
Automated solution for detecting vulnerabilities & malware in containers
Takes seconds per container (supports parallelization & concurrent analysis for limitless scale)
Runs on-premise or in the cloud
Supports Docker on OpenStack
Checks containers before they reach production environments
Provides continuous monitoring solution
Checkpoint inserted into the data pipeline to layer policy on top of containers
TEARING APART CONTAINERS What did we find?
BEGIN TO TRUST IMAGES
MODERN ANALOGY
Launched in 2008 Launched in 2014
ANDROID MALWARE
Google started without doing any security inspection of Android apps
Today, Google performs static & dynamic analysis of Android apps, via Google Bouncer, in the hope of finding malware
Long list of Android malware:
http://forensics.spreitzenbarth.de/android-malware/
DOCKER HUB
Docker Hub Overall
>15,000 pre-built containers
>500 million downloads
>30% of containers have vulnerabilities
No security inspection by Docker
Docker Hub Official Images
~100 official images (tag: latest)
Blue-ribbon from Docker
>90% of official images have vulnerabilities
No security inspection by Docker
HYBRID CLOUD PROTECTION
Isolation: Find a solution with strong isolation (e.g. Docker with Intel Clear Containers)
Vulnerability Inspection: Ensure application workloads don’t have vulnerabilities that could lead to data exfiltration (e.g. FlawCheck)
Malware Inspection & Integrity Checking: Ensure workloads are malware-free (e.g. FlawCheck)
Policy Compliance: Ensure your orchestration system enforces & logs what is happening to production, when it happens, and if it meets enterprise policy
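The pre-production checkpoint described on the FlawCheck slide and the Policy Compliance point above, as an added example that is not FlawCheck's code: a gate that refuses an image if an installed package is below the first fixed version for a known CVE, if malware was reported, or if the image reference is a mutable tag. The scan-report shape and the advisory table are constructed for illustration; the only real data is CVE-2014-3120 (ElasticSearch prior to 1.2.0) from the deck.

```python
# Added example (not FlawCheck's code): a policy gate between build and production.
# Constructed advisory table: package -> [(CVE id, first fixed version)].
# Only the ElasticSearch entry comes from the deck; the format is an assumption.
ADVISORIES = {
    "elasticsearch": [("CVE-2014-3120", (1, 2, 0))],
}


def parse_version(v: str) -> tuple:
    """Turn '1.1.2' into (1, 1, 2) for tuple comparison (pre-release suffixes are dropped)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def vulnerable_packages(packages: dict) -> list:
    """Return (package, version, cve) for each installed package below its fixed version."""
    hits = []
    for name, version in packages.items():
        for cve, fixed in ADVISORIES.get(name, []):
            if parse_version(version) < fixed:
                hits.append((name, version, cve))
    return hits


def is_pinned(image: str) -> bool:
    """True if the reference is pinned by digest or by a tag other than 'latest'.

    A ':latest' (or missing) tag can point at a different image tomorrow, so the
    image that was inspected is not necessarily the image that runs.
    """
    ref = image.rsplit("/", 1)[-1]  # drop registry/repo path (and any registry port)
    if "@sha256:" in ref:
        return True
    tag = ref.split(":", 1)[1] if ":" in ref else "latest"  # Docker defaults to 'latest'
    return tag != "latest"


def evaluate_image(image: str, packages: dict, malware: list) -> dict:
    """Decide whether an image may be promoted; every blocking reason is recorded for audit."""
    reasons = []
    if not is_pinned(image):
        reasons.append("mutable tag; pin an immutable tag or a digest")
    for name, version, cve in vulnerable_packages(packages):
        reasons.append(f"{name} {version} affected by {cve}")
    for sample in malware:
        reasons.append(f"malware detected: {sample}")
    return {"image": image, "allowed": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed scan results: a pre-1.2.0 ElasticSearch image and a patched one.
    print(evaluate_image("registry.example/es:1.1.2", {"elasticsearch": "1.1.2"}, []))
    print(evaluate_image("registry.example/es:1.2.0", {"elasticsearch": "1.2.0"}, []))
```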
THANK YOU
Anthony Bettini
Founder & CEO
spadidar@flawcheck.com
@AnthonyBettini
Are you using Docker in development environments but concerned about the security of running it in production?
Register today for FlawCheck Private Registry’s free plan, which includes vulnerability & malware inspection services for 1 private repository:
https://console.flawcheck.com/register