Classification: //SecureWorks/Public Use:
#SEETHECLOUD
Is your security as secure as the cloud itself?
Hans Rattink
Security Architect, Secureworks
About me
• Hans Rattink
• Senior Security Architect @ SecureWorks.com
• Region: Central EU
• Active in IT for over 17 years, Security over 12 years
Is the cloud secure?
What are my responsibilities?
What should I do next?
State of the art Data Centres
Foundation of Cloud Service Providers
Ref.: https://www.datapipe.com/blog/2017/11/14/touring-equinixs-state-of-the-art-dc12-data-center/
Can it get any better?
https://aws.amazon.com/compliance/
Through 2020, public cloud infrastructure as a service (IaaS)
workloads will suffer at least 60% fewer security incidents
than those in traditional data centres.
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
- Gartner, Inc.
Are we good?
Are we?
By 2020, 95 percent of cloud security failures will be the customer’s fault
Gartner, Clouds Are Secure: Are You Using Them Securely?, 21 July 2016
- Gartner, Inc.
What did we see this year so far?
Verizon – July 2017
• A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed
• The data was contained on a misconfigured Amazon S3 data repository owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon, according to a July 12 blog post
• “This massive data leak could have been avoided by using specific data-centric security tools, which can ensure appropriate configuration of cloud services, deny unauthorized access, and encrypt sensitive data at rest.”
https://www.scmagazine.com/misconfigured-server-leaves-14-million-verizon-customer-records-exposed/article/674590/
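The class of misconfiguration behind this incident is a bucket policy or ACL that grants access to everyone. The check below is an added example (not from the presentation and not a SecureWorks tool): it flags Allow statements open to any principal without a Condition, and ACL grants to the AllUsers/AuthenticatedUsers groups. The policy and ACL documents are constructed inline; in practice they would come from the bucket's GetBucketPolicy and GetBucketAcl responses.

```python
import json

# The predefined AWS groups that mean "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_findings(policy_json):
    """Sids of Allow statements open to any principal with no Condition limiting them."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def public_acl_findings(acl):
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed sample documents (not real buckets): an open policy, a policy scoped
# to one account, and an ACL with a READ grant to AllUsers.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print("policy findings:", public_policy_findings(OPEN_POLICY), public_policy_findings(SCOPED_POLICY))
    print("ACL findings:", public_acl_findings(PUBLIC_ACL))
```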
Deloitte – September 2017
• The perpetrators may have had access to the server as far back as October or November 2016
• Deloitte acknowledged that an attacker “accessed data from an email platform”, which Deloitte also used to store usernames, passwords, IP addresses, architectural diagrams, health information, and sensitive security and design details
• The adversary accessed the Azure cloud service by compromising an administrator's account with unrestricted access to content. The account did not have “two-step” verification set up.
• To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months
https://www.scmagazine.com/no-accounting-for-this-deloittes-email-server-reportedly-breached/article/695503/
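Two of the failures above, a privileged account without two-step verification and suspicious sign-ins that nobody looked at for months, are detectable from sign-in logs. The rules below are an added example (not from the presentation) run over constructed sign-in records in a generic audit-log shape; the field names, the privileged role name and the IP baseline are assumptions, not a specific vendor's schema.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
PRIVILEGED_ROLES = {"GlobalAdmin"}          # assumed name for the admin role
KNOWN_CORPORATE_IPS = {"198.51.100.7"}      # constructed baseline of expected source addresses

# Constructed sample sign-ins (documentation IP ranges, not real addresses).
SIGNINS = [
    {"ts": "2016-10-03T02:14:00Z", "user": "admin1", "role": "GlobalAdmin", "mfa": False, "ip": "203.0.113.9"},
    {"ts": "2016-10-04T09:00:00Z", "user": "admin1", "role": "GlobalAdmin", "mfa": False, "ip": "198.51.100.7"},
    {"ts": "2017-03-02T11:30:00Z", "user": "alice", "role": "User", "mfa": True, "ip": "198.51.100.7"},
    {"ts": "2017-03-02T23:50:00Z", "user": "admin1", "role": "GlobalAdmin", "mfa": False, "ip": "203.0.113.9"},
]

def _is_privileged(event):
    return event["role"] in PRIVILEGED_ROLES

def admins_without_mfa(events):
    """Privileged users that completed at least one sign-in without a second factor."""
    return sorted({e["user"] for e in events if _is_privileged(e) and not e["mfa"]})

def privileged_signins_from_unknown_ips(events, baseline):
    """Privileged sign-ins from addresses outside the baseline: review these, not just count them."""
    return [e for e in events if _is_privileged(e) and e["ip"] not in baseline]

def dwell_days(events, baseline, detected_at):
    """Days between the first suspicious privileged sign-in and the moment detection ran."""
    hits = privileged_signins_from_unknown_ips(events, baseline)
    if not hits:
        return 0
    first = min(datetime.strptime(e["ts"], TS_FORMAT) for e in hits)
    return (datetime.strptime(detected_at, TS_FORMAT) - first).days

if __name__ == "__main__":
    print("admins without MFA:", admins_without_mfa(SIGNINS))
    for e in privileged_signins_from_unknown_ips(SIGNINS, KNOWN_CORPORATE_IPS):
        print("privileged sign-in from unknown IP:", e["ts"], e["user"], e["ip"])
    print("dwell (days):", dwell_days(SIGNINS, KNOWN_CORPORATE_IPS, "2017-03-06T12:00:00Z"))
```

Running the rules daily instead of once after the fact is what turns the dwell figure from months into hours.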
Huddle – November 2017
• The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties
• On Wednesday (8th Nov.), a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform. He was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
• According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
• Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code. This ensures no two people are ever simultaneously issued the same code.
http://www.bbc.com/news/technology-41969061
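A simplified model of the flaw and of the fix Huddle describes, added here as an example; it is not Huddle's code. It assumes the vulnerable design derived the authorisation code from a server secret and the 20 ms time window the request fell in, which is the simplest design that reproduces the reported behaviour, and contrasts it with a per-request code drawn from a CSPRNG and bound to the user it was issued to.

```python
import hashlib
import secrets

WINDOW_MS = 20  # the 20 ms window quoted in the BBC report

class TimeWindowIssuer:
    """Vulnerable model: the code depends only on which 20 ms window the request fell in,
    so every login in that window receives the same code (and thus each other's session)."""
    def __init__(self, server_secret):
        self.server_secret = server_secret

    def issue(self, user, now_ms):
        window = now_ms // WINDOW_MS
        return hashlib.sha256(f"{self.server_secret}:{window}".encode()).hexdigest()[:32]

class PerRequestIssuer:
    """Fixed model: every invocation draws a fresh code from a CSPRNG and binds it to the
    user it was issued to, so codes are neither shared nor predictable from the clock."""
    def __init__(self):
        self.owner_of = {}

    def issue(self, user, now_ms):
        code = secrets.token_urlsafe(32)  # 256 random bits; the timestamp plays no part
        assert code not in self.owner_of
        self.owner_of[code] = user
        return code

def shared_codes(issuer, arrivals):
    """Issue one code per (user, arrival_ms) and return the groups of users that share a code."""
    users_by_code = {}
    for user, arrival_ms in arrivals:
        users_by_code.setdefault(issuer.issue(user, arrival_ms), []).append(user)
    return [users for users in users_by_code.values() if len(users) > 1]

# Constructed arrivals (ms since the epoch): user-a and user-b reach the login server
# 5 ms apart, inside one 20 ms window; user-c arrives 100 ms later.
ARRIVALS = [("user-a", 1_510_000_000_000), ("user-b", 1_510_000_000_005),
            ("user-c", 1_510_000_000_100)]

if __name__ == "__main__":
    print("time-window issuer:", shared_codes(TimeWindowIssuer("server-secret"), ARRIVALS))
    print("per-request issuer:", shared_codes(PerRequestIssuer(), ARRIVALS))
```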
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
http://breachlevelindex.com/
Results from one year of the Data Breach Notification law
• 5,500 notifications of data breaches
• 4,000 notifications investigated
• Hundreds of organisations have been warned
• Tens of organisations have been involved in deeper investigations
Numbers from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)
Source: https://autoriteitpersoonsgegevens.nl/nl/nieuws/overzicht-meldingen-datalekken-eerste-kwartaal-2017#subtopic-5247
GDPR
Fines for data breaches can reach a maximum of 4% of yearly gross turnover or €20 million, whichever is higher
What are my responsibilities?
Cloud models
Responsibility shared between Cloud Consumer and Cloud Provider:
• Infrastructure as a Service
• Platform as a Service
• Software as a Service
Key responsibilities for Cloud models
Clarify and document your responsibilities
Vendor management is key
• Know where your responsibilities end and the provider’s begin
• Patching, encryption, software licenses, data retention
• Make sure there is documented responsibility for each layer in the Cloud stack
• Agree on the responsibilities with the Cloud provider and ensure contracts are in place that reflect them
• Ensure as a Cloud Consumer you have the ability to assess/audit the Cloud Provider’s security and privacy controls
What should I do?
By 2018, the 60% of enterprises that implement
appropriate cloud visibility and control tools
will experience one-third fewer security failures.
https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/
- Gartner, Inc.
Security roadmap
1 Assess and Plan
• Security Maturity Assessment
• Identify security gaps
• Understand risks to (personal) data
• Develop a risk-based Security Programme that includes best practices
2 Increase visibility
• Implement (threat intel based) Security analytics
• Use a 24x7 SOC for incident analysis
• Apply a Vulnerability Scanning & Management programme
• Improve Security Awareness
3 Implement controls
• Implement governance controls
• Add controls for detection and protection
• Create runbooks and incident response plans
4 Test, operate & manage
• Govern Security Programme
• Test security controls, programme and employees
• Evaluate and improve
Build your security program
Cloud Security Strategy
• Holistic view of implications of cloud computing
• Full evaluation of threats and risks
• Identification and implementation of mitigating controls against assets and cloud providers
Check your cloud provider
• Understand their security control framework
• What information do they provide you, what is documented?
• What options do they give you to ensure security?
Understand the implications
• Where is your data now and in the future?
• Are you monitoring the security controls in place?
• What happens to your data if your cloud provider ceases service?
• Are you GDPR compliant and prepared for a security breach?
Assess your existing controls
• What are your responsibilities in keeping the data secure?
• Do you know what services you use and who has access to your critical data in the cloud?
• Can you successfully respond to security incidents?
Increase visibility
Security monitoring results
Implement controls
Cloud Security Configuration Management
https://cloud.secureworks.com/
About SecureWorks
Intelligence-driven information security solutions…
• 2,400+ employees
• Recognized as an industry leader
• ~4,500 clients across 61 countries
• 18 years of threat intelligence data
• 240B security events processed daily
• 2B+ threat indicators
• 300+ expert security analysts
• 700+ IR engagements last year
Acknowledged leader
Secureworks Cloud Portfolio
Cloud Security & Risk Consulting
Strategize and Architect Secure Applications and Data
✓ Security Design and Architecture
✓ Cloud Strategy Development and Assessment
Test Your Cloud Security
✓ Vulnerability Assessment
✓ Advanced Penetration Tests
✓ Web App Security Assessment
✓ Penetration Tests
✓ Remote Red Team
✓ API Assessments
Assess Your Deployment
✓ Cloud Vendor Assessment
✓ Cloud Strategy Assessment
✓ Security Framework Assessments
Meet Compliance
✓ Vulnerability Scanning
✓ PCI, HIPAA, GLBA, FISMA, EI3PA
✓ Penetration Testing
Cloud Managed Security Services & SaaS
✓ Managed Vulnerability Scanning
✓ Managed Web Application Scanning
✓ Monitored Firewall
✓ Monitored Web Application Firewall
✓ Monitored Elastic Server Groups
✓ Advanced Endpoint Threat Detection - Red Cloak
Cloud Incident Response
Respond to a Breach
✓ Emergency Incident Response
✓ Incident Management Retainer
Multiple cloud platforms supported
Amazon Web Services supported
Is the cloud secure?
What are my responsibilities?
What should I do next?
Questions?
• @hrattink
• https://www.linkedin.com/in/hrattink/
Hans Rattink, CISSP, CISM
Senior Security Architect
SecureWorks | Central Europe
Phone: +31 6 250 93 872
[email protected]
Thanks for your time!
#SEETHECLOUD
Colophon
Author: Hans Rattink
Modified: November 2017
Revision history: 0.4: Initial version for See2017