Cloud Sentry Blog (https://cloudsentry.evident.io), powered by Evident.io. Feed generated Fri, 24 Feb 2017 21:31:36 +0000.

Fear & Loathing In The Cloud (Fri, 24 Feb 2017 21:21:34 +0000)

Whether you’ve already bought your ticket for the cloud or still have some issues to sort through, fine-tune your security practices to make sure your ride is a smooth one.

For those of us who started our careers amid the structure and disciplined rigor of old-school, waterfall, data center-centric application development, the cloud seems like a psychedelic trip straight out of a Hunter S. Thompson book. Code is being deployed in nearly continuous fashion. Servers are history. Penetration tests are so out of date by the time they’re done, you might as well have not even tried. It can be overwhelming, and there are days you probably want to jump in a red Chevrolet Impala and hit the road.

Each week, I talk to folks in enterprises who are either beginning or accelerating their move from traditional on-premises infrastructure to the cloud. They anticipate they will realize benefits including increased agility, reduced costs, flexibility, and ease of use. But along with this transition there are new security concerns, fear, and, yes, sometimes a little bit of loathing. They’ve heard cloud stories from their friends, after all.

However, almost all organizations recognize that they need to adapt and modernize their security policies and posture so they can continue to achieve corporate goals while taking advantage of everything the cloud offers. Security can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation. Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility but also don’t want to see their organizations fall behind competitors because they’ve slowed or blocked cloud adoption.

When it comes to cloud security today, there are many issues that organizations are trying to sort through, but here are a few I hear the most.

  1. Organizations viewing the cloud as just another product: You can’t make an assessment of your security today and assume it holds true tomorrow. Heck, it probably won’t hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment has to be continuous, or it won’t be effective. Traditional security solutions weren’t created to fit the rapidly changing elastic infrastructure of the cloud. While attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem.
  2. Traditional scanning won’t do: Traditional data center solutions rely on being in the path of traffic, being deployed within an application or operating system, or on traditional network-based IP scanning techniques. That approach doesn’t work in the cloud. Users run application stacks on abstracted services and platform-as-a-service layers or leverage API-driven services that render conventional security solutions ineffective. Cloud environments are so fundamentally different from their static on-premises counterparts that they require an entirely new way of administering security practices, and this means adopting new cloud security technologies that provide extreme visibility.
  3. Differentiating real security issues from “noise”: Teams working in the cloud benefit from speed and acceleration, but it’s important to recognize how their approach to security must be vastly different. Discerning real vulnerabilities from mere infrastructure noise is a major challenge. All this change and noise make manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for defenders to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in every development and IT shop.
  4. Lack of compliance with API-driven cloud security: The emergence of API-driven cloud service suites has changed the way security must be architected, implemented, and managed. While the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As new compliance benchmarks such as the CIS AWS Foundations Benchmark are released, we will have a means to assess our security posture against industry-defined best practices and ensure that we’re taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migration is happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation. 

Whether your organization was born in the cloud, is migrating to the public cloud, is building out a private cloud, or has a crazy complex hallucination-inducing hybrid cloud strategy, the cloud is happening, and it’s an absolute necessity that we adapt our security practices. No longer is security left to the security guys: we all have a part in creating a holistic, continuous, and rapid security program fit to support the cloud. As Hunter S. Thompson wrote, “Buy the ticket, take the ride.”

Originally published on Dark Reading

The Time Has Come to Fully Embrace Security Automation (Wed, 22 Feb 2017 12:52:26 +0000)

Last week the security industry put another RSA Conference in the record books. This year certainly was an interesting conference, at least for me. In addition to all of the great meetings, content, keynotes, and hallway discussions that always make RSA so worthwhile, some associates and I had the bonus journey of learning we would not be allowed back into our Airbnb rental. All of our clothes, toiletries, and much of our work gear were under lockdown.

Fortunately, we were eventually able to convince the very courteous San Francisco police to escort us to the rental to retrieve our stuff so that we could relocate to a hotel.

Before all of that excitement, during a panel discussion following Monday’s pre-RSA DevOps Connect: DevSecOps Edition, we discussed just how difficult companies have it when it comes to integrating DevOps processes and adapting to cloud apps. This is especially true when it comes to building software and using cloud infrastructure that is secure and resilient. Many of the challenges enterprises face when moving to the cloud and integrating DevOps come down to learning how to bring security along for the ride or, in many cases, how to build it in the first place.

What’s interesting is that larger companies are better at integrating security and DevOps than smaller enterprises are. Well, at least for now. In DevOps.com’s inaugural Security @ the Speed of DevOps annual survey, they surveyed 255 security IT decision makers within organizations currently practicing DevOps. As one might expect, the degree of security and compliance automation/controls varied greatly between enterprises of various sizes.

When it comes to organizational size, DevOps is not evenly distributed. More than 90% of enterprises with more than 5,000 employees have either adopted or started to embrace DevOps methodologies. Of enterprises with fewer than 501 employees, only 38% have embraced DevOps. That’s still a good number, but it clearly shows a significant opportunity for smaller businesses to improve their processes, which is absolutely necessary to remain competitive.

Another gap is security automation. Only 6.5% of organizations with fewer than 100 employees have incorporated automated security testing on a significant portion of their applications. The good news is that these smaller organizations are at least starting to use security automation, with about 30% saying they have automated some of their testing. Again, here we see a stark contrast between smaller and larger organizations. At least 40% of organizations with 5,000 to 10,000 employees have automated large parts of their security testing.

My prediction is that by next year’s RSA Conference, we’re going to see a significant increase in security automation investment across companies of all sizes. Those companies that haven’t started yet are going to have to start, and those who are already well down this path are going to continue to shed as many manual application and cloud security processes as they can.

Consider a report from cloud access security broker Skyhigh Networks and the Cloud Security Alliance (CSA) titled, Custom Applications and IaaS Report 2017. This report found that custom application use in the cloud has hit an all-time high, yet information security teams are aware of less than 40% of those apps. That’s not a sustainable structure. The Custom Applications and IaaS Report 2017 also found that companies are continuing to consume ever more cloud services with no sign of slowing down. Astonishingly, among those surveyed, infrastructure-as-a-service clouds hold more custom applications today than currently reside in corporate datacenters.

Indeed, in the years ahead, all organizations are going to have to embrace security automation with both arms just to survive in the cloud.

Time for CISOs to Empower DevOps (Tue, 21 Feb 2017 19:11:35 +0000)

Webinar on Thursday, March 09, 2017 at 10:00 am PST

As DevOps is adopted at more organizations, it is becoming recognized as a means to enhance security efforts. Security tests should always be an integral part of the DevOps workflow; however, that isn’t the reality for many organizations.

There is a growing need for new cloud security tools built to enforce security and compliance measures at the speed of scale, while allowing applications to be developed faster and more securely. As new cloud security platforms and automation tools fill the gaps to overcome key security challenges, organizations turn to DevOps to enable continuous compliance.

Join guest speakers, Steve McAtee, CIO at Vibrant Credit Union and Adrian Sanabria, Senior Analyst at 451 Research Group, to understand the drivers for Continuous Compliance and Security in the Cloud, including:

  • Trends in cloud adoption and development
  • Rising demand and costs of cybersecurity
  • Continuous compliance vs. emergency compliance
  • Compliance automation tools for DevOps

Join the webinar – REGISTER NOW

SPEAKERS:
Steve McAtee – CIO at Vibrant Credit Union

As Vibrant’s chief information officer, Steve McAtee is the man with the plan when it comes to any of the high-tech gadgetry around the office. A lifelong Quad Cities resident, Steve bookends his days at work with tug-of-war matches with his dog. He hopes he’ll win one of these days.

Adrian Sanabria – Senior Analyst at 451 Research Group, Information Security

Adrian is a senior industry analyst at 451 Research, where he does his best to make sense of the security industry for clients. After over 15 years as a hacker, security professional, PCI QSA and incident responder he still sees the glass as half full. Follow Adrian on Twitter @sawaba.

Proud to Join the GV Portfolio (Thu, 09 Feb 2017 12:00:49 +0000)

We are pleased to announce that Evident.io was recently infused with $22M in fresh capital. This Series C funding round was led by GV (formerly Google Ventures) with participation from our existing partners at Bain Capital, Venrock and True Ventures. This investment strengthens Evident.io for the foreseeable future and allows us to continue operating in beast mode, accelerating to fully realize our vision.

Evident.io was founded in 2013, born out of the void of and desperate need for a cloud infrastructure security solution. My co-founder and CTO, Justin Lundy, and I experienced first hand the entire gamut of how the cloud exposed the weakness of traditional security while working together to reinvent and secure Adobe’s Creative Suite in the Cloud. This is when the lightbulb moment hit: traditional security best practices do not translate to the Cloud, and we had the opportunity to effect change. As a result, Evident.io was born with a mission.

Since our beginning, we have been working at breakneck speed to create cloud security capabilities that are as easy to install and use as they are rock solid. The Evident Security Platform (ESP) is a SaaS-based platform that provides complete visibility across an organization’s public cloud infrastructure and enables consistent enforcement of policy requirements in line with industry compliance standards. ESP was designed specifically to help modern IT and DevOps teams automate and maintain security within the shared responsibility model that has become commonplace in today’s services economy. We approach security less like a transaction and more like a partnership. Working together, we’ll secure the cloud, defend your fortress, and increase your security awareness 24x7x365.

Today, with over 200 customers, we automate over 750 Cloud Security Best Practices and analyze more than 360 Million risks per day. ESP’s powerful transparency has thwarted countless attacks and has helped to remediate and secure thousands of vulnerabilities.

This infusion of capital will enable us to deliver our vision faster. We plan to accelerate company growth to address the market demand by enabling support of public cloud platforms beyond AWS to Microsoft Azure and Google Cloud Platform. We plan to accelerate the innovation and development of new features and capabilities of ESP to extend functionality beyond our infrastructure security and compliance automation offering. Our new automated Compliance Views for PCI, NIST 800-53, SOC2, ISO-27001 and BCBS 239 remain our focus in the near term.

To support these efforts, we are also growing the sales and marketing teams to target new geographies and vertical markets. The team will grow its commercial and government sales teams in the US, Europe, Asia and Australia.

We are excited to work with GV and look forward to learning from their expert team and gaining insights from their impressive network of portfolio companies.

Join our mission –  evident.io/jobs/

View official press release

What Cool Cybersecurity Job is Right for You? (Mon, 06 Feb 2017 17:22:40 +0000)

Information security is one of the hottest, most-desired careers. However, when I talk with college students and recent graduates, and even experienced professionals looking for a career change to cybersecurity, there is often a lot of confusion about where and how to begin. Interestingly, this conversation came up during a recent dinner with CSOs. The subject proved to be divisive even among this group, who regularly hire cybersecurity professionals.

During the dinner, some CSOs advised that those interested in a cybersecurity career should focus on cybersecurity-specific education, while others argued that it is better to focus one’s formal education in other areas, such as computer science or even business to better understand the nature of the business and the vertical market in which a security professional may work. The student would then minor in security. Perhaps the answers to these questions vary depending on the career path one chooses.

In addition to education and training, there’s the question of where the best jobs are in the field. While “best” is certainly subjective, it is important to give considerable thought to which specialty within the broad field of cybersecurity one wants to pursue. In fact, while many people speak of cybersecurity or information security as a career in itself, it’s actually a diverse field with many specialties, ranging from enterprise risk management roles to application security, forensics and investigations, infrastructure, malware, and many other disciplines.

In fact, there are so many positions and disciplines in cybersecurity for newcomers that choosing one may not be easy for some. Fortunately, SANS has help for future (and current) cybersecurity professionals who seek an area of focus: The Top 20 Coolest Cybersecurity Career list.

It’s both an interesting and a helpful list. For each career category, there are recommended courses. Here’s what they have to say about the CISO career, for instance:

#10 – CISO/ISO or Director of Security
“Seems like I can get a lot done with little to no push back”

Job Description

Today’s Chief Information Security Officers are no longer defined the way they used to be. While still technologists, today’s CISO/ISO’s must have business acumen, communication skills, and process-oriented thinking. They need to connect legal, regulatory, and local organizational requirements with risk taking, financial constraints, and technological adoption.

SANS Courses Recommended

Why It’s Cool

  •    “Authority always wins.”
  •    “These people get to decide where to build the “watch towers,” how many rangers are stationed in the park, where fires can be safely built, and the rules of engagement.”

How It Makes a Difference

  •    “You have the creative direction to influence and directly contribute to the overall security of an organization. You are the senior security player, the only one whom the CEO will trust.”
  •    “This position usually reports at a very high level, and gets to see and influence the big picture. You work with physical security, IT, the businesses, even the FBI and other law enforcement agencies.”
  •    “You are da Boss. You can pick and choose who does what, what gets done, and motivate and then share the credit with your people. You make a real impact on a daily basis.”

How to Be Successful

Organizations succeed by taking risks. But they frequently fail because they don’t manage the risk-taking very well. The risks are business risks, and the security team needs to see business constituencies as “customers.” The “this is how it’s always worked” approach must be thrown out. Data-driven decisions, devolving perimeter, any-device thinking, collaboration technologies, virtualization, and mobile data are diametrically opposed to prior thinking. Today’s solutions are tomorrow’s threat, and global and geopolitical landscape shifts are tightly coupled to intellectual and informational threats.

Experience is often the training ground; diverse thought and scenario planning are requirements for a good outcome. Focus on the business goals: Never forget that this is the basis for security thinking.

You should take the time to look at the other 19 job write-ups. As you’ll see, there are many paths in the enterprise to a cybersecurity career, so there’s no need for newcomers to feel they are getting themselves locked into something. After writing about cybersecurity for more than 20 years now, I can assure everyone that this field is indeed dynamic and anyone who picks an area of interest today and carves themselves a niche will always be able to shift their focus to another area if they wish with training and additional experience.

The reality is that many cybersecurity jobs either didn’t exist or were very sparse, 20 years ago. And the day-to-day duties from as little as 10 years ago certainly don’t resemble what they are today. No one knows what this field will look like in 10 or 20 years. So if a cybersecurity career is something that is of interest, it’s best to pick an area and run with it. You just don’t know where the path will lead over time.

How to “Shadow” Shadow IT (Wed, 01 Feb 2017 18:21:43 +0000)

Most CIOs know that employees within their organization have snuck a few applications past the IT department, but a new report from ESG indicates that they are greatly underestimating the extent that Shadow IT has infiltrated their environments.

This new brief reveals that “65% of enterprise IT professionals report being aware of a significant or moderate number of non-IT-sanctioned cloud applications being used at their organization.” This level of widespread Shadow IT can create significant security threats and introduce considerable waste, as employees in different business lines purchase similar unauthorized apps and services for common processes like storage and collaboration.

How can CIOs and CISOs manage, support and protect what is in their cloud effectively without having a true understanding of what might be dwelling in there? If they can’t see what cloud services are being consumed, they can’t see the risk that’s being incurred.

In order to be truly vigilant against security threats, being held for ransom or having data compromised, CIOs and CISOs need to “Shadow” Shadow IT.

As the comic book goes, “Who knows what evil lurks in the hearts of men? The Shadow knows.” We are not saying that the people who are skirting IT protocol to enable their teams with the apps and services they need for success are evil, just that the unknown consequence of Shadow IT may very well turn out to be.

To become the “Shadow,” CIOs and CISOs will need to leverage continuous monitoring and automation.

Continuous monitoring is the ability to maintain ongoing awareness of information security, vulnerabilities and threats. Setting up continuous security monitoring and policy controls is no easy task for organizations with a large cloud infrastructure, especially if there are so many services lurking in the shadows. Start by prioritizing what information would be the most valuable to potential attackers and investigate ways to continuously surveil and assess these systems.

Embrace automation wherever possible. Automation tools enable complete visibility into cloud infrastructure while fortifying what has been configured in the cloud with security best practices. As a bonus, automating security controls and risk remediation can free up time for your team to educate the rest of the company on the importance of IT protocol and the dangers of Shadow IT.

To find out more about how our technology can empower you to solve this problem visit our website. ESP provides a single pane of glass view of all of your AWS accounts, regions and services in one easy to customize dashboard. By consuming all of Amazon’s APIs, ESP can detect and reveal accounts that may have been lurking in the shadows and alert security teams of configuration changes and policy violation and provide a path to remediation.

Six security essentials to jumpstarting a cloud security program (Fri, 27 Jan 2017 17:36:01 +0000)

When you are securing traditional on-premises systems, you own the responsibility for securing everything from the physical premises to the hardware, operating system, network, and applications.

In cloud deployments, it doesn’t work that way. Depending on the nature of the cloud service, there is always part of the technology stack that the cloud provider is responsible for keeping secure, and parts that customers are responsible for securing on their own. Essentially, this concept is what Amazon calls the Shared Responsibility Model. The model applies to any flavor of outsourced cloud (in an on-premises private cloud, of course, you own it all).

In public cloud, infrastructure-as-a-service, and platform-as-a-service offerings, the provider owns the security of the physical layer and the infrastructure of the cloud, as well as the underlying compute, storage, database, network, and application services they offer. You, the customer, own the security configuration of your own operating systems, network traffic, firewall settings, and all of the security on your own systems that are used to connect to the cloud. We will dive more into the Shared Responsibility Model in future posts, but that’s essentially it. And to be secure, it’s imperative that you understand the security you own.

Before we dive more into the Shared Responsibility Model in the future, it’s important to take a look at some security essentials that always need to be taken care of:

Security Essential One: Classify apps and data

Where do you start your focus on the security you own? Ask yourself what applications and data you have that are critical to running your business. What apps and data would cause executive leadership, stockholders, or customers to abandon ship if breached? What data, if leaked, could cripple the ability to conduct business or to effectively compete? What data would cause regulators to get into a whirr and possibly result in fines or sanctions?

All of these are the kinds of highly coveted business data, or government-regulated data, that you have to classify as critical and protect as such. These are the data, applications, servers, and systems that determine where you start your security efforts, and they will likely always keep the highest level of focus.

Security Essential Two: Keep an eye on application security

At times your attackers are going to target vulnerabilities in your web applications. And you do have attackers targeting your assets. Whether you believe you do, or not, doesn’t matter: They’re still targeting you. To make sure your applications are as free of software vulnerabilities as you can make them, you have to actively look for vulnerabilities that create security risks. If the applications are open source or off-the-shelf applications, make sure to patch regularly and be sure to patch critical security flaws immediately. When building your applications, it’s important that developers be trained in and use secure coding practices and that applications continuously be examined for potential flaws. A good place to look for guidance on how to start an application security program is the Open Web Application Security Project (OWASP).

Security Essential Three: Get user identities and access under control

Put the processes in place to manage your user identities. This entails knowing who your users are, what job roles they have, and from that what applications and resources they should be able to access. It means limiting access to only those who have a reasonable need for those resources. And when the roles of these people change, change their access. When they leave for whatever reason, have their access revoked. This is one of the most important things one can do to keep a good security posture – and yet it’s one of the areas so many organizations skimp on.

Security Essential Four: Policy and Configuration Management

It’s crucial to establish policies for security checks, settings, and configuration levels for all of your systems, workloads, and apps. And just as vulnerability scans are important to find systems that are out of date, it’s important to check and ensure that systems are configured and running to policy.

Security Essential Five: If it can be automated, automate it

If there is a security task that can be automated through scripts or cost-effectively offloaded to a security services provider – it should be done. Good reads on continuous security and continuous policy monitoring can be found here and here. If you are a smaller organization, scale the advice down to your size – but the precepts remain similar.

Security Essential Six: Be ready to respond

Of course, being on steady lookout for security deficiencies in the organization is important, but many organizations, unfortunately, don’t think about what comes next: remediation. When you start looking for security vulnerabilities, what will the organization do to fix them? When you find violations of policy, how will the gap be closed quickly? Think this through and plan ahead of time.

These essentials are just the beginning, and they aren’t meant to be comprehensive. They are meant to get the gears turning toward putting a cloud security program in place. There are many more posts coming, and in the next post on this subject we’ll take a closer look at what the Shared Responsibility Model means for securing cloud services.

The post Six security essentials to jumpstarting a cloud security program appeared first on Cloud Sentry Blog.

Hadoop, CouchDB Users Latest Attack Targets
../hadoop-couchdb-users-latest-attack-targets/
Thu, 26 Jan 2017 13:42:54 +0000

The attacks on databases just keep coming.

First it was the MongoDB attacks; then, as Evident.io’s John Martinez wrote last week in Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets, the Elasticsearch search and analytics engine came under assault. Now, most recently, poorly configured Hadoop (HDFS) and CouchDB installations have been the targets of similar attacks.

This time, at least for the Hadoop attacks, instead of attempting to extract a ransom from users, the attackers are simply infiltrating the targets and deleting whatever data they can. If that’s not a wake-up call for maintaining a good security posture, then I don’t know what would possibly do the job.

In a blog post, the Fidelis Threat Research Team pegged the number of potentially exposed HDFS installations at 8,000 to 10,000 worldwide. “A core issue is similar to MongoDB, namely the default configuration can allow “access without authentication.” This means an attacker with basic proficiency in HDFS can start deleting files,” they wrote.

It’s notable that the Hadoop attackers went straight to destroying data, unlike the other attacks, each of which left a ransom note demanding payment. The CouchDB attacks followed that ransom pattern.

When these attacks hit, they scale rapidly. By some accounts, the number of hijacked MongoDB instances jumped from 12,000 to more than 27,000 in a single day. If you don’t want to receive a message like the one MongoDB users got, you need to keep track of your configuration settings continuously:

“Your database has been pwned because it is publicly accessible at port 27017 with no authentication (wtf were you thinking?). Your data has been dumped (with data types preserved), and is easily restoreable [sic].

“To get your data back, email the supplied email after sending 0.15BTC to the supplied Bitcoin wallet, do this quickly as after 72 hours your data will be erased (if an email is not sent by then). We will get back to you within 2 days. All of your data will be restored to you upon payment.”
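The note above spells out exactly what made those MongoDB instances targets: a database listener reachable from the whole Internet with no authentication. The network half of that condition is visible in your security groups long before an attacker finds it. Below is an added example, not code from the original post, that walks a constructed listing in the shape of `aws ec2 describe-security-groups` and reports every rule that exposes a datastore port to 0.0.0.0/0 or ::/0. The port table (MongoDB 27017, Elasticsearch 9200, CouchDB 5984, HDFS NameNode 8020 and 50070) is an assumption about which services you run, and the group IDs are made up.

```python
"""Flag security groups that expose database/search listeners to the Internet.

Added example, not code from the original post. SECURITY_GROUPS is
constructed sample data in the shape of `aws ec2 describe-security-groups`;
DATASTORE_PORTS is an assumption about the services in your estate.
"""

# Default listener ports of the datastores the ransom/wiper campaigns went after.
DATASTORE_PORTS = {
    27017: "MongoDB",
    9200:  "Elasticsearch HTTP",
    5984:  "CouchDB",
    8020:  "HDFS NameNode RPC",
    50070: "HDFS NameNode web UI",
}

# These CIDRs mean "the whole Internet", not "my office".
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: the first two groups are findings, the third is fine.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "mongo-test",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-1b2c3d4e", "GroupName": "hadoop-dev",
     "IpPermissions": [
         {"IpProtocol": "-1",                     # all protocols, all ports
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-2c3d4e5f", "GroupName": "es-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},  # internal only
     ]},
]


def rule_port_range(rule):
    """Return (low, high) for a rule; protocol -1 (or no ports) means every port."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def rule_is_world_open(rule):
    """True if any IPv4 or IPv6 source range on the rule is the whole Internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def find_exposed_datastores(groups, ports=DATASTORE_PORTS):
    """Return [(group_id, port, service)] for each datastore port reachable from anywhere."""
    exposed = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            if not rule_is_world_open(rule):
                continue
            low, high = rule_port_range(rule)
            for port, service in sorted(ports.items()):
                if low <= port <= high:
                    exposed.append((sg["GroupId"], port, service))
    return exposed


if __name__ == "__main__":
    for gid, port, svc in find_exposed_datastores(SECURITY_GROUPS):
        print("%s exposes %s (tcp/%d) to the whole Internet" % (gid, svc, port))
```

Treat an open rule as a finding even when the instance behind it has no public address today: addresses change, and an unauthenticated listener is still reachable from any other host in the VPC that gets compromised. The authentication half of the problem needs a check on the service itself (that authentication is enabled and that it binds only where it has to), which this network check does not replace.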

Access policies often play a big role in attacks of this nature. On the attacks against users of AWS Elasticsearch, Martinez noted the following in his post about securing resource-based policies:

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except for when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced, period. Our experience shows that development and pre-production environments are ripe for exploitation due to the lower security hygiene and less (or lack of) monitoring placed on them. What’s even worse is we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that, or if you must, always make sure you anonymize).

If you have been fortunate enough not to have been victimized by any of these attacks, that’s great news, but now is a good time to check the security settings of your servers, workloads and cloud systems, because attacks like this on cloud-based systems are quickly becoming the new normal.

The post Hadoop, CouchDB Users Latest Attack Targets appeared first on Cloud Sentry Blog.

Today’s D’oh! Moment Could Be Tomorrow’s Front Page News
../todays-doh-moment-could-be-tomorrows-front-page-news/
Wed, 18 Jan 2017 23:47:58 +0000

  • Keys left in the front door when I was focused on getting inside safely.
  • Garage door left open all day because I was wondering if I shut off the iron.
  • Credit card left at the Starbucks as I made sure I had all my belongings.

Yes, I’ve done all those things. Perhaps I was just channelling my inner Homer Simpson.

Let’s face it — we’ve all made silly mistakes in our day-to-day lives that create security risks and privacy risks for our families and jobs. Thankfully, none of my mistakes have led to anything disastrous, at least that I know of, yet.

No matter how careful we are, or how well-versed we are in security best practices, it’s a safe bet that we are all making silly, absent-minded security mistakes daily that lead to security vulnerabilities in our cloud environments.

We know we shouldn’t keep root API access keys, but we don’t have time to create the individual IAM users. We know we shouldn’t use customer PII in test environments, but we’re in a rush, under pressure, and don’t have time to anonymize. We know ports should never be left open to the world, but it will make running the tests easier, and it will only be for 10 minutes. We know Welcome123 is a horrible password, but we’re drawing a complete blank at the moment and plan to change it really soon. Then stuff happens. You get distracted by your cube mate’s cat videos. You start thinking about something you need to do when you get home. Your mind moves on to the next task, and BOOM: you forget to fix the security mistake despite all your good intentions just moments ago.

The recent rash of MongoDB and Elasticsearch attacks has had me wondering how many of those open access policies and vulnerable clusters were caused by absent-mindedness rather than blatant incompetence. How many times did developers think “I’ll fix that other problem as soon as I get this thing working,” and the next thing they knew the code had been deployed and their to-do list of fixes had been forgotten?

As security professionals (and these days we all need to be security professionals), we need to focus on quickly remediating risks and on identifying ways to ensure the mistakes don’t happen next time. However, keeping staff trained and manually tracking every change that takes place in our dev, test and prod environments is impossible.

With continuous security and compliance monitoring, seamless integration into SIEMs, and real-time alerts issued to the right team at the right time, we can use cloud security automation to our advantage and limit the damage our mistakes can do to our business. So, while checklists on the cubicle wall and continuous training are great reminders of security best practices, there is nothing better than building security policies and checks directly into the workflow.

After all, we all get lost in our thoughts now and then and forget to…

The post Today’s D’oh! Moment Could Be Tomorrow’s Front Page News appeared first on Cloud Sentry Blog.

Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets
../elasticsearch-now-in-the-crosshairs-mongodb-ransom-attackers-have-new-targets/
Tue, 17 Jan 2017 17:16:37 +0000

As if the MongoDB sacking fiasco wasn’t enough, bored attackers have added ransacking of open AWS Elasticsearch clusters to their list. Late last week (and who knows how long before that), they began attacking Elasticsearch domains with open access policies. Access to AWS Elasticsearch domains is controlled via resource-based policies.

AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except for when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced, period. Our experience shows that development and pre-production environments are ripe for exploitation due to the lower security hygiene and less (or lack of) monitoring placed on them. What’s even worse is we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that, or if you must, always make sure you anonymize).
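An “open access policy” here is a concrete thing you can look for in the domain’s AccessPolicies document: an Allow statement whose Principal is the anonymous wildcard (`*` or `{"AWS": "*"}`) with no Condition that actually narrows who can reach it. The ESP signature linked below is Ruby; what follows is an added Python example of the same idea, not that signature and not code from the original post. The three policy documents are constructed samples (the account ID, domain names and IP range are made up) in the shape `aws es describe-elasticsearch-domain` returns in its AccessPolicies field.

```python
"""Classify an AWS Elasticsearch domain access policy as open, IP-restricted or closed.

Added example, not the ESP custom signature the post links to. The policy
documents are constructed samples; account ID, domain names and IP range
are made up.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def as_list(v):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def principal_is_wildcard(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}: anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(x) for x in principal.values())
    return False


def source_ip_restriction(condition):
    """Return the aws:SourceIp ranges tested by an IpAddress condition, or None if absent."""
    ranges = []
    for operator, tests in (condition or {}).items():
        if operator.startswith("IpAddress"):  # IpAddress / IpAddressIfExists
            for key, value in tests.items():
                if key.lower() == "aws:sourceip":
                    ranges += as_list(value)
    return ranges or None


def classify_access_policy(policy_json):
    """Return ('open' | 'ip-restricted' | 'closed', [reasons]) for a domain policy."""
    if not policy_json:  # AWS returns an empty string when no policy is set: nothing allowed
        return "closed", []
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    worst, reasons = "closed", []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue  # Deny statements and named principals don't open the domain
        actions = ",".join(as_list(stmt.get("Action", [])))
        ips = source_ip_restriction(stmt.get("Condition"))
        if ips is None or any(ip in WORLD_CIDRS for ip in ips):
            reasons.append("anonymous principal may %s with no usable IP restriction" % actions)
            worst = "open"
        else:
            reasons.append("anonymous principal may %s from %s" % (actions, ips))
            if worst != "open":
                worst = "ip-restricted"
    return worst, reasons


# Constructed samples of what you will see in the console / CLI output.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs-dev/*",
    }],
})

IP_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs-prod/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
})

CLOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-shipper"},
        "Action": "es:ESHttpPost",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs-prod/*",
    }],
})

if __name__ == "__main__":
    for name, doc in [("logs-dev", OPEN_POLICY), ("logs-prod", IP_RESTRICTED_POLICY),
                      ("logs-prod/shipper", CLOSED_POLICY)]:
        verdict, why = classify_access_policy(doc)
        print("%-18s %-13s %s" % (name, verdict, "; ".join(why)))
```

The classification is deliberately conservative: a `NotIpAddress` condition, or any operator other than `IpAddress`/`IpAddressIfExists`, is not counted as a restriction, so such policies surface as open for a human to look at rather than being silently passed. An IP-restricted policy is the pattern AWS documents for domains that are reachable from the Internet; whether the allowed ranges are the right ones is still a question for you, not for the script.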

Evident.io takes these types of exploits in the wild very seriously. In order for our customers to identify, remediate and monitor for Elasticsearch domains with open access policies, we have released an Evident Security Platform (ESP) custom signature in our open-source repo: https://github.com/EvidentSecurity/custom_signatures/blob/master/elastic_search_open_access_policy.rb

We recommend that everyone that uses AWS Elasticsearch install and activate this ESP custom signature immediately. Instructions for creating a custom signature are here: http://docs.evident.io/#custom-signatures.

If you have any questions installing this custom signature, please email support@evident.io.

—The Evident.io Team

PS – Not yet an Evident.io customer? You can try ESP free for 14 days and start securing your cloud infrastructure within minutes. Get started now to see if you have any high priority risks in your AWS environment.

The post Elasticsearch Now In the Crosshairs – MongoDB Ransom Attackers Have New Targets appeared first on Cloud Sentry Blog.
