Upload File

improving threat intelligence, detection, and response for ... · open s3 buckets overly permissive...

  • Home
  • Documents
  • Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code
18
Improving Threat Intelligence, Detection, and Response for Cloud Workloads Dan Constantino Director, Security Operations Cox Automotive

Upload: others

Post on 23-May-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Improving Threat Intelligence, Detection, and Response for Cloud

WorkloadsDan Constantino

Director, Security Operations

Cox Automotive

Page 2: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Improving Threat Intelligence, Detection, and Response for Cloud Workloads

Dan Constantino Director, Security Operations

Page 3: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

No exceptions

Threat actors don’t break in, they log in or exploit old

vulnerabilities/misconfigurations

Cloud environments can widen the scope of

a company’s risk

Here’s the brutal truth:

Page 4: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

FINANCIAL SOLUTIONS

INTERNATIONAL

INVENTORY SOLUTIONS

RETAILSOLUTIONS

MOBILITYSOLUTIONS

Page 5: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

IN THE CLOUD

Corporate Applications(SaaS)

Customer-Facing Systems (IaaS/SaaS/PaaS)

Page 6: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

CLOUD RISKSOverly Permissive Security Groups

Open S3 Buckets

Overly Permissive IAM Roles

Exposed API Keys

CI/CD Pipeline Misconfigurations (Jenkins)

Remote Code Execution – Vulnerabilities

DBAQA/ RELEASE

ENGINEER

Page 7: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

PII

Page 8: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Threat INTELLIGENCE

Threat DETECTION

Threat RESPONSE

Page 9: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code
Page 10: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Threat Intelligence, Detection, and Response for Cloud Workloads

How We Built Our:

Page 11: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Built a threat intel ecosystem to better understand our threats

1

• Create your own threat intel

• Integrate on-prem and cloud threat intelligence within a single platform

• Age out/expire threat intel

• Use your IR artifacts/findings

• Automate 2-way integration of threat intel

• Leverage your threat intel to prioritize vulnerability remediation

THREAT INTELLIGENCE

Threat INTELLIGENCE

TIP

S

Page 12: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Updated our detection capabilities to identify cloud threats and established self-service model for low-level threat alerts2

THREAT DETECTIONThreat

DETECTION

Anomalous Events

& Activities

Excessive Privileges

CompromisedAccount

or System

Resource Misuse

Page 13: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Scaled threat response through automated alerts and actions

3THREAT RESPONSE

Threat RESPONSE

Any/Any Security Group

Page 14: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

INCIDENTS BY MONTH

Phishing

Crypto mining

Acct Compromise

Create a playbook and runbook for use cases

Build IR investigation dashboards Create logical

process diagrams

Track metrics

OPERATIONALIZE

Page 15: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

KEY TAKEAWAYS

• Fully understand your cloud risks and threats

• Create your own threat intel ecosystem

• Set up accurate and actionable alerting

• Automate response for commodity-based threats

• Build a playbook with your use cases

Page 16: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

THANK YOU

Dan Constantino Director, Security Operations

Page 17: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code
Page 18: Improving Threat Intelligence, Detection, and Response for ... · Open S3 Buckets Overly Permissive IAM Roles Exposed API Keys CI/CD Pipeline Misconfigurations (Jenkins) Remote Code

Vulnerability Management:Q&A Panel Discussion

Jason CatheyCISO

Bank OZK

Dan ConstantinoDirector,

Security OperationsCox Automotive

Todd TherrienInterim CISO

City of Phoenix

Moderator: Bob Bragdon, Publisher, CSO


Assistive Technology Manual · How to Use Assistive Technology with Permissive Mode y Using Permissive Mode with Assistive Technology Permissive Mode is a TDS accommodation that allows

Permissive Exemption Application Questionnaire

Department of Computer Science PERMISSIVE CONTROLLER

Baaz Finding Misconfigurations in Access Control Tathagata Das, Ranjita Bhagwan, Prasad Naldurg

Permissive DocketFees

Effects of Permissive Hypercapnia on Laparoscopic …downloads.hindawi.com/journals/grp/2019/3903451.pdfResearch Article Effects of Permissive Hypercapnia on Laparoscopic Surgery for

F5 BIG-IP Misconfigurations

Large Scale Analysisof CORS Misconfigurations · Jens Müller | Large Scale Analysis of CORS Misconfigurations 25 Popular vulnerable sites 25 nystax.gov flipboard.com nike.net moneymonk.nl

Investigation into differences between HCV permissive and non-permissive cell lines using proteomic approaches Sam Cooper Oxford University

Top SharePoint 2013 Misconfigurations Serge Tremblay

PERMISSIVE HYPOTENSION IN HYPOVOLEMIC SHOCK RESUSCITATION

Top SharePoint 2013 Misconfigurations

Baaz Finding Misconfigurations in Access Control

Internet Safety. Sexual Predators Sexual Predators Harmful images – disturbing, overly graphic, explicit Harmful images – disturbing, overly graphic,

Buffering a Permissive Hypercapnia The Evidence

Assistive Technology Manual - osasportal.org · Overview of Testing with Assistive Technology Using Permissive Mode with Assistive Technology Permissive Mode is a TDS accommodation

7 Deadly Hadoop Misconfigurations Kathleen Ting - ApacheCon

Discovering Access-Control Misconfigurations - Department of

Assistive Technology Manual - oh.portal.cambiumast.com · Assistive Technology Manual. Using Permissive Mode with Assistive Technology . Permissive Mode is a TDS accommodation that

Vulnerability & Security Assessment Report Election ... · 269 misconfigurations on the server and 303 misconfigurations on the client standalone and the ERM workstations, as well

PNL: Permissive-nominal logic - Gabbay · Permissive-nominal logic Permissive-nominal logic (PNL) is designed to cleanly express speci cations like those of the last slide. It has

Interventions For the Overly Connected

Permissive Referendum for site 6140 Route 209townofrochester.ny.gov/files/2018/01/ToRSolarInformation... · 2018-01-22 · Permissive Referendum for site Off Airport Road Proposition

Flood Mitigation Project on Overly Drive

NetPrints Diagnosing Home Network Misconfigurations using ...€¦ · Misconfigurations using Shared Knowledge Venkat Padmanabhan Joint work with: Bhavish Aggarwal, Ranjita Bhagwan,

PERFORMANCE COMPARISON OF A PERMISSIVE OVERREACH …

Permissive Joinder of Claims and Parties

PERMISSIVE UPDATES - Daniel Rothschild

Engineering Permissive Insertion Sites in the

7 Deadly Hadoop Misconfigurations - ApacheCon

Security Top 5 Endpoint · endpoint misconfigurations • Of the most common areas of endpoint misconfigurations, the most errors are found in the Internet Settings category, with

CHAPTER 21 COUNTY PERMISSIVE LODGING TAX

Assistive Technology Manual - DeSSA Portal€¦ · How to Use Assistive Technology with Permissive Mode y Using Permissive Mode with Assistive Technology Permissive Mode is a TDS

CAUSATIVE, PERMISSIVE, AND YIELDING: THE MANDARIN …€¦ · Serial verb construction (SVC), causative, passive, permissive (control), and a special construction taking a measure

Assistive Technology Manual - ct.portal.airast.org€¦ · • Testing with Assistive Technology for Braille Tests . Using Permissive Mode with Assistive Technology Permissive Mode