Reasoning About Enterprise Application Security in a Cloudy World @Zulfikar_Ramzan / CTO / www.elastica.net

Upload: elastica-inc

Post on 29-Nov-2014


DESCRIPTION

by Elastica CTO Zulfikar Ramzan

TRANSCRIPT

Page 1: Reasoning About Enterprise Application Security in a Cloudy World

Reasoning About Enterprise Application Security in a Cloudy World

@Zulfikar_Ramzan / CTO / www.elastica.net

Page 2

THREAT LIFECYCLE

Rethinking Security: Being Threat Centric

BEFORE (Controls): Firewalls, NGFW
DURING (Identification): IDS/IPS, AV, AMP
AFTER (Response): Forensics, IR Tools

Page 3

Key Cybersecurity Hurdles

Proliferation of New Technologies
Evolution of Threat Landscape
Increase of Complexity

Page 4

GRC: What Matters?

Compliance: Highly complex, one-size-fits-all, dynamic.

What do you ultimately care about: Visibility. Have to understand the risks we are trying to mitigate.

Page 5

Traditional Security Operation Center (SOC)

Page 6

Outside the Visibility of Existing SOC

Unmonitored activities
Outside SOC reach

Page 7

Key Enterprise SaaS Security Challenges

Make it work vs. Approval
No Visibility: App / Action
No Events for SIEM to Consume

Page 8

Application Security Over Time

OWASP Top 10 – 2010 (old)                               OWASP Top 10 – 2013 (New)
2010-A1 – Injection                                     2013-A1 – Injection
2010-A2 – Cross Site Scripting (XSS)                    2013-A2 – Broken Authentication and Session Management
2010-A3 – Broken Authentication and Session Management  2013-A3 – Cross Site Scripting (XSS)
2010-A4 – Insecure Direct Object References             2013-A4 – Insecure Direct Object References
2010-A5 – Cross Site Request Forgery (CSRF)             2013-A5 – Security Misconfiguration
2010-A6 – Security Misconfiguration                     2013-A6 – Sensitive Data Exposure
2010-A7 – Insecure Cryptographic Storage                2013-A7 – Missing Function Level Access Control
2010-A8 – Failure to Restrict URL Access                2013-A8 – Cross-Site Request Forgery (CSRF)
2010-A9 – Insufficient Transport Layer Protection       2013-A9 – Using Known Vulnerable Components (NEW)
2010-A10 – Unvalidated Redirects and Forwards (NEW)     2013-A10 – Unvalidated Redirects and Forwards

3 Primary Changes:
- Merged: 2010-A7 and 2010-A9 -> 2013-A6
- Added New 2013-A9: Using Known Vulnerable Components
- 2010-A8 broadened to 2013-A7

Page 9

Where Controls are Lost

[Table: Layer (App/Data, Middleware, OS, Virtual, Physical) across On Prem, IaaS, PaaS and SaaS]

Page 10

Gartner Public Cloud Management Lifecycle

ESTABLISH SECURITY BASELINE
CHOOSE AND APPLY COMPENSATING CONTROLS
INCIDENT DETECTION
INCIDENT RESPONSE MANAGEMENT

Page 11

Establish a Security Baseline

Baseline: Need to understand where you are right now.
Basic Discovery: Table stakes (any Firewall / NGFW can do it).
Interesting challenge: Audit (what’s enterprise ready for you specifically?)

ADMINISTRATIVE
INFORMATIONAL
BUSINESS
ACCESS
DATA
SERVICE
COMPLIANCE

Page 12

Choose and Apply Compensating Controls

VISIBILITY
ACTION

User / Service / Object / Action

Page 13

Incident Detection

Policies and controls identify specific tangible behaviors. But what about sophisticated threats that fall outside their scope?

SIGNATURES
HEURISTICS
BEHAVIOR-BASED ANALYSIS
ANOMALY DETECTION

Page 14

Incident Response Management

Attackers are constantly evolving and adapting. Threats will eventually get through. The question is no longer “What if?”, but “What now?”

INFORMATION ASYMMETRY FAVORS ATTACKERS
PRE-THINK RESPONSE; HARD TO DO AFTER THE FACT
INTEGRATE; DON’T BOLT ON

Page 15

The SaaS Security Landscape

ENCRYPTION
SINGLE SIGN ON
SAAS APPLICATION MONITORING AND CONTROL

Page 16

ENCRYPTION: PROBLEM OR PANACEA?

ENCRYPT IN TRANSIT
ENCRYPT AT REST
ENCRYPT IN USE (?)

We don’t leverage SaaS Apps only for STORAGE.

Crypto is a GREAT TOOL; but great tools can be greatly MISUSED.

Page 17

SINGLE SIGN-ON: PANACEA?

PHISHING
MALWARE
DATA BREACH
MALICIOUS INSIDER
WELL MEANING INSIDER

EASE OF MANAGEMENT
CONTROL THE FRONT DOOR

Page 18

Cloud Services Security Problem

Visibility
Security
Compliance
Risk
Governance

Page 19

Thank you

TAKEAWAYS

SaaS Security and GRC Problem Multifaceted

Consider full threat lifecycle: Before, During, After

Visibility and Action are Key Pillars

@zulfikar_ramzan @ElasticaInc