How automation can contribute to cloud security [Q&A]
Attacks on cloud systems often take advantage of misconfigurations, something which can easily go undetected.
Can today's security operations teams use automation and leverage advanced analytics to adapt to the current, cloud-based threat landscape and maintain organizational safety?
Rob Fry, chief technology officer at security operations center company JASK -- and former senior security architect at Netflix -- thinks they can. We spoke to him to find out more.
BN: What are the most common types of cloud misconfigurations and how do they leave organizations exposed to data loss?
RF: The truth is, the majority of cloud misconfigurations that lead to data breaches are similar to the type of misconfigurations we see in datacenter environments which also lead to breaches. These breaches are not always due to 'cloud' misconfiguration, but rather to web servers or the same software you see running in a datacenter. Cloud breaches are not solely a cloud problem, they are a new type of challenge to customers who need to gain knowledge and understanding about how this new paradigm works.
That challenge and one primary reason for misconfigurations is a lack of experience in configuring for cloud infrastructure to ensure data is properly secured. There are distinct methodology changes from how to secure cloud versus the datacenter and most organizations are still behind that learning curve.
Logging is a great example. Whether by logline or API, cloud providers provide a much easier way to log what is happening in your environment compared to a datacenter. No matter the environment, data won’t be secure unless logging is properly configured to get visibility in what you're trying to protect.
Additionally, we commonly see an overprovisioning of access as another poor configuration in cloud environments. One of the great things about cloud providers is IAM (identity and access management) which is a fantastic tool for role-based administration and a more secure environment. However, time and again we see a web server will get popped and a service running on that server has more access than it needs, and then bad things are going to happen. This comes down to understanding privileged access of your systems and users, but also of IAM so as to not provide more than what’s absolutely necessary.
And finally, one of the most common services we see this happening to is data storage services, such as Amazon S3 buckets, being improperly configured and unsecured. This is usually due to a lack of experience in logging, to detect when the configuration is too wide open, or the operational understanding of proper access rights which get massively over-provisioned and then an S3 bucket and its contents are left wide open to the internet.
BN: Why do cloud misconfigurations so often go unnoticed and what steps can be taken to enhance visibility and improve security?
RF: First, it's important to understand and debunk the common misconception that cloud environments are less secure than datacenters. While the cloud attack surface is indeed larger, the ability to secure that surface in the cloud is also much better. The challenge again comes back to a failure of understanding of cloud, and the education and experience which is needed to do so. The cloud provider’s services are typically secure. Your operational usage of the service from the provider is your responsibility, so the assumption that a company's data was compromised because of the provider is usually an improper narrative.
A key reason misconfiguration goes unnoticed is that customers don’t know to turn on logging, which logging to turn on (there are several), or what to configure in logging. Therefore, it goes unnoticed because it's not being recorded. One of the strengths and reasons you can secure a cloud environment faster and easier, and detect misconfigurations, is the cloud is just an abstraction layer full of APIs gathering information with a datacenter underneath. By making simple calls and clicking a few buttons here and there, the ability to secure, maintain visibility and detect misconfigurations in the cloud can be down to seconds in certain cases.
One easy way to enhance visibility and improve security is turning to continuous scanning and monitoring of security groups. When I was at Netflix we created something called Security Monkey that went across our entire AWS footprint, which was substantial, but with APIs it was fairly easy to do. For security groups we had a standard profile for how it should be configured and specific configurations would get flagged immediately (any-any-all for instance). Especially if it was in certain parts of the network, it would get removed right away. Today you don’t even need to build it yourself as there are both open source and commercial solutions as well as solutions provided by the provider that can help protect you in this way.
BN: What malicious tactics are attackers using to take advantage of cloud misconfigurations?
RF: Just like customers should do continuous scanning of their infrastructure, malicious attackers likewise are continuously scanning cloud providers looking for misconfigurations. So, if you are not doing continuous scanning for yourself, don’t worry, someone other than your organization is doing it for you except it will have less than desirable results.
Most companies are also not keeping a close eye on CPU utilization inside the cloud. Of late, a popular way for attackers to make money is by installing malicious software for bitcoin mining. Because of the costs and observations around costs in the cloud, this is a very common occurrence and has created an extremely lucrative business for malicious hackers mining bitcoin.
Another common tactic is to mine something like a GitHub or coding site for a developer that will accidentally put an API key inside code. If an attacker is able to get access to an API key, they can use that against the service. If the key has more rights and access than it should have, then the bad guy has more rights and access than they should have.
BN: How has the role of the SOC analyst changed in securing cloud-infrastructure versus on-premise environments of the past?
RF: The role has changed considerably, and security analysts need help in adjusting from protecting data center environments to now additionally securing cloud infrastructure. The datacenter is where many of them learned to apply security methodologies and they better understand that environment. In order to make up for a lack of experience, analysts are increasingly relying on services and software to augment their understanding of cloud to help close the gap. Finding SaaS-type solutions that were 'born in the cloud' and have a deep understanding of both cloud and datacenter that can abstract away the underlying difference to present both cloud and datacenter security-based information uniformly is currently underway.
And because the cloud operates differently, security analysts need to learn the attacks against it are different too and how the dynamics of those attacks work in the cloud. In reality, it’s the same components -- file execution, network protocols -- but how they operate in the cloud and how an attacker would take advantage of them is different. Having a third party that understands cloud infrastructure and can help connect the dots for those who don’t is incredibly beneficial.
Additionally, because of the heavy use of APIs whether in cloud or datacenter, the need for the ability to script or write code for security analysts increases every year. This use case is not what I would call full-on programming but having the ability to interface with an API to retrieve and parse data and apply that information is very important. The amount of manual work and effort it can alleviate is substantial.
BN: What role does security automation play in defending against cloud-native attacks and breaches?
RF: It's not the only thing, but it can be everything if applied correctly. Since most modern products have APIs, everyone is trying to integrate services with everyone else. This presents both great challenges and opportunities. With the cloud being an abstraction of the datacenter run on APIs which all interact with each other in a seamless way, the ability to automate and defend against an attack is very high.
Autonomous scanning, automating inventory, getting instantaneous context from data correlation when events occur all done via automation are real possibilities with many proven results from both the security community building it themselves and vendors that are building solutions to have the same effect except across a larger segment of potential users.