Webcast 119165


The Paradox of Securing Cloud Workloads

John Pescatore, SANS
Netta Schmeidler, Morphisec

Today’s Speakers

John Pescatore, SANS
Netta Schmeidler, Morphisec

Q&A

• We love questions – ask us anything!
• Send to “Organizers” and tell us if it’s for a specific speaker.
Multiple Cloud Services Widely in Use

How Many is “Multiple”?

Or Is It Really… ?

Source: Netskope 2021
More Cloud: The Rush to Support Work from Home

• 40% have started using more cloud services in the past year (2020-2021), while 49% have not, with 12% not sure.
• For those using more cloud services, 29% were using business collaboration services, 22% used more cloud storage, and 15% used more remote VPN replacement.
• Informal and “rogue” use of many cloud services to try to mitigate the loss of face-to-face collaboration
Cloud Threats and Concerns

Source: SANS 2021

Causes of Cloud Incidents

Source: SANS 2021
Best Practices in Security Sensitive Sectors

✓ Basic Security Hygiene (especially visibility/CM/patching) extended to cloud
✓ “Cloud Native” security protection/detection/response
✓ 3rd party trust processes updated (or created…) to deal with SaaS and IaaS
✓ When Dev/Test tries IaaS, security architecture adapted to cover hybrid cloud
✓ Start to think about data security…
The Server Defense Paradox

Servers (on prem, cloud, or hybrid) are often the primary target of an APT: they hold our most valuable assets, admin creds, and offer a means of persistence.

Many organizations still use the same client-grade controls across servers and clients, despite server protection having different requirements than endpoint protection.

Result:
• Insufficient protection on most valuable assets.
• Over-reliance on detection.
• Dialed back protections due to overhead.
• Focus on the point of entry instead of the endgame.

© Morphisec Ltd., 2021 | CONFIDENTIAL
A NEW SENSE OF URGENCY

Digital Transformation and Cloud Migration

▪ Digital transformation is disrupting server and workload protection
▪ Over 97% of organizations have begun or will begin digital transformation progress in the next two years
▪ Over 41% are allocating more than 50% of their IT budgets to projects that grow and transform the business.
▪ The digital transformation market is expected to grow at a CAGR of 22.7% from 2019 to reach $3,294 billion by 2025.


ATTACK SCENARIO 1

The Fundamentals

▪ Many attacks can be thwarted with proper security hygiene
  ▪ Configuration
  ▪ Open ports
  ▪ Access
  ▪ Different than on prem
▪ However, these measures alone will not stop modern threats


ATTACK SCENARIO 2

Browser and Supply Chain Attacks

Adversaries attempt to infect servers directly using two techniques:
1. Admins using servers as PCs
   • Browser attacks
   • Document attacks
2. Supply chain attacks that target servers
   • New apps
   • Updates

The detection tools designed to detect this activity are intrusive and can be bypassed.

! In each scenario, adversaries can skip persistence, privilege escalation, and lateral movement.


ATTACK SCENARIO 3

Lateral Movement

Servers are often the target of APTs because
▪ They host the most valuable assets: IP, credentials, credit card information, etc.
▪ Anyone who takes them hostage owns you: ransomware, reinfection
▪ Parasites consume them for free CPU: cryptojacking and miners

Most adversaries land on personal computers, so they have to move laterally to the servers.

Detection tools focus on stopping or detecting initial access:
▪ They miss persistence
▪ They miss lateral movement
▪ They give the endgame to the attacker


ATTACK SCENARIO 4

The Problem with Virtual Applications

▪ Virtual applications are increasing in adoption
▪ They’re one of the few instances where end-users interact directly with server applications.
▪ As a result, adversaries are building more and more exploits to target virtual applications.

ATTACK SCENARIO 5

Unpatched Systems

▪ Perfection is impossible
  ▪ After the fact by definition
  ▪ People make judgments and mistakes
▪ In many cases it is undesirable
  ▪ Bad timing
  ▪ Potential for disruption


COMMON APPROACHES

Adapting Endpoint Tools To Protect Servers

Security Technology / Bypass Techniques

Behavior Analysis
▪ Packing and reflectively loading self-modifying code only during run-time
▪ Introducing noise that can decrease the confidence of many security ML-based detections

Static Analysis
▪ “Living off the land” – if there is no file on disk there is nothing to scan
▪ Regenerating file signatures and indicators (function names, section names, characteristics, etc.) within seconds; overflowing signature-based static analysis

Whitelisting
▪ Utilizing legitimate applications that have the functionality to execute additional code
▪ Replacing the memory of legitimate applications after load time

EPP VS CWPP

Common Goals | Divergent Solutions


The Technology Side of the Problem

Runtime Process Memory is the Battleground

▪ Lateral Movement
▪ Admin Actions
▪ Supply Chain Attacks
▪ Virtual Apps
▪ Unpatched Systems
▪ Data Theft
▪ Ransomware
▪ Crypto jacking and miners
▪ Compliance

“The static nature of computer networks and systems makes them easy to attack…and therefore difficult to defend.”
The Next Generation Cyber Infrastructure (NGCI) Apex Program

IN THE CLOUD

Shared responsibility model
▪ Security shared between cloud providers and the organization, their customer
▪ Several shared models, depending on the cloud provider and the provided services


Cloud Workload Protection Platforms: Application Execution Configuration

Core Workload Protection layer:

“Use an application control whitelisting model supplemented with memory protection and exploit prevention as the primary control for server workload protection”
Gartner – CWPP 2020

Server workloads are not dynamic. They are, by nature, immutable or close to it.
Therefore you must:
▪ Ensure only the workloads you planned to run on your servers are the ones running there – by using Allow Listing
▪ Protect their runtime, using memory protection
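To make the allow-listing half of this concrete, here is an added example (not from the webcast, Morphisec, or Gartner) that checks an observed process inventory against the planned baseline of an immutable workload; the baseline paths, the binaries and their contents are constructed sample data, and a planned path whose binary no longer matches the approved hash is reported separately because that is the update/supply-chain case from Attack Scenario 2.

```python
"""Added example: allow-list (application control) drift check for an immutable
server workload. Not vendor code; all paths and binary contents are constructed."""
import hashlib


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a binary's bytes (stands in for hashing the file on disk)."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the only binaries planned to run on this workload,
# keyed by path, with the hash of the approved build.
PLANNED = {
    "/usr/sbin/nginx": sha256_of(b"nginx-build-1.22"),
    "/usr/bin/python3": sha256_of(b"python-3.10"),
    "/opt/app/worker": sha256_of(b"worker-build-42"),
}

# Constructed inventory of what is actually executing: (path, bytes on disk).
OBSERVED = [
    ("/usr/sbin/nginx", b"nginx-build-1.22"),    # planned and unchanged
    ("/opt/app/worker", b"worker-build-43"),     # planned path, different binary
    ("/tmp/.cache/svc", b"unknown-binary"),      # never part of the plan
]


def check_allow_list(planned: dict, observed: list) -> dict:
    """Classify each running binary against the immutable baseline.

    Returns {'allowed': [...], 'modified': [...], 'unplanned': [...]}:
    'modified' is a planned path whose content hash drifted (tampered or
    unapproved update); 'unplanned' is a path the workload never declared.
    """
    result = {"allowed": [], "modified": [], "unplanned": []}
    for path, content in observed:
        digest = sha256_of(content)
        if path not in planned:
            result["unplanned"].append(path)
        elif planned[path] != digest:
            result["modified"].append(path)
        else:
            result["allowed"].append(path)
    return result


if __name__ == "__main__":
    for kind, paths in check_allow_list(PLANNED, OBSERVED).items():
        print(f"{kind}: {paths}")
```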


EXTENDING ZERO TRUST

From Identity to Run-time

Layers, bottom to top: Identity, Network, Pre-Execution, Execution

Identity
▪ Will stop fraudulent users
▪ But not accepted users downloading malware

Network
▪ Can stop untrusted connections from accepted users (known bad IP vs. trusted IP)
▪ But not malware from trusted connections

Endpoint (pre-execution)
▪ Can stop malware from trusted users and connections
▪ But not malware embedded in trusted applications

Runtime
▪ No matter the user, no matter the file, attacks are stopped when they must reveal themselves, which is ALWAYS when in memory because only then can they do anything
Moving Target Defense Implementation

▪ Prevention: prevents zero-days, targeted and unknown attacks
▪ Deterministic: no detection, rules, or prior knowledge
▪ Simple: no analysis or configuration

[Diagram: a server with App Control on disk and Memory protection at runtime; labels Skeleton Process and Morphed Process Memory; example process names sihost, AutoIt, rundll32, regsvr32]


TIME

Exposure Collapses to Zero

[Chart: Microsoft Exchange (4 CVEs). Status Quo: window of exposure with a delayed start of coverage after attacks. Moving Target Defense: coverage from the moment the attack is created.]


MORPHISEC KEEP

On-Prem, Private/Public Cloud

Install
▪ 2MB user mode agent
▪ SCCM / standard dist
▪ No reboot
▪ No configuration
▪ No rules / policies

Operate
▪ Set and forget
▪ Prevention reports
▪ No updates
▪ Offline protection
▪ No CPU consumption

[Diagram: Management Server utilizes underlying controls (Defender for Endpoint, Enterprise SIEM); protected systems: Windows Server, Linux Server, Virtual App, Virtual Desktops, PC/Laptops]


MAIN DASHBOARD

THREATS

ATTACK TRAJECTORY


Strategic Value of Morphisec

MOVING TARGET DEFENSE

Risk Reduction
▪ Proactive prevention
▪ Future-proof
▪ Built for Servers
▪ CWPP Logic

Operational Savings
▪ Rapid time to value
▪ Simple operations
▪ Low overhead

Business Enablement
▪ Business continuity
▪ Data protection


Resources

• SANS Cloud Security Survey: https://www.sans.org/reading-room/whitepapers/awareness/paper/40225
• CyberStart America - https://www.cyberstartamerica.org/
• Morphisec: https://www.Morphisec.com/
• Questions: q@sans.org
• jpescatore@sans.org

Thanks to our sponsor:

And also to our speakers and to our attendees:

Thank you for joining us today

© 2021 The SANS™ Institute – www.sans.org