BLACK HAT USA 2018 – Las Vegas – Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all recently doubled down on threat intelligence to help users identify and respond to malicious activity in the public cloud. But where do these platforms differ, and how do those differences help or harm cloud security?
Brad Geesaman, an independent cloud infrastructure security consultant, aimed to clarify the strengths and shortcomings of each platform during his Black Hat session "Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities." He set the stage for his side-by-side comparison with a broader look at how security is different in the cloud.
For starters, competition is ramping up in the space. As it does, companies are prioritizing shipping features and outsourcing non-core capabilities – including security. The cloud explosion has demolished the traditional perimeter, a rise in new infrastructure has shifted the attack surface, and a dearth of cloud security experts is amplified amid a wave of new features and services.
Cloud environments change fundamental assumptions about security, Geesaman explained. "When everything is an API, the traditional approaches don't fit," he said. The scalability of the cloud grants an opportunity to amplify good behavior. It also amplifies human error.
Direct compromise may not be needed to affect cloud security, he continued. Credential theft can happen via phishing, malware, backdoor libraries or tools, or password guessing. Malicious outsiders abuse employees' failure to rotate, disable, or delete credentials after someone leaves the company. Credential leaks, another common vector, happen more often than one might think.
"You'd be surprised – or maybe not – where these keys can show up," Geesaman added. "People give them away by accident all the time."
When shopping among major cloud services, it's important to bear in mind that none of them have been around very long. They're still growing, changing, and gaining new features, and they all still have work to do. "Don't expect something that's been in service for 10 years," he said.
Geesaman asked several of the same questions when evaluating the intelligence tools in each cloud platform: which data sources they use, how they operate on data, how much visibility the data provides, what is not covered in the service, and what is needed for onboarding, cost structure, partner integration, customization, and validating detection.
And with that, he dove into the research. First up ...
The Azure Security Center was first released in fall 2015, became generally available in spring/summer 2016, and added threat detection in summer 2017. Its idea is to provide security management and threat detection and apply security policies across hybrid cloud workloads. Microsoft charges $15 per system per month for the tool.
Its dashboard is one of the key features, Geesaman pointed out. If you're comfortable managing Windows on-prem, much of your knowledge will carry over.
He also highlighted its security recommendation engine, which prioritizes issues to tackle, as well as custom alert rules, file integrity monitoring, REST API, and third-party tool integration – which he said is helpful for managing choice endpoint tools. The value-add comes from its hybrid-first approach, Microsoft-supported Windows/Linux Agent, and Azure Log Analytics Service, in which all agent logs are searchable.
Amazon Web Services
Amazon GuardDuty was released as CloudTrail in spring 2013, AWS VPC Flow Logs in summer 2015, and GuardDuty in winter 2017. GuardDuty offers threat detection so users can continuously monitor AWS accounts and workloads. It's offered as a 30-day free trial and, in North America, is priced at $0.25 to $1 per GB of VPC/DNS and $4 per 1 million Cloudtrail Events.
What's key: GuardDuty monitors data streams from CloudTrail Events, VPC Flow Logs, and DNS Logs. It integrated threat intel feeds with known malicious IP addresses and domains; users can supply their own IP lists for "good" and "bad" hosts, he added. Further, GuardDuty can be set so users have centralized AWS accounts and don't have to be involved in dev or operations teams to have those events sent to them.
The platform detects backdoors, malicious behavior, cryptocurrency mining, persistence, Trojans, recon, and attacks conducted with pen-testing tools, among other threats. Its value-add comes from a "zero-impact" setup, clear detection listing, broad partner ecosystem, and seeing multiple types of API abuse.
"One of the things I liked about GuardDuty is they do a lot of detections, and they tell you what those detections are," Geesaman said. It's "very transparent" about what it's looking for and does the best and clearest job of reporting the misuse of API keys, he added.
Google Cloud Platform
The Google Cloud Platform (GCP) is still in its early stages, he continued. It detects botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic, and feeds them into a user interface that he anticipates will undergo changes as it's still early in development.
GCP's value-add comes from a zero-impact setup that doesn't affect any running workflows, as well as an API and interface that feature partner solutions and integrate their output into a single interface. It's also framework-oriented and designed to handle security events across multiple services.
There is room for improvement across all the major platforms, Geesaman pointed out. On the detection side, visibility is dependent on implementation. "If you're defending your organization and you don't know what you're detecting, how do you know what gaps you have?" he noted.
Detection capability listings could be better, he added, as well as customization and tuning of the data. From an integration perspective, he said he foresees a lot of movement and improvement in how security events are collected, analyzed, processed, and forwarded.
"Cloud providers are known for moving very quickly with their services," Geesaman concluded, adding that change is in the future. He advised attendees to check providers' next major events for updates.