Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

08:00 PM
Connect Directly

Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft

A closer look at native threat intelligence capabilities built into major cloud platforms and discussion of their strengths and shortcomings.

BLACK HAT USA 2018 – Las Vegas – Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all recently doubled down on threat intelligence to help users identify and respond to malicious activity in the public cloud. But where do these platforms differ, and how do those differences help or harm cloud security?

Brad Geesaman, an independent cloud infrastructure security consultant, aimed to clarify the strengths and shortcomings of each platform during his Black Hat session "Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities." He set the stage for his side-by-side comparison with a broader look at how security is different in the cloud.

For starters, competition is ramping up in the space. As it does, companies are prioritizing shipping features and outsourcing non-core capabilities – including security. The cloud explosion has demolished the traditional perimeter, a rise in new infrastructure has shifted the attack surface, and a dearth of cloud security experts is amplified amid a wave of new features and services.

Cloud environments change fundamental assumptions about security, Geesaman explained. "When everything is an API, the traditional approaches don't fit," he said. The scalability of the cloud grants an opportunity to amplify good behavior. It also amplifies human error. 

Direct compromise may not be needed to affect cloud security, he continued. Credential theft can happen via phishing, malware, backdoor libraries or tools, or password guessing. Malicious outsiders abuse employees' failure to rotate, disable, or delete credentials after someone leaves the company. Credential leaks, another common vector, happen more often than one might think. 

"You'd be surprised – or maybe not – where these keys can show up," Geesaman added. "People give them away by accident all the time."

When shopping among major cloud services, it's important to bear in mind that none of them have been around very long. They're still growing, changing, and gaining new features, and they all still have work to do. "Don't expect something that's been in service for 10 years," he said.

Geesaman asked several of the same questions when evaluating the intelligence tools in each cloud platform: which data sources they use, how they operate on data, how much visibility the data provides, what is not covered in the service, and what is needed for onboarding, cost structure, partner integration, customization, and validating detection.

And with that, he dove into the research. First up ...

Microsoft Azure
The Azure Security Center was first released in fall 2015, became generally available in spring/summer 2016, and added threat detection in summer 2017. Its idea is to provide security management and threat detection and apply security policies across hybrid cloud workloads. Microsoft charges $15 per system per month for the tool.

Its dashboard is one of the key features, Geesaman pointed out. If you're comfortable managing Windows on-prem, much of your knowledge will carry over. 

He also highlighted its security recommendation engine, which prioritizes issues to tackle, as well as custom alert rules, file integrity monitoring, REST API, and third-party tool integration – which he said is helpful for managing choice endpoint tools. The value-add comes from its hybrid-first approach, Microsoft-supported Windows/Linux Agent, and Azure Log Analytics Service, in which all agent logs are searchable.

Amazon Web Services
Amazon GuardDuty was released as CloudTrail in spring 2013, AWS VPC Flow Logs in summer 2015, and GuardDuty in winter 2017. GuardDuty offers threat detection so users can continuously monitor AWS accounts and workloads. It's offered as a 30-day free trial and, in North America, is priced at $0.25 to $1 per GB of VPC/DNS and $4 per 1 million Cloudtrail Events.

What's key: GuardDuty monitors data streams from CloudTrail Events, VPC Flow Logs, and DNS Logs. It integrated threat intel feeds with known malicious IP addresses and domains; users can supply their own IP lists for "good" and "bad" hosts, he added. Further, GuardDuty can be set so users have centralized AWS accounts and don't have to be involved in dev or operations teams to have those events sent to them.

The platform detects backdoors, malicious behavior, cryptocurrency mining, persistence, Trojans, recon, and attacks conducted with pen-testing tools, among other threats. Its value-add comes from a "zero-impact" setup, clear detection listing, broad partner ecosystem, and seeing multiple types of API abuse.

"One of the things I liked about GuardDuty is they do a lot of detections, and they tell you what those detections are," Geesaman said. It's "very transparent" about what it's looking for and does the best and clearest job of reporting the misuse of API keys, he added. 

Google Cloud Platform
The Google Cloud Platform (GCP) is still in its early stages, he continued. It detects botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic, and feeds them into a user interface that he anticipates will undergo changes as it's still early in development. 

GCP's value-add comes from a zero-impact setup that doesn't affect any running workflows, as well as an API and interface that feature partner solutions and integrate their output into a single interface. It's also framework-oriented and designed to handle security events across multiple services.

Cloudy Forecast
There is room for improvement across all the major platforms, Geesaman pointed out. On the detection side, visibility is dependent on implementation. "If you're defending your organization and you don't know what you're detecting, how do you know what gaps you have?" he noted.

Detection capability listings could be better, he added, as well as customization and tuning of the data. From an integration perspective, he said he foresees a lot of movement and improvement in how security events are collected, analyzed, processed, and forwarded. 

"Cloud providers are known for moving very quickly with their services," Geesaman concluded, adding that change is in the future. He advised attendees to check providers' next major events for updates.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.