Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

08:00 PM
Connect Directly

Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft

A closer look at native threat intelligence capabilities built into major cloud platforms and discussion of their strengths and shortcomings.

BLACK HAT USA 2018 – Las Vegas – Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all recently doubled down on threat intelligence to help users identify and respond to malicious activity in the public cloud. But where do these platforms differ, and how do those differences help or harm cloud security?

Brad Geesaman, an independent cloud infrastructure security consultant, aimed to clarify the strengths and shortcomings of each platform during his Black Hat session "Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities." He set the stage for his side-by-side comparison with a broader look at how security is different in the cloud.

For starters, competition is ramping up in the space. As it does, companies are prioritizing shipping features and outsourcing non-core capabilities – including security. The cloud explosion has demolished the traditional perimeter, a rise in new infrastructure has shifted the attack surface, and a dearth of cloud security experts is amplified amid a wave of new features and services.

Cloud environments change fundamental assumptions about security, Geesaman explained. "When everything is an API, the traditional approaches don't fit," he said. The scalability of the cloud grants an opportunity to amplify good behavior. It also amplifies human error. 

Direct compromise may not be needed to affect cloud security, he continued. Credential theft can happen via phishing, malware, backdoor libraries or tools, or password guessing. Malicious outsiders abuse employees' failure to rotate, disable, or delete credentials after someone leaves the company. Credential leaks, another common vector, happen more often than one might think. 

"You'd be surprised – or maybe not – where these keys can show up," Geesaman added. "People give them away by accident all the time."

When shopping among major cloud services, it's important to bear in mind that none of them have been around very long. They're still growing, changing, and gaining new features, and they all still have work to do. "Don't expect something that's been in service for 10 years," he said.

Geesaman asked several of the same questions when evaluating the intelligence tools in each cloud platform: which data sources they use, how they operate on data, how much visibility the data provides, what is not covered in the service, and what is needed for onboarding, cost structure, partner integration, customization, and validating detection.

And with that, he dove into the research. First up ...

Microsoft Azure
The Azure Security Center was first released in fall 2015, became generally available in spring/summer 2016, and added threat detection in summer 2017. Its idea is to provide security management and threat detection and apply security policies across hybrid cloud workloads. Microsoft charges $15 per system per month for the tool.

Its dashboard is one of the key features, Geesaman pointed out. If you're comfortable managing Windows on-prem, much of your knowledge will carry over. 

He also highlighted its security recommendation engine, which prioritizes issues to tackle, as well as custom alert rules, file integrity monitoring, REST API, and third-party tool integration – which he said is helpful for managing choice endpoint tools. The value-add comes from its hybrid-first approach, Microsoft-supported Windows/Linux Agent, and Azure Log Analytics Service, in which all agent logs are searchable.

Amazon Web Services
Amazon GuardDuty was released as CloudTrail in spring 2013, AWS VPC Flow Logs in summer 2015, and GuardDuty in winter 2017. GuardDuty offers threat detection so users can continuously monitor AWS accounts and workloads. It's offered as a 30-day free trial and, in North America, is priced at $0.25 to $1 per GB of VPC/DNS and $4 per 1 million Cloudtrail Events.

What's key: GuardDuty monitors data streams from CloudTrail Events, VPC Flow Logs, and DNS Logs. It integrated threat intel feeds with known malicious IP addresses and domains; users can supply their own IP lists for "good" and "bad" hosts, he added. Further, GuardDuty can be set so users have centralized AWS accounts and don't have to be involved in dev or operations teams to have those events sent to them.

The platform detects backdoors, malicious behavior, cryptocurrency mining, persistence, Trojans, recon, and attacks conducted with pen-testing tools, among other threats. Its value-add comes from a "zero-impact" setup, clear detection listing, broad partner ecosystem, and seeing multiple types of API abuse.

"One of the things I liked about GuardDuty is they do a lot of detections, and they tell you what those detections are," Geesaman said. It's "very transparent" about what it's looking for and does the best and clearest job of reporting the misuse of API keys, he added. 

Google Cloud Platform
The Google Cloud Platform (GCP) is still in its early stages, he continued. It detects botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic, and feeds them into a user interface that he anticipates will undergo changes as it's still early in development. 

GCP's value-add comes from a zero-impact setup that doesn't affect any running workflows, as well as an API and interface that feature partner solutions and integrate their output into a single interface. It's also framework-oriented and designed to handle security events across multiple services.

Cloudy Forecast
There is room for improvement across all the major platforms, Geesaman pointed out. On the detection side, visibility is dependent on implementation. "If you're defending your organization and you don't know what you're detecting, how do you know what gaps you have?" he noted.

Detection capability listings could be better, he added, as well as customization and tuning of the data. From an integration perspective, he said he foresees a lot of movement and improvement in how security events are collected, analyzed, processed, and forwarded. 

"Cloud providers are known for moving very quickly with their services," Geesaman concluded, adding that change is in the future. He advised attendees to check providers' next major events for updates.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.