WORKSHOP STRUCTURE
First part: lessons 1-6; the risks of cloud applications and the theory behind them
Second part: lessons 7-12; how to mitigate the risk using a CASB solution
MIGRATION TO THE CLOUD OFFICE
This shift of workloads into the cloud is rapidly redefining enterprise IT, and offers significant opportunities to enterprises.
MIGRATION TO THE CLOUD OFFICE
• Collaboration
• Agility
• Economics
• Choices
What else does it bring? New risks.
INFORMATION SECURITY IS CHANGING
Inside the perimeter, behind the firewall: visibility and control.
Out on the Internet, in cloud applications: no visibility, no control.
What % of our data is already in the cloud? 30%
MIGRATION TO THE CLOUD OFFICE
Who secures what in a cloud application:
• Provider: the application itself (cross-site scripting, SQL injection, etc.)
• You: access visibility, access control and data loss prevention for your users
MIGRATION TO THE CLOUD OFFICE
• Collaboration
• Agility
• Economics
• Choices
What are the main problems we need to worry about? Security and governance.
RETHINKING THE SECURITY STACK FOR THE CLOUD
Next-Gen firewalls
IDS/IPS
Vulnerability Scanning
Network forensics
SIEM
DLP
Not designed to protect corporate data uploaded to third-party solutions hosted outside the enterprise
CLOUD ACCESS SECURITY BROKERS (CASB)
A new Solution for Cloud App Security
1) Identify and evaluate all
the cloud apps in use (Shadow IT)
2) Enforce granular policies to govern
handling of sensitive information, including
compliance-related content
3) Enforce cloud application management
policies in existing web proxies and firewalls
4) Encrypt or tokenize sensitive content
to enforce privacy and security
5) Detect and block unusual account
behavior indicative of malicious activity
6) Integrate cloud visibility and controls
with your existing security solutions
WHAT IS SHADOW IT AND SHADOW DATA?
What is Shadow IT? Third-party IT solutions, including cloud apps and services, adopted without oversight from the IT organization.
What is Shadow Data? Data you do not know is being shared by your organization.
Shadow IT and Shadow Data demo
CLOUD ACCESS SECURITY BROKERS (CASB)
A new solution for cloud app security
Where a CASB gets its data: APIs, gateways, log data, agents
FUNDAMENTALS OF AN EFFECTIVE CASB SOLUTION
1) Cloud app discovery and analysis
2) Data governance and protection
3) Threat protection and incident response
4) Compliance and data privacy
THE PROBLEM OF SHADOW IT
1. Business-ready cloud apps are a strategic part of a company’s IT infrastructure
2. Some employees are adopting cloud services without IT sanction or oversight
3. This movement toward employee-adopted cloud apps is known as Shadow IT
THE PROBLEM OF SHADOW IT
Shadow IT exposes an organization to risk by creating blind spots:
1. Do the Shadow IT applications have appropriate security controls?
2. Do they align with compliance requirements?
3. Can they operate as conduits for data exfiltration?
THE PROBLEM OF SHADOW IT
• First priority: visibility
• Only way of obtaining visibility into Shadow IT: a CASB solution
WHY DO ORGANIZATIONS REQUIRE VISIBILITY AND ANALYSIS OF THEIR CLOUD APPS?
Shadow IT risk assessment:
• Discover Shadow IT
• Ensure compliance
• Identify risky apps
• Block risky apps
• Identify inefficiencies
• Sanction apps
DISCOVERING CLOUD APPS
How many cloud apps are there in an organization?
• The average organization has 800 cloud apps
• Perform a Shadow IT risk assessment using firewall or proxy logs
• Determine the business readiness of discovered apps
CLOUD APPS ANALYSIS
What questions should we ask about cloud applications?
• Who is accessing the riskiest apps?
• How often are employees accessing these apps?
• How much bandwidth is being consumed by these apps?
• Which departments are driving this usage?
• Which locations are involved?
• Which browsers and platforms are employees using?
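The two slides above describe the discovery step and the analysis questions only in words. The script below is an added example, not part of the workshop and not the code of any CASB product: it runs the Shadow IT assessment over a handful of constructed proxy log lines, extracts the destination host, looks it up in a small hypothetical app catalog (the business-readiness scores, the sanctioned flags and the app names ShareBox, PasteBucket, Corp Drive and Corp CRM are all invented), and answers the who, which department, how much data and which browser questions per app.

```python
from urllib.parse import urlsplit

# Constructed proxy access-log lines (tab-separated): time, user, source IP, method,
# URL, status, bytes, user agent. Invented sample records, not real traffic.
PROXY_LOG = """\
2024-03-01T09:02:11Z\talice\t10.1.4.20\tGET\thttps://drive.example-corp.com/files\t200\t1200\tMozilla/5.0 (Windows NT 10.0) Chrome/122
2024-03-01T09:05:42Z\tbob\t10.1.4.31\tPOST\thttps://upload.sharebox.test/api/put\t201\t52428800\tMozilla/5.0 (Macintosh) Safari/17
2024-03-01T09:07:03Z\tcarol\t10.2.9.7\tPOST\thttps://app.pastebucket.test/new\t200\t4096\tMozilla/5.0 (X11; Linux) Firefox/123
2024-03-01T09:08:55Z\tbob\t10.1.4.31\tPOST\thttps://upload.sharebox.test/api/put\t201\t104857600\tMozilla/5.0 (Macintosh) Safari/17
2024-03-01T09:10:10Z\tdave\t10.3.1.2\tGET\thttps://crm.example-corp.com/\t200\t800\tMozilla/5.0 (Windows NT 10.0) Chrome/122
2024-03-01T09:12:30Z\talice\t10.1.4.20\tPOST\thttps://app.pastebucket.test/new\t200\t2048\tMozilla/5.0 (Windows NT 10.0) Chrome/122
2024-03-01T09:15:00Z\teve\t10.3.1.9\tGET\thttps://www.example-corp.com/\t200\t300\tMozilla/5.0 (Windows NT 10.0) Chrome/122
"""

# Hypothetical app catalog: hostname -> (app name, business-readiness score 0-10, IT-sanctioned).
# A real CASB ships a catalog of thousands of apps; these entries are invented.
CATALOG = {
    "drive.example-corp.com": ("Corp Drive", 9, True),
    "crm.example-corp.com": ("Corp CRM", 8, True),
    "upload.sharebox.test": ("ShareBox", 3, False),
    "app.pastebucket.test": ("PasteBucket", 2, False),
}
# Hypothetical directory lookup: user -> department.
DEPARTMENT = {"alice": "finance", "bob": "engineering", "carol": "marketing", "dave": "sales", "eve": "hr"}


def parse_log(text):
    """Parse the tab-separated proxy records into dicts, keeping only the hostname of each URL."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, method, url, status, nbytes, ua = line.split("\t")
        records.append({"time": ts, "user": user, "src": src, "method": method,
                        "host": urlsplit(url).hostname, "status": int(status),
                        "bytes": int(nbytes), "ua": ua})
    return records


def browser_family(ua):
    """Coarse browser classification from the user-agent string."""
    for name in ("Chrome", "Firefox", "Safari"):
        if name in ua:
            return name
    return "Other"


def discover_apps(records):
    """Aggregate traffic per application: who, which departments, how much, from which browsers."""
    apps = {}
    for r in records:
        name, readiness, sanctioned = CATALOG.get(r["host"], (r["host"], None, False))
        s = apps.setdefault(name, {"readiness": readiness, "sanctioned": sanctioned,
                                   "users": set(), "departments": set(), "browsers": set(),
                                   "requests": 0, "bytes": 0})
        s["users"].add(r["user"])
        s["departments"].add(DEPARTMENT.get(r["user"], "unknown"))
        s["browsers"].add(browser_family(r["ua"]))
        s["requests"] += 1
        s["bytes"] += r["bytes"]
    return apps


def risky_apps(apps, min_readiness=5):
    """Known apps below the readiness bar, biggest data movers first."""
    flagged = [n for n, s in apps.items() if s["readiness"] is not None and s["readiness"] < min_readiness]
    return sorted(flagged, key=lambda n: apps[n]["bytes"], reverse=True)


def unknown_apps(apps):
    """Hosts the catalog cannot score: these need review, not a silent pass."""
    return sorted(n for n, s in apps.items() if s["readiness"] is None)


if __name__ == "__main__":
    apps = discover_apps(parse_log(PROXY_LOG))
    for name in risky_apps(apps):
        s = apps[name]
        print(f"{name}: readiness={s['readiness']} users={sorted(s['users'])} "
              f"departments={sorted(s['departments'])} bytes={s['bytes']} browsers={sorted(s['browsers'])}")
    print("unknown hosts needing catalog review:", unknown_apps(apps))
```

Unknown hosts go into a separate review list instead of being scored: the catalog, not the log, is what turns a hostname into a risk rating, and a host the catalog does not know must be investigated rather than treated as safe by default.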
MITIGATE RISK FROM SHADOW IT
• Make smart app choices
• Review contracts with cloud providers
• Coach users
• Identify cost savings
• Block risky apps
• Monitor continuously
WHY DO ORGANIZATIONS NEED TO MANAGE SENSITIVE CONTENT?
1. Oversharing of sensitive content
2. Cloud-to-cloud sharing
3. Administrative oversight
4. Compliance-regulated data
5. Data sovereignty
HOW CAN WE MANAGE SENSITIVE CONTENT?
The problems: oversharing of sensitive content, cloud-to-cloud sharing, administrative oversight, compliance-regulated data, data sovereignty
The controls:
1) Cloud-based DLP
2) Data classification
3) Policy enforcement
4) Encryption and tokenization
CLOUD-BASED DLP
• Email is being supplanted by link sharing on the cloud
• A new type of Data Loss Prevention (DLP) is needed
• Cloud apps facilitate sharing large volumes of data
• The scalability and accuracy of data governance and control have to be more robust
Why can't we use our network DLP to solve these problems? Network DLPs do not have visibility into cloud applications.
DATA CLASSIFICATION
• Many approaches focus solely on keywords and regular expressions
• More advanced techniques such as natural language processing enable a broader range of content classification
• Advanced solutions can dynamically identify categories of documents
• Create custom classification profiles
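The slide contrasts keyword and regular-expression matching with more advanced classification. The code below is an added example, not from the deck or any product, that shows the gap in the simplest form: the digit pattern alone would flag both card-like strings in the constructed document, the Luhn checksum keeps only the real one, and the SSN pattern excludes area and group numbers that are never issued. Keyword hits add a CONFIDENTIAL label. The sample text, the patterns and the label names are all assumptions made for the illustration.

```python
import re

# Constructed sample document: one valid test card number, one digit string that
# fails the Luhn checksum, one SSN-formatted value and one SSN lookalike whose
# area number (000) is never issued.
SAMPLE_DOC = """Quarterly refund batch (CONFIDENTIAL - internal use only)
Customer card on file: 4111 1111 1111 1111, expires 09/27.
Rejected entry (typo, fails checksum): 1234 5678 9012 3456.
Employee SSN for payroll correction: 123-45-6789.
Ticket reference 000-12-3456 is an internal case id, not an SSN.
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN layout with the area (000, 666, 9xx), group (00) and serial (0000) values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Keyword profile: handling markings that an organization's own documents carry.
KEYWORD_RE = re.compile(r"\b(confidential|internal use only|do not distribute)\b", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Regex candidates that also pass the checksum; the checksum removes most false positives."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(text):
    """Return the matches per detector and the set of labels the document earns."""
    result = {
        "card_numbers": find_card_numbers(text),
        "ssns": SSN_RE.findall(text),
        "keywords": [k.lower() for k in KEYWORD_RE.findall(text)],
        "labels": set(),
    }
    if result["card_numbers"]:
        result["labels"].add("PCI")
    if result["ssns"]:
        result["labels"].add("PII")
    if result["keywords"]:
        result["labels"].add("CONFIDENTIAL")
    return result


if __name__ == "__main__":
    for key, value in classify(SAMPLE_DOC).items():
        print(f"{key}: {value}")
```

Validation after matching is the cheapest accuracy gain a regex-only classifier can get; what it cannot do is recognize a document as a payroll file or a medical record when no pattern fires, which is where the NLP and category-based approaches on the slide come in.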
POLICY ENFORCEMENT
• Rich content classification allows us to define and enforce granular policies
• Rather than block apps, block bad behavior within cloud apps
• Policy criteria: users, user groups, applications, device properties, locations, user actions, file properties
• Policy actions:
  - Unsharing links
  - Blocking uploading and downloading of files
  - Blocking the sharing of files via email
  - Encrypting and tokenizing information
  - Messaging users to coach them in proper behavior
  - Alerting security operations personnel
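The criteria and actions listed above map naturally onto policies kept as data rather than code: each policy is a set of conditions over the event's attributes plus the actions to take when all of them hold. The engine below is an added example, not the policy language of CloudSOC or any other product; the policy names, the group directory, the sanctioned-app list and the four events are constructed for the illustration.

```python
# Hypothetical directory lookup: user -> group.
GROUPS = {"alice": "finance", "bob": "engineering", "carol": "contractors"}
# Hypothetical list of IT-sanctioned apps.
SANCTIONED_APPS = {"Corp Drive", "Corp CRM"}


def has(label):
    """Matcher: the attribute (a set of classification labels) contains `label`."""
    return lambda value: label in value


def not_in(values):
    """Matcher: the attribute is outside the given set."""
    return lambda value: value not in values


# Policies as data. Every condition in `when` must hold on the flattened event;
# a condition value is an exact value, a set of allowed values, or a predicate.
POLICIES = [
    {"name": "block-pii-download-unmanaged-device",
     "when": {"action": "download", "device.managed": False, "file.classification": has("PII")},
     "then": ["block", "alert"]},
    {"name": "unshare-public-sensitive-files",
     "when": {"action": "share", "file.exposure": "public", "file.classification": lambda c: bool(c)},
     "then": ["unshare", "coach"]},
    {"name": "coach-contractor-unsanctioned-upload",
     "when": {"group": "contractors", "action": "upload", "app": not_in(SANCTIONED_APPS)},
     "then": ["coach", "alert"]},
]

# Constructed events, shaped like what a CASB receives from a gateway or an API feed.
EVENTS = [
    {"user": "alice", "app": "Corp Drive", "action": "download", "location": "US",
     "device": {"managed": False, "os": "iOS"},
     "file": {"name": "payroll.xlsx", "classification": {"PII"}, "exposure": "internal"}},
    {"user": "bob", "app": "Corp Drive", "action": "share", "location": "US",
     "device": {"managed": True, "os": "Windows"},
     "file": {"name": "cards.csv", "classification": {"PCI"}, "exposure": "public"}},
    {"user": "carol", "app": "ShareBox", "action": "upload", "location": "GB",
     "device": {"managed": True, "os": "macOS"},
     "file": {"name": "notes.txt", "classification": set(), "exposure": "internal"}},
    {"user": "dave", "app": "Corp Drive", "action": "download", "location": "US",
     "device": {"managed": True, "os": "Windows"},
     "file": {"name": "payroll.xlsx", "classification": {"PII"}, "exposure": "internal"}},
]


def flatten(event, prefix=""):
    """Nested dicts to dotted keys: {"device": {"managed": False}} -> {"device.managed": False}."""
    flat = {}
    for key, value in event.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def matches(when, attrs):
    """All conditions must hold; a missing attribute never satisfies a condition."""
    for key, expected in when.items():
        if key not in attrs:
            return False
        actual = attrs[key]
        if callable(expected):
            ok = expected(actual)
        elif isinstance(expected, (set, frozenset)):
            ok = actual in expected
        else:
            ok = actual == expected
        if not ok:
            return False
    return True


def decide(event, policies=POLICIES):
    """Return ("deny" | "permit", ordered list of actions) for one cloud event."""
    attrs = flatten(event)
    attrs["group"] = GROUPS.get(event["user"], "unknown")   # derived criterion from the directory
    actions = []
    for policy in policies:
        if matches(policy["when"], attrs):
            actions.extend(a for a in policy["then"] if a not in actions)
    verdict = "deny" if "block" in actions else "permit"
    return verdict, actions


if __name__ == "__main__":
    for event in EVENTS:
        print(event["user"], event["action"], event["file"]["name"], "->", decide(event))
```

Note the verdict logic: only "block" stops the user's action, while unshare, coach, tokenize and alert are remediations that run alongside a permitted action, which is what "block bad behavior rather than the app" looks like in practice.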
ENCRYPTION AND TOKENIZATION
• Some compliance requirements force companies not to put personally identifiable information (PII) and other sensitive data in the cloud
• Certain types of data need to remain within a geographic border
• Encryption and tokenization can be used to provide an additional layer of protection
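Tokenization in the sense the slide uses it, written out as an added example (not from the deck or any product): a vault keeps the real value on premises and hands the cloud app a random token of the same shape, so the data that crosses the border or sits in the cloud is not the regulated value itself. The vault class, the keep-last-four convention and the sample values are assumptions made for the illustration.

```python
import secrets


def format_preserving_token(value, keep_last=4):
    """Replace every digit except the last `keep_last` with a random digit; keep separators and letters."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    replaceable = digit_positions[:-keep_last] if keep_last else digit_positions
    if not replaceable:
        raise ValueError("value has no digits to replace; the token would equal the value")
    chars = list(value)
    for i in replaceable:
        chars[i] = str(secrets.randbelow(10))   # CSPRNG: the token must not be predictable
    return "".join(chars)


class TokenVault:
    """Tokenization vault. The mapping is the secret and stays on premises (or inside the CASB);
    only the tokens travel to the cloud app. Tokens are random, so they cannot be reversed
    without the vault; a hash of a low-entropy value such as a card number could be brute-forced."""

    def __init__(self):
        self._value_of = {}   # token -> value
        self._token_of = {}   # value -> token, so the same value always gets the same token and joins still work

    def tokenize(self, value, keep_last=4):
        token = self._token_of.get(value)
        if token is None:
            while True:
                token = format_preserving_token(value, keep_last)
                if token != value and token not in self._value_of:   # never leak the value, never collide
                    break
            self._token_of[value] = token
            self._value_of[token] = value
        return token

    def detokenize(self, token):
        """Only callers with vault access can recover the value; unknown tokens yield None."""
        return self._value_of.get(token)

    def tokenize_record(self, record, fields):
        """Return a copy of `record` with the named fields replaced by tokens."""
        out = dict(record)
        for field in fields:
            out[field] = self.tokenize(record[field])
        return out


if __name__ == "__main__":
    vault = TokenVault()
    customer = {"name": "Alice", "card": "4111111111111111", "ssn": "123-45-6789"}
    cloud_copy = vault.tokenize_record(customer, ["card", "ssn"])
    print("sent to the cloud:", cloud_copy)
    print("recovered on premises:", vault.detokenize(cloud_copy["card"]))
```

Two operational caveats: the vault must be protected and backed up, because losing it means losing the data; and a production vault should make sure a card-shaped token can never pass the Luhn check, so that a token is never mistaken for a real card number downstream.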
DATA LOSS AND EXPOSURE MITIGATION PROCESS
1. Identify and remediate risky exposures
2. Define a data protection strategy
3. Enforce policies for sensitive data
4. Coach users on appropriate behavior
5. Enforce compliance regulations
USER RISK IN CLOUD APPLICATIONS
1. The proliferation of usernames and passwords increases risk
2. Malicious attackers are more likely to compromise user credentials
3. Attackers can also use cloud apps to disseminate malware
4. Deep visibility into transactional events is required
5. These capabilities are integral to an effective CASB solution
THE EVOLVING ROLE OF IDS/IPS
1. Traditional IDS/IPS solutions cover a decreasing share of the risk
2. Cloud apps require deeper visibility
3. CASB solutions focus on monitoring and controlling data regardless of the point of entry
4. CASB solutions normalize data across all cloud apps
DEEP VISIBILITY OF CLOUD ACTIVITY
CASB solutions gain visibility into cloud apps via gateways and APIs
CLOUD THREAT AND ANOMALY DETECTION
• CASB solutions can identify unusual patterns or anomalies in user behavior
• These patterns can be based on thresholds
• More sophisticated solutions apply data science to user behavior
• A baseline behavioral pattern can be established for each user
MALWARE DETECTION
• The cloud can be an effective conduit for malware distribution through SSL connections
• CASB solutions provide early detection of malware within the cloud environment
• Suspicious content can be quarantined
CONTINUOUS MONITORING AND INCIDENT ANALYSIS
• Filtering on attributes
• Time-scale analysis
• Free-form search
CLOUD ATTACK MITIGATION PROCESS
1. Manage identities and credentials
2. Continuously monitor cloud activity for threats
3. Identify and prevent malware
4. Implement strong incident analysis
WHAT COMPLIANCE ISSUES SHOULD ORGANIZATIONS CONSIDER?
• Personally Identifiable Information (PII)
• Payment Card Details or Personal Financial Data
• Personal Health Information (PHI)
• Family Educational Rights and Privacy Act (FERPA)
• International Traffic in Arms Regulations (ITAR)
• Criminal Justice Information Service (CJIS)
Name compliance frameworks
THREE AREAS WHERE CASB PLAYS A CRITICAL ROLE
1) Cloud apps and services have the appropriate security certifications
2) Certain cloud applications are blocked from receiving specific types of regulated data
3) Regulated data that legitimately needs to be placed in the cloud is secured per compliance guidelines
SECURE AND MONITOR REGULATED DATA
Applications that typically hold regulated data:
• Customer support applications
• Medical collaboration portals
• Consumer lending applications
• Human resources applications
• Financial analytics applications
1. Secure all regulated data with additional protection techniques
2. Limit access to all regulated data types
3. Monitor and log all interactions with regulated data
MONITOR AND LOG INTERACTIONS WITH REGULATED DATA
• Audit and log application transactions that contain regulated data
• Most SaaS services do not have an inherent notion of a log
• Organizations need to create independent transaction logs
• CASB solutions can be used to implement these logs
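Two of the points made earlier, that a CASB normalizes events across cloud apps (THE EVOLVING ROLE OF IDS/IPS) and that the organization needs its own transaction log because the SaaS service does not keep one for it (this slide), are shown together in this added example, which is not from the deck or from any product. The two raw event shapes, the service names cloud-drive-a and cloud-drive-b and the common schema are invented; the hash chain over the log lines is an addition for this example so that the independent log is also tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed raw events from two hypothetical cloud storage apps with different schemas.
RAW_EVENTS = [
    ("cloud-drive-a", {"eventType": "file_download", "actor": {"email": "alice@example-corp.com"},
                       "target": {"id": "f-100", "name": "payroll.xlsx", "labels": ["PII"]},
                       "ts": 1709283600, "ip": "203.0.113.5"}),
    ("cloud-drive-b", {"event": "SHARE", "user_login": "bob@example-corp.com", "item_id": "9",
                       "item_name": "cards.csv", "created_at": "2024-03-01T09:05:42Z",
                       "shared_with": "public", "classification": "PCI", "ip_address": "198.51.100.7"}),
]

# Per-service vocabulary -> common action names.
ACTION_MAP = {
    "cloud-drive-a": {"file_download": "download", "file_upload": "upload", "share_created": "share"},
    "cloud-drive-b": {"DOWNLOAD": "download", "UPLOAD": "upload", "SHARE": "share"},
}


def severity(action, sensitivity, exposure):
    """Severity is computed once, on the normalized fields, so every app is rated the same way."""
    if sensitivity and action == "share" and exposure in ("public", "external"):
        return "high"
    if sensitivity and action in ("download", "share"):
        return "medium"
    return "low"


def normalize(service, raw):
    """Map one app-specific event onto the common CASB schema."""
    if service == "cloud-drive-a":
        when = datetime.fromtimestamp(raw["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        action = ACTION_MAP[service].get(raw["eventType"], "other")
        user, obj = raw["actor"]["email"], raw["target"]
        object_id, name = obj["id"], obj["name"]
        sensitivity, exposure, ip = list(obj.get("labels", [])), "internal", raw.get("ip")
    elif service == "cloud-drive-b":
        when = raw["created_at"]
        action = ACTION_MAP[service].get(raw["event"], "other")
        user, object_id, name = raw["user_login"], raw["item_id"], raw["item_name"]
        sensitivity = [raw["classification"]] if raw.get("classification") else []
        exposure, ip = raw.get("shared_with", "internal"), raw.get("ip_address")
    else:
        raise ValueError(f"unknown service {service}")
    return {"time": when, "service": service, "user": user, "action": action,
            "object": {"id": object_id, "name": name}, "sensitivity": sensitivity,
            "exposure": exposure, "source_ip": ip,
            "severity": severity(action, sensitivity, exposure)}


def normalize_all(raw_events):
    return [normalize(service, raw) for service, raw in raw_events]


class TransactionLog:
    """Append-only JSON-lines log. Each line carries the SHA-256 of the previous line, so editing
    or deleting an earlier record breaks the chain. Tamper-evident, not tamper-proof: keep the
    head hash somewhere the log writer cannot reach and pass it to verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.head = self.GENESIS

    def append(self, record):
        line = json.dumps(dict(record, prev_hash=self.head), sort_keys=True)
        self.entries.append(line)
        self.head = hashlib.sha256(line.encode()).hexdigest()
        return self.head

    def verify(self, expected_head=None):
        prev = self.GENESIS
        for line in self.entries:
            if json.loads(line).get("prev_hash") != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return expected_head is None or prev == expected_head


if __name__ == "__main__":
    log = TransactionLog()
    for record in normalize_all(RAW_EVENTS):
        log.append(record)
    print("\n".join(log.entries))
    print("chain valid:", log.verify(log.head))
```

The normalized record is what the Investigate filters on the later slides (service, user, object, activity, severity, location) operate on; without this step every cloud app would need its own query language and its own severity rules.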
CLOUD COMPLIANCE AND DATA PRIVACY PROCESS
1. Ensure cloud apps have the necessary certifications and functionality
2. Understand if regulated data is being placed in the cloud
3. Make sure the right policies are in place
LESSON 6: THE CLOUD ACCESS SECURITY MATURITY MODEL
1. Cloud Access Security Maturity Model
2. Cloud Access Security Plan Template
3. CASB Solution Selector
Email me to get the files: [email protected]
SIMILARITIES BETWEEN CLOUDSOC AND NETWORK SECURITY SYSTEMS
CloudSOC function -> network security equivalent:
• Audit -> risk assessment
• Detect -> IDS/IPS
• Protect -> DLP & firewall
• Investigate -> SIEM
CLOUDSOC
Integration points: API (into the cloud app) and gateway (in line between the browser and the cloud app)
API and gateway content inspection = data exposure policies, file transfers, file sharing, access enforcement, Threat Score
AUDIT USE CASES
1) Detect cloud applications being used in our company
2) Determine the level of risk of each cloud application
3) Determine what users are using those applications
4) Select risky cloud applications to block
5) Consolidate redundant cloud applications
Audit Demo
DETECT USE CASES
1) Detect anomalous user actions based on thresholds
2) Detect anomalous user actions based on behavior
3) Detect anomalous user actions based on event sequences
Detect Demo
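The three Detect use cases are the three detection styles from the CLOUD THREAT AND ANOMALY DETECTION slide: a fixed threshold, a per-user behavioral baseline, and an event sequence. The code below is an added example (not a CloudSOC detector or any vendor's code) that implements one of each over constructed events and history; the users, counts, countries and rule parameters are invented.

```python
import statistics
from collections import defaultdict, deque

T0 = 1709283600  # 2024-03-01T09:00:00Z

# Constructed activity events: epoch seconds, user, action, number of files, country of the source IP.
EVENTS = [
    {"ts": T0,        "user": "alice", "action": "login",    "n": 0,   "country": "DE"},
    {"ts": T0 + 300,  "user": "alice", "action": "download", "n": 120, "country": "DE"},
    {"ts": T0 + 600,  "user": "bob",   "action": "download", "n": 24,  "country": "US"},
    {"ts": T0 + 1200, "user": "alice", "action": "download", "n": 60,  "country": "DE"},
    {"ts": T0 + 1500, "user": "carol", "action": "login",    "n": 0,   "country": "GB"},
    {"ts": T0 + 1800, "user": "carol", "action": "download", "n": 5,   "country": "GB"},
]
# Constructed per-user history: files downloaded per day over the previous 14 days.
HISTORY = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 2],
    "bob": [20, 25, 22, 18, 24, 21, 23, 19, 22, 20, 24, 21, 23, 20],
}
# Constructed: countries each user has previously logged in from.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"GB"}}


def threshold_alerts(events, limit=100, window=3600):
    """Rule 1 (threshold): more than `limit` files downloaded by one user inside a sliding window."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "download":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["n"]))
        while q and q[0][0] < e["ts"] - window:
            q.popleft()
        total = sum(n for _, n in q)
        if total > limit:
            alerts.append({"rule": "threshold", "user": e["user"], "ts": e["ts"], "detail": total})
    return alerts


def baseline_alerts(events, history, z_limit=3.0, min_days=7):
    """Rule 2 (behavior): today's download volume is far outside the user's own baseline (z-score)."""
    today = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            today[e["user"]] += e["n"]
    alerts = []
    for user, total in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            continue    # too little history to judge; a real system would fall back to a peer-group baseline
        mean = statistics.mean(past)
        spread = max(statistics.stdev(past), 1.0)   # floor so a very steady user is not alerted on by noise
        z = (total - mean) / spread
        if z > z_limit:
            alerts.append({"rule": "baseline", "user": user, "detail": round(z, 1)})
    return alerts


def sequence_alerts(events, known_countries, window=600):
    """Rule 3 (sequence): login from a country never seen for that user, then a download within `window`."""
    pending = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["action"] == "login" and e["country"] not in known_countries.get(user, set()):
            pending[user] = e
        elif e["action"] == "download" and user in pending:
            if e["ts"] - pending[user]["ts"] <= window:
                alerts.append({"rule": "sequence", "user": user, "ts": e["ts"],
                               "detail": f"login from {pending[user]['country']} then download of {e['n']} files"})
            del pending[user]
    return alerts


if __name__ == "__main__":
    for alert in threshold_alerts(EVENTS) + baseline_alerts(EVENTS, HISTORY) + sequence_alerts(EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

On this data all three rules point at alice, but for different reasons and with different failure modes: the threshold fires on any user who legitimately moves a lot of data, the baseline stays silent for a user like bob whose normal is already high, and the sequence rule is the only one that says why the activity looks like an account takeover rather than a busy day.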
PROTECT USE CASES
1) Create policies to prevent data exposure
2) Create policies to apply access enforcement
3) Create policies to block file sharing
4) Create policies to prevent file transfer
5) Create policies to block users based on Threat Score level
Protect Demo
INVESTIGATE USE CASES
1) Monitor activity based on:
a. Service
b. User
c. Object
d. Activity
e. Severity
f. Location
g. Browser
h. Device
Investigate Demo
SECURLET USE CASES
1) Detect exposed files
2) Detect exposed users
3) Detect files with sensitive information
4) Detect third party apps that have read/write access to our cloud apps
5) Monitor activity in specific cloud apps
Securlet Demo
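Securlet use cases 1, 2 and 4 come down to reading the sharing metadata and the OAuth grants that a storage app exposes through its API. The example below is added here and is not Securlet or any vendor's code; the permission schema, the scope names, and the files, users and apps are all constructed for the illustration.

```python
ORG_DOMAIN = "example-corp.com"

# Constructed file metadata, shaped like what a storage app's sharing API might return (hypothetical schema).
FILES = [
    {"id": "f-100", "name": "payroll.xlsx", "owner": "alice@example-corp.com", "labels": ["PII"],
     "permissions": [{"type": "user", "email": "alice@example-corp.com", "role": "owner"},
                     {"type": "anyone", "role": "reader"}]},                      # link-shared with the world
    {"id": "f-101", "name": "roadmap.pdf", "owner": "bob@example-corp.com", "labels": [],
     "permissions": [{"type": "user", "email": "bob@example-corp.com", "role": "owner"},
                     {"type": "user", "email": "partner@contractor.example", "role": "writer"}]},
    {"id": "f-102", "name": "lunch-menu.txt", "owner": "carol@example-corp.com", "labels": [],
     "permissions": [{"type": "user", "email": "carol@example-corp.com", "role": "owner"},
                     {"type": "domain", "domain": "example-corp.com", "role": "reader"}]},
]
# Constructed OAuth grants to third-party apps (hypothetical scope names).
GRANTS = [
    {"app": "Calendar Sync", "scopes": ["calendar:read"], "granted_by": "alice@example-corp.com"},
    {"app": "PDF Converter", "scopes": ["files:read", "files:write"], "granted_by": "bob@example-corp.com"},
]


def is_external(principal, org_domain=ORG_DOMAIN):
    """True for an e-mail address or domain outside the organization (subdomains count as internal)."""
    domain = principal.split("@")[-1].lower()
    return domain != org_domain and not domain.endswith("." + org_domain)


def exposure_level(file, org_domain=ORG_DOMAIN):
    """'public' beats 'external' beats 'internal': one anyone-with-the-link share makes the whole file public."""
    level = "internal"
    for p in file["permissions"]:
        if p["type"] == "anyone":
            return "public"
        if p["type"] == "user" and is_external(p["email"], org_domain):
            level = "external"
        if p["type"] == "domain" and is_external(p["domain"], org_domain):
            level = "external"
    return level


def exposed_files(files, org_domain=ORG_DOMAIN):
    """Files shared outside the organization, most sensitive and most exposed first."""
    hits = [(f, exposure_level(f, org_domain)) for f in files]
    hits = [(f, level) for f, level in hits if level != "internal"]
    hits.sort(key=lambda fl: (0 if fl[0]["labels"] else 1, 0 if fl[1] == "public" else 1))
    return [dict(f, exposure=level) for f, level in hits]


def exposed_users(files, org_domain=ORG_DOMAIN):
    """External identities that hold access, and the files each can reach."""
    out = {}
    for f in files:
        for p in f["permissions"]:
            if p["type"] == "user":
                principal = p["email"]
            elif p["type"] == "domain":
                principal = "*@" + p["domain"]
            else:
                continue
            if is_external(principal, org_domain):
                out.setdefault(principal, []).append(f["name"])
    return out


def risky_app_grants(grants):
    """Third-party apps holding write access to our cloud data."""
    return [g for g in grants if any(s.endswith(":write") for s in g["scopes"])]


if __name__ == "__main__":
    for f in exposed_files(FILES):
        print(f"{f['exposure']:8} {f['name']} labels={f['labels']}")
    print("external users:", exposed_users(FILES))
    print("apps with write access:", [g["app"] for g in risky_app_grants(GRANTS)])
```

The ordering in exposed_files is the remediation order: a labelled file behind a public link is the first thing to unshare, while an unlabelled file shared with one named external user may be a legitimate collaboration that only needs a review.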