Showing posts tagged with: Cloud Security
03Dec
ShieldX Partners with AWS
Business

New Amazon VPC Ingress Routing—What Does it Mean for Security?

We welcome the introduction of Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing, a new capability from Amazon Web Services (AWS) designed to let companies like ShieldX simplify the integration of security appliances that monitor and block network traffic, without the need to apply special routes or forgo details such as public IP address routing between subnets. (For more, see Amazon’s blog post.)

One of the biggest questions facing every senior security professional is how to secure enterprise networks as they fundamentally change over time. This requires a level of flexibility and scale heretofore unknown in the security industry. Traditional appliance-based solutions were built monolithically and are not well suited to cloud architectures, and the new cloud-friendly products do not provide the depth of security required to protect environments from the variety of attacks typically deployed.

As noted recently in CSO Online:

Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”

Eventually, security professionals will find themselves asking:

  • How did we become totally marginalized as the businesses just went around us and built whatever they wanted directly in the cloud?
  • What does security entail in this new cloud architecture and can I secure critical assets as they move to the cloud?
  • Can I achieve the agility promised by the cloud, while ensuring proper visibility and control over the digital assets?
  • How do you automate enforcement of security policy as apps change without human intervention?
  • Do any of my traditional security tools provide value in the new cloud environment?
  • How can I enforce scalable and flexible access control in virtualized and cloud deployments (microsegmentation)?

Amazon VPC Ingress Routing: What does it mean?
With AWS’s new announcement, the CISO’s job just got a whole lot easier. Moving to the cloud means you can easily cover the two major traffic concerns that inhibit public cloud adoption for data centers. How?

Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.
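One practical consequence of the paragraph above is that the gateway route table becomes a security control in its own right: if an application subnet is missing from it, inbound traffic for that subnet falls through to the VPC's local route and never passes the appliance. The following audit script is an added example (not ShieldX's or AWS's code). It assumes the layout just described, a route table associated with the Internet Gateway whose routes send the application subnets' traffic to the security appliance's elastic network interface (ENI), and it checks a constructed document that mirrors the JSON shape of `aws ec2 describe-route-tables`; every resource ID and CIDR in it is a made-up placeholder. It reports two conditions: application subnets not redirected to the appliance, and the appliance's own subnet appearing as a redirect target, which this example treats as a misconfiguration by assumption.

```python
"""
Audit of an Amazon VPC Ingress Routing gateway route table.
Added example; not ShieldX's or AWS's own code. All IDs are placeholders.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output:
# one route table attached to the IGW (ingress routing) and one ordinary
# subnet route table. IDs and CIDRs are made up for this example.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-gateway-placeholder",
            "VpcId": "vpc-placeholder",
            "Associations": [
                {"RouteTableAssociationId": "rtbassoc-placeholder-1",
                 "RouteTableId": "rtb-gateway-placeholder",
                 "GatewayId": "igw-placeholder", "Main": False},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                # First app subnet: redirected to the appliance ENI (as intended).
                {"DestinationCidrBlock": "10.0.1.0/24",
                 "NetworkInterfaceId": "eni-appliance-placeholder",
                 "State": "active"},
                # The appliance's own subnet redirected to the appliance ENI:
                # treated as a misconfiguration in this example (assumption).
                {"DestinationCidrBlock": "10.0.9.0/24",
                 "NetworkInterfaceId": "eni-appliance-placeholder",
                 "State": "active"},
                # 10.0.2.0/24 has no entry, so it falls through to "local"
                # and reaches its instances without passing the appliance.
            ],
        },
        {
            "RouteTableId": "rtb-subnet-placeholder",
            "VpcId": "vpc-placeholder",
            "Associations": [
                {"RouteTableAssociationId": "rtbassoc-placeholder-2",
                 "RouteTableId": "rtb-subnet-placeholder",
                 "SubnetId": "subnet-app-placeholder", "Main": False},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0",
                 "GatewayId": "igw-placeholder", "State": "active"},
            ],
        },
    ]
})

# Intended deployment (constructed values for this example).
GATEWAY_ID = "igw-placeholder"
APPLIANCE_ENI = "eni-appliance-placeholder"
APPLIANCE_SUBNET = "10.0.9.0/24"
APP_SUBNETS = {"10.0.1.0/24", "10.0.2.0/24"}


def gateway_route_tables(payload, gateway_id):
    """Route tables whose association attaches them to the given IGW/VGW."""
    tables = json.loads(payload)["RouteTables"]
    return [t for t in tables
            if any(a.get("GatewayId") == gateway_id
                   for a in t.get("Associations", []))]


def redirected_cidrs(payload, gateway_id, appliance_eni):
    """Destination CIDRs that the gateway route table sends to the appliance ENI."""
    cidrs = set()
    for table in gateway_route_tables(payload, gateway_id):
        for route in table.get("Routes", []):
            if (route.get("State") == "active"
                    and route.get("NetworkInterfaceId") == appliance_eni
                    and "DestinationCidrBlock" in route):
                cidrs.add(route["DestinationCidrBlock"])
    return cidrs


def audit_ingress_routing(payload, gateway_id, appliance_eni,
                          appliance_subnet, app_subnets):
    """
    uncovered: app subnets with no redirect, so inbound traffic bypasses the
               appliance via the local route;
    self_redirect: the appliance subnet itself listed as a redirect target.
    """
    redirected = redirected_cidrs(payload, gateway_id, appliance_eni)
    uncovered = sorted(set(app_subnets) - redirected)
    self_redirect = appliance_subnet in redirected
    return {"uncovered": uncovered, "self_redirect": self_redirect,
            "ok": not uncovered and not self_redirect}


if __name__ == "__main__":
    print(json.dumps(audit_ingress_routing(
        SAMPLE_DESCRIBE_ROUTE_TABLES, GATEWAY_ID, APPLIANCE_ENI,
        APPLIANCE_SUBNET, APP_SUBNETS), indent=2))
```

Run against real output by replacing the constructed JSON with the text of `aws ec2 describe-route-tables` and the placeholder IDs with the deployment's own; an empty `uncovered` list means every protected subnet is routed through the appliance at the gateway.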

With ShieldX, enterprises can protect East/West traffic flows. As you move to the cloud, most enterprise traffic becomes East/West traffic. Analysts report that East/West traffic (traffic within the data center and traffic between data centers) represents nearly 85 percent of total traffic flow. This represents a gigantic blind spot in which basic visibility, compliance and enforcement become impossible.

With ShieldX, users can overcome significant management and security challenges by adopting a full range of security controls that provide the ability to view traffic, identify anomalies and block attacks traversing both north/south and east/west, all from a single management console.

Here’s a video overview illustrating how ShieldX works to secure AWS.

So, today’s news from AWS should be widely welcomed by the broad security community. We can finally embrace cloud security and economics at once.

07Nov
Cathay Pacific: Get Off of My Cloud
Business

Just today, government authorities in Hong Kong launched a formal investigation into the breach to understand whether privacy laws were violated. While privacy laws are extremely important, the investigation should also focus on HOW this happened. While post-mortems for any breach are useful, I think this attack highlights a new category of cloud attacks we haven’t seen much before, but will with increasing frequency.

First, a little about Cathay Pacific and their cloud deployment. Like many, they’ve adopted a multicloud strategy:

“In the past three years, Cathay Pacific has been making a shift away from legacy systems to the cloud,” says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership. “It now employs a hybrid cloud as part of its strategy to replace their legacy systems,” he says.

The airline is using software from Red Hat to build the underlying open platform infrastructure, and it is using Amazon Web Services to hold customer-facing applications, such as the online check-in system, flight schedules, fares and web hosting, as was described during AWS Summit Hong Kong in 2017, Cheang points out. “As a result of these front-end apps, I presume that the customer data will be accessible from these apps which are hosted on AWS,” he says.

Last April, we wrote about the new attack surface that comes with cloud migration. One of the attacks, X-Cloud, seems to have been the attack method deployed against Cathay Pacific. By all measures, it was pretty successful: according to the headlines, the hackers took 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, and accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).

What is an X-Cloud attack? From our April blog:

Many enterprises are under the impression that they can go easy on security if they don’t host ‘critical workload’ or ‘sensitive data’ resources in the cloud, but they couldn’t be more wrong. Attackers commonly use public clouds to gain entry into on-premise data centers.

Once your organization makes the decision to migrate any workloads into the public cloud, the perimeter of your on-premise data center also extends into that public cloud environment.

So the appropriate defenses are needed, but the security controls used to protect your on-premise data center cannot easily extend into your public cloud environment.

This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud using standard protocols—if there are no lateral defenses in place.

Cathay Pacific style attack patterns

Cathay Pacific moved application front-ends to the public cloud, extending their perimeter into the great beyond. Many companies quickly discover that you can’t easily keep your old security tools in front of those migrated workloads, as that would require the tools to migrate into the public cloud as well. Congratulations, you have a new attack surface.

In the past, the infrastructure was all on premise and shielded by comprehensive security controls. With the onset of cloud computing, the web tier is now extended into the cloud; how do you protect assets in this contorted new architecture?

Attackers understand this very well. One typical trick is to breach the web server in AWS and drop a backdoor accessible from the outside. The backdoor is then told to copy all the data from the database, which must be reachable from the web server to fulfill the web application’s purpose. Normally, data is served in parts depending on the authenticated user; with the backdoor, authentication is bypassed, and the web server has access to the whole data set.

What is really important to note here is that even micro segmentation alone (!) wouldn’t protect against such an attack — the web server needs access to the data that it serves.

So Willkommen (I’m Austrian) to the new realities of cloud security. In this new era, we have to break old habits and old ways of thinking rooted in yesterday’s security approach, and we have to admit to ourselves that the chokepoint approach won’t work anymore. For the CISO in today’s IT world, the security game has, in many ways, become a whole new model to work with. In years past, the name of the game was “containment – with chokepoints”. It was a tightly controlled world – and CISOs had the ability to lock it down and only allow dataflows through a select set of avenues.

What is the right way? Let’s start with some inspiration from Mick: https://www.youtube.com/watch?v=z8HHqUwKdP8

05Nov
PortSmash attack exploits Intel’s Hyper-Threading architecture to steal your data
Threat Intelligence

On Friday, a new attack called PortSmash was announced. This attack exploits Intel’s Hyper-Threading architecture to steal your data.
Details here: https://www.digitaltrends.com/computing/new-portsmash-attack-allow-attackers-to-steal-encrypted-data/

What do we know so far?

Researchers have uncovered yet another side-channel attack, named PortSmash, in Intel and AMD CPUs. All CPUs with a simultaneous multithreading (SMT) architecture, including Intel’s Hyper-Threading (HT) technology, are affected by the attack. The researchers have published proof-of-concept code to show that this is possible and not just a theory.

For the attack to be successful, the malicious code must run on the same CPU core as the legitimate code. Because of SMT and HT, code running on one thread can observe what is happening on the other thread, and an attacker can use this behavior by running malicious code alongside the legitimate code in order to eavesdrop. The malicious code then leaks encrypted data in bits and pieces that the attacker can later reconstruct. Intel has released a patch for this.

What is the Delivery Mechanism?

We are not aware of any delivery mechanism for the malicious code, but according to the report it can be delivered using a regular phishing attack or other mechanisms.

Are datacenters affected?

Yes, datacenters are affected by this attack. The shared model of public datacenters makes this attack quite dangerous: attackers simply rent VMs and run malicious code on the same CPU core as the legitimate code to eavesdrop. Technically, they don’t have to build a delivery mechanism. However, to exploit a private datacenter they do have to build a delivery mechanism.
17Apr
Status Report: SX Research Team Reveals New Cloud Security Threats
Stratus Report

In 2005, Gary McGraw and Brian Chess published a taxonomy of code vulnerabilities exploited by attackers. Today, the “Seven Pernicious Kingdoms” continue to be used by MITRE to classify vulnerabilities. With the onset of cloud computing, it is time to begin a new taxonomy that accounts for attacks on cloud infrastructure.
20Mar
Hot off the Press – ShieldX Networks Selected as Finalist for RSA Conference 2018 Innovation Sandbox Contest!
Company News

We at ShieldX Networks are thrilled to confirm that we have been selected as a finalist in the highly coveted RSA Innovation Sandbox Contest. The Innovation Sandbox Contest is an opportunity to spotlight new approaches to information security technology, provides advice and counsel for entrepreneurs, and exposes the RSA Conference community to venture capitalists, industry experts, senior-level business practitioners, and thought leaders. Please read RSA’s announcement here: https://www.businesswire.com/news/home/20180320005165/en/RSA-Conference-Announces-Finalists-2018-Innovation-Sandbox
10Oct
Why You Need Advanced Micro-Segmentation to Combat Advanced Attacks
Technology

Just as we learned thirty years ago, access control alone is not a sufficient defense. Or, to put it another way, it’s déjà vu all over again! Just as the access control provided by those first firewalls in the 1980s was not enough to secure the perimeter, micro-segmentation based on access control alone does not adequately solve the problem of lateral movement inside the multi-cloud.
16Jun
The Strategy Behind the Startup Madness
Business

Welcome to ShieldX and our Blog. This inaugural post provides insight into ShieldX, the company, its mission and how ShieldX is able to offer, within only 18 months, a validated, market-changing innovation with market-renowned recognition as a Gartner 2017 Cool Vendor in Cloud Security.


About Author

Ratinder Ahuja

Founder & CEO. Ratinder leads ShieldX and its mission as its central pivot point, drawing from a career as a successful serial entrepreneur and corporate leader and bringing with him his unique blend of business acumen, industry network and deep technical knowledge.