2. What is security?
… protecting your servers, code, data,
network, users from the bad guys
3. What is large scale?
Big infra (apps, servers, routers, firewalls), lots
of stored data, lots of streaming data, partners
… so much that’s humanly impossible to
manage or make sense out of .. and where
traditional technologies fail to be of help
4. What is security @ large scale?
When traditional security techniques fail. Too
many devices to manage. Too much logs. Many
ways of getting attacked. Lots of applications.
Multiple programming stacks. Lots of code
pushed out daily. Acquisitions. Mergers.
Outsourced Service Providers. 3rd party
software.
5. DoS – a novice as well as a
sophisticated attacker’s attack
Monitor, Learn, Adapt
6. The mystery of DDoS
Is it the holiday traffic or a botnet?
Sometimes just being a difficult or
expensive target is a win… also called
raising the bar
7. 0 days attacks @ layer 7
Telnet, FTP, SMTP, DNS, HTTP, RPC, SIP, SSH
Tighten up access. Let the enemy come
between the mountains.
8. For 90%, Internet is HTTP or
World Wild Web
Amazon, Flickr, Tumblr, Gmail, Y!
News, FB, Y! Finance, Twitter, Y!
Weather, G Maps
15. Use technology for it
Hadoop, MapReduce, Data Mining,
CommonCrawler, Nutch, Splunk,
NodeJS, PhantomJS………
16. To win some battles, you need
Avengers
Restrictive ACLs, Continuous Inventory Discovery,
Proactive Vulnerability Detection, Patch
Management beyond at Web layer, Secure
programming stack, Abuse Detection, Static
Analysis, Dynamic Analysis, Red Team, Trainings,
Bug Recognition / Bounty program
Notas do Editor
This is what security at large scale looks like. It doesn’t make sense when you look at things independently. But one could possibly apply some methods to this madness. When you have the ability to place certain things in a certain manner where you are able to correlate and make high level inferences, you start seeing patterns. You start getting important signals. Suddenly data turns information. This information then can be transformed into intelligence when applied carefully. One needs to be an artist. Else this can get real ugly otherwise.
Before we go further let’s just set a baseline between us. What is security? There are many definitions. And better ones at that. To keep things crude and simple, let’s just say we want to protect our users, network, data, server and code from the bad guys.
Now what is scale? I am no expert on big data and scale but when I see things have become humanly impossible to manage and make intelligent sense of, in context of diversity and quantity, with traditional methods, tool set and technologies, it is a large scale problem that I call it.
So with those is mind, let’s call security at large scale a problem when traditional security methods fail to give important insight into our security posture and vulnerabilities. Considering you are big, there is no one vulnerability or exploit you will be compromised with. And with business dynamics in equation. Suddenly you think this problem needs more attention than you originally thought.
Looking back, DoS is one of the 1st things I tried as a novice. I will never be an expert, nor am I sophisticated, neither am I novice anymore, yet I will try DoS if I were to. So what DoS exactly is? Denial of Service (DoS) islike a real world problem when people crowd outside your shop. You think they are customers and happy at first sight. Then you say, ok, there is a problem. They are not letting the real buyers in. Technically speaking these attacks could be as simple as ping of death, SYN flood, tear drop on layer 4 to GET attack on layer 7 HTTP, to as sophisticated as web server specific attacks like Apache and IIS DoS vulnerabilities. How do you protect? There is no one constant answer. First understand your systems. Learn quickly. And adapt even quicker.
It’s Christmas. You are happy. Expecting customer crowd. It all happens. But all petty, worse window shoppers! Turning away the real ones. That’s DDoS. Extremely difficult to detect. Raise the bar there. Be a tough target. Let the bad guys look for weaker targets. Again monitor, learn, adapt.
The layer 7, popularly known as the application layer. A galaxy of protocols. To improve your posture, 1st tighten up a bit. 0 day attacks could target anything. You don’t want to feel sorry if you were compromised on an entry point that didn’t even had to be there. The ones that don’t need to be there, restrict access to them. Fewer the entry points for an attacker, better it is for you. Increase cost of a compromise for an attacker. Now what about 0 days. It’s not an easy one. Sometimes it’s as important to detect and recover from a compromise, as it is to protect against them. Again be a difficult target. We will touch more on other aspects of 0 days in the next slides.
But for 90% users like my son and wife, Internet is web. The unheralded HTTP. The most imperfect and yet most successful protocol amongst its peers. That’s where it leads to for most of us, via browser bugs and related technologies if not through web applications themselves. So it has many angles you see.
And now you have the mobile first move. That complicates it a bit. Suddenly your tools feel out of place and your existing security measures ancient.
Let’s see a few demos now. Worms infect at large scale. Ever heard of Sammy Worm? It was an XSS attack. A browser side exploit that infected at user level than server level. XSS has been around for a decade and still it the #1 vulnerability on Internet. Enough said.
Worms also exist on server side. SQL Injection is one of the techniques behind it. Here is a demo. Once you get control of a system through SQLi, you pivot and compromise others.
Man in the middle is a simple yet extremely effective strategy that’s become more of a concern with wireless technologies and on the move nature of devices where they are connected through untrusted networks. Here is another demo, this time on a mobile application.
There are more ways that you could be compromised with than you think. There are so many kind of vulnerabilities and scenarios. This talk isn’t about those.An important note, before we more forward.Internal traffic is not necessarily internal. Most large and sophisticated compromises that happen compromise rest of the internal systems or even externally visible systems using the internal compromised system as pivot. This mostly works. The internal security for most enterprises seems to be porous. Next level of maturity for industry? Time will tell.
APT is more than a buzz word, if you attempt to look behind the hype. Aurora, Stuxnet or similarly purported sponsored attacks were possibilities even before. Just that you didn’t have to be sophisticated, there wasn’t much awareness and care about security and targeting wasn’t hugely difficult. In current times, it is. Enterprises have fairly good external security, good antiviruses, and continuous patch management. So determined attackers need to try more. And what they do is, they chain small, individually pointless, or unexploitable vulnerabilities together with other similar, sometimes even remotely related vulnerabilities, to produce lethal exploits! 0days play a big part here too. Mostly used as pivot from unexpected places. Software that we many a times don’t watch or are unable to.
More technologies. More attack surface. More complexity. More opportunities and more vulnerabilities for attackers to exploit. In such times the least we could do is use technology for it, of course when and where it makes sense.push your logs to hadoop? Run mapreduce to find your external assets?Use data mining to find patterns?Use science algos to make inferences on security posture, predictions?Find attacks in progress or similar compromises with data correlation / mining?Manage them with splunk?Do large scale distributed programming with NodeJS?Use phantomJS for interesting things like DOM XSS and vulnerabilities that need browser instrumentation?
When you are so big, there is no one way you will be attacked. Or putting it differently, there is no one weak spot you have. The dynamically changing environment with intake of exploding new technologies, moreover makes it a war. You win some battles, you lose some. What really matters is your tally. The less you lose, the better you are. Attackers have a tendency to look for weaker targets, with similar if not equal loot. Some important things to do are, not relying on one thing. Do many things, like a symphony, in a harmonious manner, so it comes out as music and not noise. Not many are born musicians. But practice and experience makes us better. Same goes here:Keep following ancient advise: defense in depth, least privilegeKnow your assets. What you are trying to protect? Do a continuous inventory discoveryAttacks take time to succeed. Sometimes it’s great to even detect them, if not catch them while in progress or during their early stagesHow many of us patch our apps against vulnerable javascript, flash, wordpress plugins? Patch management at every layer, including sub componentsIt is important to make your programming stacks secure. Do you have auto protection against XSS, do you have anti-csrf libraries and other security abstractionsAbuse detection is of immense help in dealing with DoS, malware, automated bots, amongst other thingsYou still need code scanners, dynamic scanners that are quick, low false positives. That are developer centric and fit in their environmentDon’t ask developers. Listen to them. An advise not many will give youHave your internal offensive or red team. Yes I am asking for a lot. But seriously you need that at scale. Idea is to try solve problem from every angle. You will be surprised. Together they cover each other’s weaknesses and provide a good overall postureDevelop smart trainings. Don’t give them owasp. Don’t give them 200 page security standard document. They don’t have time to read those. Remember – less is more. Play smartSo do you have enough confidence now? If yes, think of opening a bug recognition programLast. Take it easy. It won’t happen overnight. Have patience. Prioritize. Prioritize prioritization. Re-prioritize. Be agile. Wow I just used another buzz word! That’s all for today.ß