1. Detection, Response and the Azazel Rootkit
Continuous Monitoring for Elastic Infrastructure
Wednesday, March 19th, 2014
2. Topics
‣ Defining Purpose Built for the Cloud
‣ The Cloud Threat Landscape
‣ Cloud Security is a Shared Responsibility
‣ Introducing Cloud Sight
‣ Detecting the Azazel rootkit with Continuous Monitoring
‣ Q & A
3. Agility Driving Cloud Adoption But Security Concerns Remain
As reported by RightScale: http://www.rightscale.com/pdf/rightscale-state-of-the-cloud-report-2013.pdf
4. Purpose-Built Security Solutions Are Required
‣ No customer-controlled egress point
‣ Resource-intensive agents drive up CPU-hour cost
‣ Lack of elasticity
‣ Servers launched with no protection
‣ Backends designed for on-prem deployments lack scale
‣ Forensic data must persist beyond the life of transient instances
‣ Manual agent deployment
5. Cloud Ready, by Design
‣ Easy to deploy within DevOps processes
‣ True elasticity
‣ Native Elastic Beanstalk support
‣ Big data backend enables scale, analytics, and IR forensics
‣ Linux sensors, not agents
‣ Continuous vs. real-time monitoring
‣ Resource friendly
6. The Cloud Threat Landscape
• Publicly accessible
• You don’t control the hardware
• Linux / open source software
7. Cloud Security is a Shared Responsibility
• It’s not the cloud provider’s responsibility to protect your data.
• It’s not all bad: some providers offer some security features.
• Continuous monitoring is no longer a luxury but a necessity.
8. Introducing Cloud Sight
Continuous Monitoring for Elastic Infrastructure
• Cloud ready by design.
• Continuous monitoring for cloud assets, automated behavioral profiling.
• Server activity does not change as drastically as desktop endpoints, so a learned baseline stays meaningful.
• Reconstructing the TTY session and gathering context on all asset behavior is a must.
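Added illustration of the two ideas on this slide, behavioral profiling against a server baseline and TTY session reconstruction. This is example code written for this page, not Cloud Sight's code, and the deck does not show its record format or detection rules: the key=value exec-event log, the baseline/observed split, and the field names (`ppid_comm`, `tty`, `args`) are all constructed here. The `/etc/ld.so.preload` rule is an assumed indicator added for the example, the usual persistence step for LD_PRELOAD userland rootkits such as Azazel; it is not a rule the deck states.

```python
"""Toy behavioral profiler over server exec events (added example, not Cloud Sight code).

A baseline of (host, uid, parent command, exe) tuples is learned from a quiet
window; later events outside it or matching a hard rule are flagged, and
interactive TTY activity is rebuilt into an ordered per-session transcript.
"""
import re
from collections import defaultdict

# Constructed sample records: one exec() per line, in an invented key=value format.
BASELINE_LOG = """\
ts=1 host=web-1 uid=0 ppid_comm=init exe=/usr/sbin/nginx tty=none
ts=2 host=web-1 uid=33 ppid_comm=nginx exe=/usr/sbin/nginx tty=none
ts=3 host=web-1 uid=0 ppid_comm=cron exe=/usr/sbin/logrotate tty=none
ts=4 host=web-1 uid=1000 ppid_comm=sshd exe=/bin/bash tty=pts/0
ts=5 host=web-1 uid=1000 ppid_comm=bash exe=/usr/bin/tail tty=pts/0 args=-f /var/log/nginx/access.log
ts=6 host=web-1 uid=0 ppid_comm=cron exe=/usr/bin/apt-get tty=none args=update
"""

OBSERVED_LOG = """\
ts=100 host=web-1 uid=33 ppid_comm=nginx exe=/usr/sbin/nginx tty=none
ts=101 host=web-1 uid=1000 ppid_comm=sshd exe=/bin/bash tty=pts/0
ts=102 host=web-1 uid=1000 ppid_comm=bash exe=/usr/bin/sudo tty=pts/0 args=-i
ts=103 host=web-1 uid=0 ppid_comm=sudo exe=/bin/bash tty=pts/0
ts=104 host=web-1 uid=0 ppid_comm=bash exe=/usr/bin/gcc tty=pts/0 args=-shared -fPIC -o /lib/libhook.so hook.c
ts=105 host=web-1 uid=0 ppid_comm=bash exe=/usr/bin/tee tty=pts/0 args=-a /etc/ld.so.preload
ts=106 host=web-1 uid=0 ppid_comm=cron exe=/usr/sbin/logrotate tty=none
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one record into a dict; 'args' may contain spaces, so it is taken as the tail."""
    head, sep, args = line.partition(" args=")
    ev = dict(FIELD.findall(head))
    ev["args"] = args if sep else ""
    ev["ts"] = int(ev["ts"])
    return ev


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def build_profile(events):
    """Baseline: every (host, uid, parent command, exe) seen in the learning window."""
    return {(e["host"], e["uid"], e["ppid_comm"], e["exe"]) for e in events}


# Baseline-independent rules. Appending to /etc/ld.so.preload is the usual
# persistence step for LD_PRELOAD userland rootkits (assumed indicator, not from the deck).
HARD_RULES = [
    ("ld.so.preload write", lambda e: "/etc/ld.so.preload" in e["args"]),
    ("compiler run on server", lambda e: e["exe"].endswith(("/gcc", "/cc"))),
]


def find_anomalies(events, profile):
    """Map ts -> list of reasons for events outside the baseline or matching a hard rule."""
    hits = defaultdict(list)
    for e in events:
        key = (e["host"], e["uid"], e["ppid_comm"], e["exe"])
        if key not in profile:
            hits[e["ts"]].append("exec pattern not in baseline: %s" % (key,))
        for name, pred in HARD_RULES:
            if pred(e):
                hits[e["ts"]].append(name)
    return dict(hits)


def reconstruct_sessions(events):
    """Group interactive execs by (host, tty) in time order: a replayable session transcript."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["tty"] == "none":
            continue
        cmd = e["exe"] + (" " + e["args"] if e["args"] else "")
        sessions[(e["host"], e["tty"])].append("uid=%s %s" % (e["uid"], cmd))
    return dict(sessions)


def report(events, profile):
    """Each anomaly with the exes run earlier on the same TTY: the context an IR analyst wants."""
    anomalies = find_anomalies(events, profile)
    ordered = sorted(events, key=lambda e: e["ts"])
    out = []
    for e in ordered:
        if e["ts"] not in anomalies:
            continue
        prior = [x for x in ordered if x["tty"] == e["tty"] != "none" and x["ts"] < e["ts"]]
        out.append((e["ts"], anomalies[e["ts"]], [x["exe"] for x in prior]))
    return out


if __name__ == "__main__":
    profile = build_profile(parse_log(BASELINE_LOG))
    for ts, reasons, context in report(parse_log(OBSERVED_LOG), profile):
        print(ts, reasons, "after:", context)
    for key, cmds in reconstruct_sessions(parse_log(OBSERVED_LOG)).items():
        print(key, "\n  " + "\n  ".join(cmds))
```

On the constructed data the nginx workers and the cron jobs stay silent because they match the baseline, while the interactive `sudo -i`, the root shell, the compiler invocation and the write to `/etc/ld.so.preload` on pts/0 are all reported together with the commands that preceded them on that TTY. The point of the baseline is exactly the slide's observation that server activity is stable: on a desktop this tuple set would churn constantly and the profile would be useless.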