Intelligence gathering is an often overlooked aspect of defense in depth for systems and data. On the 7/12 Virtualization Security podcast we discussed new and old sources of such intelligence. We were joined by Urvish Vashi, VP of marketing at Alert Logic, which has updated its report on cloud-based security attacks. Add to this the yearly Verizon breach report and others, and we start to have a good handle on intelligence about past, and possibly future, attacks. The following reports are worth reading if you work in the cloud or virtualization security arena. Some seem geared more towards service providers, but all are worth a read:
- Alert Logic’s State of the Cloud Security Report
- Verizon Breach Report
- SANS Top 20 Security Controls
- Australian Government DSD Top Mitigation Strategies
- Cloud Security Alliance Top Threats
- tool repositories such as Metasploit
- hacker repositories of information (do not go to these unless you have a machine to burn, use TOR, etc.)
These bits of intelligence change every year (some change every day), but more importantly they give you information about the various risks that abound on the internet, specifically those targeting virtual and cloud environments. While some of this intelligence reads more like a list of security controls, you should note what has actually changed from year to year. That knowledge can guide the changes you need to make within your own environment: if, for example, a new set of controls appears in these sources, I would seriously consider implementing it.
Outside of reports, security intelligence starts with assessments of your own environment and ongoing analysis of the various forms of data within it: log files, network logs, IDS/IPS reports, OS scans, and so on. Alert Logic, Qualys, and others automate some of this analysis for you, and some Security as a Service companies provide hands-on penetration testing as well. As you enter the cloud and expand to more than a few systems, tools to perform security analysis are required, as are systems big enough to perform that analysis automatically. Perhaps this kind of analysis is more of a Big Data problem than many realize, which is why specialized organizations and companies are offering solutions in this space. How does one analyze terabytes of log files, scan outputs, and automated assessments?
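As an added example (not code from the original post, nor from Alert Logic, Qualys, or any other vendor mentioned here), this is the simplest form of the ongoing log analysis described above, written so that it scales to large files: sshd log lines are consumed one at a time, so memory use stays constant regardless of log size, and the single pass flags sources that hammer authentication plus accounts that succeed from an address that had already failed. The hostnames, addresses and log lines are constructed for the example, and the threshold of five failures is an assumed tuning value, not a recommendation from any report.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed sample lines in syslog-style sshd format. Hostnames and
# addresses are hypothetical (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jul 12 03:14:01 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jul 12 03:14:02 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51023 ssh2
Jul 12 03:14:03 web01 sshd[2213]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Jul 12 03:14:04 web01 sshd[2213]: Failed password for invalid user oracle from 198.51.100.23 port 51025 ssh2
Jul 12 03:14:05 web01 sshd[2213]: Failed password for invalid user test from 198.51.100.23 port 51026 ssh2
Jul 12 03:14:09 web01 sshd[2213]: Accepted publickey for deploy from 203.0.113.7 port 40122 ssh2
Jul 12 03:15:00 web02 sshd[9981]: Failed password for jsmith from 203.0.113.7 port 40130 ssh2
Jul 12 03:15:20 web02 sshd[9981]: Accepted password for jsmith from 203.0.113.7 port 40131 ssh2
"""

# The two sshd authentication outcomes this pass cares about. The optional
# "invalid user" prefix marks attempts against accounts that do not exist.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def analyze(lines: Iterable[str], threshold: int = 5) -> Dict[str, object]:
    """Single pass over an iterable of log lines; the log itself is never held in memory.

    Returns a dict with:
      brute_force: source IPs with at least `threshold` failed logins, and their counts
      targeted_accounts: for each flagged IP, the sorted list of usernames it tried
      success_after_failure: (ip, user) pairs where a login succeeded from an
        address that had already produced at least one failure earlier in the stream
    """
    failures: Counter = Counter()
    users: Dict[str, Set[str]] = defaultdict(set)
    success_after_failure: Set[Tuple[str, str]] = set()

    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # Counter returns 0 for unseen keys without inserting them.
            if failures[ip] > 0:
                success_after_failure.add((ip, user))

    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force": brute_force,
        "targeted_accounts": {ip: sorted(users[ip]) for ip in brute_force},
        "success_after_failure": success_after_failure,
    }


def analyze_file(path: str, threshold: int = 5) -> Dict[str, object]:
    """Stream a log file from disk; the file object yields one line at a time."""
    with open(path, "r", errors="replace") as fh:
        return analyze(fh, threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, n in report["brute_force"].items():
        print(f"brute force: {ip} ({n} failures) tried {report['targeted_accounts'][ip]}")
    for ip, user in sorted(report["success_after_failure"]):
        print(f"success after failure: {user} from {ip}")
```

Because `analyze` takes any iterable of strings, the same function runs unchanged over a file handle, a gzip stream, or lines pulled from a message queue, which is the property that matters once the input is terabytes rather than a sample string. The per-source counters are the only state kept, so memory grows with the number of distinct source addresses, not with log volume.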
Defense in Depth
We need to go beyond the reports that anti-virus and anti-malware tools produce and look at the real data to understand our attack surfaces; but before we can do that, we need to understand the attacks themselves. Intelligence gathering is a crucial part of defense in depth and lets us plan appropriately for current and future attacks. If we understand the attack surfaces within our environment, we can better understand the risks involved and determine which security measures to implement. Intelligence gathering means stepping back to do the analysis and plan for the future (or the now), being proactive instead of reactive.
Attacks are becoming more intelligent. We should gather intelligence on the attacks, understand what is in the reports, and look at new attacks so that, as cloud and virtualization security professionals, we can be more proactive than reactive.