Threat Stack Announces New and Enhanced CloudTrail Rules

As AWS continues to expand its services landscape, Threat Stack has made a commitment to keeping in step by crafting additional coverage that keeps your cloud environment secure. The latest additions we’ve made to Threat Stack’s CloudTrail rules are focused on giving more granular alerting and context to your interactions with the AWS control plane.

Threat Stack has significantly expanded the CloudTrail Base Ruleset in its Cloud Security Platform®. Not only have we increased the number of rules from 26 to 87 — we have also provided rules for five AWS Services that were not covered previously (DynamoDB, Elastic Container Service, Elastic Kubernetes Service, Security Token Service, and AWS Support). And don’t forget — the Cloud Security Platform still gives you the flexibility to create custom rules based on CloudTrail event data.

While we’re not going to comment on all 87 rules in this post, we are going to focus on important highlights, including:

  • New rules to cover five additional AWS Services
  • Expanded rules for Identity and Access Management (IAM)
  • Expanded rules for Virtual Public Cloud (VPC)

The new rules for five additional AWS Services are discussed in Part 1 below, while Part 2 gives an overview of the expanded rules for AWS Services that we already support. Read more “Threat Stack Announces New and Enhanced CloudTrail Rules”

Detecting Unsafe Data Deserialization With Threat Stack

UPDATED — January 22, 2019
The Threat Stack SOC is aware of the recent disclosure of a breach of the PHP Extension and Application Repository (PEAR). Details of the breach have not been disclosed publicly, and we have no special knowledge of the breach. However, attacks against code repositories and injection of malicious code into third-party application dependencies help to underscore the importance of behavioral detection methods to identify and mitigate the exploitation of insecure PHP deployments. We will update this blog as appropriate pending additional public information on the PEAR breach.

UPDATED — February 1, 2019
Several weeks after the original publication of this blog, the PHP Extension and Application Repository (PEAR) disclosed a breach of its website, which led to the compromise of go-pear.phar. While Threat Stack has no inside or special knowledge of the breach at PEAR, based on publicly available information, we have confirmed that the Threat Stack Cloud Security Platform and Cloud SecOps Program can detect and mitigate an attack leveraging this injected PHP code.

It appears the attackers in this incident leveraged the research Sam Thomas presented at Black Hat 2018, which we discussed in this blog post. Based on publicly available information, the attackers appeared to be performing the first step in the attack chain by attempting to deliver injected phar files into a target environment. It is possible this attack was part of a poison well tactic targeting a specific or multiple organizations known to use PEAR and this file.

Insecure data deserialization first made its way into OWASP’s 2017 Top 10 list by way of community feedback. In the history of application security, that makes it a relatively new vulnerability that can be harder to detect due to the way it uses popular code libraries that are commonly used in web development.

The Threat Stack Cloud SecOps Program℠ exists not only to monitor customer environments and investigate alerts, but also to work with customers to help them improve their security postures. Occasionally, here in the SecOps Program’s security operations center (SOC), we get questions about the detection capability of the Threat Stack Cloud Security Platform®, and whether it is capable of detecting new and advanced attack vectors. (Our system uses behavioral detection, which is an extremely robust methodology for detecting new and old attack techniques.)

In this post, I’ll walk through how my colleagues and I in the SOC addressed an inquiry regarding a specific insecure deserialization exploit seen in the wild. Read more “Detecting Unsafe Data Deserialization With Threat Stack”

AWS re:Invent 2018 Recap: Security, DevOps, ML, & Hybrid Cloud Take Center Stage

Another year at AWS re:Invent has come and gone. As usual it was a jam packed show full of exciting announcements, great keynotes, sessions, and interesting conversations. In case you couldn’t make it to Vegas this year or could use a summary of what you missed while you were running between sessions, here are some of the highlights from our week in the desert. Read more “AWS re:Invent 2018 Recap: Security, DevOps, ML, & Hybrid Cloud Take Center Stage”

Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure

The adage “Everything old is new again,” rings true in the cybersecurity industry as much as anywhere else. Some of the best practices from old-school network security still apply to modern virtual server or containerized environments.

Even though hackers are becoming increasingly sophisticated with their attacks, applying some of these oldies but goodies to your arsenal could help reduce the risk of a security incident or breach.

Here are a few security best practices that stand the test of time. Read more “Three Old-School Network Security Tips That (Still!) Work for Modern Infrastructure”

AWS EC2 Tagging — An Overview

Just this morning I received my weekly AWS announcements email, and as I usually do, took a peek to see if there was anything useful or interesting. There were yet more features on their intimidating laundry list of 109 offerings, some outdated and maintained for legacy reasons like Simple Workflow, and some hot off the press like MariaDB RDS support. It’s easy to get lost in the sea of AWS services and be tricked into thinking there’s a feature that will solve your problem. But one feature, in particular, that should be a staple for organizations in their efforts to organize and manage their infrastructure, is tags, which we will discuss in this post.
Read more “AWS EC2 Tagging — An Overview”

How to Create a Threat Model for Cloud Infrastructure Security

Our Motto is: Threat Modeling: The sooner the better, but never too late. — OWASP

The practice of creating a threat model can help teams proactively understand and develop a strategy for managing the possible vulnerabilities their organization faces, instead of waiting until after an incident occurs. OWASP defines threat modeling as “a procedure for optimizing security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.”

SecOps teams can benefit from creating a threat model for cloud infrastructure, and defining an approach to operationalizing, hardening, and automating security throughout the software development lifecycle. While it’s best to build security into the design of your systems at the outset, remember the motto: “Threat Modeling: The sooner the better, but never too late.”

Let’s walk through how to get started. Read more “How to Create a Threat Model for Cloud Infrastructure Security”

3 Questions to Ask When You’re Ready to Operationalize Your Security

New global data from Checkmarx reveals that 92 percent of organizations struggle to implement security into DevOps — even though they say they want to. The heart of this issue is the common misconception that security slows things down, which leads to the common practice of skipping security measures in an effort to get things done.

While this approach may seem to create a payoff in terms of productivity, any gains are short term at best and are always offset by the fact that the company is at greater risk for a breach.

But the truth is, speed and security are not mutually exclusive, and you can effectively integrate security into operations throughout your organization if you follow SecOps best practices.

With that in mind, we’ll use this post to walk through the three major questions your organization must ask as it moves toward operationalized security.

Before diving into the post, however, take a look at details on our upcoming webinar — “How to Spend Your Security Budget in a DevOps World.” Read more “3 Questions to Ask When You’re Ready to Operationalize Your Security”

Security Budgeting Considerations for Containers

When it comes to managing SecOps, you must consider all the risks at hand, as well as how you can address them. Many of today’s SecOps teams are using containers for development, but this also opens organizations up to a variety of new risk factors.

To mitigate these risk factors, organizations need to ramp up their security budgets. After all, it’s expensive to hire the best SecOps professionals and purchase best-in-class tools to manage cybersecurity.

We recently published The State of Security Budgeting in 2018, which details the results from a survey of 300 technical, operations, compliance, and security professionals in North America, across a variety of industries. Of the organizations that responded, 37% had cloud infrastructure workloads that were container-based. The survey results point to many important budgetary considerations, particularly when it comes to containers. Here’s what you need to know. Read more “Security Budgeting Considerations for Containers”