AskAnAlien

Cloud Security
Securing Data in the Cloud: What's So Different?
AT&T Cybersecurity
Q5: How do you monitor cloud activity / usage / appropriateness?
Garrett Gross
One way is to look at it from a user level. i.e. "Why is my new helpdesk employee cloning databases and creating new users??"
Javvad Malik v2.0
By checking the monthly usage bills... :)
SPCoulson
as Javvad said - usage bills.
Javvad Malik v2.0
Although some providers are better at alerting than others.
Javvad Malik v2.0
It's not a consistent experience.
Garrett Gross
@J4vv4D You're right - Usage is actually a great indicator of compromise. Hijacked machines are usually used for high volume/quick return attacks (bitcoin mining, hosting 2nd stage malware, etc)
Martin Hepworth
push it down to the business heads. But then I work for a tech company...also work with finance to monitor the bills
SPCoulson
unusual admin access at unusual times of the day - but it's identifying that : "what does unusual look like"
Javvad Malik v2.0
Yep - Rich Mogull wrote a good piece on his experience when he accidentally left AWS access keys on github https://securosis.co...
Javvad Malik v2.0
@maxsec A fortunate position indeed!
Javvad Malik v2.0
@SPCoulson Baselining behaviour has never been easy. But a good way to find statistical outliers
Garrett Gross
@SPCoulson Which leaves a lot of folks scratching their heads. While they may be security pros, they aren't necessarily cloud experts.
SPCoulson
@J4vv4D but how many orgs have the tech to do this 'right' ?
SPCoulson
@garretthgross exactly - masters of none.
Javvad Malik v2.0
@SPCoulson If they have tech, they lack skills or resources... unfortunately.
Garrett Gross
@SPCoulson I think the number is irrelevant. Percentage-wise? That's the operative figure IMO
SPCoulson
@J4vv4D very true - ISO27 - resources ?
Martin Hepworth
tech isn't the be-all and end-all, just a tool that helps
Javvad Malik v2.0
@maxsec And a fool with a tool ... is still a fool!
Martin Hepworth
yes jav-mate, but policy ;-)
John Furrier
software using unstructured data is huge; Spark in memory has implications here
Garrett Gross
@J4vv4D I thought I told you to not call me that in public? ;)
Javvad Malik v2.0
@maxsec haha - please don't undo my years of therapy! :)
SPCoulson
@J4vv4D Is that a Mr T quote ? A fool with a tool is still a fool ?!
AT&T Cybersecurity
Q2: What criteria are most important when evaluating cloud providers?
Garrett Gross
IMHO, to make sure your resource needs are met without sacrificing visibility into the environment
SPCoulson
A2 @alienvault Confidentiality, Integrity and Availability of your data (ISO27001) plus speed of access.
Jitender Arora
it depends on the type of business trying to evaluate cloud. E.g. Regulated business is looking to consider control framework, online retail business will look at resilience and capacity etc
Javvad Malik v2.0
Understood - regulation aside, are there min req's you'd recommend?
SPCoulson
A2 @alienvault compliance to your data standards, location of data (UK, US, DE), resilience of solution, uptime
Jitender Arora
Law firms will look at security, resilience and cost.. It varies depending on industry sector. One constant is Cost :-)
Martin Hepworth
Another vote for, 27001 helps. As does up front and available privacy policies etc
SPCoulson
Cost versus Risk - the best balancing act in the world.
Javvad Malik v2.0
haha can't avoid costs for sure. Do you think security is in top considerations?
SPCoulson
The issue with compliance is that it isn't security and security isn't secure.
Jitender Arora
regulation aside - Cost, Resilience, Flexible costing model, Security, Elasticity etc
Garrett Gross
You can also ask yourself "does managing my cloud environment get in the way of managing my environment?"
SPCoulson
@J4vv4D no, but it is in there. Cost, ROI, Speed, Resilience, Security. and possibly in that order
Jitender Arora
If a cloud provider offers standard certification and follows industry best practice, it's a bonus and an important consideration
SPCoulson
They may have the certificates but how well implemented are they and to what scope. Some ISPs exclude their DCs.
Javvad Malik v2.0
@SPCoulson @jee2uu ah the dreaded scope - indeed an important oversight.
Jitender Arora
One important consideration is how quickly I can get my environment and data back if things go wrong... Because it will go wrong
Jitender Arora
@SPCoulson Certification scope is always an important factor if you want to consider it as a selection criteria. Too much oversight need negates cloud's business case. Requirements define relevance of consideration factors
SPCoulson
The vendor can get crafty with their scope too - have experienced it.
AT&T Cybersecurity
Q4: How are you identifying vulnerabilities in the cloud? #secchat
Garrett Gross
This is especially tricky since you aren't really supposed to be vuln testing in the cloud. Example - from AWS http://amzn.to/1eJfW...
SPCoulson
A4 I'd love to say "using @alienvault " of course, but that would be cheesy (and untrue).
Javvad Malik v2.0
I'd ask secondary q, are cloud vulns different from on-prem vulns?
Kate Brew
it is a tricky question!!!
SPCoulson
@J4vv4D nope a hole is a hole irrelevant of where it is.
Javvad Malik v2.0
@SPCoulson Cheesy, like Titanic - untrue... no :)
Jitender Arora
@J4vv4D No, cloud vulnerabilities are not different from on premise. It's about control around fixing them. You can do a lot at application stack level but not a lot at Infra level on a cost effective cloud model. You get what you paid for ;-)
Garrett Gross
A way around that, though, is intelligent parsing of the logs (cloudtrail, ELB, S3, etc). You can detect loads of activity without getting the internet police on you. Only problem with doing that yourself is - have you SEEN cloud logs??
SPCoulson
ps. wrong hashtag !
Javvad Malik v2.0
@garretthgross I once saw cloud logs... I was legally blind for 3 days after that!
Javvad Malik v2.0
Cool - so original q then - how do you find vulns in your cloud? :D
Kate Brew
@garretthgross how are cloud logs different from regular log files?
Jitender Arora
@J4vv4D Good conversation folks. It's time to get back to the day job. Have fun
SPCoulson
@J4vv4D Great question actually - some clouds have shared infrastructure so comes with its own set of problems.
Javvad Malik v2.0
Thanks for your contributions @jee2uu
SPCoulson
@J4vv4D divining rods and good luck ! plus whatever tin the vendor is reselling and hope it's at the right price !
Martin Hepworth
In the cloud infrastructure or the stuff we're running on top of it?
Martin Hepworth
or even with the SaaS type apps we use??? all diff as to how we can test, and have time to!