Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft

  /     /     /  
Publicated : 23/11/2024   Category : security


Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft


A closer look at native threat intelligence capabilities built into major cloud platforms and discussion of their strengths and shortcomings.



BLACK HAT USA 2018 – Las Vegas – Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all recently doubled down on threat intelligence to help users identify and respond to malicious activity in the public cloud. But where do these platforms differ, and how do those differences help or harm cloud security?
Brad Geesaman, an independent cloud infrastructure security consultant, aimed to clarify the strengths and shortcomings of each platform during his Black Hat session Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities. He set the stage for his side-by-side comparison with a broader look at how security is different in the cloud.
For starters, competition is ramping up in the space. As it does, companies are prioritizing shipping features and outsourcing non-core capabilities – including security. The cloud explosion has demolished the traditional perimeter, a rise in new infrastructure has shifted the attack surface, and a dearth of cloud security experts is amplified amid a wave of new features and services.
Cloud environments change fundamental assumptions about security, Geesaman explained. When everything is an API, the traditional approaches dont fit, he said. The scalability of the cloud grants an opportunity to amplify good behavior. It also amplifies human error. 
Direct compromise may not be needed to affect cloud security, he continued. Credential theft can happen via phishing, malware, backdoor libraries or tools, or password guessing. Malicious outsiders abuse employees failure to rotate, disable, or delete credentials after someone leaves the company. Credential leaks, another common vector, happen more often than one might think. 
Youd be surprised – or maybe not – where these keys can show up, Geesaman added. People give them away by accident all the time.
When shopping among major cloud services, its important to bear in mind that none of them have been around very long. Theyre still growing, changing, and gaining new features, and they all still have work to do. Dont expect something thats been in service for 10 years, he said.
Geesaman asked several of the same questions when evaluating the intelligence tools in each cloud platform: which data sources they use, how they operate on data, how much visibility the data provides, what is not covered in the service, and what is needed for onboarding, cost structure, partner integration, customization, and validating detection.
And with that, he dove into the research. First up ...
Microsoft Azure
The Azure Security Center was first released in fall 2015, became generally available in spring/summer 2016, and added threat detection in summer 2017. Its idea is to provide security management and threat detection and apply security policies across hybrid cloud workloads. Microsoft charges $15 per system per month for the tool.
Its dashboard is one of the key features, Geesaman pointed out. If youre comfortable managing Windows on-prem, much of your knowledge will carry over. 
He also highlighted its security recommendation engine, which prioritizes issues to tackle, as well as custom alert rules, file integrity monitoring, REST API, and third-party tool integration – which he said is helpful for managing choice endpoint tools. The value-add comes from its hybrid-first approach, Microsoft-supported Windows/Linux Agent, and Azure Log Analytics Service, in which all agent logs are searchable.
Amazon Web Services
Amazon GuardDuty was released as CloudTrail in spring 2013, AWS VPC Flow Logs in summer 2015, and GuardDuty in winter 2017. GuardDuty offers threat detection so users can continuously monitor AWS accounts and workloads. Its offered as a 30-day free trial and, in North America, is priced at $0.25 to $1 per GB of VPC/DNS and $4 per 1 million Cloudtrail Events.
Whats key: GuardDuty monitors data streams from CloudTrail Events, VPC Flow Logs, and DNS Logs. It integrated threat intel feeds with known malicious IP addresses and domains; users can supply their own IP lists for good and bad hosts, he added. Further, GuardDuty can be set so users have centralized AWS accounts and dont have to be involved in dev or operations teams to have those events sent to them.
The platform detects backdoors, malicious behavior, cryptocurrency mining, persistence, Trojans, recon, and attacks conducted with pen-testing tools, among other threats. Its value-add comes from a zero-impact setup, clear detection listing, broad partner ecosystem, and seeing multiple types of API abuse.
One of the things I liked about GuardDuty is they do a lot of detections, and they tell you what those detections are, Geesaman said. Its very transparent about what its looking for and does the best and clearest job of reporting the misuse of API keys, he added. 
Google Cloud Platform
The Google Cloud Platform (GCP) is still in its early stages, he continued. It detects botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic, and feeds them into a user interface that he anticipates will undergo changes as its still early in development. 
GCPs value-add comes from a zero-impact setup that doesnt affect any running workflows, as well as an API and interface that feature partner solutions and integrate their output into a single interface. Its also framework-oriented and designed to handle security events across multiple services.
Cloudy Forecast
There is room for improvement across all the major platforms, Geesaman pointed out. On the detection side, visibility is dependent on implementation. If youre defending your organization and you dont know what youre detecting, how do you know what gaps you have? he noted.
Detection capability listings could be better, he added, as well as customization and tuning of the data. From an integration perspective, he said he foresees a lot of movement and improvement in how security events are collected, analyzed, processed, and forwarded. 
Cloud providers are known for moving very quickly with their services, Geesaman concluded, adding that change is in the future. He advised attendees to check providers next major events for updates.
Related Content:
10 Threats Lurking on the Dark Web
Google Engineering Lead on Lessons Learned From Chromes HTTPS Push
Breaking Down the PROPagate Code Injection Attack
Expect API Breaches to Accelerate

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft