Continuous Security Monitoring

Continuous Security Monitoring for DevOps
EBOOK
@UPGUARD
CONTENTS
Introduction 04
Understand Current Trends in Intrusions and Attacks 08
Identify Existing Vulnerabilities 13
Assess Current Defense Mechanisms 16
Implement CM and Continuous Security Testing 19
Conclusion 22
01 INTRODUCTION

Recent articles and books discussing IT security invariably begin by painting a dismal landscape rife with rising cyber threats increasing in both sophistication and volume. Interestingly, this is no different than sentiments echoed by literature from a decade ago; a decade from now, security will also still be a pressing issue, if not the focal point of enterprise concern. Fending off cyber attacks and maintaining security may be business as usual for enterprise IT, but vigilant organizations in recent years have been boosting their security measures in response to both increasing cyber crime and heightened control requirements from regulatory bodies. For enterprises content with yesterday's or even today's security mechanisms, tomorrow's intrusion methods will likely arrive unannounced and sooner than expected.
THE EXPANDING ATTACK SURFACE

Transformational technologies such as the cloud and mobile, while enabling enterprises to be highly agile and efficient, have given rise to IT infrastructures of unprecedented complexity and variance. Firms standing to benefit from the cloud's horizontal scalability and pay-per-use consumption model often neglect to gauge the impact these technologies have on existing systems. This is especially typical of enterprise workplace cloud applications: employees are quick to adopt new SaaS offerings, leaving IT staff trailing behind in their efforts to secure them. Furthermore, the predominance of enterprise SaaS applications and the resulting decentralized data requires IT to completely rethink its data security strategy. RESTful cloud applications and web services make integration and extensibility trivial through safe, standardized methods of communication and data exchange; however, if not built carefully they can easily fall victim to unique REST API security issues like mashup-related vulnerabilities, among others, in addition to the traditional security flaws of standard web applications.

Today's IT infrastructures can simply no longer be designed with an on-premise mindset. Enterprise security measures must transcend the notion of securing just the perimeter, as the perimeter is fast disappearing. For instance, hybrid technologies allow data centers to burst to the cloud when needed, effectively giving enterprises infinite scalability for their applications and systems. The security cost of these benefits is manifest in the unique challenges of securing data across multiple cloud service providers, protecting cloud-based systems and physical/virtual network endpoints, and securing mobile devices that access cloud resources.

Ultimately, the combined negative impact of these transformational technologies is a rapidly expanding potential attack surface: the sum of all known and unknown vulnerabilities that could lead to an intrusion or compromise. New vulnerabilities and intrusion methods that render existing security measures ineffective comprise part of the attack surface. Enterprise adoption of the cloud, mobile devices/BYOD, and IoT (as well as other technologies on the horizon) also increases a firm's security risk exposure by potentially enlarging its attack surface. New mechanisms for mitigating risk are therefore continuously needed as the attack surface organically expands over time. Unfortunately, adapting enterprise security mechanisms accordingly to reduce the chances of a security compromise is an arduous and complicated affair for many enterprises.

So how does one position their enterprise against a rapidly expanding attack surface? Implementing processes for continuous security monitoring is an effective and sustainable approach to combating security threats on an ongoing basis. To this end, the following 4 steps may provide enterprises some guidance in preparation for continuous security monitoring.
02 UNDERSTAND CURRENT TRENDS IN INTRUSIONS AND ATTACKS

Analysis of patterns and trends in recently documented intrusions and attacks is instrumental to improving one's security posture against known and unknown threats. This information in turn can provide guidance on how to bolster the firm's security mechanisms in anticipation of future threats. Luckily, there is no shortage of data for these purposes: the volume and frequency of attacks in recent years allows for a degree of predictive analysis in combatting future intrusion methods and attempts. A comprehensive enterprise security framework should include continual, detailed tracking of threat statistics to assess an organization's security strengths/weaknesses against the direction attack trends are heading. As an example, the following is a cursory overview of attack patterns and trends that shed some light on areas of concern.
In 2012, industry firms were the main target of security compromises, accounting for 19% of attacks. Attacks on government systems came in second with 11% of attacks. In 2015, industries accounted for 28.1% of attacks, while government attacks accounted for 14.6%. Industry enterprises in particular should therefore be on hyper-alert for attacks and intrusion attempts.

[Chart: Distribution of Targets, January 2012 vs January 2015 (source: hackmageddon.com)]

DDoS attacks comprised 23.5% of attacks for January 2012, with another 23.5% of attacks using unknown techniques. In January 2015, however, SQLi attacks made up the majority of attacks. Taking advantage of SQLi-based vulnerabilities is a popular web application intrusion method; the rise in its popularity among cyber criminals can be correlated to the general increase in popularity of SaaS applications and ubiquitous open source CMS packages like Drupal and WordPress, the latter of which powers 23.7% of all websites. In fact, both of these CMS offerings have fallen victim to SQLi exploits in recent years. Enterprises deploying database-driven web/cloud applications should therefore take heed: hackers are now increasingly targeting the application stack for low-hanging intrusions, along with the typical intrusion methods focusing on underlying systems and network layers.

[Chart: Distribution of Attack Techniques, January 2012 vs January 2015 (source: hackmageddon.com)]
The vast majority of attacks are for criminal purposes like credit card, identity, and intellectual property theft. Enterprises should determine the extent to which their systems store sensitive data (e.g., customer/employee information, credit card data) and to what extent those systems are vulnerable. The facts stemming from the previous data can be interpreted as follows: (a) web application exploits are on the rise, and (b) they are primarily targeting industry enterprises (c) for criminal purposes like theft and fraud. While this may not be especially enlightening, the example serves to illustrate how enterprises can build and assess their security profiles using current trends in intrusions and attacks. More granular attack data and trends are readily available for firms wishing to further refine their security posture against existing and unknown threats/vulnerabilities.

[Chart: Motivations Behind Attacks, January 2012 vs January 2015 (source: hackmageddon.com)]

03 IDENTIFY EXISTING VULNERABILITIES
Equipped with insight into the range of threats the enterprise is potentially facing, one can assess which critical vulnerabilities are present in the firm's infrastructure. Though methods for going about this vary (a myriad of tools and solutions exist for achieving this end), a database or repository containing the latest threats and intrusions is required for testing systems against current attack patterns and identifying potentially vulnerable configurations.

THE OPEN VULNERABILITY AND ASSESSMENT LANGUAGE (OVAL)

A popular reference point for current vulnerability data is Mitre's Open Vulnerability and Assessment Language (OVAL). Though the acronym refers to Mitre's XML-based language for creating security tests, the eponymously-named open source project and standard serves as a preeminent resource for security and vulnerability data. Integral to OVAL is its comprehensive open source repository of OVAL definitions: machine-readable tests that enable standardized testing procedures to check for software vulnerabilities, configuration issues, programs, and patches. With OVAL definitions, one can determine which systems are prone to or possess a given vulnerability.

UPGUARD AND OVAL

UpGuard has integrated OVAL into its platform to provide full vulnerability scanning and assessment. Augmented by OVAL's up-to-date repository of vulnerability definitions, UpGuard enables users to easily test systems for the presence of critical exposures and misconfigurations. Furthermore, once vulnerabilities are detected, users can automate the proper course of action towards remediation with features such as alerts, task assignments based on event triggers, and more. By combining the latest data regarding current vulnerabilities and threat patterns with powerful discovery, configuration management (CM) and monitoring capabilities, UpGuard delivers a comprehensive solution that ensures enterprise systems are protected against present and future threats.
04 ASSESS CURRENT DEFENSE MECHANISMS

The mechanisms implemented for enterprise security are just as prone to vulnerabilities as the resources and systems they are protecting. Typically, firewalls and IDS/IDPS solutions stand as the first and second line of defense against external breaches. But what of threats originating internally? Acts of a disgruntled employee or the effects of a Trojan can be difficult to trace and remediate, especially if security controls are designed to protect against threats from external environments. IDS/IDPS solutions using both signature and anomaly-based threat detection can be effective in identifying internal threats, but carry the negative side effect of generating many false positives. To make matters worse, resulting exposures often go undetected for some time when these types of security devices have been compromised. Potential systemic security failures can ensue, wreaking havoc throughout the entire enterprise environment.
FIREWALLS AND DIMINISHING RETURNS

Firewalls for years have provided effective perimeter-based security, but as mentioned previously, the concept of the perimeter network is slowly dissipating with the growing preponderance of virtual servers and cloud infrastructures. Clearly, an on-premise network firewall provides very little if any protection for IaaS and PaaS enterprise customers. According to Gartner's estimates, roughly 75% of all servers in 2014 are virtual, with a steady increase in adoption expected over the next several years. The current popularity of hybrid cloud deployment models is indicative of the steady adoption of cloud technologies for mission-critical, highly secure applications, a transition that just a few years ago was cause for great security concern among enterprises.

To address this increasing presence of new infrastructure paradigms like the hybrid cloud, vendors are providing their own configurable firewall solutions for securing servers and applications within the service offering's cloud. For example, AWS offers EC2 security groups as a virtual firewall to protect server instances and applications hosted in Amazon's cloud. These virtual firewalls essentially function the same as their on-premise counterparts and are subject to the same limitations. For example, customers are left with little recourse in the event that an unauthorized virtual firewall port is opened, either accidentally or by an intruder or bot.

05 IMPLEMENT CM AND CONTINUOUS SECURITY TESTING
In the same sense that rising demand and increased consumption of widely accessible, scalable IT resources gave rise to the cloud, rapidly expanding and ever-evolving threats have given rise to continuous security testing. With this approach, the challenges of IT security can be managed like contemporary software: with agility, continuously tested/monitored, and responsive to constant changes. Because the threat of the unknown casts such a looming shadow over enterprise security solutions, it's important that firms employ solutions that are agile, scalable, and highly responsive to new and evolving attack methods.

Using CM tools like UpGuard to establish a proper, secure starting point for maintaining confidence in enterprise system integrity is critical for ongoing security testing and monitoring. Such tools can provide crucial verification and risk assessment of proposed changes to a system. For example, configuration items (CI) can be tested against approved secure configuration baselines to ensure that they are up to par. The resulting information can then in turn provide the requisite information for identifying breaches in policies and procedures, as well as intrusions and security compromises.
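The two points made above, that an unauthorized port opened on a virtual firewall goes unnoticed without ongoing checks and that configuration items should be tested against an approved secure baseline, come together in a drift check. The following is an added example, not UpGuard's or AWS's code: it models a security group's ingress rules as a constructed, simplified structure (not the real EC2 API) and reports every current rule that opens a port or source the approved baseline does not permit.

```python
# Baseline drift check for a cloud virtual firewall (EC2-style security group).
# Added example, not UpGuard or AWS code: Rule is a constructed, simplified
# view of a security group ingress rule, not the real EC2 API.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    from_port: int   # inclusive start of the allowed port range
    to_port: int     # inclusive end of the allowed port range
    cidr: str        # permitted source, e.g. "10.0.0.0/8"

# Approved secure baseline (constructed sample): HTTPS from anywhere,
# SSH only from the corporate address space.
BASELINE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.0.0.0/8"),
]

# Current state of the group (constructed sample); two rules have drifted.
CURRENT_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.1.2.0/24"),    # narrower than baseline: permitted
    Rule("tcp", 3389, 3389, "0.0.0.0/0"),  # unauthorized port opened
    Rule("tcp", 22, 22, "0.0.0.0/0"),      # baseline port, but wider source
]

def rule_covered(rule: Rule, baseline: list[Rule]) -> bool:
    """True if a single baseline rule permits the whole port range and source.
    A range covered only by several baseline rules combined counts as drift;
    that is conservative, which is what an unauthorized-port alert should be."""
    src = ip_network(rule.cidr, strict=False)
    for b in baseline:
        allowed = ip_network(b.cidr, strict=False)
        if b.proto != rule.proto or src.version != allowed.version:
            continue
        if (b.from_port <= rule.from_port and rule.to_port <= b.to_port
                and src.subnet_of(allowed)):
            return True
    return False

def find_drift(current: list[Rule], baseline: list[Rule]) -> list[Rule]:
    """Return the current rules that the approved baseline does not permit."""
    return [r for r in current if not rule_covered(r, baseline)]

if __name__ == "__main__":
    for r in find_drift(CURRENT_RULES, BASELINE_RULES):
        print(f"DRIFT: {r.proto} {r.from_port}-{r.to_port} from {r.cidr}")
```

Run on a schedule against the live rule set, each reported rule is a candidate for an alert or a remediation task, which is the event-triggered follow-up the text describes.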
06 CONCLUSION

Enterprise IT security initiatives must take a multi-tiered approach these days to provide effective, comprehensive protection. Different lines of defense are necessary to protect today's and tomorrow's enterprise networks, with various solutions interacting and complementing each other, even discovering vulnerabilities/openings in the other solutions' respective lines of defense. The 4 steps outlined previously provide pragmatic initial steps towards gearing up one's enterprise for continuous security monitoring:

1. Understand Current Trends in Intrusions and Attacks
2. Identify Existing Vulnerabilities
3. Assess Current Defense Mechanisms
4. Implement CM and Continuous Security Testing
In short, the sheer evolution and advancement of recent technologies makes it necessary to constantly test, assess, and re-evaluate the tools currently being used for combating cyber attacks. Moore's Law is intent-agnostic and applies to technological advances created for both noble and nefarious purposes. Without the latest security tools and methodologies, enterprises fall victim to technology in the truest sense: at the mercy of hackers, intruders, or anyone with the technological wherewithal to gain access to their systems. As the goal of attaining effective enterprise security is a moving target, firms must adopt a multi-tiered approach to protecting their infrastructures that includes continuous security monitoring. This involves both addressing new malware, vulnerabilities, and intrusion methods as they surface, as well as securing systems against future unknown threats.

REFERENCES
http://blogs.gartner.com/adam-hils/2015-8-network-security-trends-that-wont-gain-traction/
http://www.forbes.com/sites/sungardas/2015/01/02/cyber-security-professionals-predict-their-biggest-concerns-for-2015/
http://people.cis.ksu.edu/~xou/publications/tr_homer_0809.pdf
http://www.infoworld.com/article/2616316/security/the-5-cyber-attacks-you-re-most-likely-to-face.html
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/types-of-attack.html
http://www.cio.com/article/2908134/cloud-computing-brings-changes-for-it-security-workers.html
https://technet.microsoft.com/en-us/library/cc959354.aspx
http://www.personal.psu.edu/users/j/m/jms6423/Engproj/Types%20of%20Attacks.xhtml
http://searchsecurity.techtarget.com/video/Rethink-network-design-with-next-gen-network-security-architecture
http://www.sanog.org/resources/sanog14/sanog14-apnic-Security-21072009.pdf
http://www.symantec.com/connect/articles/security-11-part-3-various-types-network-attacks
http://www.networkworld.com/article/2163059/cloud-computing/hybrid-clouds-pose-new-security-challenges.html
http://www.csoonline.com/article/2124905/identity-management/why-rest-security-doesn-t-exist--and-what-to-do-about-it-.html
https://securityledger.com/2013/10/gartner_traditional_it-security_dead_by_end_of_decade/
http://hackmageddon.com/2015/02/05/january-2015-cyber-attacks-statistics/

*All charts are from hackmageddon.com

Businesses depend on trust, but breaches and outages erode that trust. UpGuard is the world's first cyber resilience platform, designed to proactively assess and manage the business risks posed by technology. UpGuard gathers complete information across every digital surface, stores it in a single, searchable repository, and provides continuous validation and insightful visualizations so companies can make informed decisions.

2017 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard logo are registered trademarks of UpGuard, Inc. All other products or services mentioned herein are trademarks of their respective companies. Information subject to change without notice.
www.UpGuard.com
EB_0010 / 02.17.2017