Defending your workloads against the next zero-day vulnerability

Justin Foster (@justin_foster), Trend Micro - Director of Product Management | Cloud & Data Center Security

Uploaded by amazon-web-services, 06-Aug-2015

TRANSCRIPT

The Story

More at aws.trendmicro.com

2012 re:Invent

SPR203: Cloud Security is a Shared Responsibility, http://bit.ly/2012-spr203

2013 re:Invent

SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud, http://bit.ly/2013-sec208

SEC307: How Trend Micro Build their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307

2014 re:Invent

SEC313: Updating Security Operations for the Cloud, http://bit.ly/2014-sec313

SEC314: Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314

Traditional Responsibility Model

You

Physical

Infrastructure

Network

Virtualization

Operating System

Applications

Data

Service Configuration

More at aws.amazon.com/security

Shared Responsibility Model

AWS

Physical

Infrastructure

Network

Virtualization

You

Operating System

Applications

Data

Service Configuration

More at aws.amazon.com/security

Shared Responsibility Model: AWS compliance programs

PCI DSS Level 1

SOC 1/ISAE 3402

SOC 2

SOC 3

ISO 9001

IRAP (.au)

FIPS 140-2

CJIS

CSA

FERPA

HIPAA

FedRAMP (SM)

DoD CSM 1-2, 3-5

DIACAP

ISO 27001

MTCS 3

ITAR

MPAA

G-Cloud

Section 508/VPAT

FISMA

More at aws.amazon.com/compliance/

Vulnerability | Respond | Repair

Vulnerability

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

bash is a common command line interpreter

a:() { b; } | attack

10/10 vulnerability. Widespread & easy to exploit

1989

Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
1 day, 22:19:13 | More details | React |
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
5 days, 9:16:35 | Limited disclosure :: CVE-2014-6271 | React |
2 days, 4:37:25 | More details | React |
3:44:00 | More details | React |
0:27:51 | Public disclosure | React |
0:36:30 | More details | React |
0:34:39 | Public disclosure :: CVE-2014-7169 | React |

Important Shellshock Events

Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
3:29:09 | Official patch :: CVE-2014-7169 | Patch | 9 days, 19:17:00
3:15:00 | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
1 day, 11:55:00 | Official patch :: CVE-2014-6277 | Patch | 1 day, 11:55:00
2 days, 20:24:00 | Official patch :: CVE-2014-6278 | Patch | 2 days, 20:24:00

[Chart: Attack Source IP for CVE-2014-6271, 7169, 6277, 6278, plotted at 24h, 48h and 72h after disclosure]

Respond

Day 1

aws.amazon.com/architecture : Web application hosting

TCP : 443, TCP : 4433

Primary workflow for our deployment

IAM Roles

AWS IAM Review

Security groups

AWS Security Group Review

Network segmentation

AWS Network Review

AWS VPC Checklist

Review

IAM roles

Security groups

Network segmentation

Network access control lists (NACL)

More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf

Primary workflow for our deployment: HTTPS over TCP : 443 and TCP : 4433

Intrusion prevention can look at each packet and then take action depending on what it finds
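As an added example (not part of the talk, and not code from any Trend Micro product), here is the kind of check an inspection point like the intrusion prevention described above can apply to each request: it scans constructed web-server access log lines for the "() {" function-definition prefix shown on the bash slide, after percent-decoding the attacker-controlled fields, and tallies hits per source IP. The log lines, IP addresses and payloads are constructed and inert.

```python
"""Flag Shellshock-style probes in web access logs (added example, not from the talk).

An IPS inspecting each request can key on the bash function-definition prefix
'() {' (CVE-2014-6271 family) in any attacker-controlled field.
"""
import re
from urllib.parse import unquote

# Constructed combined-log-format lines and IPs; payloads are inert 'echo' probes.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; echo probe"
203.0.113.12 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe" "curl/7.35.0"
203.0.113.11 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; echo probe2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Tolerate whitespace variants such as '(){' and '()  {'.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def is_shellshock(value):
    """True if the field holds the prefix, even when percent-encoded."""
    # Decode twice so a doubly encoded value also resolves to the literal prefix.
    return SHELLSHOCK_RE.search(unquote(unquote(value))) is not None

def scan_log(text):
    """Return one hit per matching request: source IP and the offending field."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        for field in ("request", "referer", "agent"):
            if is_shellshock(m.group(field)):
                hits.append({"ip": m.group("ip"), "field": field})
                break
    return hits

def attack_sources(hits):
    """Count hits per source IP, the view the 'Attack Source IP' chart gives."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    print(attack_sources(scan_log(SAMPLE_LOG)))
```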

aws.amazon.com/architecture : Web application hosting

Intrusion Prevention in Action

Review

All instances covered

Workload appropriate rules

Centrally managed

Security controls must scale out automatically with the deployment

Repair

Day 2

aws.amazon.com/architecture : Web application hosting

All instances are deployed from a task-specific AMI

TCP : 443, TCP : 4433

Workflow should be completely automated

[Diagram: AMI Creation Workflow: Instantiate, Configure, Bake, Instantiate, Test, Destroy]

aws.amazon.com/architecture : Web application hosting

Instances tend to drift from the known good state, so monitoring key files & processes is important
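An added example, not from the talk or from any Trend Micro product, of the baseline-and-compare logic behind integrity monitoring: it hashes a watch list of key files when the instance is built from its AMI, re-hashes them later and reports what was added, modified or removed. The watch list and file contents are constructed in a temporary directory so the example runs anywhere.

```python
"""Integrity monitoring against a known-good baseline (added example, not from the talk).

Record SHA-256 digests of key files when an instance is built from its AMI,
re-hash later, and report drift. Paths are constructed in a temp directory.
"""
import hashlib
import os
import tempfile

WATCHED = ["bin/bash", "etc/passwd", "etc/cron.d/backup"]  # constructed watch list

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, relpaths):
    """Map each watched file to its digest, or None when it does not exist."""
    return {rel: sha256_of(os.path.join(root, rel))
            if os.path.isfile(os.path.join(root, rel)) else None
            for rel in relpaths}

def detect_drift(baseline, current):
    """Classify every watched file whose state differs from the baseline."""
    drift = {"added": [], "modified": [], "removed": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "modified"
        drift[kind].append(rel)
    return drift

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Bake a fake instance, snapshot it, let it drift, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/bash", b"ELF-bash-4.3")  # constructed file contents
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_baseline(root, WATCHED)
        write(root, "bin/bash", b"ELF-bash-4.3-patched")  # binary replaced outside the AMI bake
        write(root, "etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")  # new cron job
        return detect_drift(baseline, build_baseline(root, WATCHED))
```

A change the pipeline made deliberately (patching bash in a new AMI) shows up as a new baseline, not as drift; drift is what changed on a running instance after it was baked.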

[Diagram: Integrity Monitoring: AMI -> Instance -> Alert]

Keys

Respond

Review configuration

Apply intrusion prevention

Repair

Patch vulnerability in new AMI

Leverage integrity monitoring

Visibility | Security | Time

Build With Confidence

aws.trendmicro.com

NEW YORK