(SEC326) Security Science Using Big Data
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scott C. Kennedy, Security Scientist, Intuit
Erik Naugle, Director Cloud Security, Intuit
October 2015
SEC326
Security Science via Big Data
What to Expect from the Session
• Get introduced to DevSecOps
• Learn about security science
• See how Intuit is using security science & big data
Our Mission at Work…
The Cloud Security Team (CST) will deliver transparent security oversight and monitoring that enables safe use of cloud resources without friction for our online business, by:
• Becoming the team to follow by establishing a DevSecOps function that solves for secure use of cloud services.
• Automating our processes and solutions to ensure scaled global delivery.
• Partnering across Intuit to ensure speed & ease for our innovation.
Why is DevSecOps Needed?
[Diagram: four quadrants labelled Compliance, Engineering, Operations, Science]
What is DevSecOps
• Agile discipline
• Best of each security specialty in one framework
• Value provided as security services
• Make it easy for business to take the right risks
• Reduce friction and disruptions
• Continuous improvement mindset
… Requires profiling, testing, and an ability to put security in perspective
Drivers for DevSecOps
Embedding into DevOps was a disaster…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Traditional security operations did not work…
• And we needed far more data than we expected to help the business make decisions…
The Tenets of DevSecOps
1. Customer-focused mindset
2. Scale, scale, scale
3. Objective criteria
4. Proactive hunting
5. Continuous detection & response
The Art of DevSecOps
DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast
Security Science?
• Need to change the conversation from F.U.D. to facts
• Science is a fact-based examination
• Theories established
• Testable against real data
• Revised and retested as the landscape changes…
• Question -> Hypotheses -> Experiment -> Analyze -> Repeat
• Answers simple questions
Examples of Security Science
• What is your password policy?
• Why?
• How frequently should you restack your hosts?
• Can you make choices beforehand to improve this?
Ways Intuit is using Security Science
• Advocacy
• Education
• Threat reduction
Enhance Ability to “Detect & Contain”
Use big data analytics to improve detection methods
• Looking for the slow & steady attacker
• Find the one-packet-only attacks
• Find coordinated spread spectrum scans
• Detect AWS misuse cases before incidents occur
Use data visualization to uncover unseen existing issues
• Hunt the wumpus
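Two of the patterns listed above, the slow & steady scanner and the coordinated spread-spectrum scan, as detection logic run over constructed VPC-flow-style records. This is an added example, not Intuit's tooling or anything shown in the talk; the record layout, the thresholds and the (documentation-range) addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FLOWS = []  # constructed records: (timestamp, src_ip, dst_ip, dst_port, packets)
BASE = datetime(2015, 9, 1)
# "Slow & steady" scanner: one single-packet probe per hour, 24 distinct ports in a day.
for h in range(24):
    FLOWS.append((BASE + timedelta(hours=h), "198.51.100.7", "10.0.1.5", 1000 + h, 1))
# Spread-spectrum scan: 20 sources, each probing 2 ports of one target, spread over 20 minutes.
for i in range(20):
    FLOWS += [(BASE + timedelta(minutes=i), f"203.0.113.{i + 1}", "10.0.2.9", 2000 + 2 * i + j, 1) for j in range(2)]
for m in range(50):  # ordinary client traffic to port 443, must not be flagged
    FLOWS.append((BASE + timedelta(minutes=m), "192.0.2.33", "10.0.1.5", 443, 40))

def find_slow_scanners(flows, min_ports=10, max_rate_per_hour=2.0):
    """Sources touching many distinct ports at a rate low enough to escape burst thresholds."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _pkts in flows:
        by_src[src].append((ts, port))
    hits = {}
    for src, events in by_src.items():
        ports = {p for _, p in events}
        times = sorted(t for t, _ in events)
        hours = max((times[-1] - times[0]).total_seconds() / 3600, 1e-9)
        rate = len(events) / hours
        if len(ports) >= min_ports and rate <= max_rate_per_hour:
            hits[src] = (len(ports), round(rate, 2))
    return hits

def find_spread_spectrum(flows, window=timedelta(minutes=15), min_sources=10, max_ports_per_src=3, min_total_ports=16):
    """Targets where many sources each probe only a few ports but jointly cover a wide range in one window."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, _pkts in flows:
        by_dst[dst].append((ts, src, port))
    hits = {}
    for dst, events in by_dst.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):  # slide a window starting at each event
            per_src = defaultdict(set)
            for ts, src, port in events[i:]:
                if ts - t0 > window:
                    break
                per_src[src].add(port)
            quiet = [ports for ports in per_src.values() if len(ports) <= max_ports_per_src]
            covered = set().union(*quiet)
            if len(quiet) >= min_sources and len(covered) >= min_total_ports:
                hits[dst] = (len(quiet), len(covered))
                break
    return hits
```

The window scan is quadratic in the number of events per target, which is fine for a demonstration but would be replaced by time-bucketed aggregation in a Splunk or EMR job.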
It’s Log! It’s Big! It’s Heavy! It’s Wood!
• As of 9/2015, we have 990+ separate AWS accounts
• We use Splunk™ as our logging platform
• Partner with 3rd party to add value
• Operate a 24/7 SOC to trigger on AWS incidents
• Compliance
• Security
• Ingest CloudTrail/S3/ELB/etc. into unified logs
• Send all logs into TAP for further aggregation and alerts
• Looking to migrate to Hunk/EMR as a future direction?
Using Logs to Profile Drift from Standards
[Diagram: AWS accounts (Amazon S3, Amazon Glacier, Amazon EC2, AWS CloudTrail), Ingestion, Threat intel, Security tools & data, Security science, Insights]
Benefits of Unified Logs
• Single pane of glass to see everything
• Allows complex queries and lookups
Egress Monitoring + Threat Intel to Detect Misuse
[Diagram: EC2 → Subnet → VPC → Account → Ingestion]
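The egress-monitoring join sketched above, as an added example rather than the talk's own tooling: constructed egress flow records are matched against a constructed threat-intel list (CIDR-aware, most specific prefix first) and the hits are rolled up from EC2 instance through subnet and VPC to account, so triage can start at the account level and drill down. Instance, subnet, VPC and account IDs are hypothetical and the intel entries are documentation ranges, not real indicators.

```python
import ipaddress
from collections import Counter

# Constructed threat-intel feed (documentation ranges, not real indicators).
INTEL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.42/32")]

# Constructed inventory with hypothetical IDs: instance -> (subnet, vpc, account).
INVENTORY = {
    "i-0a1": ("subnet-1", "vpc-A", "111111111111"),
    "i-0a2": ("subnet-1", "vpc-A", "111111111111"),
    "i-0b1": ("subnet-2", "vpc-B", "222222222222"),
}

# Constructed egress flow records: (instance_id, dst_ip, dst_port, bytes_out).
EGRESS = [
    ("i-0a1", "203.0.113.10", 443, 5100),
    ("i-0a1", "192.0.2.8", 443, 8800),       # benign destination
    ("i-0a2", "203.0.113.77", 8080, 300),
    ("i-0b1", "198.51.100.42", 53, 120),
    ("i-0b1", "198.51.100.43", 53, 120),     # neighbour of a listed host, not listed itself
]

def intel_match(ip, intel=INTEL):
    """Return the intel network containing ip, most specific prefix first, or None."""
    addr = ipaddress.ip_address(ip)
    for net in sorted(intel, key=lambda n: n.prefixlen, reverse=True):
        if addr in net:
            return net
    return None

def rollup(egress=EGRESS, inventory=INVENTORY, intel=INTEL):
    """Count intel hits at every level of the hierarchy and keep the matching records for triage."""
    levels = ("account", "vpc", "subnet", "instance")
    counts = {level: Counter() for level in levels}
    hits = []
    for inst, dst, port, nbytes in egress:
        net = intel_match(dst, intel)
        if net is None:
            continue  # monitoring only: nothing is blocked here
        subnet, vpc, account = inventory[inst]
        hits.append({"account": account, "vpc": vpc, "subnet": subnet, "instance": inst,
                     "dst": dst, "port": port, "bytes": nbytes, "intel": str(net)})
        for level, key in zip(levels, (account, vpc, subnet, inst)):
            counts[level][key] += 1
    return counts, hits
```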
Incident Handling Triggered on Events?
• Use triggers/reports on AWS usage patterns
• Detect misuse early
Diving Through the Unified Views
Using combined views of data to find underlying patterns
Steer PD to “Ensure Apps are Secure”
• Develop insights to illustrate the rationale behind CST
• Win over the PD teams to use the CST model
• Increase overall security posture by illuminating security gaps
• Help PD teams overcome friction on security issues
• Create tooling to allow PD teams to self educate
• Guide them to right decisions via scoring
• Allow them to model scoring impacts before implementation
Portal – Gateway to Success in Cloud Adoption
• Displays account details
• Education access
• Tools to help scale
Why Focus on This?
Why is Scoring Important?
• Grades are powerful motivators
• Allows the PD leader to drill down
• Why am I failing?
• Where am I using that?
• But, then what?
CVSS modeling
• How do the decisions I make affect my grading scores?
• How frequently do I have to restack?
• What is the impact of package choices?
• Ruby or Python?
• MySQL or Postgres?
• Apache or Nginx?
Future directions
• Continue to create tooling for PD teams
• Encryption methods vs. cracking costs
• Key rotation tempo vs. re-encryption speed/costs
• Deep dive on DNS queries
• Find misuse without blocking
• Redirection for laptops, cloud, & datacenter for intel gathering
Wrap up
• Join DevSecOps Community via LinkedIn, GitHub, and Twitter
• DevSecOps.org
• linkedin.com/grp/home?gid=6817408
• github.com/devsecops
• twitter.com/devsecops
• Assess your org's cloud adoption strategy and security requirements, and work backwards
• Bring science into your security decisions.
Related Sessions
• BDT205 - Your First Big Data Application on AWS
• SEC308 - Wrangling Security Events in the Cloud
• SEC320 - AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance
• SEC402 - Enterprise Cloud Security via DevSecOps 2.0
Remember to complete your evaluations!
Thank you!