Source: meetupfiles.meetup.com/12853682/security-in-plain-english-part 1.pdf
Look Who’s Hiring!
• AWS Solution Architect: https://www.amazon.jobs/en/jobs/362237
• AWS Cloud TAM: https://www.amazon.jobs/en/jobs/347275
• AWS Principal Cloud Architect (Professional Services): http://www.reqcloud.com/jobs/701617/?k=wXB6E7kM32j+Es2yp0jy3IkRsEXrVGaOWIhaklSw9idiTA8gCkJ2cKsaJL40SLqgBI/yqgZ6WtJiObPVOM6A6g==&utm_source=linkedin&utm_campaign=reqCloud_JobPost
AWS & Alert Logic
Minoo Duraipandy, Solution Architect, AWS
David Hillock, Territory Manager, Alert Logic
• Grab beer and food
• Introduction to AWS Security
• AWS Shared Security Model – AWS & Alert Logic
• Top 13 must-do security hardening measures
• Show & Tell sessions (hopefully it will work!)
• AWS Network Security (will we have time to get here?)
• Leave you with reference docs and videos
Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
Constantly improving
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
GxP, ISO 13485, AS9100, ISO/TS 16949
SHARED RESPONSIBILITY
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Customer applications & content
ALERT LOGIC: MANAGED SECURITY AS A SERVICE
David Hillock – Territory Manager
Leading Provider of Security & Compliance for the Cloud
• Revenue: $91M+/year
• Growth rate: 42%
• Customers: 3,600+
• Founded: 2002
• Employees: 650+
• Headquarters: Houston, Texas
INDUSTRY RECOGNITION and CERTIFICATIONS
Providing fully managed and monitored security and compliance for cloud, hybrid, and on-premises infrastructure, with the benefits of deep insight, continuous protection, and lower costs
• Continuous Protection
• Lower Total Costs
• Deep Security Insight
Over 3,500 Organizations Worldwide Trust Alert Logic
CYBER SECURITY LANDSCAPE
Security Risks are Escalating Rapidly
AT A GLANCE: CYBERCRIME TODAY
• $1.3 million: average yearly cost of breaches per organization (1)
• 205 days: on average before detection of compromise (2)
• 185 major security incidents: companies deal with each year (1)
• $158 million: direct losses from breach for Target
Sources:
1) IDC – “Cybercrime – The Credentials Connection.” 2014.
2) mTrends Threat Report 2015.
Today’s Attacks are Becoming More Complex
• Attacks are multi-stage using multiple threat vectors
• Takes organizations months to identify they have been compromised
  • 205 days on average before detection of compromise (1)
• Over two-thirds of organizations find out from a 3rd party they have been compromised (2)
Stages of a multi-stage attack: Initial Attack → Identify & Recon → Command & Control → Discover & Spread → Extract & Exfiltrate
The Impact
• Financial loss
• Harm brand and reputation
• Scrutiny from regulators
1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
2 – M-Trends 2015: A View from the Front Lines
Security in the Cloud is a Shared Responsibility
Customer Responsibility
Apps
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
Hosts
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
Networks
• Network threat detection
• Security monitoring
Cloud Service Provider Responsibility
Networks
• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
Hosts
• Hardened hypervisor
• System image library
• Root access for customer
Foundation Services
• Compute, Storage, DB, Network
ALERT LOGIC: SECURITY PARTNER
Closing the Gap for Cloud Security
Alert Logic Cloud Defender
• Real-time Security Monitoring of Network, Log, and Web App Traffic
• Analytics Engine to find potential threats
• Review and Escalation by our Security Analysts
Alert Logic Cloud Insight
• Visibility of the AWS Environment
• AWS Best Practices
• Vulnerabilities on the Instances
• Sources: AWS Config, AWS CloudTrail
Research into known and emerging, as well as AWS-specific, threats
Audit and Compliance reporting
How Cloud Defender Works
ALERT LOGIC CLOUD DEFENDER: Identify Attacks & Protect Customers
• Alert Logic ActiveAnalytics: Big Data Analytics Platform
• Alert Logic ActiveIntelligence: Threat Intelligence & Security Content
• Alert Logic ActiveWatch: 24 x 7 Monitoring & Escalation
Inputs from the Customer IT Environment (Cloud, Hybrid, On-Premises):
• Network incidents
• Vulnerability Scans
• Web application events
• OS/App log data
• AWS Log data
ActiveAnalytics: Security Analytics
Big Data Grid Optimized for Large Scale Storage & Processing
• Collects, stores, and parses all data collected
• Optimized for scale – more than 1000 processing cores
• Supports multiple workloads on shared infrastructure
Real-time Processing & Analytics Platform
• Automated incident creation with actionable intelligence
• Removes false positives
• 3-tiered analysis: Real-time Monitoring, Pre-cursor, Deep Forensics
Multi-Tier Security Content Identifies Hard to Detect Incidents
• Correlation rules
• Anomaly detection
• Threat intelligence
• Reputation-based
• Signature-based
• Vulnerability context
ActiveIntelligence: Threat Intelligence & Content
INPUTS (Data Sources)
• Honey Pot Network
• Flow based Forensic Analysis
• Malware Forensic Sandboxing
• Intelligence Harvesting Grid
• Alert Logic Threat Manager Data
• Alert Logic Log Manager Data
• Alert Logic Web Security Manager Data
• Alert Logic ScanWatch Data
• Asset Model Data
• Customer Business Data
Threat Intelligence Research → Applied Analytics → Security Content
INCIDENTS go to the Customer and to the Security Operations Center (24/7)
ActiveWatch: 24x7 Security Monitoring
24x7 Security and Availability Coverage
• Expert review, investigation, and analysis by certified security experts
• Incident response, escalation, and recommendations for resolution
• NOC monitors all security infrastructure for availability
Ongoing tuning delivers protection and application availability
• Tuning in response to changing attacks and customer application changes
• Identification of new attack patterns and creation of new security content
Expert Certification
Compliance without Complexity
Alert Logic Web Security Manager™
PCI DSS:
• 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
• 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications.
SOX:
• DS 5.10 Network Security
• AI 3.2 Infrastructure resource protection and availability
HIPAA & HITECH:
• 164.308(a)(1) Security Management Process
• 164.308(a)(6) Security Incident Procedures
Alert Logic Log Manager™
PCI DSS:
• 10.2 Automated audit trails
• 10.3 Capture audit trails
• 10.5 Secure logs
• 10.6 Review logs at least daily
• 10.7 Maintain logs online for three months
• 10.7 Retain audit trail for at least one year
SOX:
• DS 5.5 Security Testing, Surveillance and Monitoring
HIPAA & HITECH:
• 164.308 (a)(1)(ii)(D) Information System Activity Review
• 164.308 (a)(6)(i) Login Monitoring
• 164.312 (b) Audit Controls
Alert Logic Threat Manager™
PCI DSS:
• 5.1.1 Monitor zero day attacks not covered by anti-virus
• 6.2 Identify newly discovered security vulnerabilities
• 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change
• 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
SOX:
• DS5.9 Malicious Software Prevention, Detection and Correction
• DS 5.6 Security Incident Definition
• DS 5.10 Network Security
HIPAA & HITECH:
• 164.308 (a)(1)(ii)(A) Risk Analysis
• 164.308 (a)(1)(ii)(B) Risk Management
• 164.308 (a)(5)(ii)(B) Protection from Malicious Software
• 164.308 (a)(6)(iii) Response & Reporting
Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting
Top 13 must-do security hardening measures
• Basic user and permission management
• Credential management
• Delegation
Basic user and permission management
0. Create individual users.
Benefits
• Unique credentials
• Individual credential rotation
• Individual permissions
1. Grant least privilege.
Benefits
• Less chance of people making mistakes
• Easier to relax than tighten up
• More granular control
2. Manage permissions with groups.
Benefits
• Easier to assign the same permissions to multiple users
• Simpler to reassign permissions based on change in responsibilities
• Only one change to update permissions for multiple users
3. Restrict privileged access further with conditions.
Benefits
• Additional granularity when defining permissions
• Can be enabled for any AWS service API
• Minimizes chances of accidentally performing privileged actions
4. Enable AWS CloudTrail to get logs of API calls.
Benefits
• Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
It’s really easy to set it up!
• Turn AWS CloudTrail On
• Apply to all AWS Regions
• Price = $0.00002/event, or $2 for 100,000 events
That brings us to our 1st Show & Tell
Credential management
5. Configure a strong password policy.
Benefits
• Ensures your users and your data are protected
6. Rotate security credentials regularly.
Benefits
• Normal best practice
7. Enable MFA for privileged users & root user.
Benefits
• Supplements user name and password to require a one-time code during authentication
Delegation
8. Use IAM roles to share access.
Benefits
• No need to share security credentials
• No need to store long-term credentials
• Use cases
  - Cross-account access
  - Intra-account delegation
  - Federation
• IMPORTANT: Never share security credentials
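The IAM recommendations above (measure 1, least privilege; measure 3, conditions on privileged access; measure 8, roles instead of shared credentials) can be checked mechanically before a policy is attached. The Python linter below is an added example, not code from the deck, from AWS or from Alert Logic: the sample policies, the account ids 111111111111 and 222222222222, the bucket name and the list of action prefixes it treats as privileged are all constructed assumptions. It flags Allow */* statements, service-wide wildcards, privileged actions that carry no aws:MultiFactorAuthPresent condition, and role trust policies that let another account assume the role without an sts:ExternalId or MFA condition.

```python
"""Lint IAM policy documents for the deck's measures 1 (least privilege),
3 (conditions on privileged access) and 8 (roles instead of shared credentials).
Added example, not code from the original deck; the sample policies, account
ids and the list of "privileged" action prefixes are constructed assumptions."""
import json

# Assumed set of action prefixes treated as privileged; not an AWS-defined list.
PRIVILEGED_PREFIXES = ("iam:", "organizations:", "sts:AssumeRole")
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists") and str(keys.get(MFA_KEY, "")).lower() == "true":
            return True
    return False


def _has_external_id(stmt):
    """True if the statement pins the caller to an sts:ExternalId value."""
    return "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})


def lint_policy(policy):
    """Findings for an identity policy: admin wildcards and unconditioned privileged actions."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        if "*" in actions and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Allow */* grants full administrative access")
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action} is broader than least privilege")
            if action.startswith(PRIVILEGED_PREFIXES) and not _has_mfa_condition(stmt):
                findings.append(f"{sid}: privileged action {action} has no MFA condition")
    return findings


def lint_trust_policy(trust_policy, own_account):
    """Findings for a role trust policy: open principals and cross-account access without a condition."""
    findings = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        principal = stmt.get("Principal", {})
        # Service principals (e.g. EC2 instance roles, measure 9) are not AWS account principals.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for who in aws_principals:
            if who == "*":
                findings.append(f"{sid}: any AWS principal may assume this role")
            elif f":{own_account}:" not in who and not (_has_mfa_condition(stmt) or _has_external_id(stmt)):
                findings.append(f"{sid}: cross-account principal {who} has no ExternalId or MFA condition")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for policy text as returned by the AWS CLI."""
    return lint_policy(json.loads(text))


# Constructed sample policies (example account ids and bucket name, not real ones).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnlyBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "ManageUsersWithMFA", "Effect": "Allow", "Action": ["iam:CreateUser", "iam:DeleteUser"],
     "Resource": "*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
IAM_WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
EC2_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerAccess", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY), ("iam-wildcard", IAM_WILDCARD_POLICY)]:
        print(name, lint_policy(policy) or "OK")
    print("ec2-role", lint_trust_policy(EC2_ROLE_TRUST, "111111111111") or "OK")
    print("cross-account", lint_trust_policy(CROSS_ACCOUNT_TRUST, "111111111111") or "OK")
```

Feed it a policy dict or the JSON the AWS CLI prints for a policy version (lint_policy_json). An empty list means the document passed these checks; that is a floor, not a proof of least privilege, since only the action and condition shape is inspected.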
More Show & Tell!
Delegation
9. Use IAM roles for Amazon EC2 instances.
Benefits
• Easy to manage access keys on EC2 instances
• Automatic key rotation
• Assign least privilege to the application
• AWS SDKs fully integrated
• AWS CLI fully integrated
10. Reduce or remove use of root.
Benefits
• Reduce potential for misuse of credentials
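Enabling CloudTrail (measure 4) only pays off if someone reviews the records, and measures 7 (MFA) and 10 (reduce use of root) give two concrete things to review for. The Python script below is an added example, not code from the deck, from AWS or from Alert Logic: the four records are constructed (an example account id and documentation-range IP addresses) in the {"Records": [...]} layout CloudTrail writes to S3, and the choice of what counts as worth reviewing is an assumption of this example.

```python
"""Review CloudTrail records for what measures 4, 7 and 10 of the deck are
meant to surface: use of the root account, console logins without MFA, and
IAM changes. Added example, not code from the original deck; the records below
are constructed and follow the CloudTrail record layout (userIdentity,
eventName, eventSource, additionalEventData, sourceIPAddress)."""
import json
from collections import Counter

# Constructed sample log in the {"Records": [...]} envelope CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-05-01T10:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2016-05-01T10:05:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-05-01T10:07:00Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.8"},
    {"eventTime": "2016-05-01T10:09:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.8"},
]})

# Assumed prefixes of IAM API calls that change identities or permissions.
IAM_CHANGE_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach", "Update")


def find_risky_events(log_text):
    """Return (finding, actor, eventTime, sourceIPAddress) tuples for records worth review."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        identity = rec.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("type", "unknown")
        when, src = rec.get("eventTime"), rec.get("sourceIPAddress")
        # Measure 10: the root account should not be doing day-to-day work.
        if identity.get("type") == "Root":
            findings.append(("root-activity", actor, when, src))
        # Measure 7: console logins should carry MFA.
        if rec.get("eventName") == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", actor, when, src))
        # Measures 0-3: changes to users, groups and permissions are privileged and merit review.
        if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName", "").startswith(IAM_CHANGE_PREFIXES):
            findings.append(("iam-change", actor, when, src))
    return findings


def summarize(findings):
    """Count findings by type, the shape a daily review (PCI DSS 10.6) would start from."""
    return dict(Counter(kind for kind, _, _, _ in findings))


if __name__ == "__main__":
    events = find_risky_events(SAMPLE_LOG)
    for finding in events:
        print(*finding)
    print(summarize(events))
```

Run against real trail files by reading each gzipped object from the CloudTrail bucket and passing its text to find_risky_events; the per-type counts from summarize are what you would trend day over day.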
Turning MFA on AWS Root Acct
11. Use Config & Config Rules
Benefits
• Automates security controls
• Streamlines auditing
Enabling AWS Config
Setting up Config Rules
12. Have EC2 SSH key diversity
Benefits
• Automates security controls
• Streamlines auditing
The 13 measures
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Password
6. Rotate
7. MFA
8. Sharing
9. Roles
10. Root
11. Use Config & Config Rules
12. Have EC2 SSH key diversity
NETWORK
Availability Zone A / Availability Zone B
AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
[Diagram: Web, App and DB tiers across the two Availability Zones; Web in the PUBLIC subnet, App and DB in PRIVATE subnets. Default: Deny all traffic. Allow: Port 443 to the Web tier.]
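Measure 11 (Config Rules) and the network diagram above meet in a custom rule: evaluate every security group against the "deny all, allow only Port 443 to the Web tier" model, and let Config flag the ones that drift. The Python below is an added example, not code from the deck, from AWS or from Alert Logic. It follows the shape of a custom Config rule Lambda handler (an invokingEvent string carrying a configurationItem whose configuration uses Config's camelCase AWS::EC2::SecurityGroup fields), but the security groups and the event are constructed, the allowed-port set is an assumption, and it returns its evaluation instead of calling the Config API, so it runs offline.

```python
"""Custom AWS Config rule logic (measure 11) for the network slide's model:
a web-tier security group may expose only TCP 443 to the Internet, and
everything else stays denied. Added example, not code from the original deck;
the configuration items below are constructed and no AWS API is called."""
import json

ALLOWED_PUBLIC_TCP_PORTS = {443}        # assumption: what the web tier may expose
ANYWHERE = {"0.0.0.0/0", "::/0"}        # "from the Internet" in security-group terms


def _port_range(rule):
    """Port span of one ipPermissions entry; missing or -1 means every port."""
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None or lo < 0:
        return range(0, 65536)
    return range(lo, hi + 1)


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for one security group configuration."""
    violations = []
    for rule in configuration.get("ipPermissions", []):
        sources = {r.get("cidrIp") for r in rule.get("ipRanges", [])}
        sources |= {r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])}
        if not sources & ANYWHERE:
            continue  # reachable only from specific CIDRs or other security groups
        proto = rule.get("ipProtocol")
        if proto == "-1":
            violations.append("all protocols open to the Internet")
            continue
        for port in _port_range(rule):
            if proto != "tcp" or port not in ALLOWED_PUBLIC_TCP_PORTS:
                violations.append(f"{proto}/{port} open to the Internet")
                break
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)
    return "COMPLIANT", "Internet exposure limited to TCP 443"


def lambda_handler(event, context=None):
    """Config rule entry point; returns the evaluation a real rule would send with put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    result = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"]}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {**result, "ComplianceType": "NOT_APPLICABLE"}
    compliance, note = evaluate_security_group(item["configuration"])
    return {**result, "ComplianceType": compliance, "Annotation": note}


# Constructed security groups for the tiers on the slide (example group ids).
WEB_SG = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}
WEB_SG_WITH_OPEN_SSH = {"ipPermissions": WEB_SG["ipPermissions"] + [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}
DB_SG = {"ipPermissions": [   # reachable only from the app tier's security group
    {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": [], "ipv6Ranges": [],
     "userIdGroupPairs": [{"groupId": "sg-app-tier-example"}]}]}

SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web-example",
    "configuration": WEB_SG_WITH_OPEN_SSH}})}

if __name__ == "__main__":
    for name, sg in [("web", WEB_SG), ("web+ssh", WEB_SG_WITH_OPEN_SSH), ("db", DB_SG)]:
        print(name, *evaluate_security_group(sg))
    print(lambda_handler(SAMPLE_EVENT))
```

The DB group passes because its only ingress references another security group rather than a CIDR, which is the "App to DB" path on the diagram; the web group with an SSH rule fails with an annotation naming the offending port, which is what shows up in the Config console.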
REPLICATE ON-PREM
AWS VPC Peering
• Route traffic between VPCs in private and peer specific subnets between each VPC
• Even between AWS accounts
[Diagram: VPCs for Digital Websites, Big Data Analytics, Enterprise Apps and Common Services, peered within YOUR AWS ENVIRONMENT]
AWS Direct Connect: resiliently and directly
[Diagram: YOUR PREMISES connected to YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) over AWS Direct Connect and over an Internet VPN]
Physical Data Center -> AWS VPC
VLANs/Subnets -> Subnets
Routers -> Route Tables
Stateful Firewalls -> Security Groups
Stateless Firewalls or Network ACLs -> Network ACLs
Network Interface Card -> Elastic Network Interface (ENI)
Web Application Firewall -> AWS WAF or other products (like Alert Logic)
Internet Connection -> Internet Gateway (IGW)
NAT (probably on firewall) -> NAT Gateway Service or NAT Instance
Inter Datacenter connectivity -> IPSec VPN, OpenVPN (for users), Direct Connect
Private IP (RFC 1918) -> Private IP (RFC 1918), persistent for the life of the EC2 instance
Public/External IP -> Public IP (dynamic), Elastic IP (static)
Network based IDS/IPS -> Host based IPS/IDS
DHCP Server -> Managed DHCP Service (DHCP Options Set)
DNS Server -> Managed or self-hosted DNS (DHCP Options Set)
Intra-Network Isolation or Connectivity -> VPC Peering
Reference docs and videos
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
https://youtu.be/fCH4r3s4THQ
https://youtu.be/5_bQ6Dgk6k8
https://youtu.be/ykmqjgLdmL4
https://youtu.be/3qln2u1Vr2E
https://youtu.be/_wiGpBQGCjU