
Page 1: (SEC326) Security Science Using Big Data

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Scott C. Kennedy, Security Scientist, Intuit

Erik Naugle, Director Cloud Security, Intuit

October 2015

SEC326

Security Science via Big Data

Page 2: (SEC326) Security Science Using Big Data

What to Expect from the Session

• Get introduced to DevSecOps

• Learn about security science

• See how Intuit is using security science & big data

Page 3: (SEC326) Security Science Using Big Data

Our Mission at Work…

The Cloud Security Team (CST) will deliver transparent security oversight and monitoring that enables safe use of cloud resources without friction for our online business, by:

• Becoming the team to follow by establishing a DevSecOps function that solves for secure use of cloud services.

• Automating our processes and solutions to ensure scaled global delivery.

• Partnering across Intuit to ensure speed & ease for our innovation.

Page 4: (SEC326) Security Science Using Big Data

Why is DevSecOps Needed?

(Diagram labels: Compliance, Engineering, Operations, Science)

Page 5: (SEC326) Security Science Using Big Data

What is DevSecOps

• Agile discipline

• Best of each security specialty in one framework

• Value provided as security services

• Make it easy for business to take the right risks

• Reduce friction and disruptions

• Continuous improvement mindset

… Requires profiling, testing, and an ability to put security in perspective

Page 6: (SEC326) Security Science Using Big Data

Drivers for DevSecOps

Embedding into DevOps was a disaster…

• Compliance checklists didn’t take us far before we stopped scaling…

• We couldn’t keep up with deployments without automation…

• Traditional security operations did not work…

• And we needed far more data than we expected to help the business make decisions…

Page 7: (SEC326) Security Science Using Big Data

The Tenets of DevSecOps

1. Customer-focused mindset

2. Scale, scale, scale

3. Objective criteria

4. Proactive hunting

5. Continuous detection & response

Page 8: (SEC326) Security Science Using Big Data

The Art of DevSecOps

DevSecOps

Security Engineering

Experiment, Automate, Test

Security Operations

Hunt, Detect, Contain

Compliance Operations

Respond, Manage, Train

Security Science

Learn, Measure, Forecast

Page 9: (SEC326) Security Science Using Big Data

Security Science?

• Need to change the conversation from F.U.D. to facts

• Science is a fact-based examination

  • Theories established

  • Testable against real data

  • Revised and retested as the landscape changes…

• Question -> Hypotheses -> Experiment -> Analyze -> Repeat

• Answers simple questions

Page 10: (SEC326) Security Science Using Big Data

Examples of Security Science

• What is your password policy?

• Why?

• How frequently should you restack your hosts?

• Can you make choices beforehand to improve this?

Page 11: (SEC326) Security Science Using Big Data

Ways Intuit is using Security Science

• Advocacy

• Education

• Threat reduction

Page 12: (SEC326) Security Science Using Big Data

Enhance Ability to “Detect & Contain”

Use big data analytics to improve detection methods

• Looking for the slow & steady attacker

• Find the one-packet-only attacks

• Find coordinated spread spectrum scans

• Detect AWS misuse cases before incidents occur

Use data visualization to uncover unseen existing issues

• Hunt the wumpus
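The "slow & steady" attacker and the coordinated spread-spectrum scan both hide from per-minute thresholds and only show up when you count across a long window and across many sources, which is what a unified log store makes possible. The Python below is an added example, not code from the talk or from Intuit: it runs those two detections over constructed flow-log-style records (the field names src, dst, dport and ts are assumptions), flagging one source that touches many ports at a rate far below any short-window rule, and one target whose port range is split between several sources that each stay under the per-source threshold.

```python
from collections import defaultdict

# Constructed sample data (not real traffic); addresses come from the
# RFC 5737 documentation ranges.  Field names are assumptions.
def _make_sample():
    flows = []
    base = 1_443_657_600  # constructed epoch timestamp, Oct 2015
    # Slow & steady: one source probes one new port every two hours.
    for i, port in enumerate(range(20, 41)):
        flows.append({"src": "198.51.100.7", "dst": "10.0.1.5",
                      "dport": port, "ts": base + i * 7200})
    # Coordinated spread-spectrum scan: three sources share one target and
    # each probes a third of a 30-port range within an hour.
    sources = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i, port in enumerate(range(1000, 1030)):
        flows.append({"src": sources[i % 3], "dst": "10.0.2.9",
                      "dport": port, "ts": base + i * 100})
    # Benign: a client repeatedly reaching HTTPS on the first target.
    for i in range(200):
        flows.append({"src": "192.0.2.50", "dst": "10.0.1.5",
                      "dport": 443, "ts": base + i * 600})
    return flows

SAMPLE_FLOWS = _make_sample()


def find_slow_scanners(flows, min_ports=15, max_ports_per_hour=2.0):
    """Flag (src, dst) pairs that touch many distinct ports over the whole
    window at a rate a per-minute threshold would never trip on."""
    ports = defaultdict(set)
    first, last = {}, {}
    for f in flows:
        key = (f["src"], f["dst"])
        ports[key].add(f["dport"])
        first[key] = min(first.get(key, f["ts"]), f["ts"])
        last[key] = max(last.get(key, f["ts"]), f["ts"])
    findings = {}
    for key, seen in ports.items():
        hours = max((last[key] - first[key]) / 3600.0, 1.0)
        rate = len(seen) / hours
        if len(seen) >= min_ports and rate <= max_ports_per_hour:
            findings[key] = {"distinct_ports": len(seen),
                             "hours": round(hours, 1),
                             "ports_per_hour": round(rate, 2)}
    return findings


def find_coordinated_scans(flows, min_sources=3, min_total_ports=20,
                           per_source_max=15):
    """Flag targets whose probing is spread across several sources that each
    stay under the per-source threshold but cover a wide range together."""
    by_dst = defaultdict(lambda: defaultdict(set))   # dst -> src -> ports
    for f in flows:
        by_dst[f["dst"]][f["src"]].add(f["dport"])
    findings = []
    for dst, srcs in by_dst.items():
        # Sources touching more than one port but fewer than the per-source limit.
        quiet = {s: p for s, p in srcs.items() if 1 < len(p) <= per_source_max}
        union = set().union(*quiet.values()) if quiet else set()
        if len(quiet) >= min_sources and len(union) >= min_total_ports:
            findings.append({"dst": dst, "sources": sorted(quiet),
                             "total_ports": len(union)})
    return findings


if __name__ == "__main__":
    for key, info in find_slow_scanners(SAMPLE_FLOWS).items():
        print("slow scanner", key, info)
    for finding in find_coordinated_scans(SAMPLE_FLOWS):
        print("coordinated scan", finding)
```

On the constructed input the single-port HTTPS client is never flagged, the two-hour scanner is caught only because distinct ports are counted over the full 40-hour span, and the three cooperating sources are caught only by the union of their ports per target. The thresholds are illustrative; in a real deployment they would be tuned per environment against the false-positive rate the SOC can absorb.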

Page 13: (SEC326) Security Science Using Big Data

It’s Log! It’s Big! It’s Heavy! It’s Wood!

• As of 9/2015, we have 990+ separate AWS accounts

• We use Splunk™ as our logging platform

• Partner with 3rd party to add value

• Operate a 24/7 SOC to trigger on AWS incidents

  • Compliance

  • Security

• Ingest CloudTrail/S3/ELB/etc. into unified logs

• Send all logs into TAP for further aggregation and alerts

• Looking to migrate to Hunk/EMR as future directions?

Page 14: (SEC326) Security Science Using Big Data

Using Logs to Profile Drift from Standards

(Diagram labels: AWS accounts, AWS CloudTrail, Amazon EC2, Amazon S3, Amazon Glacier, Threat intel, Ingestion, Security tools & data, Security science, Insights)

Page 15: (SEC326) Security Science Using Big Data

Benefits of Unified Logs

• Single pane of glass to see everything

• Allows complex queries and lookups

Page 16: (SEC326) Security Science Using Big Data

Egress Monitoring + Threat Intel to Detect Misuse

(Diagram labels: EC2, Subnet, VPC, Account, Ingestion)

Page 17: (SEC326) Security Science Using Big Data

Incident Handling Triggered on Events?

• Use triggers/reports on AWS usage patterns

• Detect misuse early
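The egress-monitoring slide and the trigger slide above describe one pipeline: egress records are joined against a threat-intel feed and against the EC2 → Subnet → VPC → Account hierarchy, and the result is what the SOC triggers on. The Python below is an added example, not code from the talk or from Intuit; the feed, the inventory, the egress records and their field names are all constructed placeholders. It collapses repeated hits between one instance and one destination into a single enriched alert, so a trigger fires once per conversation rather than once per flow, and rolls the alerts up per account for the usage-pattern report.

```python
import ipaddress
from collections import defaultdict

# Constructed threat-intel feed: addresses and CIDR ranges from the RFC 5737
# documentation space (not a real feed).
THREAT_INTEL = [ipaddress.ip_network(n)
                for n in ("203.0.113.0/24", "198.51.100.23/32")]

# Constructed asset inventory: instance -> subnet -> VPC -> account, the
# hierarchy drawn on the slide.  Identifiers are placeholders.
INVENTORY = {
    "i-0aaa": {"subnet": "subnet-a1", "vpc": "vpc-01", "account": "111111111111"},
    "i-0bbb": {"subnet": "subnet-b2", "vpc": "vpc-02", "account": "222222222222"},
}

# Constructed egress records; field names are assumptions.
EGRESS = [
    {"instance": "i-0aaa", "dst": "192.0.2.10",    "dport": 443,  "bytes": 5120, "ts": 1_443_657_600},
    {"instance": "i-0aaa", "dst": "203.0.113.45",  "dport": 4444, "bytes": 900,  "ts": 1_443_657_660},
    {"instance": "i-0aaa", "dst": "203.0.113.45",  "dport": 4444, "bytes": 1200, "ts": 1_443_661_260},
    {"instance": "i-0bbb", "dst": "198.51.100.23", "dport": 443,  "bytes": 40,   "ts": 1_443_657_700},
    {"instance": "i-0bbb", "dst": "198.51.100.24", "dport": 443,  "bytes": 40,   "ts": 1_443_657_760},
]


def intel_match(ip, intel=THREAT_INTEL):
    """Return the matching indicator as a string, or None when the address is clean."""
    addr = ipaddress.ip_address(ip)
    for net in intel:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def egress_alerts(records, inventory=INVENTORY, intel=THREAT_INTEL):
    """Join egress records against threat intel and the asset hierarchy, and
    collapse repeated hits from one instance to one destination:port into a
    single alert so the SOC gets one trigger per conversation."""
    grouped = {}
    for r in records:
        indicator = intel_match(r["dst"], intel)
        if indicator is None:
            continue
        key = (r["instance"], r["dst"], r["dport"])
        if key not in grouped:
            asset = inventory.get(r["instance"], {})
            grouped[key] = {
                "account": asset.get("account", "unknown"),
                "vpc": asset.get("vpc", "unknown"),
                "subnet": asset.get("subnet", "unknown"),
                "instance": r["instance"], "dst": r["dst"], "dport": r["dport"],
                "indicator": indicator, "hits": 0, "bytes": 0,
                "first_seen": r["ts"], "last_seen": r["ts"],
            }
        a = grouped[key]
        a["hits"] += 1
        a["bytes"] += r["bytes"]
        a["first_seen"] = min(a["first_seen"], r["ts"])
        a["last_seen"] = max(a["last_seen"], r["ts"])
    return sorted(grouped.values(), key=lambda a: (a["account"], a["first_seen"]))


def hits_per_account(alerts):
    """Roll alerts up per AWS account for the usage-pattern report."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["account"]] += 1
    return dict(counts)


if __name__ == "__main__":
    alerts = egress_alerts(EGRESS)
    for a in alerts:
        print(f"[{a['account']}/{a['vpc']}/{a['subnet']}/{a['instance']}] "
              f"-> {a['dst']}:{a['dport']} matched {a['indicator']} "
              f"({a['hits']} flows, {a['bytes']} bytes)")
    print(hits_per_account(alerts))
```

The account, VPC and subnet fields are what turn a raw indicator match into something the SOC can act on: they identify whose instance it is and which network boundary the traffic crossed. The unmatched flows to 192.0.2.10 and 198.51.100.24 produce no alert, which is the "find misuse without blocking" posture from the future-directions slide: observe, enrich, trigger, and leave enforcement to a separate decision.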

Page 18: (SEC326) Security Science Using Big Data

Diving Through the Unified Views

Using combined views of data to find underlying patterns

Page 19: (SEC326) Security Science Using Big Data

Steer PD to “Ensure Apps are Secure”

• Develop insights to illustrate the rationale behind CST

• Win over the PD teams to use the CST model

• Increase overall security posture by illuminating security gaps

• Help PD teams overcome friction on security issues

• Create tooling to allow PD teams to self educate

• Guide them to right decisions via scoring

• Allow them to model scoring impacts before implementation

Page 20: (SEC326) Security Science Using Big Data

Portal – Gateway to Success in Cloud Adoption

• Displays account details

• Education access

• Tools to help scale

Page 21: (SEC326) Security Science Using Big Data

Why Focus on This?


Page 22: (SEC326) Security Science Using Big Data

Why is Scoring Important?

• Grades are powerful motivators

• Allows the PD leader to drill down

  • Why am I failing?

  • Where am I using that?

• But, then what?

Page 23: (SEC326) Security Science Using Big Data

CVSS modeling

• How do the decisions I make affect my grading scores?

• How frequently do I have to restack?

• What is the impact of package choices?

  • Ruby or Python?

  • MySQL or Postgres?

  • Apache or Nginx?

Page 24: (SEC326) Security Science Using Big Data

Future directions

• Continue to create tooling for PD teams

• Encryption methods vs. cracking costs

• Key rotation tempo vs. re-encryption speed/costs

• Deep dive on DNS queries

• Find misuse without blocking

• Redirection for laptops, cloud, & Datacenter for intel gathering

Page 25: (SEC326) Security Science Using Big Data

Wrap up

• Join DevSecOps Community via LinkedIn, GitHub, and Twitter

  • DevSecOps.org

  • linkedin.com/grp/home?gid=6817408

  • github.com/devsecops

  • twitter.com/devsecops

• Assess your org's cloud adoption strategy, security requirements and work backwards

• Bring science into your security decisions.

Page 26: (SEC326) Security Science Using Big Data

Related Sessions

• BDT205 - Your First Big Data Application on AWS

• SEC308 - Wrangling Security Events in the Cloud

• SEC320 - AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance

• SEC402 - Enterprise Cloud Security via DevSecOps 2.0

Page 27: (SEC326) Security Science Using Big Data

Remember to complete your evaluations!

Page 28: (SEC326) Security Science Using Big Data

Thank you!