shared security in aws

Shared Security in AWS

March 2017

Peter GordonCloud Security Architect APAC

Agenda

• Shared Security Model recap• Common threats & consequences• Ransomware and the cloud• Mapping controls to the SSM

Sophos and AWS

• Sophos is a Security Competency Partner• Have had the UTM on the AWS Marketplace since 2011• Solutions that integrate with several AWS services

Auto ScalingAmazon S3CloudFormationElastic Load Balancing

Customer is responsible for security ‘in’ the

Cloud

AWS takes care of the security ‘of’ the Cloud

AWS Shared Security Model overview

Common threats

•Web application attacks, such as SQLi and XSS• DoS and DDoS• Ransomware• Exploits• Brute force attacks

Consequences

• Data breacho User data / passwordso Financial infoo Now mandatory disclosure in Australia (for some)

• Loss of data o Encryption by ransomware

• Hijacked servers o Used as malware delivery serverso Participation in DDoS attackso Stepping stone to bigger target

• Time and cost of restoration of systems and data

7

Servers are critical assets

• Corporate / proprietary data on network shares•Web site content• Higher value targets for ransomware• Performance and availability critical for servers

Ransomware and AWS – really?

• Traditionally an end point problem, but…o Mapped drives get hit tooo Compromised web servers may be used

to spread the malwareo Some attacks encrypt web server fileso Can be delivered through an exploit kito Brute force RDP attacks

Anatomy of a Ransomware Attack

Exploit Kit or Spam with Infection

Command & Control Established

Local Files are Encrypted

Ransomware deleted, Ransom

Instructions delivered

10

Why customers need more security

• Security Groups and NACLso Port or IP filteringo No traffic or application visibilityo Unable to prevent attacks in trusted

portso No malware protection = no

ransomware protection

• Security vendorso Application controlo Forward proxy with filteringo Web Application Firewall*o Stateful Firewall and IPSo Anti-Malwareo Traffic visibility

Security Controls to address Shared Security Model

Application Security

Data Encryption

Access Control

VPC / SG / NACL

AWS Web Services

DatabaseStorageComputeNetworking

Application Updates

HIPSCustomer is expected to add protection layers

WAF

VPN

NGFW Outbound Proxy

Host Hardening

Customer updates OS and Applications

Availability ZonesRegions

Edge Locations

AWS Global Infrastructure

OS Updates NIPS

AV/NG

Customer configures AWS security features

Customer is responsible for security ‘in’ the

Cloud

AWS takes care of the security ‘of’ the Cloud

App Control

Further Mitigations

• Backup, backup, backup…• Block communications to C&C servers• Monitor and block encryption behaviour on servers• Reduce attack surface - Server lockdown / application

whitelisting• Patch your ec2 instances! OS and Applications• DDoS mitigation services (e.g. AWS Shield)• Other regular corporate security controls

• User education and user security controls (email etc)

What is Sophos doing?

• Various deployments of UTM (FW/WAF/IPS/VPN/Proxy)o Standaloneo HAo Auto-scaling

• Server host protection integrates with AWS• Phishing education for users

14