Automating your AWS Security Operations
TRANSCRIPT
Page 1: Automating your AWS Security Operations
Securing your data on AWS
Pat McDowell, Solutions Architect at AWS
Tim Prendergast, CEO and Co-Founder at Evident.io
Shannon Lietz, DevSecOps Leader at Intuit
Page 2
Your data and IP are your most valuable assets
$6.53M: average cost of a data breach
56%: increase in theft of hard intellectual property
70% of consumers indicated they’d avoid businesses following a security breach
Sources: https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
Page 3
AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
Page 4
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
Page 5
Constantly monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Use VPC Flow Logs to monitor and analyze network traffic to your instances
Page 6
Highly available
The AWS infrastructure footprint protects your data from costly downtime:
• 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
Page 7
Integrated with your existing resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
Page 8
Key AWS Certifications and Assurance Programs
Page 9
Page 10
Security Automation is a key differentiator for cloud companies
Page 11
You are responsible for protecting your data/assets
Customer: Security on the Cloud
• Customer Data
• Applications; Identity & Access Management
• OS, Network, Firewall
• Client-side Encryption
• Server-side Encryption
• Network Traffic Protection
AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)
Page 12
You have a huge quantity of intelligence to process
This is just a SUBSET of an average company’s data flows
Amazon Elasticsearch
Page 13
The Human Challenge
Humans have finite scale…
Page 14
…Then we turn to automation.
Page 15
Security breach
Page 16
Why automate Security?
We’re less than one million security professionals short of “equilibrium” and lagging…
Page 17
Why automate Security? Alert Psychology proves that fatigue destroys process
No matter how good your process is, Alert Fatigue will trump it…
Page 18
The fallacy of choice…
As infrastructure and software delivery accelerate, there is no alternative.
Page 19
Security Automation is good for everyone
• DevOps builds Value
• Security builds Trust
• Customers / businesses need Trust and Value
Page 20
Evident Security Platform (ESP)
• Built by cloud pioneers from Adobe, AWS, and Netflix
• Agentless deployment (<5 mins)
• Continuous security scanning & alerting across several AWS Services
• Aligns your Security and DevOps teams on protecting cloud assets
• Tracks security state to support audit, compliance, and incident response needs
Page 21
Evident & Intuit
Leader in Cloud Security Automation & Innovation + Leader in DevSecOps
Page 22
Cloud Security Operations
“boldly go where no human has gone before…”
Shannon Lietz, DevSecOps Leader at Intuit, @devsecops
Page 23
The Context… Cloud Security Operations
Imagine: Software defined security. Thousands of changes a day. The biggest “big data” problem.
[Chart: Mean Time to Resolution (MTTR): 6 months]
Fast MTTR…the final frontier
Page 24
So what hinders “secure” innovation @ speed & scale?
1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
SECURITY IS LAST MINUTE, UNPLANNED, UNSCHEDULED WORK… BUMMER!!!!
Page 25
In the Cloud, Everything is Code
Page 26
Let’s switch some things around… (diagram labels contrasting Data Center and Cloud)
Data Center, Network, Servers, Virtualization, Operations, Platforms, Buyer Identifier, Cloud Account(s), Virtual IP Addresses, Containerization, Appliances, Storage, Security Features, Applications, Ephemeral Instances, Scale on Demand, IAAS, PAAS, SAAS, Resource Testing, Built-In Security, Long-Term Contracts, Partner Marketplaces, Slow-ish Decisions, Experiments
Page 27
Software Defined Security
Requires significant intimate knowledge, context & understanding.
Critical Cloud Security Operations Elements:
– Zoning & Blast Radius Containment
– Instrumentation & Monitoring to create the feedback loop
– Security as Code Platform (Whitelisting, Encryption, Authorization)
– API Catalog & Testing for the Full Stack
– Asset Inventory & Hardened Baselines [Software, Services, Components, etc.]
Page 28
The Basic Cloud Model (diagram)
Cloud Provider Network: Backbone; Cloud Platform (Orchestration): Network, Compute, Storage
Cloud Account(s): Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management
Partner Platform, Internet, Backbone
Page 29
Developers have lots of options…
Page 30
Reality… (diagram labels: two Data Centers, the Internet, and five Cloud Provider Networks)
Page 31
And Attackers also have lots of options… (diagram: Victims, Attackers)
Page 32
Shift controls & mindset
Security Monitoring
Page 33
Cloud Security Operations in the Cloud… Monitor & Inspect Everything
(diagram labels: cloud accounts: S3, Glacier, EC2, CloudTrail; ingestion; security tools & data; security science; insights; threat intel; continuous response; security feedback loop (speed matters))
Page 34
What’s this look like in practice?
Etc…Etc…Etc…
Page 35
Account Sharding is a new control!
Splitting cloud workloads into many accounts has a benefit. Accounts should contain less than 100% of a cloud workload. Works well with APIs; works dismally with forklifts. What is your appetite for risk?
(diagram: Cloud Workload Templates deployed into three Cloud Accounts on the Cloud Provider Network, 33% each, facing an Attacker)
Page 36
Long live APIs…
Everything in the cloud should be an API, even Security… Protocols that are not cloudy should not span across environments. If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
– Messaging
– Databases
– File Transfers
– Logging
(diagram labels: Cloud Provider Network; Tested machine image… Tested instances... Tested roles... Tested passwords...; New instance created… Instance 12345 changed… User ABC accessed Instance 12345...; User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing, Messaging, My API)
Page 37
Host-Based Controls
Shared Responsibility and Cloud require host-based controls. Instrumentation is everything! Fine-grained controls require more scrutiny and bigger big data analysis.
Agents & Outbound Reporting to an API are critical.
(diagram labels: Instances on the Cloud Provider Network; Tested machine image… Tested instances... Tested roles... Tested passwords...; New instance created… Instance 12345 changed… User ABC accessed Instance 12345...)
Page 38
Don’t Hug Your Instances…
Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
Make sure to keep a snapshot for forensic and compliance purposes.
Use config management automation to make changes part of the stack.
Refresh routinely; refresh often!
(callout: 10 DAYS)
Page 39
Overcoming Inconvenience
Use built-in transparent encryption when possible. Use native cloud key management and encryption when available. Develop backup strategies for keys and secrets. Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor. Use APIs to exchange data and rotate encryption.
Page 40
Migrating Security to the Left where it can get built-in
(diagram: design → build → deploy → operate)
Questions along the pipeline: How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How?
Typical gates for security checks & balances.
Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits.
Most costly mistakes happen during design.
Security is a Design Constraint.
faster security feedback loop
Page 41
Use Cloud Native Security Features...
Cloud native security features are designed to be cloudy. Audit is a primary need! Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
Be deliberate about how to use built-in security controls and who has access.
Page 42
Secure Baselines & Patterns help a lot!
(diagram: templates, resources, patterns, services)
• Security Monitoring
• Egress Proxy CFn Template
• Bastion CFn Template
• Secure VPC CFn Template
• CloudTrail CFn Template
• Secrets Bundle
• MarketPlace
Page 43
Fanatical Security Testing
• static: UX & Interfaces, Micro Services, Web Services, Code, CFn Templates
• dynamic: Build Artifacts, Deployment Packages, Resources, Patterns & Baselines
• run-time: Security Groups, Account Configuration, Real-Time Updates, Patterns & Baselines
Page 44
Red Team, Security Operations & Science
• API Key Exposure -> 8 hrs
• Default Configs -> 24 hrs
• Security Groups -> 24 hrs
• Escalation of Privs -> 5 days
• Known Vuln -> 8 hrs
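The "monitor and inspect everything" loop of slide 33 applied to the finding classes of slide 44, as an added example that is not part of the deck or of any product it mentions: CloudTrail records are classified, and each hit is stamped with the slide's time window. The records, users and group ids are constructed, and reading the slide's times as remediation deadlines is an assumption made here.

```python
"""Added example (not from the deck): classify CloudTrail records into two of
the slide 44 finding classes and track each hit against the slide's window.
Records are constructed; field names follow the CloudTrail record format."""
from datetime import datetime, timedelta

# Windows from slide 44 (finding class -> allowed time); "5 D" read as 5 days
WINDOW = {
    "API Key Exposure": timedelta(hours=8),
    "Default Configs": timedelta(hours=24),
    "Security Groups": timedelta(hours=24),
    "Escalation of Privs": timedelta(days=5),
    "Known Vuln": timedelta(hours=8),
}

# Constructed CloudTrail records (a subset of the real record fields)
RECORDS = [
    {"eventTime": "2016-03-01T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"groupId": "sg-0000aaaa", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "dev-bob"},
     "requestParameters": {"userName": "dev-bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-03-01T10:06:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "dev-alice"}, "requestParameters": None},
]

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def classify(record):
    """Return (finding class, detail) for a suspicious record, else None."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name == "AuthorizeSecurityGroupIngress":
        # Security Groups: an ingress rule opened to the whole Internet
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    return ("Security Groups",
                            f"{params.get('groupId')} port {perm.get('fromPort')} open to 0.0.0.0/0")
    if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
        # Escalation of Privs: the managed admin policy attached to a principal
        if params.get("policyArn", "").endswith("/AdministratorAccess"):
            return ("Escalation of Privs", f"AdministratorAccess attached via {name}")
    return None

def findings(records):
    """Each finding carries the deadline implied by its slide 44 window."""
    out = []
    for rec in records:
        hit = classify(rec)
        if hit:
            opened = parse_time(rec["eventTime"])
            out.append({"class": hit[0], "detail": hit[1], "opened": opened,
                        "actor": rec["userIdentity"].get("userName"),
                        "deadline": opened + WINDOW[hit[0]]})
    return out

def overdue(items, now_text):
    """Findings still open past their window at now_text (ISO time, Z suffix)."""
    now = parse_time(now_text)
    return [f for f in items if now > f["deadline"]]
```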
Page 45
Cloud Security Disaster Recovery & Forensics is a different animal…
Regional recovery is not enough to cover security woes. Security events can quickly escalate to disasters. Got a disaster recovery team? Multi-Account strategies with separation of duties can help. Don’t hard code if you can help it. Encryption is inconvenient, but necessary…
(diagram: Cloud Workload Templates and Disaster Templates deployed across several Cloud Accounts on the Cloud Provider Network, 50% each)
Page 46
Compliance Operations as Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Page 47
Code can solve the great divide
Paper-resident policies do not stand up to constant cloud evolution and lessons learned. Translation from paper to code can lead to mistakes. Traditional security policies do not 1:1 translate to Full Stack deployments.
Data Center:
• Lock your doors
• Badge in
• Authorized personnel only
• Background checks
Cloud Provider Network:
• Choose strong passwords
• Use MFA
• Rotate API credentials
• Cross-account access
EVERYTHING AS CODE
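Two of the cloud-side policy bullets above ("Use MFA", "Rotate API credentials") written as code, as an added example that is not part of the deck: the check runs over an IAM credential report of the kind `aws iam generate-credential-report` produces. The CSV is constructed and carries only a subset of the real report's columns, and the 90-day rotation window is an assumed policy value, not one from the slides.

```python
"""Added example (not from the deck): slide 47's paper policy as code,
evaluated against an IAM credential report. The report below is constructed
(subset of the real columns); the 90-day key age is an assumed policy value."""
import csv
import io
from datetime import datetime, timedelta

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation window, not from the deck

# Constructed credential report; real reports carry more columns
REPORT_CSV = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,true,true,2016-02-01T09:00:00+00:00,false,N/A
bob,true,false,true,2015-10-15T09:00:00+00:00,false,N/A
deploy-bot,false,false,true,2016-01-20T09:00:00+00:00,true,2015-09-01T09:00:00+00:00
"""

def parse_ts(value):
    """Report timestamps look like 2016-02-01T09:00:00+00:00; N/A means never."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def check_user(row, now):
    """Return the list of policy violations for one report row."""
    violations = []
    # Policy "Use MFA": every principal with a console password needs MFA
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        violations.append("console password without MFA")
    # Policy "Rotate API credentials": active keys must be younger than MAX_KEY_AGE
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                violations.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
    return violations

def evaluate(report_csv, now_text):
    """Map user -> violations for every non-compliant row; now_text is 'YYYY-MM-DDTHH:MM:SS'."""
    now = datetime.strptime(now_text, "%Y-%m-%dT%H:%M:%S")
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = check_user(row, now)
        if problems:
            results[row["user"]] = problems
    return results

if __name__ == "__main__":
    for user, problems in evaluate(REPORT_CSV, "2016-03-01T00:00:00").items():
        print(user, "->", "; ".join(problems))
```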
Page 48
Security Decision Support
Page 49
Speed & Ease can increase security!
Fast remediation can remove an attack path quickly. Resolution can be achieved in minutes compared to months in a datacenter environment. Continuous Delivery has an advantage of being able to publish over an attacker. Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
(diagram: APP/DB stacks labelled ATTACKED, FORENSICS, RECOVERED)
Page 50
This could be your MTTR…
[Chart: Mean Time to Resolution (MTTR): 6 months]
Page 51
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity