AWS Chicago user group meetup on June 24, 2014
TRANSCRIPT
![Page 1: AWS Chicago user group meetup on June 24, 2014](https://reader034.vdocument.in/reader034/viewer/2022042717/55d567c2bb61eb645e8b45a8/html5/thumbnails/1.jpg)
Organizer: Margaret Walker, CohesiveFT. Tweet: @MargieWalker #AWSChicago
Sponsored by
Hosted by
#AWSChicago
Page 2
AWS Chicago Meetup
July?
Page 3
Agenda
6:00 pm Introductions
6:10 pm Lightning Talks
• “Live from DC!” - Ben Hagen, Senior Cloud Security Engineer at Netflix, @benhagen
• “Securing your AWS installation” - Bryan Murphy, Technical Architect at Mediafly, @bryanmurphy
• “Advanced Monitoring and Detection on Linux-based workloads in AWS” - Aaron Botsis, Lead Product Manager at ThreatStack, @aaronb
• “AWS Security best practices” - Mattew Long, Founder and CEO at roZoom, Inc, @mlong168
6:30 pm Q & A
7:00 pm Networking, drinks and pizza
Page 4
“Live from DC!”
Ben Hagen, Senior Cloud Security Engineer at Netflix
Tweet: @benhagen #AWSChicago
Page 5
“Securing your AWS installation”
Bryan Murphy, Technical Architect at Mediafly
Tweet: @bryanmurphy #AWSChicago
Page 6
Safe Harbor Statement: Our discussions may include predictions, estimates or other information that might be considered forward-looking. While these forward-looking statements represent our current judgment on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our opinions only as of the date of this presentation. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events. Throughout today’s discussion, we will attempt to convey some important factors relating to our business that may affect our predictions.
© 2006-2014 Mediafly, Inc. | Confidential
Infrastructure Security Best Practices on Amazon Web Services
Bryan Murphy
Page 7
Who am I?
• Mediafly, Inc.: Technical Architect. Back-end services, video processing, scaling and architecture
• Mobitrac, Inc.: Senior Developer. Travelling salesman problem, routing algorithms, and mapping
• RBC/Centura Mortgage: Lead Web Developer. Online loan officer hosting platform and rate search engine
Page 8
Who are we?
“The Content Mobility Cloud”
We process and store highly sensitive content for Fortune 500 customers, and deliver that content to white-labeled mobile apps and the web
• Sales presentations and selling collateral
• Pre-release/pre-air video
Customers include:
• Global banks
• Leading consumer-packaged goods companies
• TV and theatrical studios
Small, passionate, growing team
• We are hiring! Search mediafly careers
Page 9
Infrastructural Security
Three major areas:
Content
● Keeping content encrypted from ingest through delivery
● E.g. key exchange, at-rest encryption, DRM, more
Infrastructure
● Hardening server security while ensuring reliability, performance and low cost
● E.g. users and roles, VPC, server bootstrapping
Operations
● Ensuring procedures and personnel keep content secure
● E.g. managing account termination, principles of least privilege
Page 10
Secure All Communication
The cloud is a hostile environment
• Service limitations (no private load balancers, security group limits)
• Network limitations (no multicast, no shared ip addresses, etc.)
• Noisy neighbors
• Malicious third parties
What to do:
• SSL/TLS everywhere
• Encrypt: transports, configuration, data, binaries
• Use standard tools (openssl/gnupg)
• Implement authorization for internal services
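Added example for the last bullet, "implement authorization for internal services". This is not Mediafly's code; the service names, the shared-secret scheme and the permission table are assumptions for illustration. TLS protects the transport, but the receiving service still has to establish which caller is speaking and whether that caller may hit this endpoint. The block signs each request with HMAC-SHA256 over a canonical string (caller, method, path, timestamp, body hash), rejects stale timestamps to limit replay, compares signatures in constant time, and only then consults a per-caller allow list, so each service carries its own credential with the smallest permission set it needs.

```python
"""HMAC-authenticated requests between internal services (added example,
not the talk's own code).  Secrets and permissions are constructed."""
import hashlib
import hmac
import time

# Constructed per-service secrets: one key per caller, never shared.
SERVICE_KEYS = {
    "video-encoder": b"encoder-secret-EXAMPLE-ONLY",
    "web-frontend": b"frontend-secret-EXAMPLE-ONLY",
}
# Constructed permissions: the smallest set of endpoints each caller needs.
SERVICE_PERMISSIONS = {
    "video-encoder": {"POST /jobs/complete"},
    "web-frontend": {"GET /assets", "POST /jobs"},
}
MAX_SKEW_SECONDS = 300  # replay window: reject timestamps further away than this


def canonical_string(service, method, path, timestamp, body):
    """Bind every field the receiver will act on into the signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([service, method, path, str(timestamp), body_hash]).encode()


def sign_request(service, method, path, body, timestamp=None):
    """Caller side: return the headers to attach to an outgoing request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(SERVICE_KEYS[service],
                   canonical_string(service, method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {"X-Service": service, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Receiver side: returns (ok, reason).  Authenticates the caller first,
    then authorizes it against its endpoint allow list."""
    now = int(time.time()) if now is None else now
    service = headers.get("X-Service")
    if service not in SERVICE_KEYS:
        return False, "unknown service"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(SERVICE_KEYS[service],
                        canonical_string(service, method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    if f"{method} {path}" not in SERVICE_PERMISSIONS[service]:
        return False, "not authorized for this endpoint"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"job": 42}'
    hdrs = sign_request("video-encoder", "POST", "/jobs/complete", body)
    print(verify_request(hdrs, "POST", "/jobs/complete", body))
```

Because the body hash is part of the signed string, a proxy or a compromised neighbour cannot swap the payload while keeping the headers; the timestamp check bounds how long a captured request stays valid even if it is replayed over a valid TLS session.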
Page 11
Authorization and Access Control
Restricted Access
• Many credentials, limited permissions
• Restricted one-time-use accounts or accounts with expiration where possible
Protecting Credentials
• Use public key cryptography
• Store encrypted credentials in source control
IAM Accounts vs. Roles
• Roles: good for isolated servers, boot
• Accounts: good for services, users
DENIED!
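Added example for "many credentials, limited permissions": a small evaluator that mirrors the order in which AWS IAM applies policy statements, so a role's policy can be unit-tested against the requests it should and should not be able to make before it is attached. This is not Mediafly's code and not the AWS evaluator; the policies, bucket names and request list are constructed. The rules modelled are the documented ones: a request is denied by default, an Allow statement grants it, and an explicit Deny wins over any Allow. Matching with fnmatch is a simplification (IAM itself supports only * and ? in Action and Resource, and conditions are not modelled).

```python
"""IAM-style policy evaluation: explicit deny > allow > implicit deny
(added example, not AWS's evaluator).  Policies are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Simplification: fnmatch wildcards stand in for IAM's * and ?.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    decision = "IMPLICIT_DENY"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"   # nothing can override an explicit deny
            if stmt["Effect"] == "Allow":
                decision = "ALLOW"       # keep scanning: a later Deny still wins
    return decision


# Constructed policy for a hypothetical encoder role: read/write under one
# prefix only, plus an explicit deny on deletes across the whole bucket.
ENCODER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-media/encoder/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-media/*"},
    ]},
]


def least_privilege_report(policies, requests):
    """Run (action, resource) pairs through the policies and map each to its
    decision; this is the check to run before attaching a new role."""
    return {f"{a} {r}": evaluate(policies, a, r) for a, r in requests}


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-media/encoder/in.mp4"),
        ("s3:GetObject", "arn:aws:s3:::example-media/finance/q2.xlsx"),
        ("s3:DeleteObject", "arn:aws:s3:::example-media/encoder/in.mp4"),
        ("iam:CreateUser", "*"),
    ]
    for line, decision in least_privilege_report(ENCODER_POLICIES, checks).items():
        print(f"{decision:14} {line}")
```

The report makes the slide's "DENIED!" concrete: the encoder can touch its own prefix, is implicitly denied everything it was never granted (another prefix, IAM), and is explicitly denied deletes even inside its own prefix.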
Page 12
Isolate Services and Customers
Isolation
• Isolate services and environments from each other using bulkheads
• Examples: VPN, ssh proxy, REST API, message queues
Stateless Servers
• Deliver credentials as needed using public key cryptography
• Execute in sandbox
• Purge sandbox on completion
Page 13
Verification
Automated Security Testing
Regular Audits
• Manual internal audits
• Third party automated testing
• Third party security audits
Logging
Monitoring
Page 14
Infrastructural Security is a Balancing Act
Secure vs. Flexible
Page 15
Thank you!
Bryan Murphy
twitter.com/bryanmurphy
twitter.com/mediafly
Page 16
“Advanced Monitoring and Detection on Linux-based workloads in AWS”
Aaron Botsis, Lead Product Manager at ThreatStack
Tweet: @aaronb #AWSChicago
Page 17
ADVANCED SECURITY MONITORING FOR THE CLOUD
Aaron Botsis @aaronb, @threatstack
Page 18
Page 19
who is logging into my (machines|applications|SaaS accounts)
what are they running
of running apps, which are making network activity, and where
every kernel module loaded, every library
every file created/modified/removed, everything!!!!
but why stop there?
Page 20
but aaron, why?
Page 21
Page 22
prevention fails
Page 23
thanks, aaron
Page 24
step 1: audit all of the things
• logins
• processes
• network activity
• file access
• kernel modules
• shared libraries
Page 25
```js
// `curl google.com` emits this:
{
  id: 1018103008,
  start: 1399236274,
  end: 1399236275,
  duration: 1,
  protocol: 'tcp',
  byte_count: 1195,
  packet_count: 11,
  src_ip_numeric: 3232300674,
  dst_ip_numeric: 1127355157,
  src_ip: '192.168.254.130',
  dst_ip: '67.50.19.21',
  src_port: 37814,
  dst_port: 80
}
```
by thinking inside the box
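Added example (not ThreatStack's code) that consumes flow records of the shape shown on the slide. The sample record is the slide's own; the consistency checks, the direction classification and the per-destination aggregation are added here. Because the record carries each address twice (numeric and dotted) and both timestamps plus a duration, a collector can reject malformed or tampered records cheaply before counting them, and the aggregation answers the slide's "which apps make network activity, and where" for the host that observed the flows.

```python
"""Normalize and aggregate host-side flow records (added example).  The
SAMPLE_FLOW dict is the slide's own record; everything else is constructed."""
import ipaddress
from collections import defaultdict

SAMPLE_FLOW = {  # copied from the slide: what `curl google.com` emitted
    "id": 1018103008, "start": 1399236274, "end": 1399236275, "duration": 1,
    "protocol": "tcp", "byte_count": 1195, "packet_count": 11,
    "src_ip_numeric": 3232300674, "dst_ip_numeric": 1127355157,
    "src_ip": "192.168.254.130", "dst_ip": "67.50.19.21",
    "src_port": 37814, "dst_port": 80,
}


def normalize_flow(raw):
    """Return a cleaned flow dict; raise ValueError if the record is inconsistent."""
    src = ipaddress.ip_address(raw["src_ip"])
    dst = ipaddress.ip_address(raw["dst_ip"])
    # The numeric and dotted forms must describe the same address.
    if int(src) != raw["src_ip_numeric"] or int(dst) != raw["dst_ip_numeric"]:
        raise ValueError("numeric and dotted IPs disagree")
    # The timestamps must agree with the reported duration.
    if raw["end"] < raw["start"] or raw["end"] - raw["start"] != raw["duration"]:
        raise ValueError("timestamps and duration disagree")
    return {
        "id": raw["id"],
        "protocol": raw["protocol"].lower(),
        "src": f"{src}:{raw['src_port']}",
        "dst": f"{dst}:{raw['dst_port']}",
        # Private source talking to a non-private destination: the host reached out.
        "direction": "outbound" if src.is_private and not dst.is_private else "other",
        "dst_is_public": dst.is_global,
        "bytes": raw["byte_count"],
        "packets": raw["packet_count"],
        "duration": raw["duration"],
    }


def bytes_by_destination(raw_flows):
    """Aggregate bytes per (protocol, destination) across a batch of records,
    skipping records that fail the checks.  Returns (totals, rejected_count)."""
    totals = defaultdict(int)
    rejected = 0
    for raw in raw_flows:
        try:
            flow = normalize_flow(raw)
        except ValueError:
            rejected += 1
            continue
        totals[(flow["protocol"], flow["dst"])] += flow["bytes"]
    return dict(totals), rejected


if __name__ == "__main__":
    print(normalize_flow(SAMPLE_FLOW))
    print(bytes_by_destination([SAMPLE_FLOW, SAMPLE_FLOW]))
```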
Page 26
step 2: build behavior profiles
does apache always spawn a shell?
does that shell always switch privs to root?
does root always make network connections to China?
Page 27
...by thinking outside the box
Page 28
step 3: anomalies help prevent
• behavior deviations help identify new attack vectors
devs know app best
• create rules to look for known misbehavior
• disable behavioral detection programmatically
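Added example (not ThreatStack's code) that puts steps 2 and 3 together over a constructed stream of audit events. Each event is a process execution with its parent, the user it ran as, and, where it made a connection, the destination country; the field names, the baseline, and the country-level view of "where" are assumptions standing in for whatever the real sensor records. A profile is learned from a baseline window, new events are scored against it (the three questions on the step 2 slide: lineage, privilege, destination), explicit rules encode misbehaviour the developers already know the app never exhibits, and behavioural scoring can be switched off programmatically while the rules stay on.

```python
"""Behaviour profile + rules detector over audit events (added example,
not ThreatStack's code).  All events and thresholds are constructed."""

# Constructed baseline: what this web host normally does.
BASELINE = [
    {"parent": "systemd", "exe": "apache2", "user": "www-data", "dst_country": None},
    {"parent": "apache2", "exe": "php-fpm", "user": "www-data", "dst_country": None},
    {"parent": "php-fpm", "exe": "php-fpm", "user": "www-data", "dst_country": "US"},
    {"parent": "cron", "exe": "logrotate", "user": "root", "dst_country": None},
    {"parent": "sshd", "exe": "bash", "user": "ops", "dst_country": None},
]

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_SERVERS = {"apache2", "httpd", "nginx"}
# Parents under which a root shell is an expected administrative action (assumption).
ADMIN_PARENTS = {"sudo", "su", "sshd", "cron", "systemd"}


class BehaviorProfile:
    """Step 2: remember which (parent, child), (exe, user) and (user, destination)
    combinations the host has been seen to produce."""

    def __init__(self):
        self.parent_child = set()
        self.exe_user = set()
        self.user_dst = set()

    def learn(self, events):
        for e in events:
            self.parent_child.add((e["parent"], e["exe"]))
            self.exe_user.add((e["exe"], e["user"]))
            if e["dst_country"]:
                self.user_dst.add((e["user"], e["dst_country"]))
        return self

    def deviations(self, e):
        """Describe each profile dimension in which this event is new."""
        found = []
        if (e["parent"], e["exe"]) not in self.parent_child:
            found.append(f"new process lineage {e['parent']} -> {e['exe']}")
        if (e["exe"], e["user"]) not in self.exe_user:
            found.append(f"{e['exe']} never ran as {e['user']}")
        if e["dst_country"] and (e["user"], e["dst_country"]) not in self.user_dst:
            found.append(f"{e['user']} never connected to {e['dst_country']}")
        return found


def known_misbehavior_rules(e):
    """Step 3, rules: things the developers know the app never does."""
    hits = []
    if e["parent"] in WEB_SERVERS and e["exe"] in SHELLS:
        hits.append("web server spawned a shell")
    if e["exe"] in SHELLS and e["user"] == "root" and e["parent"] not in ADMIN_PARENTS:
        hits.append("root shell outside an administrative parent")
    return hits


class Detector:
    """Combine rules (always on) with behavioural scoring (can be toggled)."""

    def __init__(self, profile):
        self.profile = profile
        self.behavioral_enabled = True

    def set_behavioral(self, enabled):
        """Switch anomaly scoring off/on programmatically, e.g. around a deploy
        that is expected to change the host's lineage and destinations."""
        self.behavioral_enabled = enabled

    def evaluate(self, event):
        alerts = [("rule", r) for r in known_misbehavior_rules(event)]
        if self.behavioral_enabled:
            alerts += [("anomaly", d) for d in self.profile.deviations(event)]
        return alerts


if __name__ == "__main__":
    det = Detector(BehaviorProfile().learn(BASELINE))
    for ev in [{"parent": "apache2", "exe": "sh", "user": "www-data", "dst_country": None},
               {"parent": "sh", "exe": "bash", "user": "root", "dst_country": "CN"}]:
        print(ev, det.evaluate(ev))
```

The split between the two alert kinds is the point of the slide: a rule fires with a precise reason and can be kept on at all times, while anomaly output depends on the baseline and is what gets muted during known changes rather than tuned away permanently.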
Page 29
Why DevOps? (…a tangent)
Page 30
bonus: detection
Page 31
thank you.
Page 32
“AWS Security best practices”
Mattew Long, Founder and CEO at roZoom, Inc
Tweet: @mlong168 #AWSChicago
Page 33
Page 34
About Me
President & CEO @roZoom
Twitter: @mlong168
Linkedin: http://linkd.in/T90u7l
Page 35
AWS Security: Act One
Page 36
Page 37
Page 38
To ensure a secure global infrastructure, AWS configures infrastructure components and provides services and features you can use to enhance security, such as the Identity and Access Management (IAM) service, which you can use to manage users and user permissions in a subset of AWS services. To ensure secure services, AWS offers shared responsibility models for each of the different types of service that we offer:
● Infrastructure services
● Container services
● Abstracted services
Page 39
Infrastructure Services
Page 40
Container Services
Page 41
Abstracted Services
Page 42
Security Best Practices: AWS Management Console/IAM
Page 43
Security Best Practices: AWS Management Console: Enable Two Factor Authentication
Page 44
Security Best Practices: AWS OS-Level Access to EC2
● Options for security of encryption keys:
○ Store on encrypted media
○ CloudHSM
○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8
○ Gazzang: http://bit.ly/1lNkO9m
● Options for OS-level authentication:
○ LDAP/Active Directory/Kerberos, etc.
○ Two-factor auth: Google Authenticator (http://bit.ly/1lNtwo5), Wikid, RSA
○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8
Page 45
Security Best Practices: Protecting Data at Rest
For regulatory or business requirement reasons, you might want to further protect your data at rest stored in Amazon S3, on Amazon EBS, Amazon RDS, or other services from AWS.
● Accidental information disclosure
● Data integrity compromise
● Accidental deletion
● System, infrastructure, hardware or software availability
Page 46
Security Best Practices: Protecting Data at Rest: S3
Page 47
Security Best Practices: Protecting Data at Rest: EBS
Page 48
Security Best Practices: Protecting Data at Rest: RDS/Databases/EMR, etc.
● Ensure you encrypt any sensitive information on disk or at the database level
● Always segment out the data layer from the application layer
● If access is required from outside of AWS regions or network, make sure you use SSL or VPC to encrypt data
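Added example (not from the talk, and not an AWS tool) of checking the three bullets above against an account inventory. It runs offline over a constructed inventory whose field names are assumptions, in the shape a script would build after normalizing the relevant describe calls (in a real account the data would come from the API, e.g. boto3's describe_volumes, describe_db_instances and describe_security_groups). It flags unencrypted EBS volumes, RDS storage and S3 buckets without default encryption; database security-group rules that admit sources outside the application subnets (the data layer leaking into or beyond the application layer); and databases that do not require SSL for client connections.

```python
"""Offline audit of at-rest encryption, data-layer segmentation and SSL
requirement over a constructed inventory (added example)."""
import ipaddress

# Constructed inventory; field names are assumptions for this example.
INVENTORY = {
    "ebs_volumes": [
        {"id": "vol-app-1", "encrypted": True, "attached_to": "app-1"},
        {"id": "vol-db-1", "encrypted": False, "attached_to": "db-1"},
    ],
    "rds_instances": [
        {"id": "db-1", "security_groups": ["sg-db"], "port": 5432,
         "storage_encrypted": False, "require_ssl": False},
    ],
    "s3_buckets": [
        {"name": "example-media", "default_encryption": "AES256"},
        {"name": "example-logs", "default_encryption": None},
    ],
    "security_groups": {
        "sg-app": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        "sg-db": {"ingress": [{"port": 5432, "cidr": "10.0.1.0/24"},
                              {"port": 5432, "cidr": "0.0.0.0/0"}]},
    },
    "app_subnets": ["10.0.1.0/24"],
}


def check_encryption_at_rest(inv):
    """Bullet 1: anything holding data should be encrypted on disk."""
    findings = []
    for v in inv["ebs_volumes"]:
        if not v["encrypted"]:
            findings.append(f"EBS volume {v['id']} attached to {v['attached_to']} is unencrypted")
    for db in inv["rds_instances"]:
        if not db["storage_encrypted"]:
            findings.append(f"RDS instance {db['id']} storage is unencrypted")
    for b in inv["s3_buckets"]:
        if not b["default_encryption"]:
            findings.append(f"S3 bucket {b['name']} has no default encryption")
    return findings


def check_data_layer_segmentation(inv):
    """Bullet 2: the data tier should accept its database port only from the
    application subnets; any wider source range is a finding."""
    allowed = [ipaddress.ip_network(c) for c in inv["app_subnets"]]
    findings = []
    for db in inv["rds_instances"]:
        for sg_id in db["security_groups"]:
            for rule in inv["security_groups"][sg_id]["ingress"]:
                if rule["port"] != db["port"]:
                    continue
                src = ipaddress.ip_network(rule["cidr"])
                if not any(src.subnet_of(a) for a in allowed):
                    findings.append(f"{db['id']}: {sg_id} allows port {rule['port']} "
                                    f"from {src}, outside application subnets")
    return findings


def check_ssl_required(inv):
    """Bullet 3: database connections should be forced onto SSL."""
    return [f"RDS instance {db['id']} does not require SSL"
            for db in inv["rds_instances"] if not db["require_ssl"]]


def run_audit(inv):
    return {
        "encryption_at_rest": check_encryption_at_rest(inv),
        "segmentation": check_data_layer_segmentation(inv),
        "ssl_required": check_ssl_required(inv),
    }


if __name__ == "__main__":
    for section, findings in run_audit(INVENTORY).items():
        print(section)
        for f in findings:
            print("  -", f)
```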
Page 49
Security Best Practices: Protecting Data in Transit
Page 50
Security Best Practices: Network Layering
Page 51
Security Best Practices: Other Topics
● DDoS Protection: Black Swan, Cloudflare, Cloudfront
● Monitoring and Alerting: Graylog2, Fluentd, Splunk, Cloudtrail
● Unified Threat Management: AlienVault
● Vulnerability Scanning: MetaSploit, Nessus
● IDS: Snort, OSSEC
● Web Application Firewalls: Imperva, Modsecurity
● Data Loss Prevention
● AWS VPC or Direct Connect for on-premise network access
● AWS Trusted Advisor Scanning or Nessus
Page 52
Page 53
Credits
Credits go to the following:
AWS Security Best Practices: http://bit.ly/T97y3I
Page 54
Q & A
Pizza’s almost here!