Updating Security Operations for the Cloud
Learn how to increase the effectiveness of your security operations as you move to the cloud. We will discuss how your current incident response, forensic investigations, monitoring, and audit response tactics have to change in the cloud. Pulling from experiences helping clients move to the cloud, industry research, and the school of hard knocks, this talk will help provide practical advice you can apply today.

Published in: Technology
1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Updating Security Operations For The Cloud. Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro. 26-Mar-2014
2. Overview
3. Strategy. Tactics
4. Tactics
5. Tactics: Auditing; Monitoring; Incident Response; Forensic Investigations
6. Traditional Responsibility Model. You: Operating System; Application; Account Management*; Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure
7. Shared Responsibility Model. You: Operating System; Application; Account Management*; Security Groups*; Network Configuration*. AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure
8. Our story
9. Hybrid architecture: On-premises; Cloud
10. Full architecture. On-premises: Payment; Client Data. AWS: Payment; Games; Store; Logs; Content; Viewers; Client Data
11. Full architecture, expansion. AWS: Payment; Games; Store; Logs; Content; Viewers; Client Data. On-premises: Payment; Client Data
12. Full architecture, AWS services. AWS: Payment; Games; Store; Logs; Content; Viewers; Client Data (Amazon EC2, Amazon EC2, Amazon EC2, Amazon CloudFront, Amazon S3, Amazon EC2, Amazon RDS). On-premises: Payment; Client Data
13. Structure: Before; After; Bonus
14. Auditing
15. PCI Compliance
16. Requirements: Encrypting data at rest (3.4.1); Address new threats & vulnerabilities (6.6); Log external facing services & defences (10.2, 10.5.4); Protect systems against malware (5.1). * PCI has many, many more requirements; this is just a sample
17. Creating an audit trail, before. On-premises: Servers; Storage Area Network; Firewall; IPS; Central logging
18. Creating an audit trail, after. On-premises: Payment; Client Data. AWS: Amazon CloudTrail; EC2 instances; Central management; Amazon S3; Amazon CloudFront; Amazon RDS
19. Creating an audit trail, bonus points. You get: Record of changes via AWS CloudTrail; Security control reporting via Deep Security's API. Why it matters: Regular assurance controls are in place
20. In action…
21. Monitoring
22. Visibility
23. Requirements: Basic event info (4W+H); Context of the event; Consistent identity across environments; Timely
24. Visibility, before. On-premises: Firewall; IPS; Central logging; SIEM; Switch; Switch; Switch; Directory Server
25. Visibility, after. AWS: Amazon CloudTrail; EC2 instances; Amazon S3 Bucket; Amazon CloudFront; Amazon RDS. Central logging; SIEM; Amazon S3
26. Visibility, bonus points. You get: More work to put together events; Richer context around events. Why it matters: Visibility is key to your security practice
27. In action…
28. Incident Response
29. Under pressure
30. SANS incident response process: Preparation (Get ready!); Identification (What is it?); Containment (Did we get it?); Eradication (Is it gone?); Recovery (Again?); Lessons Learned (Get better, fast!)
31. Requirements: Quickly identify affected area; Minimize impact; Recover quickly
32. Incident Response, before. On-premises: Server; Analysis; Report; Replacement; Improve
33. Incident Response, after. AWS: Server; Analysis; Report; Replacement; Improve
34. Incident Response, bonus points. You get: Faster return to production; More time for analysis. Why it matters: Every minute of downtime counts
35. In action…
36. Optimized Response: Server; Analysis; Report; Analyst; Log Processor; Replacement; API; Improve
37. Forensic Investigations
38. Rinse & Repeat
39. Perception
40. Reality
41. Reality, visualized
42. Requirements: Repeatable; Account for & prove each step; Not get in the way of recovery; Heavily documented
43. Forensics, before. On-premises: Server; Logs; Analysis; Testimony
44. Forensics, after. AWS: Instance; Logs; Analysis; Testimony
45. Forensics, bonus points. You get: Faster analysis & lower costs; Ability to replicate entire environment. Why it matters: Legal requirements; Better defences
46. In action…
47. Original; Concurrent Analysis; Examiner; Copy 0; Copy 1; Copy 2; Commands
48. Keys
49. Auditing; Monitoring; IR; Forensics
50. Thank you. Mark Nunnikhoven, mark_nunnikhoven@trendmicro.com, @marknca