AWS Chicago user group meetup on June 24, 2014
All presentation slides for the Chicago AWS user group meetup held at Mediafly on June 24, 2014. Thanks to speakers:
Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen
Bryan Murphy, Technical Architect at Mediafly @bryanmurphy
Aaron Botsis, Lead Product Manager at ThreatStack @aaronb
Mattew Long, Founder and CEO at roZoom, Inc @mlong168

Thanks to sponsors:
Hosts: Mediafly
Beers and drinks: ThreatStack
Pizza: el el see
Organizers: CohesiveFT

See you in July!
RSVP here: http://www.meetup.com/Chicago-Amazon-Web-Services-Group/

Published in: Technology

  1. Organizer: Margaret Walker, CohesiveFT. Tweet: @MargieWalker #AWSChicago
     Sponsored by / Hosted by #AWSChicago
  2. AWS Chicago Meetup. July?
  3. Agenda
     6:00 pm Introductions
     6:10 pm Lightning Talks
       Live from DC! - Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen
       "Securing your AWS installation" - Bryan Murphy, Technical Architect at Mediafly @bryanmurphy
       "Advanced Monitoring and Detection on Linux-based workloads in AWS" - Aaron Botsis, Lead Product Manager at ThreatStack @aaronb
       "AWS Security best practices" - Mattew Long, Founder and CEO at roZoom, Inc @mlong168
     6:30 pm Q & A
     7:00 pm Networking, drinks and pizza
  4. "Live from DC!" - Ben Hagen, Senior Cloud Security Engineer at Netflix. Tweet: @benhagen #AWSChicago
  5. "Securing your AWS installation" - Bryan Murphy, Technical Architect at Mediafly. Tweet: @bryanmurphy #AWSChicago
  6. Infrastructure Security Best Practices On Amazon Web Services - Bryan Murphy
     Safe Harbor Statement: Our discussions may include predictions, estimates or other information that might be considered forward-looking. While these forward-looking statements represent our current judgment on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our opinions only as of the date of this presentation. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward-looking statements in light of new information or future events. Throughout today's discussion, we will attempt to convey some important factors relating to our business that may affect our predictions.
     © 2006-2014 Mediafly, Inc. | Confidential
  7. Who am I?
     Mediafly, Inc. - Technical Architect: back-end services, video processing, scaling and architecture
     Mobitrac, Inc. - Senior Developer: travelling salesman problem, routing algorithms, and mapping
     RBC/Centura Mortgage - Lead Web Developer: online loan officer hosting platform and rate search engine
  8. Who are we? "The Content Mobility Cloud"
     We process and store highly sensitive content for Fortune 500 customers, and deliver that content to white-labeled mobile apps and the web
     • Sales presentations and selling collateral
     • Pre-release/pre-air video
     Customers include:
     • Global banks
     • Leading consumer-packaged goods companies
     • TV and theatrical studios
     Small, passionate, growing team
     • We are hiring! Search mediafly careers
  9. Infrastructural Security
     Three major areas:
     Content
     ● Keeping content encrypted from ingest through delivery
     ● E.g. key exchange, at-rest encryption, DRM, more
     Infrastructure
     ● Hardening server security while ensuring reliability, performance and low cost
     ● E.g. users and roles, VPC, server bootstrapping
     Operations
     ● Ensuring procedures and personnel keep content secure
     ● E.g. managing account termination, principles of least privilege
  10. Secure All Communication
     The cloud is a hostile environment
     • Service limitations (no private load balancers, security group limits)
     • Network limitations (no multicast, no shared ip addresses, etc.)
     • Noisy neighbors
     • Malicious third parties
     What to do:
     • SSL/TLS everywhere
     • Encrypt: transports, configuration, data, binaries
     • Use standard tools (openssl/gnupg)
     • Implement authorization for internal services
  11. Authorization and Access Control
     Restricted Access
     • Many credentials, limited permissions
     • Restricted one-time-use accounts or accounts with expiration where possible
     Protecting Credentials
     • Use public key cryptography
     • Store encrypted credentials in source control
     IAM Accounts vs. Roles
     • Roles: good for isolated servers, boot
     • Accounts: good for services, users
     DENIED!
  12. Isolate Services and Customers
     Isolation
     • Isolate services and environments from each other using bulkheads
     • Examples: VPN, ssh proxy, REST API, message queues
     Stateless Servers
     • Deliver credentials as needed using public key cryptography
     • Execute in sandbox
     • Purge sandbox on completion
  13. Verification
     Automated Security Testing
     Regular Audits
     • Manual internal audits
     • Third party automated testing
     • Third party security audits
     Logging
     Monitoring
  14. Infrastructural Security is a Balancing Act: Secure vs. Flexible
  15. Thank you! Bryan Murphy - twitter.com/bryanmurphy, twitter.com/mediafly
  16. "Advanced Monitoring and Detection on Linux-based workloads in AWS" - Aaron Botsis, Lead Product Manager at ThreatStack. Tweet: @aaronb #AWSChicago
  17. ADVANCED SECURITY MONITORING FOR THE CLOUD - Aaron Botsis @aaronb, @threatstack
  18. who is logging into my (machines|applications|SaaS accounts)
     what are they running
     of running apps, which are making network activity, and where
     every kernel module loaded, every library, every file created/modified/removed, everything!!!!
     but why stop there?
  19. but aaron, why?
  20. prevention fails
  21. thanks, aaron
  22. step 1: audit all of the things
     logins
     processes
     network activity
     file access
     kernel modules
     shared libraries
  23. // `curl google.com` emits this:
     {
       id: 1018103008,
       start: 1399236274,
       end: 1399236275,
       duration: 1,
       protocol: 'tcp',
       byte_count: 1195,
       packet_count: 11,
       src_ip_numeric: 3232300674,
       dst_ip_numeric: 1127355157,
       src_ip: '192.168.254.130',
       dst_ip: '67.50.19.21',
       src_port: 37814,
       dst_port: 80
     }
     by thinking inside the box
  24. step 2: build behavior profiles
     does apache always spawn a shell?
     does that shell always switch privs to root?
     does root always make network connections to China?
  25. ..by thinking outside the box
  26. step 3: anomalies help prevent
     devs know app best
     behavior deviations help identify new attack vectors
     create rules to look for known misbehavior
     disable behavioral detection programmatically
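Steps 1 to 3 above, carried through on constructed audit events as an added example (not ThreatStack's or the speaker's code): a profile of observed (parent, executable, uid) and (executable, uid, protocol, port) behaviours is learned from a baseline window, then later events are flagged when they fall outside it or match hand-written rules for the apache -> shell -> root -> outbound chain slide 24 asks about. The event fields beyond the slide's flow record (type, parent, exe, uid) are assumptions.

```python
# Constructed audit events in the shape of slides 22/23. The process events and the
# 'exe'/'uid' keys on the network events are assumptions; the slide's flow record
# itself only carries ip/port/protocol/byte fields.
BASELINE = [  # what the app did while behaving normally (learning window)
    {"type": "process", "parent": "init", "exe": "apache2", "uid": 0},
    {"type": "process", "parent": "apache2", "exe": "apache2", "uid": 33},
    {"type": "process", "parent": "apache2", "exe": "php-cgi", "uid": 33},
    {"type": "network", "exe": "php-cgi", "uid": 33, "protocol": "tcp",
     "dst_ip": "10.0.1.5", "dst_port": 3306},
]
SUSPECT = [  # the chain slide 24 asks about: apache -> shell -> root -> outbound
    {"type": "process", "parent": "apache2", "exe": "sh", "uid": 33},
    {"type": "process", "parent": "sh", "exe": "sudo", "uid": 0},
    {"type": "network", "exe": "sh", "uid": 0, "protocol": "tcp",
     "dst_ip": "203.0.113.7", "dst_port": 4444},
]
SHELLS = {"sh", "bash", "dash"}


def behavior_key(ev):
    """Reduce an event to the behaviour we profile: who ran what, or who talked where."""
    if ev["type"] == "process":
        return ("exec", ev["parent"], ev["exe"], ev["uid"])
    return ("net", ev["exe"], ev["uid"], ev["protocol"], ev["dst_port"])


def build_profile(events):
    """Step 2: the set of behaviours observed while the app ran normally."""
    return {behavior_key(ev) for ev in events}


# Step 3: rules for known misbehaviour, written by the devs who know the app best.
RULES = {
    "web server spawned a shell":
        lambda ev: ev["type"] == "process" and ev["parent"] == "apache2" and ev["exe"] in SHELLS,
    "shell escalated to root":
        lambda ev: ev["type"] == "process" and ev["parent"] in SHELLS and ev["uid"] == 0,
    "root process made an outbound connection":
        lambda ev: ev["type"] == "network" and ev["uid"] == 0,
}


def detect(profile, events, rules=RULES, use_profile=True):
    """Return (event index, reason) for rule hits and, unless behavioural detection
    is switched off programmatically (e.g. during a deploy), for anything outside the profile."""
    findings = []
    for i, ev in enumerate(events):
        reasons = [name for name, hit in rules.items() if hit(ev)]
        if use_profile and behavior_key(ev) not in profile:
            reasons.append("not in behavior profile")
        findings.extend((i, r) for r in reasons)
    return findings
```

Run against BASELINE the detector stays quiet; against SUSPECT every event trips both a rule and the profile check.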
  27. Why DevOps?! (...a tangent)
  28. bonus: detection
  29. thank you.
  30. "AWS Security best practices" - Mattew Long, Founder and CEO at roZoom, Inc. Tweet: @mlong168 #AWSChicago
  31. About Me
     President & CEO @roZoom
     Twitter @mlong168
     Linkedin: http://linkd.in/T90u7l
  32. AWS Security: Act One
  33. To ensure a secure global infrastructure, AWS configures infrastructure components and provides services and features you can use to enhance security, such as the Identity and Access Management (IAM) service, which you can use to manage users and user permissions in a subset of AWS services. To ensure secure services, AWS offers shared responsibility models for each of the different types of service that we offer:
     ● Infrastructure services
     ● Container services
     ● Abstracted services
  34. Infrastructure Services
  35. Container Services
  36. Abstracted Services
  37. Security Best Practices: AWS Management Console/IAM
  38. Security Best Practices: AWS Management Console: Enable Two Factor Authentication
  39. Security Best Practices: AWS OS-Level Access to EC2
     ● Options for security of encryption keys:
       ○ Store on encrypted media
       ○ CloudHSM
       ○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8
       ○ Gazzang: http://bit.ly/1lNkO9m
     ● Options for OS-level authentication:
       ○ LDAP/Active Directory/Kerberos, etc.
       ○ Two-factor auth: Google Authenticator (http://bit.ly/1lNtwo5), WiKID, RSA
       ○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8
  40. Security Best Practices: Protecting Data at Rest
     For regulatory or business requirement reasons, you might want to further protect your data at rest stored in Amazon S3, on Amazon EBS, Amazon RDS, or other services from AWS.
     ● Accidental information disclosure
     ● Data integrity compromise
     ● Accidental deletion
     ● System, infrastructure, hardware or software availability
  41. Security Best Practices: Protecting Data at Rest: S3
  42. Security Best Practices: Protecting Data at Rest: EBS
  43. Security Best Practices: Protecting Data at Rest: RDS/Databases/EMR, etc.
     ● Ensure you encrypt any sensitive information on disk or at the database level
     ● Always segment the data layer from the application layer
     ● If access is required from outside of AWS regions or network, make sure you use SSL or VPC to encrypt data
  44. Security Best Practices: Protecting Data in Transit
  45. Security Best Practices: Network Layering
  46. Security Best Practices: Other Topics
     ● DDoS Protection: Black Swan, Cloudflare, CloudFront
     ● Monitoring and Alerting: Graylog2, Fluentd, Splunk, CloudTrail
     ● Unified Threat Management: AlienVault
     ● Vulnerability Scanning: Metasploit, Nessus
     ● IDS: Snort, OSSEC
     ● Web Application Firewalls: Imperva, ModSecurity
     ● Data Loss Prevention
     ● AWS VPC or Direct Connect for on-premise network access
     ● AWS Trusted Advisor Scanning or Nessus
  47. Credits
     Credits go to the following:
     AWS Security Best Practices: http://bit.ly/T97y3I
  48. Q & A. Pizza's almost here! Sponsored by / Hosted by #AWSChicago