
Automating your AWS Security Operations


You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?

Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques used by the early-adopter cloud elite give them distinct advantages. It's time to re-think your organization’s processes and behaviors to capture the latest efficiencies in your security operations. In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.

Join us to learn:
• How security will be integrated into the overall processes of development and deployment.
• How to tie security acceptance tests, a subset of your key security controls, into the end of your functional testing process so you can promote builds faster and with confidence.
• How to be successful with API-enabled, continuous security tools in the cloud.
• How to operationalize security alarms, enabling world-class incident response and remediation capabilities.


  1. Securing your data on AWS. Pat McDowell, Solutions Architect at AWS; Tim Prendergast, CEO and Co-Founder at Evident.io; Shannon Lietz, DevSecOps Leader at Intuit.
  2. Your data and IP are your most valuable assets. $6.53M: average cost of a data breach. 56%: increase in theft of hard intellectual property. 70% of consumers indicated they’d avoid businesses following a security breach. Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
  3. AWS can be more secure than your existing environment. In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
     • Automating logging and monitoring
     • Simplifying resource access
     • Making it easy to encrypt properly
     • Enforcing strong authentication
  4. AWS and you share responsibility for security. AWS takes care of the security OF the cloud: the AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (regions, Availability Zones, edge locations). You get to define your controls ON the cloud: customer applications and content, identity and access control, network security, inventory and config, data encryption.
  5. Constantly monitored. The AWS infrastructure is protected by extensive network and security monitoring systems:
     • Network access is monitored by AWS security managers daily
     • AWS CloudTrail lets you monitor and record all API calls
     • Use VPC Flow Logs to monitor and analyze network traffic to your instances
  6. Highly available. The AWS infrastructure footprint protects your data from costly downtime:
     • 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
     • Retain control of where your data resides for compliance with regulatory requirements
     • Mitigate the risk of DDoS attacks using services like Auto Scaling and Route 53
  7. Integrated with your existing resources. AWS enables you to improve your security using many of your existing tools and practices:
     • Integrate your existing Active Directory
     • Use dedicated connections as a secure, low-latency extension of your data center
     • Provide and manage your own encryption keys if you choose
  8. Key AWS Certifications and Assurance Programs
  9. +
  10. Security automation is a key differentiator for cloud companies
  11. You are responsible for protecting your data/assets. Customer (security ON the cloud): customer data; applications, identity and access management; OS, network, firewall; client-side encryption, server-side encryption, network traffic protection. AWS (security OF the cloud): compute, storage, networking; AWS Global Infrastructure (regions, AZs, edge locations).
  12. You have a huge quantity of intelligence to process. This is just a SUBSET of an average company’s data flows. (Data-flow diagram; includes Amazon Elasticsearch.)
  13. The human challenge: humans have finite scale…
  14. …then we turn to automation.
  15. Security breach
  16. Why automate security? We’re less than one million security professionals short of “equilibrium”, and lagging…
  17. Why automate security? No matter how good your process is, alert fatigue will trump it… Alert psychology proves that fatigue destroys process.
  18. The fallacy of choice… As infrastructure and software delivery accelerate, there is no alternative.
  19. Security automation is good for everyone: DevOps builds value; security builds trust; customers and businesses need trust and value.
  20. Evident Security Platform (ESP)
     • Built by cloud pioneers from Adobe, AWS, and Netflix
     • Agentless deployment (<5 mins)
     • Continuous security scanning & alerting across several AWS services
     • Aligns your Security and DevOps teams on protecting cloud assets
     • Tracks security state to support audit, compliance, and incident response needs
  21. Evident & Intuit: leader in cloud security automation & innovation + leader in DevSecOps.
  22. Cloud Security Operations: “boldly go where no human has gone before…” Shannon Lietz, DevSecOps Leader at Intuit, @devsecops
  23. The context… Cloud Security Operations. Imagine: software-defined security; thousands of changes a day; the biggest “big data” problem. Fast MTTR… the final frontier. (Chart: Mean Time to Resolution (MTTR), scale to 6 months.)
  24. So what hinders “secure” innovation @ speed & scale?
     1. Manual processes & meeting culture
     2. Point-in-time assessments
     3. Friction for friction’s sake
     4. Contextual misunderstandings
     5. Decisions being made outside of value creation
     6. Late constraints and requirements
     7. Big commitments, big teams, and big failures
     8. Fear of failure, lack of learning
     9. Lack of inspiration
     10. Management and political interference (approvals, exceptions)
  25. In the Cloud, Everything is Code
  26. Let’s switch some things around… (The slide contrasts data-center terms with their cloud counterparts: Data Center, Network, Servers, Virtualization, Operations, Platforms, Buyer Identifier, Cloud Account(s), Virtual IP Addresses, Containerization, Appliances, Storage, Security Features, Applications, Ephemeral Instances, Scale on Demand, IaaS/PaaS/SaaS, Resource Testing, Built-In Security, Long-Term Contracts, Partner Marketplaces, Slow-ish Decisions, Experiments.)
  27. Software Defined Security
     • Requires significant intimate knowledge, context & understanding
     • Critical Cloud Security Operations elements:
       – Zoning & blast radius containment
       – Instrumentation & monitoring to create the feedback loop
       – Security as Code platform (whitelisting, encryption, authorization)
       – API catalog & testing for the full stack
       – Asset inventory & hardened baselines [software, services, components, etc.]
  28. The Basic Cloud Model (diagram): Internet backbone; cloud provider network backbone; cloud platform (orchestration) over network, compute and storage; cloud account(s) containing load balancers, compute instances, VPCs, block storage, object storage, relational databases, NoSQL databases, containers, content acceleration, messaging, email, utilities, key management, API/templates, certificate management; partner platform.
  29. Developers have lots of options…
  30. Reality… (Diagram: data centers and several cloud provider networks, joined over the Internet.)
  31. And attackers also have lots of options… (Diagram: victims, attackers.)
  32. Shift controls & mindset: security monitoring
  33. Cloud Security Operations in the Cloud… Monitor & inspect everything. (Diagram: cloud accounts (S3, Glacier, EC2, CloudTrail) -> ingestion -> security tools & data, plus threat intel -> security science -> insights -> continuous response, closing a security feedback loop; speed matters.)
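The CloudTrail ingestion and continuous-response loop of slide 33 (and the CloudTrail point on slide 5) in working form, as an added example that is not code from the webinar, Evident.io or Intuit: three detection rules run over a constructed batch of CloudTrail records. The record fields are the documented CloudTrail ones; the admin-port list, the sample events, the group IDs and the account ID are assumptions made for this example.

```python
"""Detection rules run over CloudTrail records.

Added example, not code from the webinar, Evident.io or Intuit. The fields used
(eventTime, eventName, eventSource, userIdentity, sourceIPAddress,
additionalEventData, responseElements, requestParameters) follow the documented
CloudTrail record format; SAMPLE_TRAIL is constructed, not real log data.
"""
import json

ADMIN_PORTS = {22, 3389}            # assumption: SSH and RDP must never face the Internet
WORLD = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def console_login_without_mfa(event):
    """Successful console sign-in where MFAUsed is anything other than 'Yes'."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    who = event.get("userIdentity", {}).get("arn", "<unknown>")
    return "console login without MFA by %s from %s" % (who, event.get("sourceIPAddress"))


def _ports(perm):
    """Port range of one ipPermissions item; ipProtocol -1 means every port."""
    if str(perm.get("ipProtocol")) == "-1":
        return range(0, 65536)
    return range(int(perm.get("fromPort", 0)), int(perm.get("toPort", 65535)) + 1)


def world_open_admin_port(event):
    """AuthorizeSecurityGroupIngress that exposes an admin port to any address."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = event.get("requestParameters", {})
    exposed = set()
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if cidrs & WORLD:
            exposed |= {p for p in ADMIN_PORTS if p in _ports(perm)}
    if not exposed:
        return None
    return "group %s opened admin ports %s to the world" % (params.get("groupId"), sorted(exposed))


def trail_tampering(event):
    """Any call that stops, deletes or reconfigures a trail."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if event.get("eventName") not in TRAIL_TAMPERING:
        return None
    who = event.get("userIdentity", {}).get("arn", "<unknown>")
    return "CloudTrail %s by %s" % (event["eventName"], who)


RULES = (console_login_without_mfa, world_open_admin_port, trail_tampering)


def run_detections(records):
    """Apply every rule to every record; returns (eventTime, rule name, detail) tuples."""
    findings = []
    for event in records:
        for rule in RULES:
            detail = rule(event)
            if detail:
                findings.append((event.get("eventTime"), rule.__name__, detail))
    return findings


# Constructed sample trail: a login without MFA, an SSH-to-the-world rule, a
# harmless HTTPS rule, and a StopLogging call.
SAMPLE_TRAIL = json.loads("""{"Records": [
{"eventTime": "2016-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
 "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
 "responseElements": {"ConsoleLogin": "Success"},
 "additionalEventData": {"MFAUsed": "No"}},
{"eventTime": "2016-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
 "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
 "requestParameters": {"groupId": "sg-0abc1234",
   "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
{"eventTime": "2016-03-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
 "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
 "requestParameters": {"groupId": "sg-0def5678",
   "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
{"eventTime": "2016-03-01T10:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
 "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
 "requestParameters": {"name": "main-trail"}}
]}""")["Records"]

if __name__ == "__main__":
    for when, rule, detail in run_detections(SAMPLE_TRAIL):
        print(when, rule, detail)
```

In production the records come from the gzipped JSON objects the trail delivers to S3 (or from the CloudWatch Logs stream a trail can feed), and each finding goes to the continuous-response step: a page for the StopLogging case, an automated revoke of the ingress rule for the world-open case.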
  34. What’s this look like in practice? Etc… Etc… Etc…
  35. Account sharding is a new control!
     • Splitting cloud workloads into many accounts has a benefit.
     • Accounts should contain less than 100% of a cloud workload.
     • Works well with APIs; works dismally with forklifts.
     • What is your appetite for risk?
     (Diagram: cloud workload templates deployed 33% / 33% / 33% across three cloud accounts in the cloud provider network, with an attacker shown against one of them.)
  36. Long live APIs…
     • Everything in the cloud should be an API, even security…
     • Protocols that are not cloudy should not span across environments.
     • If you wouldn’t put it on the Internet, then you should put an API and authentication in front of it:
       – Messaging
       – Databases
       – File transfers
       – Logging
     (Diagram: user routing, data replication, application gateway, file transfers, log sharing and messaging all pass through “My API”, which reports events such as “Tested machine image…”, “Tested instances…”, “Tested roles…”, “Tested passwords…”, “New instance created…”, “Instance 12345 changed…”, “User ABC accessed Instance 12345…”.)
  37. Host-Based Controls
     • Shared responsibility and cloud require host-based controls.
     • Instrumentation is everything!
     • Fine-grained controls require more scrutiny and bigger big-data analysis.
     • Agents & outbound reporting to an API are critical
     (Diagram: instances in the cloud provider network report the same event stream outbound: tested machine image, tested instances, tested roles, tested passwords, new instance created, instance changed, user accessed instance.)
  38. Don’t Hug Your Instances…
     • Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
     • Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
     • Make sure to keep a snapshot for forensic and compliance purposes.
     • Use config management automation to make changes part of the stack.
     • Refresh routinely; refresh often! (10 DAYS)
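The ten-day refresh rule and the “keep a snapshot” gate of slide 38 as an added example (not code from the webinar or Intuit): a planner that decides which running instances to replace on this run. The input follows the shape of an EC2 describe_instances() response plus the set of instance IDs that already have an EBS snapshot; in production both would come from boto3, here the fleet, its IDs and dates, and the one-third-per-group batch limit are constructed assumptions.

```python
"""Instance refresh planner for the "replace instances at least every 10 days" rule.

Added example; not code from the webinar or from Intuit. Two safety rules are
applied before anything is replaced: a forensic snapshot must already exist,
and no more than a fraction of any Auto Scaling group is replaced per run, so
capacity stays up while the blue/green rotation drains the backlog.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=10)
MAX_BATCH_FRACTION = 0.34   # assumption: rotate at most about a third of a group per run


def asg_name(instance):
    """Auto Scaling group the instance belongs to, via the tag EC2 sets, or None."""
    for tag in instance.get("Tags", []):
        if tag["Key"] == "aws:autoscaling:groupName":
            return tag["Value"]
    return None


def _running(reservations):
    return [i for r in reservations for i in r["Instances"]
            if i["State"]["Name"] == "running"]


def stale_instances(reservations, now, max_age=MAX_AGE):
    """Running instances launched at least max_age ago, oldest first."""
    stale = [i for i in _running(reservations) if now - i["LaunchTime"] >= max_age]
    return sorted(stale, key=lambda i: i["LaunchTime"])


def plan_refresh(reservations, snapshotted, now, max_age=MAX_AGE,
                 max_batch_fraction=MAX_BATCH_FRACTION):
    """Return {"replace": [ids], "snapshot": [ids]} for this run."""
    group_size = {}
    for inst in _running(reservations):
        group_size[asg_name(inst)] = group_size.get(asg_name(inst), 0) + 1
    batch_used = {}
    plan = {"replace": [], "snapshot": []}
    for inst in stale_instances(reservations, now, max_age):
        iid = inst["InstanceId"]
        if iid not in snapshotted:
            plan["snapshot"].append(iid)        # forensic copy first; replace on the next run
            continue
        group = asg_name(inst)
        limit = max(1, int(group_size[group] * max_batch_fraction))
        if batch_used.get(group, 0) >= limit:
            continue                            # stays stale until the next run
        batch_used[group] = batch_used.get(group, 0) + 1
        plan["replace"].append(iid)
    return plan


def _instance(iid, launched, state="running", asg=None):
    tags = [{"Key": "aws:autoscaling:groupName", "Value": asg}] if asg else []
    return {"InstanceId": iid, "LaunchTime": launched, "State": {"Name": state}, "Tags": tags}


def _d(day, month=3):
    return datetime(2016, month, day, tzinfo=timezone.utc)


NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)

# Constructed fleet: a three-node web group with two stale members, a stale API
# node with no snapshot yet, a stale standalone bastion and a stopped leftover.
SAMPLE_RESERVATIONS = [{"Instances": [
    _instance("i-0a000000000000001", _d(1), asg="web"),
    _instance("i-0a000000000000002", _d(2), asg="web"),
    _instance("i-0a000000000000003", _d(10), asg="web"),
    _instance("i-0b000000000000001", _d(20, month=2), asg="api"),
    _instance("i-0c000000000000001", _d(1, month=2)),
    _instance("i-0d000000000000001", _d(1, month=1), state="stopped"),
]}]
SAMPLE_SNAPSHOTTED = {"i-0a000000000000001", "i-0a000000000000002", "i-0c000000000000001"}

if __name__ == "__main__":
    print(plan_refresh(SAMPLE_RESERVATIONS, SAMPLE_SNAPSHOTTED, NOW))
```

Run on a schedule, the planner converges: the API node is snapshotted on this run and replaced on the next, and the second stale web node follows once the first replacement is healthy. Terminating an instance is the one step that needs credentials, so it stays outside the planner and can require a second approval.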
  39. Overcoming Inconvenience
     • Use built-in transparent encryption when possible.
     • Use native cloud key management and encryption when available.
     • Develop backup strategies for keys and secrets.
     • Apply app-level encryption to help with SQL injection and preserving Safe Harbor.
     • Use APIs to exchange data and rotate encryption.
  40. Migrating Security to the Left, where it can get built in (design -> build -> deploy -> operate). Questions along the way: How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Labels on the diagram: typical gates for security checks & balances; mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits; the most costly mistakes happen during design; security is a design constraint; faster security feedback loop.
  41. Use Cloud Native Security Features...
     • Cloud native security features are designed to be cloudy.
     • Audit is a primary need!
     • Configuration and baseline checks baked into a cloud provider’s platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
     • Be deliberate about how to use built-in security controls and who has access.
  42. Secure baselines & patterns help a lot! (Diagram of patterns, resources and services: AMI, Amazon Elastic MapReduce, AWS Import/Export, security monitoring, egress proxy CFn template, bastion CFn template, secure VPC CFn template, CloudTrail CFn template, secrets bundle, Marketplace templates.)
  43. Fanatical security testing. Static: UX & interfaces, microservices, web services, code, CFn templates. Dynamic: build artifacts, deployment packages, resources, patterns & baselines. Run-time: security groups, account configuration, real-time updates, patterns & baselines.
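One of the security acceptance tests the abstract promises (tied to the end of functional testing), placed in the static column of slide 43: an added example, not Intuit’s pipeline code or anything from the webinar, that lints a CloudFormation template for world-open security group ingress and wildcard IAM statements before the stack is ever deployed. The template structure is the documented one; the allowed-public-port policy and the sample template are assumptions.

```python
"""Static security acceptance test for a CloudFormation template.

Added example; not code from the webinar or from Intuit's pipeline. It walks
the documented template structure (Resources -> Type / Properties) and applies
two of the run-time checks from the slide (security groups, account
configuration) at the earliest point they can be expressed. A non-empty
findings list fails the build at the end of functional testing.
"""

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only web ports may be reachable from anywhere


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _port(value, default):
    """Literal port number, or None when the template uses Ref/Fn:: for it."""
    if value is None:
        return default
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def ingress_rules(resources):
    """Yield (resource name, rule) for inline and standalone ingress rules."""
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def rule_is_world_open(rule, allowed=ALLOWED_PUBLIC_PORTS):
    """True when the rule admits any address on a port outside the allow-list."""
    if (rule.get("CidrIp") or rule.get("CidrIpv6")) not in WORLD:
        return False
    if str(rule.get("IpProtocol")) == "-1":
        return True
    lo, hi = _port(rule.get("FromPort"), 0), _port(rule.get("ToPort"), 65535)
    if lo is None or hi is None:
        return True             # unresolvable port: fail closed and make a human look
    return any(p not in allowed for p in range(lo, hi + 1))


def policy_documents(resources):
    """Yield (resource name, policy document) for every IAM policy in the template."""
    for name, res in resources.items():
        props = res.get("Properties", {})
        kind = res.get("Type")
        if kind in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            yield name, props.get("PolicyDocument", {})
        elif kind in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for policy in props.get("Policies", []):
                yield name, policy.get("PolicyDocument", {})


def statement_is_wildcard(stmt):
    """Allow with Action '*' on Resource '*' (full account access)."""
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))


def check_template(template):
    """Return human-readable findings; an empty list means the template passes."""
    resources = template.get("Resources", {})
    findings = []
    for name, rule in ingress_rules(resources):
        if rule_is_world_open(rule):
            findings.append("%s: ingress %s %s-%s from %s is not limited to %s" % (
                name, rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"),
                rule.get("CidrIp") or rule.get("CidrIpv6"), sorted(ALLOWED_PUBLIC_PORTS)))
    for name, doc in policy_documents(resources):
        for stmt in _as_list(doc.get("Statement", [])):
            if statement_is_wildcard(stmt):
                findings.append("%s: IAM statement allows Action '*' on Resource '*'" % name)
    return findings


# Constructed template: one good and one bad ingress rule, one good and one
# wildcard IAM policy.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "OfficeSSH": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "WebSG"}, "IpProtocol": "tcp",
        "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}},
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {}, "Policies": [{"PolicyName": "all",
            "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "deploy", "Roles": [{"Ref": "AdminRole"}],
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::artifacts-bucket/*"}]}}},
}}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE) or ["no findings"]:
        print(finding)
```

Wire it in as the last test of the functional stage (a single assertion that check_template() returns an empty list) so a build that opens SSH to the world or grants `*:*` cannot be promoted; the same rule_is_world_open() logic applied to describe_security_groups() output gives the run-time check on the slide’s right-hand column.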
  44. Red Team, Security Operations & Science
     • API key exposure -> 8 hrs
     • Default configs -> 24 hrs
     • Security groups -> 24 hrs
     • Escalation of privs -> 5 d
     • Known vuln -> 8 hrs
  45. Cloud security disaster recovery & forensics is a different animal…
     • Regional recovery is not enough to cover security woes.
     • Security events can quickly escalate to disasters.
     • Got a disaster recovery team?
     • Multi-account strategies with separation of duties can help.
     • Don’t hard code if you can help it.
     • Encryption is inconvenient, but necessary…
     (Diagram: cloud workload templates and disaster templates deployed 50% / 50% across pairs of cloud accounts in the cloud provider network.)
  46. Compliance operations as continuous improvement. https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
  47. Code can solve the great divide
     • Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
     • Translation from paper to code can lead to mistakes.
     • Traditional security policies do not translate 1:1 to full-stack deployments.
     (Diagram: the data-center policy document, “Page 3 of 433”: lock your doors, badge in, authorized personnel only, background checks. The cloud provider network equivalent, EVERYTHING AS CODE: choose strong passwords, use MFA, rotate API credentials, cross-account access.)
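Slide 47’s cloud policy lines (choose strong passwords, use MFA, rotate API credentials) written as code, as an added example that is not from the webinar or Intuit: checks run over the IAM credential report, which is the one place all three facts are visible for every principal in the account, root included. The column names are those of the real report; the report contents, the account ID and the 90-day limits are constructed assumptions.

```python
"""IAM credential report checks: the paper policy as code.

Added example; not code from the webinar or Intuit. The column names are those
of the IAM credential report (aws iam get-credential-report), whose values are
'true'/'false', ISO timestamps, or 'N/A'/'no_information'/'not_supported'.
SAMPLE_REPORT is constructed and the 90-day limits are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

PASSWORD_MAX_AGE = timedelta(days=90)
KEY_MAX_AGE = timedelta(days=90)
ROOT = "<root_account>"


def _when(value):
    """Timestamp column, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def check_credential_report(report_csv, now, password_max_age=PASSWORD_MAX_AGE,
                            key_max_age=KEY_MAX_AGE):
    """Return (user, finding) pairs; an empty list means the account passes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has console access; its password_enabled column reads 'not_supported'.
        has_console = user == ROOT or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        changed = _when(row["password_last_changed"])
        if has_console and changed is not None and now - changed > password_max_age:
            findings.append((user, "password older than %d days" % password_max_age.days))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = _when(row["access_key_%s_last_rotated" % n])
            if rotated is None or now - rotated > key_max_age:
                findings.append((user, "access key %s older than %d days" % (n, key_max_age.days)))
    return findings


NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)

# Constructed report: root without MFA; alice compliant; bob with no MFA, an old
# password and a stale key; a deploy user with a fresh key and no console access.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2016-03-10T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T00:00:00+00:00,true,2016-03-14T09:00:00+00:00,2016-02-01T00:00:00+00:00,2016-05-01T00:00:00+00:00,true,true,2016-03-01T00:00:00+00:00,2016-03-14T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-06-01T00:00:00+00:00,true,2016-03-12T09:00:00+00:00,2015-06-01T00:00:00+00:00,N/A,false,true,2015-11-01T00:00:00+00:00,2016-03-13T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2016-01-10T00:00:00+00:00,false,N/A,N/A,N/A,false,false,N/A,N/A,N/A,N/A,true,2016-02-20T00:00:00+00:00,2016-03-14T11:00:00+00:00,us-east-1,cloudformation,false,N/A,false,N/A
"""

if __name__ == "__main__":
    for user, finding in check_credential_report(SAMPLE_REPORT, NOW):
        print("%-16s %s" % (user, finding))
```

The report is generated by the service itself, so the check needs only `iam:GenerateCredentialReport` and `iam:GetCredentialReport`, and a finding on `<root_account>` is the one that should page someone.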
  48. Security Decision Support
  49. Speed & ease can increase security!
     • Fast remediation can remove an attack path quickly.
     • Resolution can be achieved in minutes, compared to months in a datacenter environment.
     • Continuous Delivery has the advantage of being able to publish over an attacker.
     • Built-in forensic snapshots and blue/green publishing allow systems to be recovered while an investigation takes place.
     (Diagram: an APP/DB stack marked ATTACKED is kept for FORENSICS while a fresh APP/DB stack is published as RECOVERED.)
  50. This could be your MTTR… (Chart: Mean Time to Resolution (MTTR), scale to 6 months.)
  51. Get involved and join the community
     • devsecops.org
     • @devsecops on Twitter
     • DevSecOps on LinkedIn
     • DevSecOps on GitHub
     • RuggedSoftware.org
     • Compliance at Velocity
