
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313)

With security-relevant services such as AWS Config, VPC Flow Logs, Amazon CloudWatch Events, and AWS Lambda, you now have the ability to programmatically wrangle security events that may occur within your AWS environment, including prevention, detection, response, and remediation. This session covers the process of automating security event response with various AWS building blocks, taking several ideas from drawing board to code, and gaining confidence in your coverage by proactively testing security monitoring and response effectiveness before anyone else does.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Brian Wagner, AWS Professional Services; Don “Beetle” Bailey, AWS Security. November 29, 2016. SEC313 Automating Security Event Response
  2. What to expect from the session • Iteration of previous re:Invent talks • Methodology for implementing security automation ideas • Decision support to match AWS mechanisms to goals • Code • Additional resources • Demos!
  3. We came (with a demo) from a land down under …!
  4. Building on previous talks. YouTube search: • “Intrusion Detection in the Cloud” → 2014 • “Incident Response (IR) in the Cloud” → 2014 • “Wrangling Security Events in The Cloud” → 2015. SlideShare search: • “Enforcing Your Security Policy at Scale” → 2016
  5. You’ve probably seen this before (shared responsibility model). AWS foundation services: Compute, Storage, Database, Networking. AWS global infrastructure: Regions, Availability Zones, Edge locations. Customer content; platform, applications, IAM; operating system, network, and firewall configuration; client-side data encryption; server-side data encryption; network traffic protection. Customers are responsible for their security IN the Cloud. AWS is responsible for the security OF the Cloud.
  6. Getting from here to there • Understand AWS security practice • Build strong compliance foundations • Integrate IAM • Enable detective controls • Establish network security • Implement data protection • Optimize change management • Automate security functions
  7. Putting it all together (diagram labels): AWS CloudTrail, Amazon CloudWatch Events, AWS Lambda, Amazon Simple Notification Service, AWS API endpoints, your staff, Amazon S3 bucket, your security team, AWS IAM role, AWS API, your SaaS tools
  8. Questions you will need to answer • What is my expressed security objective in words? • Is this configuration or behavior related? • What data, where, could help inform me? • Do I have requisite ownership or visibility? • What are my performance requirements? • What mechanisms support the above? • What is my expressed security objective in code?
  9. Security objective • “I would like to push a button that launches a penetration test on my AWS environment” • “I want to know when someone turns off AWS CloudTrail and automatically turn it back on” • “I need to prevent my developers launching EC2 instances from unapproved Amazon Machine Images”
  10. Configuration vs behavior
  11. Locate the right data
  12. Establish ownership and visibility for access
  13. Soon vs later vs whenever
  14. Service and feature selection
  15. Make it so
  16. The high-level playbook … (diagram labels): CloudWatch Events event, Adversary (or Intern), Your environment, Responder
  17. Here. We. GO!
  18. Demo: “If someone turns CloudTrail off, turn it back on.”
  19. Adversary → CloudTrail: cloudtrail:StopLogging
  20. CloudWatch Events event (rule pattern): { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "cloudtrail.amazonaws.com" ], "eventName": [ "StopLogging" ] } }
  21. Adversary → Responder: cloudtrail.start_logging
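The CloudTrail demo on slides 18 to 21 needs two pieces that the deck only names: a rule that matches the slide 20 pattern and a responder that re-enables the same trail. The block below is an added example, not code from the deck or from AWS: `matches_pattern` implements the subset of CloudWatch Events pattern semantics the slides rely on (a list means "one of these values", a nested object recurses, keys absent from the pattern are ignored), and `respond_to_stop_logging` reads the trail name from the StopLogging `requestParameters` and calls `start_logging`. The client is injected so the logic can run offline; `RecordingCloudTrail`, the `lambda_handler` wiring and the sample event (including its account id and trail name) are constructed for this example.

```python
"""Added example (not from the SEC313 deck): match the slide 20 rule
pattern and re-enable CloudTrail. The CloudTrail client is passed in so
the logic runs offline; in Lambda, pass boto3.client("cloudtrail")."""
import json

# Event pattern exactly as shown on slide 20.
STOP_LOGGING_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}


def matches_pattern(pattern, event):
    """Subset of CloudWatch Events pattern semantics: every key in the
    pattern must exist in the event; a list means "value is one of these";
    a nested dict recurses. Keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def trail_name_from_event(event):
    """StopLogging's requestParameters carry the trail name or ARN."""
    return event["detail"]["requestParameters"]["name"]


def respond_to_stop_logging(event, cloudtrail):
    """Responder (slide 21): if the event is a StopLogging call, re-enable
    the same trail and report what was done and who triggered it."""
    if not matches_pattern(STOP_LOGGING_PATTERN, event):
        return {"action": "ignored"}
    name = trail_name_from_event(event)
    cloudtrail.start_logging(Name=name)
    return {"action": "start_logging", "trail": name,
            "actor": event["detail"]["userIdentity"]["arn"]}


# Constructed sample event, trimmed to the fields the responder reads.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
    },
}


class RecordingCloudTrail:
    """Offline stand-in for boto3's CloudTrail client that records calls."""
    def __init__(self):
        self.calls = []

    def start_logging(self, **kwargs):
        self.calls.append(("start_logging", kwargs))
        return {}


def lambda_handler(event, context=None):
    """Lambda entry point (assumed wiring): same logic with the real client."""
    import boto3
    return respond_to_stop_logging(event, boto3.client("cloudtrail"))


if __name__ == "__main__":
    client = RecordingCloudTrail()
    print(json.dumps(respond_to_stop_logging(SAMPLE_EVENT, client)))
    print(client.calls)
```

The responder only acts on events that match the same pattern the rule uses, so a rule misconfiguration cannot make it start logging on an unrelated API call; the Lambda role needs `cloudtrail:StartLogging` on the trail and nothing else for this step.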
  22. Demo: “I only want approved managed policies attached to IAM users”
  23. Adversary → IAM: iam.attach_user_policy( UserName='Bill', PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess' )
  24. CloudWatch Events event (rule pattern): { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "iam.amazonaws.com" ], "eventName": [ "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy" ] } }
  25. Adversary → Responder: iam.detach_user_policy
  26. Demo: “Do not allow inline IAM policies”
  27. Adversary → IAM: iam.put_user_policy( UserName='Bill', PolicyName='AdministratorAccess', PolicyDocument=adminpolicy ), where adminpolicy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
  28. CloudWatch Events event (rule pattern): { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "iam.amazonaws.com" ], "eventName": [ "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy" ] } }
  29. Adversary → Responder: iam.delete_user_policy
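Slides 24 and 28 match three event names each (user, group and role variants), but slides 25 and 29 show only the user-flavoured undo call. The block below is an added example, not code from the deck or from AWS, that serves both IAM demos: it maps each of the six event names to the matching detach or delete call and the principal key CloudTrail records, reverts unapproved managed-policy attachments against an allow-list, and removes every inline policy. The allow-list, the `RecordingIAM` stand-in, the event envelope builder and the account id in the ARNs are constructed assumptions; the two sample calls are the adversary steps from slides 23 and 27.

```python
"""Added example (not from the SEC313 deck): one responder for the two
IAM demos on slides 22-29. The approved managed-policy list is an
assumption (the deck does not show where it lives). The IAM client is
injected so this runs offline; in Lambda pass boto3.client("iam")."""

APPROVED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::111122223333:policy/AppDeveloper",  # constructed ARN
}

# eventName -> (principal key in requestParameters, undo method, its keyword)
ATTACH_EVENTS = {
    "AttachUserPolicy": ("userName", "detach_user_policy", "UserName"),
    "AttachGroupPolicy": ("groupName", "detach_group_policy", "GroupName"),
    "AttachRolePolicy": ("roleName", "detach_role_policy", "RoleName"),
}
PUT_EVENTS = {
    "PutUserPolicy": ("userName", "delete_user_policy", "UserName"),
    "PutGroupPolicy": ("groupName", "delete_group_policy", "GroupName"),
    "PutRolePolicy": ("roleName", "delete_role_policy", "RoleName"),
}


def respond_to_iam_event(event, iam):
    """Undo unapproved managed-policy attachments (slide 25) and every
    inline policy (slide 29); return a record of what was done."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "iam.amazonaws.com":
        return {"action": "ignored", "reason": "not an IAM event"}
    if detail.get("errorCode"):
        # The original call was denied or failed, so there is nothing to undo.
        return {"action": "ignored", "reason": detail["errorCode"]}
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    if name in ATTACH_EVENTS:
        key, undo, kw = ATTACH_EVENTS[name]
        arn = params["policyArn"]
        if arn in APPROVED_POLICY_ARNS:
            return {"action": "allowed", "principal": params[key], "policy": arn}
        getattr(iam, undo)(**{kw: params[key], "PolicyArn": arn})
        return {"action": undo, "principal": params[key], "policy": arn}
    if name in PUT_EVENTS:
        key, undo, kw = PUT_EVENTS[name]
        getattr(iam, undo)(**{kw: params[key], "PolicyName": params["policyName"]})
        return {"action": undo, "principal": params[key], "policy": params["policyName"]}
    return {"action": "ignored", "reason": name}


class RecordingIAM:
    """Offline stand-in for boto3's IAM client: records every call made."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


def iam_event(event_name, **request_parameters):
    """Constructed CloudWatch Events envelope for an IAM API call."""
    return {"detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
            "detail": {"eventSource": "iam.amazonaws.com", "eventName": event_name,
                       "requestParameters": request_parameters}}


# The two adversary calls from slides 23 and 27, as CloudTrail records them
# (policyDocument arrives as a JSON string in the CloudTrail record).
ATTACH_SAMPLE = iam_event("AttachUserPolicy", userName="Bill",
                          policyArn="arn:aws:iam::aws:policy/PowerUserAccess")
PUT_SAMPLE = iam_event("PutUserPolicy", userName="Bill", policyName="AdministratorAccess",
                       policyDocument='{"Version":"2012-10-17","Statement":'
                                      '[{"Effect":"Allow","Action":"*","Resource":"*"}]}')

if __name__ == "__main__":
    iam = RecordingIAM()
    for sample in (ATTACH_SAMPLE, PUT_SAMPLE):
        print(respond_to_iam_event(sample, iam))
    print(iam.calls)
```

Two details matter in practice: the `errorCode` check keeps the responder from "undoing" a call IAM already rejected, and the responder's own role must be excluded from its own rules (or allow-listed) so that the detach and delete calls it makes do not trigger a second round.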
  30. Demo: “Only allow EC2 instances launched from approved AMIs and with appropriate subnets and security groups”
  31. EC2 launch parameters: ImageId=ami-f9dd458a SubnetId=subnet-a8aa4ef0 SecurityGroups=[ GroupId=sg-45533823 ]
  32. CloudWatch Events event (rule pattern): { "detail-type": [ "EC2 Instance State-change Notification" ], "detail": { "state": [ "pending" ] }, "source": [ "aws.ec2" ] }
  33. Responder # check if the AMI is approved # check if AMI is used in correct subnet # check if AMI was launched with approved security group
  34. DynamoDB (approved launch configurations): { "ami": "ami-0d77397e", "region": "eu-west-1", "security_groups": [ "sg-cc9a3aaa" ], "subnets": [ "subnet-ac3d7cda", "subnet-2f9c1677" ] }, { "ami": "ami-f9dd458a", "region": "eu-west-1", "security_groups": [ "sg-ee9a3a88" ], "subnets": [ "subnet-ad3d7cdb", "subnet-2e9c1676" ] }
  35. Event emitted by the level-1 responder: { 'Time': int(time.time()), 'Source': 'auto.responder.level1', 'Resources': [ str(instance_id) ], 'DetailType': 'activeResponse', 'Detail': { 'instance': instance_id, 'actionsRequested': 'instanceTermination' } }
  36. CloudWatch Events event (rule pattern for the level-2 responder): { "detail-type": [ "activeResponse" ], "source": [ "auto.responder.level1" ] }
  37. L2 responder: ec2.terminate_instances
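Slides 31 to 37 describe a two-level design: a level-1 responder validates a pending launch against the DynamoDB records on slide 34 and, on a violation, emits the slide 35 custom event; a separate level-2 responder, matched by the slide 36 rule, is the only function that terminates. The block below is an added example, not code from the deck or from AWS, carrying that procedure through end to end with the deck's own AMI, subnet and security-group ids. It assumes the state-change event carries `instance-id` and `region` (the documented shape of that event), uses an in-memory dict in place of the DynamoDB table, and injects stand-in EC2 and CloudWatch Events clients so it runs offline; the instance ids and the `FakeEC2`/`FakeEvents` classes are constructed for this example.

```python
"""Added example (not from the SEC313 deck): the two-level EC2 responder
from slides 30-37. APPROVED stands in for the slide 34 DynamoDB items; the
ec2/events clients are injected so this runs offline (in Lambda, pass
boto3.client("ec2") and boto3.client("events")). Instance ids are made up."""
import json
import time

# Same records as the slide 34 DynamoDB items, keyed by AMI.
APPROVED = {
    "ami-0d77397e": {"region": "eu-west-1", "security_groups": {"sg-cc9a3aaa"},
                     "subnets": {"subnet-ac3d7cda", "subnet-2f9c1677"}},
    "ami-f9dd458a": {"region": "eu-west-1", "security_groups": {"sg-ee9a3a88"},
                     "subnets": {"subnet-ad3d7cdb", "subnet-2e9c1676"}},
}

def describe_launch(instance_id, ec2):
    """Read the AMI, subnet and security groups of a just-launched instance."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    return {"ami": inst["ImageId"], "subnet": inst["SubnetId"],
            "security_groups": {g["GroupId"] for g in inst["SecurityGroups"]}}

def violations(launch, region, approved=APPROVED):
    """Slide 33's three checks; returns the reasons found (empty means OK)."""
    rule = approved.get(launch["ami"])
    if rule is None or rule["region"] != region:
        return ["AMI %s not approved in %s" % (launch["ami"], region)]
    reasons = []
    if launch["subnet"] not in rule["subnets"]:
        reasons.append("subnet %s not approved for %s" % (launch["subnet"], launch["ami"]))
    bad = launch["security_groups"] - rule["security_groups"]
    if bad:
        reasons.append("security groups not approved: %s" % ", ".join(sorted(bad)))
    return reasons

def active_response_entry(instance_id):
    """Slide 35's event as a put_events entry; Detail must be a JSON string."""
    return {"Time": int(time.time()), "Source": "auto.responder.level1",
            "Resources": [str(instance_id)], "DetailType": "activeResponse",
            "Detail": json.dumps({"instance": instance_id,
                                  "actionsRequested": "instanceTermination"})}

def level1_responder(event, ec2, events):
    """Slides 32/33: on a 'pending' state change, validate the launch and
    request termination through a custom event instead of acting directly."""
    if (event.get("detail-type") != "EC2 Instance State-change Notification"
            or event["detail"].get("state") != "pending"):
        return {"action": "ignored"}
    instance_id = event["detail"]["instance-id"]
    reasons = violations(describe_launch(instance_id, ec2), event["region"])
    if not reasons:
        return {"action": "allowed", "instance": instance_id}
    events.put_events(Entries=[active_response_entry(instance_id)])
    return {"action": "activeResponse", "instance": instance_id, "reasons": reasons}

def level2_responder(event, ec2):
    """Slides 36/37: only events from the level-1 responder reach this."""
    if (event.get("source") != "auto.responder.level1"
            or event.get("detail-type") != "activeResponse"
            or event["detail"].get("actionsRequested") != "instanceTermination"):
        return {"action": "ignored"}
    ec2.terminate_instances(InstanceIds=[event["detail"]["instance"]])
    return {"action": "terminate_instances", "instance": event["detail"]["instance"]}

class FakeEC2:  # offline stand-in for boto3's EC2 client
    def __init__(self, instances):
        self.instances, self.terminated = instances, []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {}

class FakeEvents:  # offline stand-in for boto3's CloudWatch Events client
    def __init__(self):
        self.entries = []

    def put_events(self, Entries):
        self.entries.extend(Entries)
        return {"FailedEntryCount": 0}

# Constructed instances: one compliant, one with the slide 31 launch parameters.
INSTANCES = {
    "i-0aaa": {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-ad3d7cdb",
               "SecurityGroups": [{"GroupId": "sg-ee9a3a88"}]},
    "i-0bbb": {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-a8aa4ef0",
               "SecurityGroups": [{"GroupId": "sg-45533823"}]},
}

def pending_event(instance_id, region="eu-west-1"):
    """Constructed slide 32 event for the given instance."""
    return {"detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2",
            "region": region, "detail": {"instance-id": instance_id, "state": "pending"}}

if __name__ == "__main__":
    ec2, events = FakeEC2(INSTANCES), FakeEvents()
    print([level1_responder(pending_event(i), ec2, events) for i in INSTANCES])
```

Splitting the check from the destructive action is the point of the design: the level-1 role needs only `ec2:DescribeInstances` and `events:PutEvents`, while `ec2:TerminateInstances` is granted to the level-2 function alone and is reachable only through an event whose `source` and `detail-type` the slide 36 rule pins down. Note that slide 35 shows `Detail` as a dict; the `put_events` API takes it as a JSON string, which `active_response_entry` handles.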
  38. Demo: “Alexa, launch AWS Security Tools”
  39. Other AWS security resources • Support https://aws.amazon.com/support • AWS Cloud Security https://aws.amazon.com/security • Contact the AWS security team aws-security@amazon.com
  40. Related sessions • SAC305 “How AWS Automates Internal Compliance at Massive Scale Using AWS Services” • SAC316 “Security Automation: Spend Less Time Securing Your Applications” • SAC401 “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” • SAC315 “Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?”
  41. Summary • Security agility with AWS more achievable than ever • Identify and express your security goals, as code even • Choose your own adventure, leverage Support • And remember, when it comes to security event response … There are TWO ways to get practice, but you only get to choose ONE ;)
  42. Thank you!
  43. Remember to complete your evaluations!
