1. .
Cloud Security for AWS
Preventing the Vicious Cycle of Security Failure
Protecting Your Cloud from Advanced Targeted Attacks
Andrew Hurren, Senior Regional Solution Architect, ANZ,
Intel Security
2. .
Data Center | Client | Wearables/IoT
Intel’s Vision
If it is smart and connected, it is best with Intel
3. .
• Creating differentiated and open platforms for innovation
• Protecting digital identities for personal and transaction security
• Delivering Security Connected at optimal TCO
• Safeguarding our operations, our products and our customers
Consumer Endpoint | Corporate Endpoint | Network & Gateway Security | Management/Analytics
Intel Security Group
Delivering ubiquitous security to individuals and business on all computing
devices
4. .
The Need for Efficiency
The fundamental security challenge
Time Imperative | Resource Constraints | Increasing Complexity
Resolve more risk, faster and with fewer resources
Growing IoT Devices, Cloud Adoption and Evolving Threats
5. .
Threat Defense Lifecycle
Continuous, Automated, and Shared Threat Intelligence
Detect – Illuminate low-threshold maneuvering through
advanced intelligence and analytics.
Protect – Stop pervasive attack vectors while also
disrupting never-before-seen techniques and payloads.
Adapt – Apply insights immediately throughout an
integrated security system.
Correct – Improve triage and prioritize response as part of
a fluid investigation.
6. .
Cloud Security is a Shared Responsibility
https://aws.amazon.com/security/sharing-the-security-responsibility/
7. .
McAfee Management Platform
On-premises security | Private cloud security | Public cloud security
Protection and Detection Controls
Security Analytics and Corrective Controls
Scalable, Comprehensive, Easy-to-use Solution
Consolidated Management and Security Tools
Intel Security Architecture
8. .
Intel Security: Capability Offerings
Outcomes: Neutralize Emerging Threats | Safeguard Vital Data | Optimize Security Operations | Fortify Critical Environments
Capabilities:
• Endpoint Protection
• Network Security
• Data Security
• Web Security
• Security Management
• Endpoint Detection & Response
• Server Security
• Threat Sandboxing
• Security Services
• Threat Intelligence
10. .
Visibility into Cloud Infrastructure
• Gain insights of cloud
infrastructure
• Manage cloud and on-
premises security needs from
one console
• Identify and respond to
security issues
• Save time with automated
workflows
• The AWS hierarchy of systems is logically grouped by region
20. .
Traditional Endpoint Protection Approaches
Blacklisting
Known bad files
Anti-virus technology
Intelligence is global
Daily updates
Whitelisting
Known good files
Application whitelisting
Intelligence is manual
Ad-hoc updates
What about
everything else?
21. .
Advanced Reputation-Based Inspection
Spectrum: Known Bad, Unknown, Known Good
For an unknown file, ask:
• Author? Suspicious attributes? (the file is new, packed, or has suspiciously low prevalence)
• Global, local, 3rd-party knowledge?
• Connected countermeasures? (endpoint, network, gateway, cloud; McAfee or 3rd party)
22. .
Threat Intelligence Exchange (TIE)
Enhanced Protection for Workloads
Components connected over the Data Exchange Layer: McAfee TIE Server, McAfee TIE Endpoint Modules, McAfee ATD, McAfee Web Gateway, McAfee Global Threat Intelligence, 3rd Party Solutions
Example verdict for a file whose age is hidden, that is signed with a revoked certificate, and that was created by an untrusted process: Trust Level: Low; Action: Block
23. .
Value of TIE + ATD
Connected over the Data Exchange Layer: McAfee ePO, McAfee ESM, McAfee TIE Server, McAfee TIE Endpoint Modules, McAfee ATD (Advanced Threat Defense), McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, 3rd Party Solutions, Other Solutions
• Unknown files are sent to ATD for static and dynamic analysis
• ATD determines the file to be malicious
• Updated file information is shared instantly to all connected solutions, providing real-time protection
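The decision flow of slides 20 to 23 (blacklist and whitelist first, then local attributes, then a sandbox verdict that is shared with every connected countermeasure) as an added, runnable example. This is not Intel Security or McAfee code: the scoring weights, the 30-point block threshold, the sandbox heuristic, the hash sets and the sample files are all assumptions made for illustration.

```python
"""Added example, not Intel Security or McAfee code: a toy reputation pipeline in the
spirit of TIE + ATD. Scoring weights, thresholds, the sandbox heuristic and the
sample files are assumptions made for illustration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed "global" intelligence (stand-in for GTI / blacklist / whitelist feeds).
KNOWN_BAD = {hashlib.sha256(b"MZ evil-dropper-v1").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"MZ notepad-signed-build").hexdigest()}

# Stand-in for the TIE server: a verdict published once is visible to every
# connected countermeasure (endpoint, gateway, ...) on its next lookup.
SHARED_VERDICTS: dict[str, str] = {}


@dataclass
class FileContext:
    content: bytes
    signer_revoked: bool = False   # signed with a revoked certificate
    parent_trusted: bool = True    # created by a trusted process
    packed: bool = False
    age_hidden: bool = False       # timestamps stripped or forged
    prevalence: int = 0            # hosts in the local estate that have seen this hash

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def local_trust_score(ctx: FileContext) -> int:
    """0..100 from local attributes alone (higher means more trustworthy)."""
    score = 50
    if ctx.signer_revoked:
        score -= 40
    if not ctx.parent_trusted:
        score -= 20
    if ctx.packed:
        score -= 10
    if ctx.age_hidden:
        score -= 10
    if ctx.prevalence < 5:          # suspiciously low prevalence
        score -= 10
    elif ctx.prevalence > 1000:     # widely seen, never complained about
        score += 20
    return max(0, min(100, score))


def sandbox_verdict(ctx: FileContext) -> str:
    """Stand-in for ATD static/dynamic analysis (constructed heuristic)."""
    return "malicious" if b"evil" in ctx.content else "clean"


def inspect(ctx: FileContext) -> tuple[str, str]:
    """Return (trust level, action) for a file seen by one countermeasure."""
    h = ctx.sha256
    if h in KNOWN_BAD or SHARED_VERDICTS.get(h) == "malicious":
        return "known bad", "block"
    if h in KNOWN_GOOD or SHARED_VERDICTS.get(h) == "clean":
        return "known good", "allow"
    # Everything else: decide from local attributes first.
    score = local_trust_score(ctx)
    if score < 30:
        return "low", "block"        # e.g. revoked signer + untrusted parent
    # Grey area: send to the sandbox and publish the verdict for all consumers.
    verdict = sandbox_verdict(ctx)
    SHARED_VERDICTS[h] = verdict
    return "unknown, sandboxed as " + verdict, "block" if verdict == "malicious" else "allow"


if __name__ == "__main__":
    # The slide 22 case: age hidden, revoked signer, untrusted parent.
    print(inspect(FileContext(b"MZ dropper", signer_revoked=True,
                              parent_trusted=False, age_hidden=True)))
    new = FileContext(b"MZ new evil thing", prevalence=50)
    print(inspect(new))   # first sighting: sandboxed
    print(inspect(new))   # second sighting anywhere: already known bad
```

The second lookup of the same hash returns "known bad" without another sandbox round trip, which is the point of the shared exchange layer: one analysis serves every consumer.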
25. .
Security's Perfect Storm
A challenging and stressful environment
• Many tools and limited expertise
• Masses of security data
• Time to detect and respond
Just how mature are security operations teams today?*
Over 44% say they are immature, sharing incident response teams with IT and having limited tools.
Another 24.6% say they are still maturing, but at least they have a full SOC and expansive tools.
*Source: SANS IR Survey, August 2015
26. .
Identify Hidden Threats across Multiple Vectors
Value of Log Analysis
• Turn Security Data into Actionable Intelligence
• REDUCE Detection Time
• Identify Malware, Malicious Activity, Unauthorised behaviour, Fraud…
• Correlation and Patterns
• Behavioural Baselines and Anomalies
• Risk Correlation
• Address Agentless / Server-Less Environments
Masses of
Security Information
27. .
Intel Security SIEM Solutions
Optimized threat and compliance management
INTELLIGENT
• Real Time Advanced Analytics: automated rule, risk/behavior, and statistical correlation
• Threat Prioritization: turns billions of "so what" events into actionable information
INTEGRATED
• Comprehensive Security: broad data collection of devices, including cloud support
• Security Connected integrations to enable efficient and effective response
ACTIONABLE
• Active and Customizable Dashboards: make threat investigation and response easy
• High Performance Data Management Engine: fast response to data collection, analytics, and threat analysis
• Ease of Operation: hundreds of out-of-the-box rules & reports; a unified compliance framework
29. .
Centralise Security Analysis – Collect at the Source
Private, Cloud and Hybrid Deployment Models
McAfee ESM components in the AWS cloud (on Amazon EC2), collecting AWS service log sources:
• ESM Management
• ESM Log Collectors
• ESM Advanced Correlation Engine
• ESM Raw Log Storage
McAfee ESM components in the physical and/or virtual corporate data center, collecting on-premise/private log sources:
• ESM Management
• ESM Log Collectors
• ESM Advanced Correlation Engine
• ESM Raw Log Storage
The two sites are linked by Direct Connect/VPN.
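Collecting AWS service logs at the source means getting CloudTrail records into a form the collector can parse. The following added example (not McAfee ESM code, and not an official AWS or ArcSight tool) turns a raw CloudTrail JSON document into CEF lines, a widely supported syslog line format for SIEM ingestion. The "AWS"/"CloudTrail" vendor and product strings, the severity mapping, the high-impact event watchlist and the two sample records (documentation IP range, made-up security group id) are assumptions.

```python
"""Added example, not Intel Security/McAfee code: normalise raw CloudTrail records
into CEF lines for a syslog-based SIEM collector. Vendor/product strings,
severities, the watchlist and the sample records are assumptions."""
from __future__ import annotations
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records (RFC 5737 addresses); not a real trail.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-03-01T02:15:04Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventVersion": "1.05", "eventTime": "2016-03-01T02:16:30Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d"},   # constructed id
     "responseElements": {"_return": True}},
]})

# API calls worth a raised severity even when they succeed (assumed watchlist).
HIGH_IMPACT = {"AuthorizeSecurityGroupIngress", "PutBucketPolicy",
               "CreateAccessKey", "StopLogging", "DeleteTrail"}


def cef_header(value) -> str:
    """CEF header fields escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value) -> str:
    """CEF extension values escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def epoch_ms(iso: str) -> int:
    """CloudTrail eventTime (UTC, 'Z' suffix) to the CEF 'rt' millisecond epoch."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def severity(rec: dict, failed: bool) -> int:
    if failed:
        return 7
    return 6 if rec["eventName"] in HIGH_IMPACT else 3


def record_to_cef(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    resp = rec.get("responseElements") or {}
    # Console sign-in failures carry no errorCode; they are flagged in responseElements.
    failed = bool(rec.get("errorCode") or rec.get("errorMessage")
                  or resp.get("ConsoleLogin") == "Failure")
    ext = {
        "rt": epoch_ms(rec["eventTime"]),
        "src": rec.get("sourceIPAddress", ""),
        "suser": ident.get("userName") or ident.get("arn", ident.get("type", "")),
        "act": rec["eventName"],
        "outcome": "Failure" if failed else "Success",
        "cs1Label": "awsRegion", "cs1": rec.get("awsRegion", ""),
        "cs2Label": "eventSource", "cs2": rec.get("eventSource", ""),
        "cs3Label": "requestParameters",
        "cs3": json.dumps(rec.get("requestParameters") or {}, sort_keys=True),
    }
    if failed:
        ext["reason"] = rec.get("errorMessage") or rec.get("errorCode", "")
    header = "|".join(cef_header(x) for x in (
        "AWS", "CloudTrail", rec.get("eventVersion", "0"),
        rec["eventName"], rec["eventName"], severity(rec, failed)))
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())


def cloudtrail_to_cef(raw_json: str) -> list[str]:
    return [record_to_cef(r) for r in json.loads(raw_json)["Records"]]


if __name__ == "__main__":
    for line in cloudtrail_to_cef(CLOUDTRAIL_SAMPLE):
        print(line)
```

In a real deployment the lines would be written to syslog on the collector host (or shipped from an S3/CloudWatch subscriber) so the correlation engine sees console failures and security-group changes alongside on-premise events; the failed ConsoleLogin and the ingress rule change from the same source address are exactly the pair a correlation rule should join.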
30. .
Incident Identification, Forensics and Response
Use Cases
• Detect a slow brute force of a web application user account
• Identify the geo-location of the adversary and reputation of their source network
• Identify all subsequent activities carried out by that user throughout your environment
• Identify any risky or anomalous behaviour associated with that user, or the assets that
user has interacted with
• REACT and block associated indicators such as geo-location, user, process, network…
directly from the SIEM platform
• Create watchlists (alerts) for similar behaviours
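The use case above, together with the baseline-and-anomaly points of slide 26, as an added, runnable example. It is not McAfee ESM code or one of its rules: the log format, the five-failure/one-hour/two-minute thresholds, the bulk-export limit and the geo/reputation table are assumptions, and the log lines are constructed using RFC 5737 documentation addresses.

```python
"""Added example, not part of the deck or of McAfee ESM: the slide 30 use case run
as code over constructed web-application auth logs. Log format, thresholds and
the geo/reputation table are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
LOG_LINES = """\
2016-03-01T01:58:00Z auth user=alice src=198.51.100.22 result=ok
2016-03-01T02:00:10Z auth user=alice src=203.0.113.7 result=fail
2016-03-01T02:07:42Z auth user=alice src=203.0.113.7 result=fail
2016-03-01T02:15:05Z auth user=alice src=203.0.113.7 result=fail
2016-03-01T02:22:51Z auth user=alice src=203.0.113.7 result=fail
2016-03-01T02:31:19Z auth user=alice src=203.0.113.7 result=fail
2016-03-01T02:39:03Z auth user=alice src=203.0.113.7 result=ok
2016-03-01T02:41:30Z app user=alice src=203.0.113.7 action=export_report rows=48000
2016-03-01T02:44:12Z auth user=bob src=192.0.2.10 result=fail
2016-03-01T02:44:15Z auth user=bob src=192.0.2.10 result=ok
"""

# Constructed geo/reputation table standing in for a GTI or third-party feed.
IP_INTEL = {
    "203.0.113.7":   {"geo": "NL", "rep": "high-risk"},
    "198.51.100.22": {"geo": "AU", "rep": "clean"},
    "192.0.2.10":    {"geo": "AU", "rep": "clean"},
}
UNKNOWN_IP = {"geo": "??", "rep": "unknown"}

FAIL_THRESHOLD = 5                # failures on one account inside WINDOW ...
WINDOW = timedelta(hours=1)
SLOW_GAP = timedelta(minutes=2)   # ... spaced widely enough to slip under per-minute lockouts
KV = re.compile(r"(\w+)=(\S+)")


def parse(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, kind, rest = line.split(" ", 2)
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events


def is_login(ev: dict, result: str) -> bool:
    return ev["kind"] == "auth" and ev.get("result") == result


def geo_of(ev: dict) -> str:
    return IP_INTEL.get(ev["src"], UNKNOWN_IP)["geo"]


def detect_slow_bruteforce(events: list[dict]) -> list[dict]:
    """One alert per (user, src) whose failures contain FAIL_THRESHOLD attempts
    inside WINDOW with every gap >= SLOW_GAP; enriched with geo/reputation and
    whether a successful login from the same source followed."""
    fails = defaultdict(list)
    for ev in events:
        if is_login(ev, "fail"):
            fails[(ev["user"], ev["src"])].append(ev["ts"])
    alerts = []
    for (user, src), times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            run = times[i:i + FAIL_THRESHOLD]
            gaps = [b - a for a, b in zip(run, run[1:])]
            if run[-1] - run[0] <= WINDOW and min(gaps) >= SLOW_GAP:
                taken_over = any(is_login(e, "ok") and e["user"] == user
                                 and e["src"] == src and e["ts"] > run[-1] for e in events)
                alerts.append({"user": user, "src": src, "first": run[0], "last": run[-1],
                               "failures": len(times), "success_after": taken_over,
                               **IP_INTEL.get(src, UNKNOWN_IP)})
                break
    return alerts


def pivot(events: list[dict], user: str, since: datetime) -> list[dict]:
    """Everything the account did from the start of the attack onward."""
    return [e for e in events if e.get("user") == user and e["ts"] >= since]


def anomalies(events: list[dict], alert: dict) -> list[str]:
    """Baseline = geos of successful logins before the attack; flag logins from
    new geos and bulk exports during the incident."""
    baseline = {geo_of(e) for e in events
                if is_login(e, "ok") and e["user"] == alert["user"] and e["ts"] < alert["first"]}
    findings = []
    for e in pivot(events, alert["user"], alert["first"]):
        if is_login(e, "ok") and geo_of(e) not in baseline:
            findings.append(f"login from new geo {geo_of(e)} at {e['ts']:%H:%M}")
        if e.get("action") == "export_report" and int(e.get("rows", 0)) > 10000:
            findings.append(f"bulk export of {e['rows']} rows at {e['ts']:%H:%M}")
    return findings


def indicators(alert: dict) -> dict:
    """What a SIEM 'react' action would push to gateway/endpoint/IPS blocklists."""
    return {"src": alert["src"], "geo": alert["geo"], "user": alert["user"]}
```

Bob's single failure followed by a success is ordinary user error and produces no alert; Alice's five failures, each minutes apart, would never trip a per-minute lockout, which is why the window has to be long and the detection has to be done centrally rather than in the application. The indicators dictionary is the shape of what a watchlist entry for similar behaviour would match on.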
32. .
Solving security's most acute pain points
Delivering Business and Security Outcomes (Problem and Solution)
• Complexity: Resolve more threats. Extend beyond discrete and siloed security; move to a cohesive threat lifecycle defense; "cloudify" and "mobilize" protection.
• Time constraints: Respond rapidly. Deliver automated detection and correction; operate as a security system.
• Resource constraints: Fewer resource constraints. Integrate, streamline, and automate processes to improve operational efficiency.