In this session you will learn how to improve your development of security tools and functions to allow you to create functions that create other functions -- based on the data in the environment. Merging security automation, CI/CD, and serverless infrastructure, you can create functions that act semi-autonomously with permission boundaries and step function logic.

1. P U B L I C S E C T O R
S U M M I T
Washingt on, DC

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Beyond Security Automation:
How to Move Past Developing Ad-hoc Tools and Make Tools that
Develop Automatically
Brad Dispensa
Pr. Security and Compliance
AWS WWPS
3 0 2 8 3 0

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Agenda
• Security tools available to develop with in your environment
• Where to start on this journey
• Looking at data differently
• Proactive vs. reactive model

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Security tools available

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Quick overview of the tools of the trade

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Core security services
Amazon GuardDuty
Amazon Inspector
Amazon Macie
AWS Artifact
AWS Certificate Manager AWS CloudHSM
AWS Firewall Manager
AWS Identity and Access
Management (IAM)
AWS Secrets Manager
AWS Key Management
Service
AWS Security Hub
AWS Shield
AWS WAF

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Meta security tools
AWS Lambda Amazon Simple
Notification Service Amazon Elasticsearch
Service
Amazon Athena
AWS Systems Manager
AWS Command Line
Interface
AWS Config
Amazon CloudWatch
AWS CloudFormation AWS CloudTrail
Amazon Simple Storage
Service (S3)
AWS Organizations

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Example core + Meta
9
Example:
GuardDuty auto-responder
AWS Cloud
AWS Lambda
GD Finding
Amazon GuardDuty Amazon CloudWatch
AWS Cloud
AWS Lambda
Lambda responder
Amazon GuardDutyRole Amazon EC2
AWS Systems Manager

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Where do we need to start

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Observation
In order to react to anything, we first need to know what we have and
review its contents.
Common mistakes:
• Customers don’t look at the data they already have
• Forgot to check that “X” was enabled
Why?
• “Unknown uknowns”: I don’t know what I should be looking for
• Relying on manual process instead of codified solutions

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Check assumptions in code
AWS Cloud
AWS Lambda
AWS Cloud
AWS Cloud
AWS Cloud
Role
AWS CloudTrail
AWS CloudTrail
AWS CloudTrail

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Example Cloudtrail lookup
import boto3
client = boto3.client('cloudtrail')
response = client.describe_trails(
includeShadowTrails=True )
for i in response['trailList']:
if i['IsMultiRegionTrail'] == True:
return i['S3BucketName'], i['TrailARN']

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Check for FlowLogs enabled on all VPCs
import boto3
client = boto3.client('ec2’)
def check_flowlogs(vpc_id):
response = client.describe_flow_logs(
Filter=[
{ 'Name': 'resource-id',
'Values': [ vpc_id ] },
],)
if len(response[u'FlowLogs']) == 0:
print vpc_id
response = client.describe_vpcs()
for i in response['Vpcs']:
check_flowlogs(i['VpcId'])

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Example
AWS Security best practices white paper:
• P.70 - “Log everything and alert based on given threshold for the
policies.”
• Use core functionality like VPC flow logs
• Constrain security groups with high-risk access to limit CIDR ranges
Common response:
• Look only for patterns you already know
• E.g. Only looking for port open port TCP 22 with Config or an Adhoc
Lambda function.

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
This is what customers do
import boto3
client = boto3.client('ec2')
response = client.describe_vpcs()
for i in response['Vpcs']:
sgid = client.describe_security_groups(
Filters=[
{
'Name': 'vpc-id',
'Values': [i['VpcId']]
},
])
for ii in sgid['SecurityGroups']:
for iii in ii['IpPermissions']:
if 'FromPort' in iii or 'ToPort' in iii:
if iii['FromPort'] == 22 or iii['ToPort'] == 22:
if len(iii['IpRanges']) != 0 and iii['IpRanges'][0]['CidrIp'] == '0.0.0.0/0':
print ii['GroupId']

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Wait, so then what’s the issue with it?

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Why is this a bad idea then?

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
SSM Sessions Manager > SSH
• SSH access should be an exception moving forward
• SSM is policy driven and integrates with IAM
• Interaction with SSM is logged via Cloudtrail
• Granular IAM policy allows specific resource access.
AWS Systems Manager

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Stepping up the game
Instead of looking only at what we expect, can we look at what we
observe normally and draw from that?
Can we look at multiple data-sources and combine information to better
evaluate risk?

23. Public subnet
Example:
Look for normal traffic
patterns
VPC
AWS Cloud
Virtual private cloud
10.1.0.0/16
Public subnet
10.1.0.0/19
Internet gateway
Web Instance-1 Web Instance-2
Attempted probe
TCP-3389
Elastic Load Balancing (ELB)
Flow logs

24. Public subnet
Example:
Look for normal traffic
patterns
VPC
AWS Cloud
Virtual private cloud
10.1.0.0/16
Public subnet
10.1.0.0/19
Internet gateway
Web Instance-1 Web Instance-2
Attempted probe
TCP-3389
Elastic Load Balancing (ELB)
Flow logs
AWS Systems Manager
Amazon CloudWatch
AWS Lambda

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Get process and pulling connections
AWS SSM Run:
#Network dump
netstat –ant|grep ESTABLISHED
#Process compare
netstat -nlpt
#Pull process list
ps aux
tcp 0 0 10.1.1.179:49058 212.7.219.6:8800 ESTABLISHED
tcp 0 0 10.1.1.179:33324 173.194.36.117:443 ESTABLISHED
tcp 0 0 127.0.1.1:8080 0.0.0.0:* LISTEN 1391/tomcat
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 661/NGINX
tcp6 0 0 ::1:631 :::* LISTEN 661/cupsd
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAN
ec2-user 26464 11.1 0.7 2861432 62132 ?? S Fri09AM 1:29.23 /bin/tomcat
root 169 6.5 1.2 3947388 97728 ?? Ss Tue02PM 70:48.79 /usr/local/src/nginx

26. Public subnet
Example:
Look for normal traffic
patterns
VPC
AWS Cloud
Virtual private cloud
10.1.0.0/16
Public subnet
10.1.0.0/19
Internet gateway
Web Instance-1 Web Instance-2
Attempted probe
TCP-3389
Elastic Load Balancing (ELB)
Flow logs
AWS Systems Manager
Amazon CloudWatch
AWS Lambda
outputs

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Can we automate this automation?
Function that will use SageMaker to look for patterns in IPV4 traffic intra-
vpc and detect outlier but authorized communication.

28. Amazon SageMaker: IP Insights
Capture associations between IPv4 addresses and various entities
(user IDs, account numbers, etc..).
Identify a user attempting to log into a web service from an
anomalous IP address
Identify an account that is attempting to create computing resources
from an unusual IP address.
Amazon SageMaker IP
Insights model gives much
higher scores to malicious
events, and there is a clear
separation between the two
distributions.

29. Amazon Simple
Notification Service
AWS
Lambda
Elastic Load Balancing
(ELB)

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Account A
Account B
Account B
Security account
Amazon S3
bucket
1.2.3.4/32
1.2.3.4/32
1.2.3.4/32

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Looking at data differently

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Adding another meta-tool
AWS Step Functions

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Small, reusable code functions
AWS Lambda
AWS Lambda
AWS Lambda

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Proactive > Reactive

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Look for changes from baseline

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Advanced functions
Use tools and functions as early alerting and respond with the data
collected from the event.

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": ”Deny",
"Action": "*",
"Resource": "*"
}
]
}
aws iam create-user --user-name developer-team-owl
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/audit-
owl --user-name developer-team-owl

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
aws iam create-access-key --user-name developer-team-owl
{
"AccessKey": {
"UserName": "developer-team-owl ",
"Status": "Active",
"CreateDate": "2015-03-09T18:39:23.411Z",
"SecretAccessKey":
"wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE"
}
}

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
VPC Flow Logs: Automation
Private subnet
Compliance
app
If any REJECT > 0,
then…
Elastic
Network
Interface
Metric filter
Filter on all
any REJECTFlow Logs group
CloudWatch
alarm
Source IP

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
S3 honey bucket
Company-
payroleAdversary http Adversaryapi
Amazon Simple
Storage Service (S3)

44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Auto retire resources

45. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T

46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T