
Defending Your Workloads Against the Next Zero-Day Vulnerability

When serious vulnerabilities like Shellshock or Heartbleed are found, you know you should respond quickly. But when you're juggling many priorities, and are more comfortable developing apps than writing security policies, emergency updates can fall to the bottom of the list. Is there a better way to protect your workloads without a lot of work? In AWS, everything in your infrastructure is an API. If you take the same approach to security, you can automate protection against zero-day vulnerabilities without giving up agility or architectural flexibility. In this session, we show how to use AWS security groups, virtual private cloud (VPC) networking, and security capabilities such as intrusion detection and prevention to defend what you put in the cloud. We use the recent Shellshock vulnerability as a real-world threat scenario and walk through how to combine AWS features and workload-aware security controls to keep attackers from exploiting similar zero-day threats. Learn simple, easy-to-deploy security tools and techniques to protect workloads that don't require a PhD in cyber security.



  1. Defending your workloads against the next zero-day vulnerability. Justin Foster (@justin_foster), Trend Micro, Director of Product Management | Cloud & Data Center Security
  2. The Story. More at aws.trendmicro.com. 2012 re:Invent: SPR203, Cloud Security is a Shared Responsibility, http://bit.ly/2012-spr203. 2013 re:Invent: SEC208, How to Meet Strict Security & Compliance Requirements in the Cloud, http://bit.ly/2013-sec208; SEC307, How Trend Micro Build their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307. 2014 re:Invent: SEC313, Updating Security Operations for the Cloud, http://bit.ly/2014-sec313; SEC314, Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314
  3. Traditional Responsibility Model. You: Physical Infrastructure, Network, Virtualization, Operating System, Applications, Data, Service Configuration. More at aws.amazon.com/security
  4. Shared Responsibility Model. AWS: Physical Infrastructure, Network, Virtualization. You: Operating System, Applications, Data, Service Configuration. More at aws.amazon.com/security
  6. Shared Responsibility Model: AWS compliance programs. PCI DSS Level 1, SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, IRAP (.au), FIPS 140-2, CJIS, CSA, FERPA, HIPAA, FedRAMP (SM), DoD CSM 1-2, 3-5, DIACAP, ISO 27001, MTCS 3, ITAR, MPAA, G-Cloud, Section 508/VPAT, FISMA. More at aws.amazon.com/compliance/
  8. Vulnerability / Respond / Repair
  9. Vulnerability (©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved)
  10. Image by Andreas Lindh (@addelindh)
  11. bash is a common command line interpreter
  12. a:() { b; } :: attack 10 | vulnerability 10. Widespread & easy to exploit
  13. 1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
  14-17. 1989 (period photos; credits: Norlando Pobre, Gavin Stewart, VersusLiveQuizShow, "MicroTAC" by Redrum0486 at English Wikipedia)
  18. Timeline (columns: time since last event | event | action | action timeline)
      1989-08-05 8:32 | Added to codebase
      27 days, 10:20:00 | Released to public
      9141 days, 21:18:35 | Initial report | React | Clock starts
      1 day, 22:19:13 | More details | React
      2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
      5 days, 9:16:35 | Limited disclosure :: CVE-2014-6271 | React
      2 days, 4:37:25 | More details | React
      3:44:00 | More details | React
      0:27:51 | Public disclosure | React
      0:36:30 | More details | React
  19. Important Shellshock Events (columns: time since last event | event | action | action timeline)
      1989-08-05 8:32 | Added to codebase
      27 days, 10:20:00 | Released to public
      9141 days, 21:18:35 | Initial report | React | Clock starts
      2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
      3:29:09 | Official patch :: CVE-2014-7169 | Patch | 9 days, 19:17:00
      3:15:00 | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
      1 day, 11:55:00 | Official patch :: CVE-2014-6277 | Patch | 1 day, 11:55:00
      2 days, 20:24:00 | Official patch :: CVE-2014-6278 | Patch | 2 days, 20:24:00
  20-22. Attack source IPs at 24h, 48h and 72h after disclosure (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278)
  23. Respond: Day 1
  24-25. aws.amazon.com/architecture : Web application hosting
  26. Primary workflow for our deployment: TCP:443 and TCP:4433
  27. IAM Roles
  28. AWS IAM Review
  29. Security groups
  30. AWS Security Group Review
  31. Network segmentation
  32. AWS Network Review
  33. AWS VPC Checklist Review: IAM roles, security groups, network segmentation, network access control lists (NACL). More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
  34. Primary workflow for our deployment: TCP:443 and TCP:4433
  35. HTTPS. Intrusion prevention can look at each packet and then take action depending on what it finds
  36. aws.amazon.com/architecture : Web application hosting
  37. Intrusion Prevention in Action
  38. Review: all instances covered; workload-appropriate rules; centrally managed. Security controls must scale out automatically with the deployment
  39. Repair: Day 2
  40. aws.amazon.com/architecture : Web application hosting
  41. All instances deployed from a task-specific AMI (TCP:443 and TCP:4433)
  42. AMI Creation Workflow, which should be completely automated: Instantiate -> Configure -> Bake -> Instantiate -> Test -> Destroy
  43. AMI Creation
  44. aws.amazon.com/architecture : Web application hosting
  45. Integrity Monitoring (AMI -> Instance -> Alert). Instances tend to drift from the known-good state, so monitoring key files & processes is important
  46. Integrity Monitoring
  47. Keys. Respond: review configuration, apply intrusion prevention. Repair: patch the vulnerability in a new AMI, leverage integrity monitoring
  48. Keys: Visibility, Security, Time
  49. Build With Confidence
  50. aws.trendmicro.com, NEW YORK
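Slides 11 to 19 describe the bug and the sequence of patches. The first question on day 1 is whether the bash on your instances imports function definitions from the environment at all. The probe below is an added example, not code from the deck; it runs the widely published CVE-2014-6271 test string through a child bash and reports the outcome. The variable name SHELLSHOCK_PROBE and the marker text are this example's own choices.

```python
"""Probe the local bash for CVE-2014-6271, the first Shellshock bug.

Added example, not code from the deck. It runs the well-known test string
through a child bash and reads the result; it does not exploit anything.
"""
import shutil
import subprocess

# A vulnerable bash treats any environment variable whose value begins with
# "() {" as a function definition and keeps executing what follows the
# closing brace. A patched bash leaves the variable alone and may warn on
# stderr ("ignoring function definition attempt").
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_VULNERABLE"
PROBE_MARKER = "SHELLSHOCK_VULNERABLE"


def interpret_probe_output(stdout: str) -> bool:
    """True if the trailing command in PROBE_VALUE was executed."""
    return PROBE_MARKER in stdout


def bash_vulnerable_cve_2014_6271(bash_path=None):
    """Return True if bash is vulnerable, False if patched, None if no bash."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    # The child only has to run an innocuous command; the payload sits in the
    # environment, which is exactly how a CGI server hands headers to bash.
    result = subprocess.run(
        [bash, "-c", "echo probe-ran"],
        env={"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE_VALUE},
        capture_output=True,
        text=True,
        timeout=10,
    )
    return interpret_probe_output(result.stdout)


if __name__ == "__main__":
    state = bash_vulnerable_cve_2014_6271()
    verdict = {
        True: "VULNERABLE to CVE-2014-6271",
        False: "not vulnerable to CVE-2014-6271",
        None: "bash not found",
    }
    print(verdict[state])
```

A clean result covers only CVE-2014-6271. As slide 19 shows, five further CVEs (7169, 7186, 7187, 6277, 6278) were patched over the following two weeks, each needing its own check, which is why the deck moves from "is it patched" to controls that do not depend on the patch being complete.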
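Slides 26 to 33 review security groups against the deployment's primary workflow (TCP 443 and TCP 4433). The review below is an added example, not code from the deck. SAMPLE_GROUPS is constructed here in the shape that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups()["SecurityGroups"]`) returns; the group IDs, names and the two planted mistakes are invented for the demo.

```python
"""Review security group ingress against the deployment's primary workflow
(TCP 443 and TCP 4433). Added example, not code from the deck.

SAMPLE_GROUPS is constructed in the shape describe-security-groups returns
under "SecurityGroups"; in a live review feed that output in instead.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed input: a web tier and an app tier from the reference
# architecture, with two mistakes planted for the review to catch.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0web", "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # SSH open to the world: not part of the 443/4433 workflow
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0app", "GroupName": "app-tier",
        "IpPermissions": [
            # Good: app tier reachable only from the web tier's group
            {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
            # All protocols from a whole /8: far wider than 4433 from sg-0web
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        ],
    },
]


def ports(perm):
    """(low, high) port range; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_risky_ingress(groups, allowed_public_ports=frozenset({443, 4433})):
    """Return (group, cidr, proto/ports, reason) for ingress rules to fix.

    Two checks: any all-traffic rule sourced from a CIDR, and any rule open
    to the world on ports outside allowed_public_ports. Rules sourced from
    another security group (UserIdGroupPairs) are the preferred pattern and
    are not flagged.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            lo, hi = ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if proto == "-1":
                    findings.append((group["GroupId"], cidr, "all/0-65535",
                                     "all-traffic rule from a CIDR; pin protocol "
                                     "and port, prefer a group reference"))
                elif cidr in WORLD_CIDRS and set(range(lo, hi + 1)) - allowed_public_ports:
                    findings.append((group["GroupId"], cidr, f"{proto}/{lo}-{hi}",
                                     "world-reachable outside the 443/4433 workflow"))
    return findings


if __name__ == "__main__":
    for finding in find_risky_ingress(SAMPLE_GROUPS):
        print(" | ".join(finding))
```

Run against the constructed data it reports the SSH rule on sg-0web and the all-traffic rule on sg-0app, and stays silent on the two rules that match the workflow. Because the check is a function over the API's output, it can run on every deployment rather than once during an audit, which is the "everything is an API" point the abstract makes.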
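Slides 35 to 38 say intrusion prevention looks at each packet and acts on what it finds. The detector below is an added example of the kind of workload-aware rule meant, not code from the deck or from Trend Micro's product. The log lines are constructed in Apache/nginx combined format with TEST-NET addresses. Two caveats the slides leave implicit: an IPS can only match this on plaintext, so for HTTPS it has to run on the instance after TLS termination or on a load balancer that terminates TLS; and an access log only records the request line, Referer and User-Agent, whereas an inline IPS also sees Cookie and custom headers, which carried Shellshock payloads just as often.

```python
"""Detect Shellshock payloads in HTTP requests: the kind of workload-aware
rule an intrusion prevention system applies to each packet. Added example,
not code from the deck or from Trend Micro's product.

SAMPLE_LOG is constructed in Apache/nginx "combined" format. A log-based
check like this finds attempts after the fact; an inline IPS applies the
same match before the request reaches bash.
"""
import re
from urllib.parse import unquote

# Start of a bash function definition, "() {", with optional whitespace.
# Both the CVE-2014-6271 form "() { :;}; cmd" and the CVE-2014-7169 parser
# form "() { (a)=>\' ..." begin this way, so one pattern covers both.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format. request/referer/agent are attacker-controlled.
# (Escaped quotes inside a field, as Apache writes \", are not handled.)
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one benign request, three probes (User-Agent, Referer,
# URL-encoded query string) and one benign request containing parentheses.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; /bin/ping -c 1 192.0.2.10"',
    '192.0.2.11 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.37.0"',
    '192.0.2.12 - - [25/Sep/2014:10:04:09 +0000] "GET /cgi-bin/x?a=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.8 - - [25/Sep/2014:10:05:33 +0000] "GET /docs/functions.html?q=f(x) HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]


def is_shellshock(value: str) -> bool:
    """True if the value, raw or URL-decoded, opens a function definition."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def inspect_line(line: str):
    """(source_ip, field) for every attacker-controlled field that matches."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    return [(m.group("ip"), field)
            for field in ("request", "referer", "agent")
            if is_shellshock(m.group(field))]


def block_list(lines):
    """Sorted source IPs to deny: the 'take action' half of the IPS rule."""
    return sorted({ip for line in lines for ip, _ in inspect_line(line)})


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for ip, field in inspect_line(line):
            print(f"{ip}: Shellshock payload in {field}")
    print("block:", block_list(SAMPLE_LOG))
```

The URL-decoding step matters: the third probe never contains a literal "() {" on the wire, and a rule that matches only the raw bytes misses it. The parentheses in the last line show why the pattern anchors on "()" immediately followed by "{" rather than on braces alone.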
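Slides 45 and 46 make the repair-phase point that instances drift from the known-good AMI state, so key files should be monitored. The code below is an added example of that baseline-and-compare loop, not code from the deck or from any product. Both directory trees and the file contents are constructed in temporary folders so it runs offline; on a real instance the baseline would be recorded when the AMI is baked and compared against the live filesystem on a schedule.

```python
"""Integrity monitoring: hash key files at AMI bake time and alert when an
instance drifts from that baseline. Added example, not code from the deck.

The two directory trees are constructed in temporary folders so the demo
runs offline; on a real instance the baseline would be recorded when the
AMI is baked and compared against the live filesystem on a schedule.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Classify drift as modified, added or removed paths (all sorted)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def write_tree(root, files):
    """Helper for the demo: lay out {relative path: bytes} under root."""
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


# Constructed "known good" content for files that matter after Shellshock:
# the shell binary, the sshd config and the CGI scripts that bash runs.
GOLDEN_FILES = {
    "bin/bash": b"bash 4.3 with all Shellshock fixes applied\n",
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "usr/lib/cgi-bin/status": b"#!/bin/bash\necho ok\n",
}


def demo():
    """Bake a baseline, simulate drift on an instance, return the alert data."""
    with tempfile.TemporaryDirectory() as ami, tempfile.TemporaryDirectory() as instance:
        write_tree(ami, GOLDEN_FILES)
        baseline = hash_tree(ami)  # recorded once, when the AMI is baked

        drifted = dict(GOLDEN_FILES)
        drifted["bin/bash"] = b"a different bash build installed out of band\n"
        drifted["etc/cron.d/persist"] = b"* * * * * root /tmp/run\n"  # new file
        del drifted["usr/lib/cgi-bin/status"]                         # removed
        write_tree(instance, drifted)

        return compare(baseline, hash_tree(instance))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

The baseline belongs with the AMI, not on the instance it protects, so that whoever changes the instance cannot also change what it is compared against. That is the reason the slide draws the arrow from AMI to Instance to Alert rather than keeping the reference state on the host.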
