
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018

Stephen Schmidt, Chief Information Security Officer at AWS, addresses the current state of security in the cloud, with a particular focus on feature updates, the AWS internal "secret sauce," and what's on the horizon in terms of security, identity, and compliance tooling.

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Leadership Session: AWS Security. Steve Schmidt, Vice President and Chief Information Security Officer, Amazon Web Services. Twitter: @StephenSchmidt. SEC305-L
  3. “The truth must be quite plain, if one could just clear away the litter.” Agatha Christie, A Caribbean Mystery
  4. Behind the scenes - SecOps on-call: AWS Security Ticket - Port Scanning abuse case created …
  5. Behind the scenes - SecOps on-call: AWS Security Ticket – LogScan errors detected …
  6. Behind the scenes - SecOps on-call: AWS Security Ticket – Experiencing 500s in …
  7. Behind the scenes - SecOps on-call: AWS Security Ticket – Proxy high latency in XXX region …
  8. Security expectations. Buy-in from leadership. Radically restrict and monitor: human access to data / patching / log retention duration / credentials lifespan + blast radius reduction / AWS encryption everywhere / canaries and invariants for security functionality. Key performance indicators: AppSec reviews / automated security checks / third-party audits / internal time-spent metrics / conformity with SLAs.
  9. Correction of Errors (COE): • Compile a detailed timeline to systematically understand the incident. • Analyze the impact on business and customers. • Find the root cause of the issue by diving deep into the sequence of events. • Address the root cause via trackable and deliverable action items. • Eliminate the opportunity for recurrence by analyzing and sharing lessons learned. This is NOT a process to place blame, nor is it a punitive tool.
  10. Correction of Errors (COE) – The five “why”s: • Ask questions until you have actionable root causes. • Address root causes with actions/deadline/owner. • Your analysis may branch into multiple root causes.
  11. Behind the scenes - SecOps on-call: Suspicious page from an obfuscated phishing domain (no whois record) …
  13. The power of the AWS Cloud – Our customers
  14. 239 new security features
  15. Original Amazon EC2 host architecture. Server: management, security, and monitoring; storage; customer instances; network; hypervisor.
  16. Amazon EC2 - C3 & C4 instances launched: • Improved performance by isolating functions within the hypervisor, moving them away from hardware. • Offloaded network processing to dedicated hardware within the system, decoupling it from the hardware that managed the hypervisor and saving significant CPU time through more efficient network packet processing. • Offloaded storage, requiring Amazon EC2 host software to validate, encrypt and route storage requests.
  17. 2017: Amazon EC2 C5 instances launched. Server with Nitro System: management, security, and monitoring; storage; customer instances; network; Nitro hypervisor.
  18. Resource-based policies
  19. VPN Connection; Network Load Balancer; Inter-Region VPC Peering; Bring Your Own IP Address
  21. AWS Config - Overview: changing resources → continuous change → recording; history, stream, snapshot (ex. 2018-06-05)
  22. Store the compliance history of AWS resources evaluated by Config rules
  23. Now offers agentless network assessments
  24. Amazon GuardDuty adds three new threat detections: UnauthorizedAccess:EC2/TorClient, UnauthorizedAccess:EC2/TorRelay, CryptoCurrency:EC2/BitcoinTool.B
  26. Processes an average of 92.7 million flow log records per second
  27. Amazon GuardDuty = automatic cost savings: • Travel company | 44% reduction in GuardDuty spend • Financial services company | 82% reduction • Automotive company | 79% reduction • Social media company | 86% reduction
  28. Introducing: Amazon S3 block public access
  29. Amazon S3 block public access
  31. Behind the scenes - SecOps on-call: AWS Security Ticket - DDoS abuse case created …
  33. “The time to repair the roof is when the sun is shining.” John F. Kennedy, State of the Union, 1962
  34. Pace of innovation | Launches (chart of launches per year over 11 years: 24, 48, 61, 82, 159, 280, 516, 722, 1017, 1430, 1,800+)
  35. From reactive to proactive. Pace of innovation: 1800+ updates. Meets pace of protection: 239 security updates … through automation.
  36. Pattern for automated remediation: Detection → Alerting → Remediation → Countermeasures → Forensics. Inputs: VPC Flow Logs, APIs, team collaboration.
  37. Amazon CloudWatch + AWS Lambda + AWS Systems Manager: Event → Amazon EC2 instance (ec2-user$ top, ec2-user$ pcap) → Amazon EC2 instance contents → Documents; Amazon EBS volume → Amazon EBS snapshot.
  38. Example response timeline (time on the horizontal axis). Traditional response: Incident detected → Locate → Get logs → Correlate → Analyze → Trace origin → Remediate. Response: Event → Rule matched → Alert sent → Correlate → Check baseline → Remediate.
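The plan-then-execute shape of slides 36-38 (alert, preserve evidence, then contain), as an added Python example that is not from the deck or from AWS. The finding, instance, interface and volume ids are constructed, the quarantine security group id is a placeholder, and the EC2/SSM clients are injected so the block runs offline; the method names used on them are boto3's.

```python
"""Plan-then-execute skeleton for the Detection -> Alerting -> Remediation ->
Forensics pattern of slides 36-38. Added illustration, not AWS code."""

# Constructed GuardDuty-style finding, shaped like the CloudWatch Events payload.
SAMPLE_FINDING = {
    "type": "UnauthorizedAccess:EC2/TorClient",
    "severity": 8.0,
    "resource": {"instanceDetails": {
        "instanceId": "i-0123456789abcdef0",  # constructed ids throughout
        "networkInterfaces": [{"networkInterfaceId": "eni-0aaaaaaaaaaaaaaa1"}],
        "volumes": [{"volumeId": "vol-0bbbbbbbbbbbbbbb2"}]}},
}

def plan_response(finding, quarantine_sg, min_severity=7.0):
    """Return an ordered list of steps. Nothing is executed here, so the plan
    can be logged, reviewed and unit-tested before any API call is made."""
    if finding["severity"] < min_severity:
        # Low severity: open a ticket for a human, take no automatic action.
        return [{"step": "alert", "channel": "ticket", "auto_remediate": False}]
    inst = finding["resource"]["instanceDetails"]
    steps = [{"step": "alert", "channel": "pager", "auto_remediate": True}]
    # Forensics first: preserve evidence before the instance state changes.
    for vol in inst["volumes"]:
        steps.append({"step": "snapshot", "volume_id": vol["volumeId"]})
    steps.append({"step": "capture", "instance_id": inst["instanceId"],
                  "commands": ["top -b -n 1", "tcpdump -c 1000 -w /tmp/ir.pcap"]})
    # Containment: move every ENI onto the quarantine security group.
    for eni in inst["networkInterfaces"]:
        steps.append({"step": "isolate", "eni_id": eni["networkInterfaceId"],
                      "groups": [quarantine_sg]})
    return steps

def execute(plan, ec2, ssm, finding_type):
    """Drive the plan through EC2 and SSM clients (boto3 method names). The
    alert step is only recorded; its delivery channel is out of scope here."""
    done = []
    for s in plan:
        if s["step"] == "snapshot":
            ec2.create_snapshot(VolumeId=s["volume_id"],
                                Description=f"IR evidence: {finding_type}")
        elif s["step"] == "capture":
            ssm.send_command(InstanceIds=[s["instance_id"]],
                             DocumentName="AWS-RunShellScript",
                             Parameters={"commands": s["commands"]})
        elif s["step"] == "isolate":
            ec2.modify_network_interface_attribute(
                NetworkInterfaceId=s["eni_id"], Groups=s["groups"])
        done.append(s["step"])
    return done

class RecordingClient:
    """Stand-in for a boto3 client that records calls so the block runs
    offline; use boto3.client("ec2") and boto3.client("ssm") for real."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call
```

Keeping the plan separate from the executor is what makes the "rule matched, alert sent, check baseline, remediate" timeline of slide 38 testable: the severity gate and the evidence-before-containment ordering can be asserted without touching an account.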
  39. Amazon Kinesis: • Capture, store, and analyze streaming data. • Quickly load TBs per hour of streaming data into the cloud for applications such as social media analysis or IoT. • Build custom applications that process or analyze streaming data, such as real-time content recommendations.
  40. Physical Security – Kinesis Video. Have cameras for physical security? Leverage Kinesis Video. New Glacier Deep Archive storage at $0.00099 per GB a month.
  42. Our mission: Powering prosperity around the world
  43. Who we are: Founded 1983; IPO 1993; 8,900 employees; 50M customers; $6B FY18 revenue; 21 locations
  44. Where are we in our journey?
  45. Why AWS? Cost efficiencies for a highly elastic business model. Speed and ease for our engineers and operations teams. Strategic enterprise partnership and cultural fit.
  46. …and we discovered more. Recruitment: AWS is a magnet. Global reach: servers where we need them. Security innovation: security as code.
  47. AWS security services circa 2012
  48. Intuit’s security hierarchy of needs: 1 Zoning and containment (govern the boundaries); 2 Asset management (metadata and attribution); 3 Logging (collecting metadata); 4 Authentication (access and privileges); 5 Encryption (protection of data in transit and at rest)
  49. Meeting security requirements in the cloud in 2012: 1 Zoning & containment; 2 Asset management; 3 Logging; 4 Authentication; 5 Encryption
  50. 1 Zoning and containment. KEY BENEFITS: • Reduced network attack surface • Retired 1000+ EC2 software VPNs with significant operational savings. (VPN Connection)
  51. 2 Asset management. KEY BENEFITS: • Accurate and up-to-date inventory of AWS accounts, resources and systems • Faster response and remediation due to clear attribution to resource owners • Lower operational costs, fewer headaches. (Orgs.)
  52. 3 Logging. KEY BENEFITS: • Better detection through audit trails of control/data plane events and network logs • Find the signals in the noise of petabytes of logs. (Flow logs)
  53. 4 Authentication. KEY BENEFITS: • Single sign-on to AWS tied to Intuit identity • Meet compliance requirements at scale • Policy management across Intuit’s AWS fleet of accounts. (Orgs., fine-grained access)
  54. 5 Encryption. KEY BENEFITS: • Checkbox transparent data encryption standard for all Intuit’s data at rest • Encryption of data at rest across AWS services • Audit trail of access to all keys. (App-level encryption)
  55. Meeting security requirements in the cloud today: Asset management; Authentication; Encryption; Logging; Zoning & containment
  57. Innovation: • 70+ Intuit patents and collaboration with AWS on dozens of services • Pioneered the DevSecOps model for public cloud • Accelerated delivery of new security and platform capabilities. Cost: • Lower TCO by eliminating clones and converging on AWS services • Increased investments to combat a rapidly evolving threat landscape. Speed and ease / Security benefits: • Faster detection and response • Lowering security risks faster • More scalable controls across the enterprise • Leveraging the power of all Intuit engineers through DevSecOps.
  58. Looking ahead
  59. Thank you! Michele Iacovone, SVP, Chief Information Security & Fraud Officer
  61. “As long as the world is turning and spinning, we’re gonna be dizzy and we’re gonna make mistakes.” Mel Brooks
  62. Security incidents in the news: … inappropriate access to personal information … Financial services: unauthorized third parties used employee information to gain access to company websites, possibly accessing personal information … Retail: investigating an incident where a contract worker improperly handled employee data … Financial services: may have occurred through a technique called "credential stuffing," in which hackers who have stolen passwords for other websites try them out under the assumption that people use the same passwords everywhere they go on the web …
  63. Minimize attack surface: • Fine-grained entitlements • Strict separation of duties (SoD) • Rich audit trail for compliance • Micro-segmentation • Cloud + DevOps = rapid patching • Multiple recovery options
  64. “The necessity of procuring good Intelligence is apparent & need not be further urged.” George Washington
  65. Threat intelligence. Consume feeds from various sources: • AWS Security • Commercial feeds • Open source feeds • Customer-provided threat intel (STIX) • Known malware-infected hosts • IP blacklist • Anonymizing proxies • Sites hosting malware & hacker tools = Great catch-all for suspicious & malicious activity.
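Slide 65's threat feeds and slide 52's "signals from the noise" together describe a join between network flow records and indicator lists. The Python below is an added example, not GuardDuty's or AWS's code: it runs that join over a constructed threat list and constructed VPC Flow Log lines in the default 14-field format (all addresses are documentation ranges), and ranks the hits so that accepted outbound flows to a listed address surface first.

```python
"""Join VPC Flow Log records with a threat list (slides 52 and 65).
Added illustration, not GuardDuty's or AWS's code."""
import ipaddress
from collections import defaultdict

# Constructed threat list, one IP or CIDR per line (documentation ranges).
THREAT_LIST = """\
198.51.100.23
203.0.113.0/24
"""
# Constructed flow log records in the default 14-field format: version
# account-id interface-id srcaddr dstaddr srcport dstport protocol packets
# bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aaaaaaaaaaaaaaa1 10.0.1.15 198.51.100.23 49152 9001 6 20 1500 1541800000 1541800060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 203.0.113.77 10.0.1.15 51000 22 6 3 180 1541800000 1541800060 REJECT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 10.0.1.15 93.184.216.34 49153 443 6 40 6100 1541800000 1541800060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 - - - - - - - 1541800000 1541800060 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def load_threat_list(text):
    """Parse IPs and CIDRs into ip_network objects; '#' lines are comments."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def parse_flow_logs(text):
    """Yield one dict per well-formed record. NODATA/SKIPDATA rows carry '-'
    instead of addresses, so they are dropped rather than parsed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            yield rec

def match_threats(records, networks):
    """Aggregate flows and bytes per (interface, listed address, direction,
    action). A dstaddr hit means a VPC host reached out to the listed address;
    a srcaddr hit means the listed address reached in."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for rec in records:
        for field, direction in (("srcaddr", "inbound"), ("dstaddr", "outbound")):
            ip = ipaddress.ip_address(rec[field])
            if any(ip in net for net in networks):
                key = (rec["interface_id"], str(ip), direction, rec["action"])
                hits[key]["flows"] += 1
                hits[key]["bytes"] += int(rec["bytes"])
    return dict(hits)

def prioritize(hits):
    """Accepted outbound flows rank first (the host really talked to the
    listed address); rejected inbound flows are mostly scanner noise."""
    def rank(item):
        (_, _, direction, action), stats = item
        return (action == "ACCEPT", direction == "outbound", stats["bytes"])
    return sorted(hits.items(), key=rank, reverse=True)
```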
  66. Call to action: Try this at home. 1) Document all human interaction with systems that process data. Engineering & operations teams should drive this goal. 2) Deeply understand how software is created and shipped. Don’t just sit with the AppSec team; include the Dev and Security teams.
  67. Call to action: Try this at home. 3) Catalog controls and visibility into Continuous Integration and Continuous Delivery (CI/CD) pipelines. This is where change management and control happens. 4) Set crisp goals with owners to harden the pipeline.
  68. Call to action: Try this at home. 5) Drive workload deployment from source code. Catalog the % of workloads built on automation. 6) Reduce human access to systems that process sensitive data by 80% (hint: this can’t be done through effort alone).
  69. Maximize your most valuable resource
  70. Automation retains talent
  71. Behind the scenes - SecOps on-call: Excessive traffic to external IP address: xx.xx.xxx.xxx, rate xxxxxx packets p/sec …
  73. “The future depends on what you do today.” Mahatma Gandhi
  74. Provable Security: verify the correctness of … https://aws.amazon.com/security/provable-security/
  75. Source control. Current state: • Network and system engineers directly log into systems to make changes • Fixed credentials • Version control for infrastructure configuration is a decoupled process. Future state: • Changes are committed to source control for infrastructure and the pipeline executes the change • Temp credentials vended to the build system • Changes cannot be made without version control.
  76. IT map - Traditional IT. Products & services (CTO/VP applications/LoB owners): digital products, brand websites, mobile applications, point-of-sale systems, commerce. Back office systems (CIO/VP corp systems): e-mail, productivity, collaboration, HR, finance, ERP. End user computing (VP IT support): desktop support, device management, telephony, IT support. Infrastructure/delivery (VP Infrastructure): PMO, engineering, operations, design. Information Security (CISO): encryption, key management, identity management, firewalls, IDS, DDoS.
  77. IT map - A cloud-first tomorrow: End user computing; Back office systems; Products and services (business apps); Information Security; Cloud Center of Excellence.
  78. Compliance certifications at launch
  79. Keynotes. KEYNOTE: Andy Jassy, CEO, AWS. Wednesday, November 28, 8:00am-10:30am, The Venetian, Level 2. KEYNOTE: Dr. Werner Vogels, CTO, Amazon. Thursday, November 29, 8:30am-10:30am, The Venetian, Level 2.
  80. Related breakouts. Tonight: Become an IAM Policy Master in 60 Minutes or Less, 7pm – 8pm | Aria West, Level 3, Ironwood 5. Wednesday, Nov 28th: Using AWS Lambda as a Security Team, 1pm – 2pm | Mirage, Grand Ballroom F. Wednesday, Nov 28th: Data Protection: Encryption, Availability, Resiliency, and Durability, 3:15pm – 4:15pm | MGM, Level 1, Grand Ballroom 113.
  81. Related breakouts. Wednesday, Nov 28th: Well-Architected for Security, 4:45pm – 5:45pm | Venetian, Level 3, Murano 3302. Thursday, Nov 29th: Netflix Cloud Forensics, 1pm – 2pm | Mirage, Grand Ballroom F. Friday, Nov 30th: Mastering Identity at Every Layer of the Cake, 10am – 11am | Venetian, Level 4, Delfino 4005.
  82. Security Jam at re:Invent. Security Jam: MGM Studio Ballroom, Thursday, Nov. 29 @ 8AM. Join us for a day-long security jam! We will provide the beat and brand-new incident response scenarios where you can learn new skills and practice current ones against a set of simulated security incidents. Jam Lounge: Venetian Partner Expo Hall – Tundra Lounge. AWS and a select few partners will provide environments and scenarios where you can learn new skills and practice current ones while competing in the following areas: Security, All-In, and Data Analytics.
  83. More information. Visit the AWS Booth: Venetian Expo Hall. AWS Security Twitter: @AWSSecurityInfo. My Twitter: @StephenSchmidt. AWS Security Blog: aws.amazon.com/blogs/security/
  84. Coming in 2019: AWS re:Inforce
  85. Behind the scenes - SecOps on-call: Employee locked out of his account under suspicious circumstances …
  86. Thank you!
