Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Leadership Session:
AWS Security
Steve Schmidt
Vice President and Chief Information Security Officer
Amazon Web Services
Twitter: @StephenSchmidt
SEC305-L
“The truth must be quite plain, if one could just clear away the litter.”
Agatha Christie, A Caribbean Mystery
Behind the scenes - SecOps on-call
AWS Security Ticket - Port Scanning abuse case created …
Behind the scenes - SecOps on-call
AWS Security Ticket – LogScan errors detected …
Behind the scenes - SecOps on-call
AWS Security Ticket – Experiencing 500s in …
Behind the scenes - SecOps on-call
AWS Security Ticket – Proxy high latency in XXX region …
Security Expectations
Buy-in from leadership
• Radically restrict and monitor human access to data
• Patching
• Log retention duration
• Credentials lifespan + blast radius reduction
• AWS encryption everywhere
• Canaries and invariants for security functionality
Key performance indicators
• AppSec reviews
• Automated security checks
• Third-party audits
• Internal time spent metrics
• Conformity with SLAs
Correction of Errors (COE)
• Compile a detailed timeline to systematically understand the incident
• Analyze impact on business and customers
• Find the root cause of the issue by diving deep into the sequence of events
• Address the root cause via trackable and deliverable action items
• Eliminate the opportunity for reoccurrence by analyzing and sharing lessons learned
This is NOT a process to place blame, nor is it a punitive tool
Correction of Errors (COE) – The five “why”s
• Ask questions until you have actionable root causes
• Address root causes with actions/deadline/owner
• Your analysis may branch into multiple root causes
Behind the scenes - SecOps on-call
Suspicious page from an obfuscated phishing domain (no whois record) …
The power of the AWS Cloud – Our customers
239 new security features
Original Amazon EC2 host architecture
SERVER
• Management, security, and monitoring
• Storage
• Customer instances
• Network
• Hypervisor
Amazon EC2 - C3 & C4 instances launched
• Improved performance by isolating functions within the hypervisor, moving them away from hardware
• Offloaded network processing to dedicated hardware within the system, decoupling it from the hardware that managed the hypervisor and saving significant CPU time through more efficient network packet processing
• Offloaded storage, requiring Amazon EC2 host software to validate, encrypt, and route storage requests
2017: Amazon EC2 C5 instances launched
SERVER / NITRO SYSTEM
• Management, security, and monitoring
• Storage
• Customer instances
• Network
• Nitro hypervisor
Resource-based policies
• VPN Connection
• Network Load Balancer
• Inter-Region VPC Peering
• Bring Your Own IP Address
AWS Config - Overview
Changing resources → Continuous change recording → History / Stream / Snapshot (ex. 2018-06-05)
Store the compliance history of AWS resources evaluated by Config rules
Now offers agentless network assessments
Amazon GuardDuty adds three new threat detections
• UnauthorizedAccess:EC2/TorClient
• UnauthorizedAccess:EC2/TorRelay
• CryptoCurrency:EC2/BitcoinTool.B
Processes an average of 92.7 million flow log records per second
Amazon GuardDuty = automatic cost savings
• Travel company | 44% reduction in GuardDuty spend
• Financial services company | 82% reduction
• Automotive company | 79% reduction
• Social media company | 86% reduction
Introducing: Amazon S3 block public access
Amazon S3 block public access
Behind the scenes - SecOps on-call
AWS Security Ticket - DDoS abuse case created …
“The time to repair the roof is when the sun is shining.”
John F. Kennedy, State of the Union, 1962
Pace of innovation | Launches (bar chart of launches per year over eleven years: 24, 48, 61, 82, 159, 280, 516, 722, 1017, 1430, 1,800+)
From reactive to proactive
Pace of innovation: 1800+ updates
Meets pace of protection: 239 security updates
… through automation
Pattern for automated remediation
Detection → Alerting → Remediation → Countermeasures → Forensics
Supporting elements: VPC Flow logs, APIs, team collaboration
Amazon CloudWatch + AWS Lambda + AWS Systems Manager
Event → Documents → Amazon EC2 instance (ec2-user$ top, ec2-user$ pcap) → Amazon EC2 instance contents → Amazon EBS volume → Amazon EBS snapshot
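As an added example (not code from the talk or from AWS), the decision logic a Lambda function in this pattern could run for one of the GuardDuty finding types listed earlier, ordering the alert, countermeasure and forensics steps that the slide shows being driven through Systems Manager and EBS snapshots. The quarantine-security-group countermeasure, the step names, the sample event and its instance id are assumptions constructed for the example; no AWS API is called.

```python
"""Constructed example: remediation planner for one GuardDuty finding.
Parses a finding as delivered by a CloudWatch Events rule and returns the
ordered plan a Lambda function would carry out via the EC2 and Systems
Manager APIs. Standard library only; nothing here calls AWS."""
import json

# Finding types named in the deck. Treating all three as "isolate the
# instance" is an assumption for this example, not an AWS recommendation.
ISOLATE_TYPES = {
    "UnauthorizedAccess:EC2/TorClient",
    "UnauthorizedAccess:EC2/TorRelay",
    "CryptoCurrency:EC2/BitcoinTool.B",
}


def severity_label(score):
    """GuardDuty severity bands: 1.0-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def plan_remediation(event):
    """Return {'instance_id', 'finding_type', 'severity', 'steps'}."""
    detail = event["detail"]
    ftype, resource = detail["type"], detail["resource"]
    sev = severity_label(detail["severity"])
    steps = [f"alert: {ftype} severity={sev}"]            # Alerting
    if resource.get("resourceType") != "Instance":
        steps.append("manual-review: non-EC2 resource")    # not automated here
        return {"instance_id": None, "finding_type": ftype,
                "severity": sev, "steps": steps}
    iid = resource["instanceDetails"]["instanceId"]
    if ftype in ISOLATE_TYPES:
        # Countermeasure: a quarantine security group keeps the VM running,
        # so volatile state survives for the forensics steps that follow.
        steps.append(f"isolate: move {iid} to quarantine security group")
    else:
        steps.append(f"manual-review: unhandled finding type on {iid}")
    # Forensics: volume ids come from DescribeInstances, not from the finding.
    steps.append(f"snapshot-ebs: every volume attached to {iid}")
    steps.append(f"ssm-run: capture 'top' output and a pcap on {iid}")
    return {"instance_id": iid, "finding_type": ftype,
            "severity": sev, "steps": steps}


# Constructed sample event; the instance id is a placeholder.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/TorClient",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(plan_remediation(SAMPLE_EVENT), indent=2))
```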
Example response timeline (time runs left to right)
Traditional response: Event → Incident detected → Locate → Get logs → Correlate → Analyze → Trace origin → Remediate
Automated response: Event → Rule matched → Alert sent → Correlate → Check baseline → Remediate
Amazon Kinesis
• Capture, store, and analyze streaming data
• Quickly load TBs per hour of streaming data into the cloud for applications such as social media analysis or IoT
• Build custom applications that process or analyze streaming data such as real-time content recommendations
Physical Security – Kinesis Video
Have cameras for physical security? Leverage Kinesis Video
New Glacier Deep Archive storage at $0.00099 per GB a month
Our mission
Powering prosperity around the world
Who we are:
Founded: 1983
IPO: 1993
Employees: 8,900
Customers: 50M
FY18 revenue: $6B
Locations: 21
Where are we in our journey?
Why AWS?
• Cost efficiencies for a highly elastic business model
• Speed and ease for our engineers and operations teams
• Strategic enterprise partnership and cultural fit
…and we discovered more
• Recruitment: AWS is a magnet
• Global reach: servers where we need them
• Security innovation: security as code
AWS security services circa 2012
Intuit’s security hierarchy of needs
1. Zoning and containment: govern the boundaries
2. Asset management: metadata and attribution
3. Logging: collecting metadata
4. Authentication: access and privileges
5. Encryption: protection of data in transit and at rest
Meeting security requirements in the cloud in 2012
1. Zoning & containment
2. Asset management
3. Logging
4. Authentication
5. Encryption
1. Zoning and containment
KEY BENEFITS
• Reduced network attack surface
• Retired 1000+ EC2 software VPNs with significant operational savings
Services: VPN Connection
2. Asset management
KEY BENEFITS
• Accurate and up-to-date inventory of AWS accounts, resources, and systems
• Faster response and remediation due to clear attribution to resource owners
• Lower operational costs, fewer headaches
Services: Orgs.
3. Logging
KEY BENEFITS
• Better detection through audit trails of control/data plane events and network logs
• Find the signals in the noise of petabytes of logs
Services: Flow logs
4. Authentication
KEY BENEFITS
• Single sign-on to AWS tied to Intuit identity
• Meet compliance requirements at scale
• Policy management across Intuit’s AWS fleet of accounts
Services: Orgs., Fine Grained Access
5. Encryption
KEY BENEFITS
• Checkbox transparent data encryption standard for all Intuit’s data at rest
• Encryption of data at rest across AWS services
• Audit trail of access to all keys
Services: App Level Encryption
Meeting security requirements in the cloud today
Asset management
Authentication
Encryption
Logging
Zoning & containment
Security benefits
Innovation
• 70+ Intuit patents and collaborated with AWS on dozens of services
• Pioneered DevSecOps model for public cloud
• Accelerated delivery of new security and platform capabilities
Cost
• Lower TCO by eliminating clones and converging on AWS services
• Increased investments to combat rapidly evolving threat landscape
Speed and ease
• Faster detection and response
• Lowering security risks faster
• More scalable controls across the enterprise
• Leveraging the power of all Intuit engineers through DevSecOps
Looking ahead
Thank you!
Michele Iacovone
SVP, Chief Information Security & Fraud Officer
“As long as the world is turning and spinning, we’re gonna be dizzy and we’re gonna make mistakes.”
Mel Brooks
Security incidents in the news
• … inappropriate access to personal information …
• Financial Services: unauthorized third parties used employee information to gain access to company websites, possibly accessing personal information …
• Retail: investigating an incident where a contract worker improperly handled employee data …
• Financial Services: may have occurred through a technique called "credential stuffing," in which hackers who have stolen passwords for other websites try them out under the assumption that people use the same passwords everywhere they go on the web …
Minimize attack surface
• Fine-grained entitlements
• Strict separation of duties (SoD)
• Rich audit trail for compliance
• Micro-segmentation
• Cloud + DevOps = rapid patching
• Multiple recovery options
“The necessity of procuring good Intelligence is apparent & need not be further urged.”
George Washington
Threat intelligence
Consume feeds from various sources:
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel (STIX)
• Known malware infected hosts
• IP Blacklist
• Anonymizing Proxies
• Sites hosting malware & hacker tools
= Great catch-all for suspicious & malicious activity
Call to action: Try this at home
1) Document all human interaction with systems that process data. Engineering & operations teams should drive this goal
2) Deeply understand how software is created and shipped. Don’t just sit with the AppSec team; include the Dev and Security teams
3) Catalog controls and visibility into Continuous Integration and Continuous Delivery (CI/CD) pipelines. This is where change management and control happens
4) Set crisp goals with owners to harden the pipeline
5) Drive workload deployment from source code. Catalog the % of workloads built on automation
6) Reduce human access to systems that process sensitive data by 80% (hint: this can’t be done through effort alone)
Maximize your most valuable resource
Automation retains talent
Behind the scenes - SecOps on-call
Excessive traffic to external IP address: xx.xx.xxx.xxx rate xxxxxx packets p/sec …
Provable Security
verify the correctness of
https://aws.amazon.com/security/provable-security/
Source control
Current state
• Network and system engineers directly log into systems to make changes
• Fixed credentials
• Version control for infrastructure configuration is a decoupled process
Future state
• Changes are committed to source control for infrastructure and the pipeline executes the change
• Temp credentials vended to the build system
• Changes cannot be made without version control
IT map - Traditional IT
• Products & services (CTO/VP applications/LoB owners): digital products, brand websites, mobile applications, point-of-sale systems, commerce
• Back office systems (CIO/VP corp systems): e-mail, productivity, collaboration, HR, finance, ERP
• End user computing (VP IT support): desktop support, device management, telephony, IT support
• Infrastructure/delivery (VP Infrastructure)
• Information Security (CISO): encryption, key management, identity management, firewalls, IDS, DDoS
PMO | Engineering | Operations | Design
IT map - A cloud-first tomorrow
• Products and services: Business app (×6)
• Back office systems
• End user computing
• Information Security
• Cloud Center of Excellence
Compliance certifications at launch
Keynotes
KEYNOTE: Andy Jassy, CEO, AWS
Wednesday, November 28
8:00am-10:30am
The Venetian, Level 2
KEYNOTE: Dr. Werner Vogels, CTO, Amazon
Thursday, November 29
8:30am-10:30am
The Venetian, Level 2
Related breakouts
Tonight
Become an IAM Policy Master in 60 Minutes or Less
7pm – 8pm | Aria West, Level 3, Ironwood 5
Wednesday, Nov 28th
Using AWS Lambda as a Security Team
1pm – 2pm | Mirage, Grand Ballroom F
Wednesday, Nov 28th
Data Protection: Encryption, Availability, Resiliency, and Durability
3:15pm – 4:15pm | MGM, Level 1, Grand Ballroom 113
Related breakouts
Wednesday, Nov 28th
Well-Architected for Security
4:45pm – 5:45pm | Venetian, Level 3, Murano 3302
Thursday, Nov 29th
Netflix Cloud Forensics
1pm – 2pm | Mirage, Grand Ballroom F
Friday, Nov 30th
Mastering Identity at Every Layer of the Cake
10am – 11am | Venetian, Level 4, Delfino 4005
Security Jam at re:Invent
Security Jam: MGM Studio Ballroom - Thursday, Nov. 29 @ 8AM
Join us for a day-long security jam! We will provide the beat and brand-new
incident response scenarios where you can learn new skills and practice
current ones against a set of simulated security incidents
Jam Lounge: Venetian Partner Expo Hall – Tundra Lounge
AWS and a select few partners will provide environments and scenarios
where you can learn new skills and practice current ones while competing in
the following areas: Security, All-In, and Data Analytics
More information
Visit the AWS Booth: Venetian Expo Hall
AWS Security Twitter: @AWSSecurityInfo
My Twitter: @StephenSchmidt
AWS Security Blog: aws.amazon.com/blogs/security/
Coming in 2019: AWS re:Inforce
Behind the scenes - SecOps on-call
Employee locked out of his account under suspicious circumstances …