Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
•Download as PPTX, PDF•
1 like•800 views
This session enables security operators to automate governance and implement use cases addressed by AWS services such as AWS CloudTrail, AWS Config Rules, Amazon CloudWatch Events, and Trusted Advisor. Based on the nature of vulnerabilities, internal processes, compliance regimes, and other priorities, this session discusses the service to use when. We also show how to detect, report, and fix vulnerabilities, or gain more information about attackers. We dive deep into new features and capabilities of relevant services and use an example from an AWS customer, Siemens AG, about how to best automate governance and scale. A prerequisite for this session is knowledge of security and basic software development using Java, Python, or Node.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
Similar to Scaling Security Operations and Automating Governance: Which AWS Services Should I Use? (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Using AWS Services to Automate Governance of Security Controls and Remediate Violations January 19, 2017 Security Ops Which AWS services do I use? Michael Braendle , pprahlad@amazon.com Principal Product Manager, AWS
- 2. What to Expect from the Session • SecDevOps: What? • Services and features galore: What do I use? • Using relevant services • Customer example: Siemens AG - Making it real Improve your quality of life
- 4. Meet Toby, Software developer Flexibility, Speed, Low cost, Reliability, .. .. .. Freedom to be creative ….throughout his professional career of 2 full years! Is a do-er Wants impact
- 5. Meet Joe, Mr. Security • Leading cloud adoption efforts • Part of central cloud security team • Manages other infrastructures • Deals with security escalations • Does not like being in critical path • Wants to works smart, but has to work hard Ultimately responsible for security
- 6. Security: A lot going on Security Policy Compliance regimes Report compliance Evangelize cloud within the org and outside Put out fires Investigate issues deeply
- 7. AWS Tools could help AWS Config Rules AWS CloudTrail Trusted Advisor CloudWatch Events VPC Flow Logs AWS WAF Security Certificate Manager IAM Security Certificate Manager
- 8. Security: A lot going on Security Policy Compliance regimes Report compliance Evangelize cloud within the org and outside Put fires out Investigate issues deeply Many Many services Many Many features
- 9. How do I sustain this?
- 10. Joe’s typical tasks 1. Create security policies 2. Assess compliance; help others check for compliance 3. Investigate and analyze relevant information; fix critical security issues quickly 4. Deal with escalations 5. Generate evidence and reports
- 11. Create Policies
- 12. Policies in code Trusted Advisor Best Practice checks • Get 35+ checks with zero effort • Example: ELBs with missing security groups, S3 Bucket open access permissions, etc. • Create an administrator role in each account • Assume admin role to read check status using TA APIs • DescribeTrustedAdvisorCheckSummaries • DescribeTrustedAdvisorCheckResult Useful for broadly applicable policies with no specific exceptions
- 14. Policies in code Config Rules Managed and Custom Rules Managed Rules • Pre-built, but need to turn on • Triggered periodically/on changes and apply to specific resources • Modify publishes source on GitHub to customize further Useful for resources with specific policies. Flexible.
- 16. Policies in code Custom Rules • Write up your own rules. Ultimate flexibility • Publish your best practices on GitHub • Annotate results to add policy details or tickets
- 19. Create Policies in code
- 21. Assess compliance • Audit assessment is a spot check • Policies in code Continuous assessments • Self service governance • Prioritize assessments • Find an owner for the result
- 22. Options for assessing compliance Config Rules to assess and report configuration compliance • Annotate results with resource owner • Custom Rules integrate with ticketing
- 23. AWS Config + Inventory Assess compliance using Config Rules EC2 Systems Manager and AWS Config will capture • Software Inventory in EC2 instance • Firewall rules • Patch level • Application version
- 25. Create Policies in code Assessment and Governance
- 27. Using Config Rules and CloudWatch Events Use CloudWatch Events and Lambda triggers to fix things Custom Config Rules for remediations in Lambda Enable traceability and logging for audit
- 28. CloudTrail Data Events for S3 Act on API activity immediately in CloudWatch Events • Data Events for S3 • Trigger rules that “fix” the problem • Trace invocations and actions in CloudWatch Logs
- 29. S3, CloudTrail, CloudWatch Events, Lambda
- 30. Create Policies in code Assessment and Governance Fix Violations
- 32. Security Escalations • Logs, activity data is critical • Use automation to increase surveillance on suspicious activity (e.g. CloudTrail is turned off) • Timely response could be to quarantine • SOP should be in code!
- 33. Create Policies in code Assessment and Governance Fix Violations Deal with Escalations
- 35. Reports • Weekly Trusted Advisor reports • Archived CloudTrail activity in S3 (never delete) • CloudTrail Lookup for 1 week, CloudWatch Logs for longer term lookup • AWS Config Snapshot for broad, point-in-time views • AWS Config GetResourceConfigHistory >get-resource-config-history --resource-type <value> --resource-id <value> [--later-time <value>] [--earlier-time <value>]
- 36. Create Policies in code Assessment and Governance Fix Violations Deal with Escalations Evidence for Audit Automate and share: Templatize across accounts, regions, industries
- 38. The real world
- 39. The Company
- 40. Siemens Mobility Services Digital Services Smart remote monitoring and data services for maximum reliability Siemens AG - MO CS STC SC-SO October 2016
- 41. Rail vehicles deliver large volumes of data – but what do we do with it to generate value? • Modern trains send 1 billion data points per year • Additionally: Work orders Spare parts list Geo data The basis Turn all this data into information und derive actions The challenge 100% Availability for you Siemens AG - MO CS STC SC-SO October 2016
- 42. We provide a common data policy • The collected technical data belongs to the customer. • The data will be stored by Siemens or by contracted sub- suppliers of Siemens. • Siemens shall fulfill it‘s contractual obligations, e.g. providing cockpit or reports. For other reasons than this, Siemens is not obliged to store the data and is not liable for loss of data (unless this is contracted). • However, Siemens is obliged to protect the customers data by applying state-of-the-art security measures to do so. • Siemens can use the data for its own purposes during the contract period (right to use). Selling the data is not permitted! • Customer may request after the end of the contract that Siemens erases all the data with regards to the customer contract. Customer “owns” the data from the assets and Siemens can “use” it Data input Big data from assets Data analytics Algorithmic processes Data output Smart data generated by Siemens Experts SiemensCustomer Customer and Siemens Siemens AG - MO CS STC SC-SO October 2016
- 43. 10 11 Railigent™ The platform to manage your assets smarter 10 01 011010101101 00 0 1 1 1 0 1 1 0 1 0 00101011010 00111 0 1 1 0 01100110100111011010 10101011010 0 0 1101110 0 1 1 010 1 0 11 0 1 0 0 0 1 1 1 0 11010 011 010 1010 10 101 10111 001001011 1011010111 011001111 001001011 11010 01110 Management Dispatcher Maintenance engineer Data visualizationData evaluationData processingData transmission Railigent Connect Secure data transmission from sensor to central data storage Turning data into value and enabling Digital Services solutions (Smart Monitoring, Smart Data Analysis and Smart Prediction) Railigent powered by Sinalytics Advanced algorithms Expertise domain Know-how Best practises Modular Customized solution packages: Define reports as you need them Scalable From basic to advanced solutions: Upgrade your system as needed Open Fits into your environment: Standard interfaces ensure interoperability Siemens AG - MO CS STC SC-SO October 2016
- 44. GovernanceTools AWS Architecture AWS Config / rules Amazon CloudWatch AWS CloudTrail AWS Trusted Advisor AWS IAM AWS KMS AWS CloudFormation Siemens AG - MO CS STC SC-SO October 2016
- 45. Topics to Service mapping Comliance and Security Topic Basd on ISO 27001 / 27002 an IEC 62443 Access Control (9) P P Asset Management (8) P Communications Security P P Compliance (18) P P P P AWS Config AWS CloudTrail Amazon CloudWatch AWS Trusted Advisor Siemens AG - MO CS STC SC-SO October 2016
- 46. Topics to Service mapping Comliance and Security Topic ISO 27001 / 27002 Cryptography (10) P P Information Security Aspects of Business Continuity Management (17) P P Information Security Incident Management (16) P P Operations Security P P AWS Config AWS CloudTrail Amazon CloudWatch AWS Trusted Advisor Siemens AG - MO CS STC SC-SO October 2016
- 47. Used AWS Config Rules: Pre defined Rules Custom Rules encrypted-volumes rds-in-private-subnet s3-bucket-logging-enabled advaced iam policy on diffrent user types cloud-trail-enabled Advanced security group requirements eip-attached root-account-mfa-enabled iam-password-policy rds-storage-encrypted required-tags Siemens AG - MO CS STC SC-SO October 2016 Good source for star with own rules is: https://github.com/awslabs/aws-config-rules
- 48. Siemens Governance Requirements Audit Logfiles Config changes AWS Config Amazon CloudWatch AWS CloudTrail Amazon SNS AWS Config rules https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch- alarms-for-cloudtrail-api- activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json. Siemens AG - MO CS STC SC-SO October 2016
- 49. 4 eyes principle Regular checks Connection list Siemens Governance Requirements AWS Trusted Advisor flow logs AWS Trusted Advisor Siemens AG - MO CS STC SC-SO October 2016
- 50. Conclusions • Security shall be the initial part of the development SecDevOps • Get a clear view what are the requirements, AWS provides a lot of tools to fulfill most of the requirements. • Automation is the key to success. Siemens AG - MO CS STC SC-SO October 2016
- 51. Remember to complete your evaluations!
- 52. Thank you!
Editor's Notes
- We have this session a the end of the conference because we wanted to showcase some of the new capabilities we just launched You’ll not only learn more about these capabilities, but also see how we can use them
- As Siemens mobility we develop highspeed, commuter trains metros ,lightrails and also the rail automation and electrification part for mass transportation systems all over the world.
- Our goal is 100% availabilty for the cusotmers fleet
- One of our main perquisite is that the data belongs to our customers. We help them with our people expertise and tools to get most out of the data.
- The railigent platform based on AWS and is full new cloud native approach to get most out of the data. We benefit from the AWS Ecosystem by gaining modular services with high flexibility and scalability
- Complete Environment deployment is done via CloudFormation We have 4 Levels in our Account Structure. 1. the Sandbox where all developers can play around an learn 2. The dev account for develop in an near production environment 3. The test account for pre production tests 4. Finally the production account where the customer data is processed. The dev and test have also access to the production data based on an granular access policy and read-only rights. For Cloud Trail we use the Vault principle as best practice -> store everything in an external account s3-bucket with limited rights
- We have an Internal Requirement Database based on classification with shown topics on ISO 27001 and IEC 62443 (industrial automation and control system security ) There we have over a 100 requirements for security and operation assigned to the chapters shown on the slide The numbers in brackets represents the chapters in the ISO 1. For Access Control there are requirements like user management, password complexity and so on. 2. For Asset management there is for example an requirement that we always need to know what was running in past and what's running now. 3. Communications security demands secure communication over all layers. 4. Compliance is more about the process stuff like doing a self-assessment and risk analysis
- 5. Cryptography should be clear, it is about preferred cipher suits and allowed algorithm and how to deal with certificates 6. Information Security Aspects of Business Continuity Management is mainly about to having an IT Disaster Recovery Plan 7. Information Security Incident Management how to deal with incidents, think about escalation procedures before something happens. 8. And finally Operations Security, know what's running, document everything do change, demand and capacity management. This is for today the most discussed chapter on our side because of were in a transformation from an classic it operations department to an secdevops team. There are others like Enviromenatal & Physical Controles which i let out because it is fullfiled by AWS directly
- We use some of the standart rules and are constantly expanding it by custome rules based on the requirments i showed before. Examples are rds-in-private-subnet advaced iam policy on diffrent user types Advanced security group requirements
- We have an Default set which is delivered by our global IT department on every deployed account. There for there is an centralized order process for ordering accounts internally. We have an automated audit process that is established always before the first users access an account full automated by Cloud Watch and Cloud Trial supported by SNS for notifications. In background you see an example code CloudWatch_Alarms_for_CloudTrail_API_Activity which is also public availible and helps us a lot. We´re tracking every config Change by AWS config and controlling the important things by config rules As mentioned before the consolidated billing allows us to use the full functionality from Trusted Advisor
- 4eyes principle means alway 2 people each time one with an operations view and one with a secuirty view have to look on the reports and notifications coming out of the trusted advisor and our config rules checks Regular checks are done automatic when new resources are deployed via attached config rules and additionally on an regular time basis by the trusted advisor that 2 layer security checks helps us to gain trust from our info sec department As next step we have activated flow logs and will now establish additional checks on the data flows.
- Steven Schmidt -> Security should be step Zero An integrated solution is necessary for an successful development Very help full for us was -> Excellent Support by AWS Experts Excellent Documentation, Whitepapers and Checklists an all points to on major conlusion You´ve heard it all the time on most of the talks but it´s true Automation is the key.