This session enables security operators to automate governance and implement use cases addressed by AWS services such as AWS CloudTrail, AWS Config Rules, Amazon CloudWatch Events, and Trusted Advisor. Based on the nature of vulnerabilities, internal processes, compliance regimes, and other priorities, this session discusses which service to use when. We also show how to detect, report, and fix vulnerabilities, or gain more information about attackers. We dive deep into new features and capabilities of relevant services and use an example from an AWS customer, Siemens AG, about how best to automate governance and scale. A prerequisite for this session is knowledge of security and basic software development using Java, Python, or Node.
2. What to Expect from the Session
• SecDevOps: What?
• Services and features galore: What do I use?
• Using relevant services
• Customer example: Siemens AG - Making it real
Improve your quality of life
4. Meet Toby, Software developer
• Flexibility
• Speed
• Low cost
• Reliability
• Freedom to be creative
… throughout his professional career of 2 full years!
Is a do-er
Wants impact
5. Meet Joe, Mr. Security
• Leading cloud adoption efforts
• Part of central cloud security team
• Manages other infrastructures
• Deals with security escalations
• Does not like being in critical path
• Wants to work smart, but has to work hard
Ultimately responsible for security
6. Security: A lot going on
Security Policy
Compliance regimes
Report compliance
Evangelize cloud within the org and outside
Put out fires
Investigate issues deeply
7. AWS Tools could help
AWS Config Rules
AWS CloudTrail
Trusted Advisor
CloudWatch Events
VPC Flow Logs
AWS WAF
Security Certificate Manager
IAM
8. Security: A lot going on
Security Policy
Compliance regimes
Report compliance
Evangelize cloud within the org and outside
Put fires out
Investigate issues deeply
Many Many services
Many Many features
12. Policies in code
Trusted Advisor Best Practice checks
• Get 35+ checks with zero effort
• Example: ELBs with missing security groups, S3 bucket open access permissions, etc.
• Create an administrator role in each account
• Assume admin role to read check status using TA APIs
  • DescribeTrustedAdvisorCheckSummaries
  • DescribeTrustedAdvisorCheckResult
Useful for broadly applicable policies with no specific exceptions
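An added example (not code from the deck) of the cross-account pattern on this slide: assume a role in each member account, call the two Trusted Advisor APIs named above, and list what is flagged. The role name is assumed; the role only needs support:DescribeTrustedAdvisor*, so a read-only role is enough where the slide says "administrator".

```python
"""Read Trusted Advisor check status across accounts and list what is flagged.
Added example, not from the deck. Assumes each account has a role named ROLE_NAME
(name assumed) that the central account may assume; support:DescribeTrustedAdvisor*
is all it needs, so a read-only role covers the admin role the slide mentions."""
try:
    import boto3  # only needed by fetch_live(); report() runs offline
except ImportError:
    boto3 = None

ROLE_NAME = "TrustedAdvisorReadRole"  # assumed name
SEVERITY = {"error": 0, "warning": 1}  # TA statuses worth reporting, worst first

def report(checks, summaries):
    """Flagged checks with their flagged-resource counts, worst status first.
    `checks`: 'checks' list from DescribeTrustedAdvisorChecks;
    `summaries`: 'summaries' list from DescribeTrustedAdvisorCheckSummaries."""
    names = {c["id"]: c["name"] for c in checks}
    rows = [{"check": names.get(s["checkId"], s["checkId"]), "status": s["status"],
             "flagged": s.get("resourcesSummary", {}).get("resourcesFlagged", 0)}
            for s in summaries if s["status"] in SEVERITY]
    return sorted(rows, key=lambda r: (SEVERITY[r["status"]], -r["flagged"]))

def fetch_live(account_id):
    """Assume the per-account role and run report() on real data (needs boto3 + credentials)."""
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}", RoleSessionName="ta-report"
    )["Credentials"]
    support = boto3.client("support", region_name="us-east-1",  # Support API endpoint is in us-east-1
                           aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    summaries = support.describe_trusted_advisor_check_summaries(
        checkIds=[c["id"] for c in checks])["summaries"]
    return report(checks, summaries)

# Constructed sample responses, shaped like the real API output.
SAMPLE_CHECKS = [{"id": "c1", "name": "Security Groups - Unrestricted Access"},
                 {"id": "c2", "name": "Amazon S3 Bucket Permissions"},
                 {"id": "c3", "name": "MFA on Root Account"}]
SAMPLE_SUMMARIES = [{"checkId": "c1", "status": "warning", "resourcesSummary": {"resourcesFlagged": 4}},
                    {"checkId": "c2", "status": "error", "resourcesSummary": {"resourcesFlagged": 1}},
                    {"checkId": "c3", "status": "ok", "resourcesSummary": {"resourcesFlagged": 0}}]

if __name__ == "__main__":
    for row in report(SAMPLE_CHECKS, SAMPLE_SUMMARIES):
        print(row)
```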
14. Policies in code
Config Rules: Managed and Custom Rules
Managed Rules
• Pre-built, but need to turn on
• Triggered periodically/on changes and apply to specific resources
• Modify the published source on GitHub to customize further
Useful for resources with specific policies. Flexible.
16. Policies in code
Custom Rules
• Write up your own rules. Ultimate flexibility
• Publish your best practices on GitHub
• Annotate results to add policy details or tickets
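An added example of such a custom rule as a Lambda function (not code from the deck, from AWS or from Siemens): it evaluates the AWS::EC2::SecurityGroup configuration item Config hands it, annotates the result with the offending rules, and reports back with PutEvaluations. The rule parameter name AllowedPorts and the sample configuration item are constructed.

```python
"""Custom AWS Config rule in Lambda: flag security groups open to the whole
internet on anything but an allow-listed set of TCP ports. Added example, not
from the deck or Siemens; the AllowedPorts parameter and sample item are constructed."""
import json

try:
    import boto3  # only needed inside Lambda; evaluate() runs offline
except ImportError:
    boto3 = None

def world_open(ip_permissions):
    """Yield (protocol, fromPort, toPort) for each ingress rule reachable from 0.0.0.0/0."""
    for perm in ip_permissions:
        cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
        cidrs |= set(perm.get("ipRanges", []))  # older Config schema lists plain strings
        if "0.0.0.0/0" in cidrs:
            yield perm.get("ipProtocol", "-1"), perm.get("fromPort"), perm.get("toPort")

def evaluate(item, allowed_tcp_ports):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    bad = [f"{proto}:{lo}-{hi}" for proto, lo, hi in world_open(perms)
           if not (proto == "tcp" and lo == hi and lo in allowed_tcp_ports)]
    if bad:
        return "NON_COMPLIANT", "open to the internet: " + ", ".join(bad)
    return "COMPLIANT", "no unexpected world-open ingress"

def lambda_handler(event, context):
    """Config invokes this on each change; the verdict goes back via put_evaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("AllowedPorts", "443").split(",")}
    compliance, note = evaluate(item, allowed)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])

SAMPLE_ITEM = {  # constructed; same shape as a Config configuration item
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2016-10-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipRanges": ["10.0.0.0/8"]}]}}
```

The annotation is what shows up in the Config console next to the resource, which is the place the slide suggests for policy details or ticket references.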
21. Assess compliance
• Audit assessment is a spot check
• Policies in code: continuous assessments
• Self service governance
• Prioritize assessments
• Find an owner for the result
22. Options for assessing compliance
Config Rules to assess and report configuration compliance
• Annotate results with resource owner
• Custom Rules integrate with ticketing
23. AWS Config + Inventory
Assess compliance using Config Rules
EC2 Systems Manager and AWS Config will capture
• Software Inventory in EC2 instance
• Firewall rules
• Patch level
• Application version
27. Using Config Rules and CloudWatch Events
Use CloudWatch Events and Lambda triggers to fix things
Custom Config Rules for remediations in Lambda
Enable traceability and logging for audit
28. CloudTrail Data Events for S3
Act on API activity immediately in CloudWatch Events
• Data Events for S3
• Trigger rules that “fix” the problem
• Trace invocations and actions in CloudWatch Logs
32. Security Escalations
• Logs and activity data are critical
• Use automation to increase surveillance on suspicious activity (e.g. CloudTrail is turned off)
• Timely response could be to quarantine
• SOP should be in code!
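An added example (not code from the deck) of one such SOP in code, covering the CloudWatch Events plus Lambda pattern from the earlier slides and the "CloudTrail is turned off" escalation here: a rule matches the StopLogging and DeleteTrail API calls, and the Lambda re-enables logging and notifies the security team. The topic ARN, user and trail names are constructed placeholders.

```python
"""SOP in code for one escalation from the slide: CloudTrail gets turned off.
Added example, not from the deck. Assumes a CloudWatch Events rule with
EVENT_PATTERN targets this Lambda; TOPIC_ARN is a placeholder."""
try:
    import boto3  # only needed inside Lambda; plan() runs offline
except ImportError:
    boto3 = None

TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:security-escalations"  # placeholder

# Rule pattern for the CloudWatch Events side (CloudTrail management events).
EVENT_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
               "eventName": ["StopLogging", "DeleteTrail"]},
}

def plan(event):
    """Decide actions for one event: list of ('start_logging', trail) / ('notify', message)."""
    d = event["detail"]
    who = d.get("userIdentity", {}).get("arn", "unknown principal")
    trail = d.get("requestParameters", {}).get("name", "unknown trail")
    if d.get("errorCode"):  # call was denied: nothing to undo, still worth a look
        return [("notify", f"{d['eventName']} on {trail} attempted by {who}, failed: {d['errorCode']}")]
    if d["eventName"] == "StopLogging":
        return [("start_logging", trail),
                ("notify", f"CloudTrail {trail} stopped by {who}; logging re-enabled")]
    if d["eventName"] == "DeleteTrail":
        return [("notify", f"CloudTrail {trail} deleted by {who}; recreate it and review")]
    return []

def lambda_handler(event, context):
    """Apply the plan; Lambda writes each invocation to CloudWatch Logs, which is the audit trace."""
    actions = plan(event)
    for action, arg in actions:
        if action == "start_logging":
            boto3.client("cloudtrail").start_logging(Name=arg)
        else:
            boto3.client("sns").publish(TopicArn=TOPIC_ARN, Subject="CloudTrail escalation", Message=arg)
    return {"actions": len(actions)}

SAMPLE_EVENT = {  # constructed; same shape as a CloudWatch Events CloudTrail event
    "source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
               "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
               "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"}},
}
```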
33. Create Policies in code
Assessment and Governance
Fix Violations
Deal with Escalations
35. Reports
• Weekly Trusted Advisor reports
• Archived CloudTrail activity in S3 (never delete)
• CloudTrail Lookup for 1 week, CloudWatch Logs for longer term lookup
• AWS Config Snapshot for broad, point-in-time views
• AWS Config GetResourceConfigHistory
  > get-resource-config-history --resource-type <value> --resource-id <value> [--later-time <value>] [--earlier-time <value>]
36. Create Policies in code
Assessment and Governance
Fix Violations
Deal with Escalations
Evidence for Audit
Automate and share: Templatize across accounts, regions, industries
40. Siemens Mobility Services
Digital Services
Smart remote monitoring and data services for
maximum reliability
Siemens AG - MO CS STC SC-SO October 2016
41. Rail vehicles deliver large volumes of data – but what do we do with it to generate value?
• Modern trains send 1 billion data points per year
• Additionally: work orders, spare parts list, geo data
The basis: turn all this data into information and derive actions
The challenge: 100% availability for you
42. We provide a common data policy
• The collected technical data belongs to the customer.
• The data will be stored by Siemens or by contracted sub-suppliers of Siemens.
• Siemens shall fulfill its contractual obligations, e.g. providing a cockpit or reports. For other reasons than this, Siemens is not obliged to store the data and is not liable for loss of data (unless this is contracted).
• However, Siemens is obliged to protect the customer's data by applying state-of-the-art security measures to do so.
• Siemens can use the data for its own purposes during the contract period (right to use). Selling the data is not permitted!
• Customer may request after the end of the contract that Siemens erases all the data with regards to the customer contract.
Customer “owns” the data from the assets and Siemens can “use” it
Data flow shown on the slide: Data input (big data from assets) → Data analytics (algorithmic processes) → Data output (smart data generated by Siemens experts); roles labelled: Siemens, Customer, Customer and Siemens
43. Railigent™: The platform to manage your assets smarter
Users: Management, Dispatcher, Maintenance engineer
Stages: Data transmission → Data processing → Data evaluation → Data visualization
Railigent Connect: Secure data transmission from sensor to central data storage
Railigent powered by Sinalytics: Turning data into value and enabling Digital Services solutions (Smart Monitoring, Smart Data Analysis and Smart Prediction); advanced algorithms, domain expertise, know-how, best practices
Modular: Customized solution packages; define reports as you need them
Scalable: From basic to advanced solutions; upgrade your system as needed
Open: Fits into your environment; standard interfaces ensure interoperability
44. Governance Tools: AWS Architecture
AWS Config / Config Rules, Amazon CloudWatch, AWS CloudTrail, AWS Trusted Advisor, AWS IAM, AWS KMS, AWS CloudFormation
45. Topics to Service mapping
Compliance and Security Topic, based on ISO 27001 / 27002 and IEC 62443
Columns: AWS Config, AWS CloudTrail, Amazon CloudWatch, AWS Trusted Advisor (✓ = service used for the topic)
Access Control (9) ✓ ✓
Asset Management (8) ✓
Communications Security ✓ ✓
Compliance (18) ✓ ✓ ✓ ✓
46. Topics to Service mapping
Compliance and Security Topic, ISO 27001 / 27002
Columns: AWS Config, AWS CloudTrail, Amazon CloudWatch, AWS Trusted Advisor (✓ = service used for the topic)
Cryptography (10) ✓ ✓
Information Security Aspects of Business Continuity Management (17) ✓ ✓
Information Security Incident Management (16) ✓ ✓
Operations Security ✓ ✓
47. Used AWS Config Rules:
Pre-defined Rules
• encrypted-volumes
• s3-bucket-logging-enabled
• cloud-trail-enabled
• eip-attached
• root-account-mfa-enabled
• iam-password-policy
• rds-storage-encrypted
• required-tags
Custom Rules
• rds-in-private-subnet
• advanced IAM policy on different user types
• advanced security group requirements
A good source to start with your own rules is:
https://github.com/awslabs/aws-config-rules
50. Conclusions
• Security shall be the initial part of development: SecDevOps
• Get a clear view of what the requirements are; AWS provides a lot of tools to fulfill most of them.
• Automation is the key to success.
We have this session at the end of the conference because we wanted to showcase some of the new capabilities we just launched.
You'll not only learn more about these capabilities, but also see how we can use them.
As Siemens Mobility we develop high-speed and commuter trains, metros, light rails and also the rail automation and electrification part for mass transportation systems all over the world.
Our goal is 100% availability for the customer's fleet.
One of our main prerequisites is that the data belongs to our customers.
We help them with our people's expertise and tools to get the most out of the data.
The Railigent platform is based on AWS and is a fully new cloud-native approach to get the most out of the data.
We benefit from the AWS Ecosystem by gaining modular services with high flexibility and scalability
Complete Environment deployment is done via CloudFormation
We have 4 levels in our account structure.
1. The Sandbox, where all developers can play around and learn
2. The dev account for developing in a near-production environment
3. The test account for pre production tests
4. Finally the production account where the customer data is processed.
The dev and test accounts also have access to the production data based on a granular access policy and read-only rights.
For CloudTrail we use the vault principle as best practice -> store everything in an external account's S3 bucket with limited rights
We have an internal requirements database based on classification with the shown topics from ISO 27001
and IEC 62443 (industrial automation and control system security)
There we have over 100 requirements for security and operation assigned to the chapters shown on the slide
The numbers in brackets represent the chapters in the ISO
1. For Access Control there are requirements like user management, password complexity and so on.
2. For Asset Management there is for example a requirement that we always need to know what was running in the past and what's running now.
3. Communications Security demands secure communication over all layers.
4. Compliance is more about the process stuff, like doing a self-assessment and risk analysis
5. Cryptography should be clear; it is about preferred cipher suites and allowed algorithms and how to deal with certificates
6. Information Security Aspects of Business Continuity Management is mainly about having an IT Disaster Recovery Plan
7. Information Security Incident Management: how to deal with incidents, think about escalation procedures before something happens.
8. And finally Operations Security: know what's running, document everything, do change, demand and capacity management. This is for today the most discussed chapter on our side because we're in a transformation from a classic IT operations department to a SecDevOps team.
There are others like Environmental & Physical Controls which I left out because they are fulfilled by AWS directly
We use some of the standard rules and are constantly expanding them with custom rules based on the requirements I showed before.
Examples are
rds-in-private-subnet
advanced IAM policy on different user types
Advanced security group requirements
We have a default set which is delivered by our global IT department on every deployed account.
Therefore there is a centralized order process for ordering accounts internally.
We have an automated audit process that is established always before the first users access an account, fully automated by CloudWatch and CloudTrail supported by SNS for notifications.
In the background you see an example code, CloudWatch_Alarms_for_CloudTrail_API_Activity, which is also publicly available and helps us a lot.
We're tracking every config change by AWS Config and controlling the important things by Config rules
As mentioned before, the consolidated billing allows us to use the full functionality of Trusted Advisor
4-eyes principle means always 2 people, each time one with an operations view and one with a security view, have to look at the reports and notifications coming out of Trusted Advisor and our Config rules checks
Regular checks are done automatically when new resources are deployed via attached Config rules and additionally on a regular time basis by Trusted Advisor; that 2-layer security check helps us to gain trust from our info sec department
As a next step we have activated flow logs and will now establish additional checks on the data flows.
Steven Schmidt -> Security should be step Zero
An integrated solution is necessary for a successful development
Very helpful for us was -> Excellent Support by AWS Experts
Excellent Documentation, Whitepapers and Checklists; all points to one major conclusion
You've heard it all the time in most of the talks but it's true: Automation is the key.