
(SEC326) Security Science Using Big Data



AWS provides all sorts of security features and capabilities, and these features generate tons of data to be sifted and analyzed. In this session, hear what we are doing to support ingestion, processing, and storage of data at scale to support our Security Science and DevSecOps programs. We've had a lot of experience understanding what is and is not possible for crunching security data using big data environments. In fact, we've discovered it's much easier to develop the tools and processes necessary to support applications than you might think.

Published in: Technology


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scott C. Kennedy, Security Scientist, Intuit; Erik Naugle, Director Cloud Security, Intuit. October 2015. SEC326 Security Science via Big Data
  2. What to Expect from the Session • Get introduced to DevSecOps • Learn about security science • See how Intuit is using security science & big data
  3. Our Mission at Work… The Cloud Security Team (CST) will deliver transparent security oversight and monitoring that enables safe use of cloud resources without friction for our online business, by: • Becoming the team to follow by establishing a DevSecOps function that solves for secure use of cloud services. • Automating our processes and solutions to ensure scaled global delivery. • Partnering across Intuit to ensure speed & ease for our innovation.
  4. Why is DevSecOps Needed? (diagram labels: Compliance, Engineering, Operations, Science)
  5. What is DevSecOps • Agile discipline • Best of each security specialty in one framework • Value provided as security services • Make it easy for business to take the right risks • Reduce friction and disruptions • Continuous improvement mindset … Requires profiling, testing, and an ability to put security in perspective
  6. Drivers for DevSecOps Embedding into DevOps was a disaster… • Compliance checklists didn’t take us far before we stopped scaling… • We couldn’t keep up with deployments without automation… • Traditional security operations did not work… • And we needed far more data than we expected to help the business make decisions…
  7. The Tenets of DevSecOps 1. Customer-focused mindset 2. Scale, scale, scale 3. Objective criteria 4. Proactive hunting 5. Continuous detection & response
  8. The Art of DevSecOps • Security Engineering: Experiment, Automate, Test • Security Operations: Hunt, Detect, Contain • Compliance Operations: Respond, Manage, Train • Security Science: Learn, Measure, Forecast
  9. Security Science? • Need to change the conversation from F.U.D. to facts • Science is a fact-based examination • Theories established • Testable against real data • Revised and retested as the landscape changes… • Question -> Hypotheses -> Experiment -> Analyze -> Repeat • Answers simple questions
  10. Examples of Security Science • What is your password policy? • Why? • How frequently should you restack your hosts? • Can you make choices beforehand to improve this?
  11. Ways Intuit is using Security Science • Advocacy • Education • Threat reduction
  12. Enhance Ability to “Detect & Contain” Use big data analytics to improve detection methods • Looking for the slow & steady attacker • Find the one-packet-only attacks • Find coordinated spread spectrum scans • Detect AWS misuse cases before incidents occur Use data visualization to uncover unseen existing issues • Hunt the wumpus
  13. It’s Log! It’s Big! It’s Heavy! It’s Wood! • As of 9/2015, we have 990+ separate AWS accounts • We use Splunk™ as our logging platform • Partner with a third party to add value • Operate a 24/7 SOC to trigger on AWS incidents • Compliance • Security • Ingest CloudTrail/S3/ELB/etc. into unified logs • Send all logs into TAP for further aggregation and alerts • Looking to migrate to Hunk/EMR as future directions?
  14. Using Logs to Profile Drift from Standards (diagram labels: Insights, Security science, Security tools & data, AWS accounts, Amazon S3, Amazon Glacier, Amazon EC2, AWS CloudTrail, Ingestion, Threat intel)
  15. Benefits of Unified Logs • Single pane of glass to see everything • Allows complex queries and lookups
  16. Egress Monitoring + Threat Intel to Detect Misuse (diagram labels: EC2, Subnet, VPC, Account, Ingestion)
  17. Incident Handling Triggered on Events? • Use triggers/reports on AWS usage patterns • Detect misuse early
  18. Diving Through the Unified Views Using combined views of data to find underlying patterns
  19. Steer PD to “Ensure Apps are Secure” • Develop insights to illustrate the rationale behind CST • Win over the PD teams to use the CST model • Increase overall security posture by illuminating security gaps • Help PD teams overcome friction on security issues • Create tooling to allow PD teams to self-educate • Guide them to right decisions via scoring • Allow them to model scoring impacts before implementation
  20. Portal – Gateway to Success in Cloud Adoption • Displays account details • Education access • Tools to help scale
  21. Why Focus on This?
  22. Why is Scoring Important? • Grades are powerful motivators • Allows the PD leader to drill down • Why am I failing? • Where am I using that? • But, then what?
  23. CVSS modeling • How do the decisions I make affect my grading scores? • How frequently do I have to restack? • What is the impact of package choices? • Ruby or Python? • MySQL or Postgres? • Apache or Nginx?
  24. Future directions • Continue to create tooling for PD teams • Encryption methods vs. cracking costs • Key rotation tempo vs. re-encryption speed/costs • Deep dive on DNS queries • Find misuse without blocking • Redirection for laptops, cloud, & Datacenter for intel gathering
  25. Wrap up • Join DevSecOps Community via LinkedIn, GitHub, and Twitter • Assess your org's cloud adoption strategy, security requirements and work backwards • Bring science into your security decisions.
  26. Related Sessions • BDT205 - Your First Big Data Application on AWS • SEC308 - Wrangling Security Events in the Cloud • SEC320 - AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance • SEC402 - Enterprise Cloud Security via DevSecOps 2.0
  27. Remember to complete your evaluations!
  28. Thank you!
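Slides 12 and 16 name four detection goals (the slow & steady attacker, one-packet-only probes, coordinated spread-spectrum scans, and egress to threat-intel addresses) without showing how they are computed. The following is an added example, not Intuit's or AWS's code and not from the deck, that implements each goal as a query over a handful of constructed VPC Flow Log records in the default version 2 field layout. The account id, ENI ids, IP addresses, timestamps, the `BAD_IPS` threat-intel set and the thresholds are all made up for the example; the point is that the first three detections only work when records are grouped across a long window or across many sources, which is what the big-data platform on slide 13 makes possible.

```python
"""Detection sketches over constructed VPC Flow Log (version 2) records.

Added example, not Intuit's or AWS's code. All sample data below is constructed.
"""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log (version 2) field layout; start/end are epoch seconds.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed threat-intel list (hypothetical indicator, documentation IP range).
BAD_IPS = {"198.51.100.200"}

# Constructed sample records: one slow scanner (6 ports over ~5 hours, 3 packets each),
# one single-packet probe, benign traffic, a NODATA row, and three sources that each
# touch 3 ports on 10.0.2.8 (9 ports in total).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40211 22 6 3 180 1443700000 1443700060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40212 23 6 3 180 1443703600 1443703660 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40213 80 6 3 180 1443707200 1443707260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40214 443 6 3 180 1443710800 1443710860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40215 3389 6 3 180 1443714400 1443714460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40216 8080 6 3 180 1443718000 1443718060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 51000 445 6 1 60 1443701000 1443701000 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.5 52000 443 6 25 4100 1443702000 1443702030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.200 33000 443 6 40 6200 1443705000 1443705120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.50 33001 443 6 12 1800 1443705200 1443705210 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1443706000 1443706600 - NODATA
2 123456789012 eni-0e5f6a7b 192.0.2.10 10.0.2.8 41000 21 6 1 60 1443709000 1443709000 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.10 10.0.2.8 41001 22 6 1 60 1443709010 1443709010 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.10 10.0.2.8 41002 25 6 1 60 1443709020 1443709020 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.11 10.0.2.8 42000 53 6 1 60 1443709100 1443709100 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.11 10.0.2.8 42001 110 6 1 60 1443709110 1443709110 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.11 10.0.2.8 42002 143 6 1 60 1443709120 1443709120 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.12 10.0.2.8 43000 443 6 1 60 1443709200 1443709200 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.12 10.0.2.8 43001 993 6 1 60 1443709210 1443709210 REJECT OK
2 123456789012 eni-0e5f6a7b 192.0.2.12 10.0.2.8 43002 995 6 1 60 1443709220 1443709220 REJECT OK
"""


def parse_flows(text):
    """Parse flow-log lines into dicts, dropping NODATA/SKIPDATA and malformed rows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def slow_scanners(flows, min_ports=5, min_span=3 * 3600):
    """Slow & steady attacker: one source whose rejected flows touch many distinct
    ports over a long window. A per-minute rate alert never fires on this; counting
    distinct ports across the whole retention window does."""
    ports, first, last = defaultdict(set), {}, {}
    for f in flows:
        if f["action"] != "REJECT":
            continue
        src = f["srcaddr"]
        ports[src].add(f["dstport"])
        first[src] = min(first.get(src, f["start"]), f["start"])
        last[src] = max(last.get(src, f["end"]), f["end"])
    return sorted(s for s in ports
                  if len(ports[s]) >= min_ports and last[s] - first[s] >= min_span)


def one_packet_probes(flows):
    """One-packet-only attacks: rejected flows that consisted of a single packet and
    were never retried, i.e. a probe rather than a real connection attempt."""
    return sorted({(f["srcaddr"], f["dstaddr"], f["dstport"]) for f in flows
                   if f["action"] == "REJECT" and f["packets"] == 1})


def coordinated_scans(flows, min_sources=3, min_ports=8, max_ports_per_source=3):
    """Spread-spectrum scan: several sources each touch only a few ports on one target
    but together cover many. Per-source thresholds miss it; grouping by target finds it.
    Returns {target: [sources]}."""
    by_target = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["action"] == "REJECT":
            by_target[f["dstaddr"]][f["srcaddr"]].add(f["dstport"])
    hits = {}
    for dst, per_src in by_target.items():
        covered = set().union(*per_src.values())
        if (len(per_src) >= min_sources and len(covered) >= min_ports
                and max(len(p) for p in per_src.values()) <= max_ports_per_source):
            hits[dst] = sorted(per_src)
    return hits


def egress_to_threat_intel(flows, internal_net, bad_ips):
    """Egress monitoring + threat intel: accepted flows from an internal address to an
    address on the indicator list."""
    net = ipaddress.ip_network(internal_net)
    return sorted({(f["srcaddr"], f["dstaddr"], f["dstport"]) for f in flows
                   if f["action"] == "ACCEPT" and f["dstaddr"] in bad_ips
                   and ipaddress.ip_address(f["srcaddr"]) in net})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("slow scanners:", slow_scanners(flows))
    print("one-packet probes:", one_packet_probes(flows))
    print("coordinated scans:", coordinated_scans(flows))
    print("egress to threat intel:", egress_to_threat_intel(flows, "10.0.0.0/16", BAD_IPS))
```

On the sample data the slow-scanner query returns only `198.51.100.7`, the three `192.0.2.x` sources are invisible to it (three ports each, seconds apart) and surface only when `coordinated_scans` groups by target, and the single accepted flow to an address in `BAD_IPS` is the only egress hit. The thresholds are deliberately simple; in practice they would be tuned against the account's own baseline, which is the kind of measurement the Security Science slides describe.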