Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide Uniformly Scalable Security Capabilities - SID333 - re:Invent 2017

Learn how Autodesk implemented security at scale, moved to native AWS security products and features, as well as attained SOC certification.

  1. Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide Uniformly Scalable Security Capabilities. Kolby Dauler, Lead Cloud Security Engineer (Autodesk); Asha Chakrabarty, Principal Solutions Architect (AWS). SID333, AWS re:Invent, November 30, 2017. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to Expect from the Session
     - Assumes high-level familiarity with serverless architectures and AWS security services
     - How to standardize security principles for your cloud deployments
     - Learn how to architect tools using native AWS services to enable security governance and compliance
  3. Imagine This…
     - 400+ AWS accounts (with new accounts added frequently)
     - 150+ products running on the cloud
     - Multiple business units, dozens of teams, thousands of instances
     - Must have: SOC compliance to pass security audits
  4. Making Security Ubiquitous
     - Create a set of principles that teams can adopt to design for security
     - Utilize native AWS capabilities to gain visibility and continuously monitor your security posture
     - Automate security operations
  5. Introspect
     - What is your end goal? What are your pain points?
     - What data do you need to collect?
     - What do you want to monitor?
     - When do you want to know about security events?
     - Who should have access to what?
     - What compliance certifications need to be achieved?
  6. Develop, Design, and Build: Identity & Access Management; Infrastructure Security; Data Encryption; Inventory & Configuration; Monitoring & Logging
  7. Develop, Design, and Build
  8. (no slide text)
  9-14. Autodesk background (built up across slides 9 to 14)
     - Founded in 1982, 1985 IPO
     - M&A in the 1990s
     - ~50% of employees via acquisitions
     - 150+ products and services
     - Organic initial AWS adoption
     - Platform-centric company
  15. The goal: Secure a large, diverse environment by creating a consistent security posture across hundreds of accounts with a slim team
  16. The solution: Maximize efficiency by centralizing our capabilities, minimizing our operational overhead, and amplifying our wins by finding alignment with other teams' goals
  17. Solutions
     • PTH — Lightweight tool for IAM management
     • Pronto — Incident response automation toolkit
     • Pulsar — Monitoring, notification, reporting, and enforcement platform
     • Amazon GuardDuty — AWS managed threat detection service
  18. PTH: Serverless IAM Provisioning and Management Framework
  19. Access Management — Common Challenges
     • Overly permissive policies
     • Non-standardized usernames
     • Non-standardized service user names
     • Thousands of AWS access keys
     • Varied practices for using groups, roles, instance profiles, and so on
  20. PTH — Goals
     • Centralize management
     • Maintain a low operational overhead – simplify naming, manage fewer keys
     • Lead by example – adhere to best practices
     • Expose this capability to other teams – plug into established business services to facilitate better IAM practices
  21-25. PTH architecture (diagram, built up across slides 21 to 25): AWS Lambda, AWS IAM, Amazon API Gateway. Components shown: API Gateway, IAM Lambdas, Execution Lambda, IAM Execution Role
  26. Pronto: Incident Response Automation Toolkit
  27. IR — Common Challenges
     • Improvable MTTR for IR
     • Lack of access to an account
     • Lack of resource ownership information due to incorrect naming and/or tagging
     • Isolating an instance can be a sensitive task, especially manually
     • Setting up a forensics environment and positioning the instance appropriately in a timely fashion
  28. Pronto — Goals
     • Improve MTTR for IR
     • Centralize
       – Use a central role over user accounts for carving out instances
       – Have a preconfigured forensics environment ready to accept an image at all times
     • Reduce overhead
       – Use common, design-reviewed and approved automation
  29. Pronto native AWS services: Lambda, Amazon EC2, IAM, AWS Step Functions, API Gateway
  30-32. Pronto flow (diagrams): Cloud Security Account and Source Account, connected via Amazon API Gateway and IAM. Slide 30: security group and instance; 1. Modify security group, 2. Shut down instance, 3. Terminate instance. Slide 31: AWS Step Functions, instance, AMI, Forensics VPC. Slide 32: AWS Step Functions, instance, snapshot(s), Amazon volume, analysis tooling
  33. Pulsar: Monitoring, Notification, Reporting, and Enforcement Platform
  34. Monitoring & Enforcement — Common Challenges
     • Disparate logging solutions and nonstandard resource management practices can lead to additional operations overhead and increased MTTR for IR
     • It is not efficient for security teams to chase down violations when enforcement for many situations can be automated, tracked, and notified on
  35. Pulsar — Goals
     • Centralize logging, monitoring, and enforcement using repeatable, modularized, and approved automation and standards
     • Reduce operational overhead and MTTR for IR by improving resource management and configuration, visibility, and data stores, and proactively enforce these changes
     • Responsibly expose this data to the correct teams and create an extensible platform that invites contribution
  36. Pulsar services: Lambda, EC2, IAM, API Gateway, Amazon SNS, Amazon SES, AWS Config, AWS CloudTrail, Amazon S3
  37-41. Pulsar data flow (diagrams, built up across slides 37 to 41): users in Source Account #1 and Source Account #2 make API calls (ec2:runinstances, s3:getobject, iam:getrolepolicy, kms:decrypt, lambda:updatefunctioncode, dynamodb:getitem); AWS CloudTrail in each source account (slide 39 also shows CloudWatch, Lambda, and AWS Config) feeds a Centralized Amazon S3 Bucket (CloudTrail) in the Central Account
  42. Amazon S3 ObjectCreated Sample
  43. Pulsar data flow (diagram): as on slide 41, with a CloudTrail Object Translator added in the Central Account
  44. AWS CloudTrail Object Translator: Unzip, Parse, Drop or route
  45-46. Pulsar data flow (diagrams): the CloudTrail Object Translator routes matching events (iam:*, ec2:runinstances) to CSA (Cloud Security Action) Lambdas
  47. Cloud Security Actions (AWS Lambda Functions): Standardized (Utils.py), Analyze, Drop or respond
  48. Pulsar data flow (diagram): Action Lambdas publish to a Notification Topic and a Ticket Creation Topic
  49. Integration (AWS Lambda Functions): Tie into existing business services; Modularize standard communication and tracking; Increase coordination
  50-54. Pulsar data flow (diagrams, built up across slides 50 to 54): the Notification Topic and Ticket Creation Topic feed SES alerts; a Rapid Enforcement Lambda acts through a Cross Account Role; Resource CMDBs (Amazon DynamoDB) and AWS Config are added
  55. CS CMDBs (Amazon DynamoDB Tables): Extended information; Near real-time updates; Quick queries; Allow for scheduled reporting and notification, timed enforcements, and exception tracking
  56-57. Pulsar data flow (diagrams): a Config Informed Enforcement Lambda and a Scheduled Lambda, each acting through a Cross Account Role, are added alongside the Resource CMDBs, Action Lambdas, and AWS Config
  58. This Looks Like a “One Size Fits All” Solution So Far…
  59-60. Pulsar data flow (diagrams): the full pipeline from slide 57, then slide 60 adds API Gateway alongside the Action Lambdas
  61. External Inputs: Threat intel; Non-AWS resources; Additional tooling
  62. Pulsar data flow (diagram): the full pipeline with API Gateway added
  63. Amazon GuardDuty: AWS Managed Threat Detection Service
  64. Amazon GuardDuty integration services: AWS Lambda, AWS CloudWatch Events, Amazon GuardDuty, Amazon Kinesis Firehose, Amazon ES
  65-68. GuardDuty integration (diagrams, built up across slides 65 to 68): Amazon GuardDuty findings go to CloudWatch Events, onto a Central CloudWatch EventBus, to a Central Processing Lambda, then through Kinesis Firehose into Amazon ES for security analysis; slide 68 adds a GuardDuty Topic in the Pulsar Account
  69. Amazon GuardDuty Result Samples
     • Anomaly detection: potentially sensitive API calls from an unusual ISP
       – GuardDuty sent an alert when I was making CloudTrail calls from a relative’s house without being on VPN
     • DNS log analysis: potential C&C activity
       – GuardDuty identified one of our honeypots after the honeypot began sending outbound requests to a domain designated as a C&C
     • VPC Flow: unprotected ports being probed by a malicious IP
       – GuardDuty allows us to add weight to existing notifications that warn of insecure security group configurations by alerting on probes and brute force attempts on unprotected ports
  70. Amazon GuardDuty Takeaways
     • Painless setup with transparent pricing for the first 30 days
     • Allowed our team to focus on findings and integrations rather than maintaining the service itself
     • More than just IDS on VPC flow logs — the combination of CloudTrail, DNS logs, threat intel, and machine learning yields high-caliber, informed findings
     • The GuardDuty team has been quick to iterate on feedback and continually improve the service, so we are excited to continue working with GuardDuty and the evolution of the service
  71. What Did We Learn?
     • Native AWS services provide secure, reliable, and managed capabilities that empower security teams to focus on security over operations
     • Don’t be afraid of designing the final architecture from the beginning — learn as you go, design with a bias towards extensibility, and let go when features or capabilities are released that make parts or the whole of your designs obsolete
     • Learn as many AWS services as you can — just because they are not security related does not mean you cannot use them to increase the efficiency of your security operations
  72. Thank you!
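The translator and action steps on slides 44 and 47 (unzip, parse, drop or route; analyze, drop or respond), as an added Python example that is not Autodesk's Pulsar code: the routing table, handler names and the sample CloudTrail object are constructed for illustration, and the route patterns mirror the slide labels iam:* and ec2:runinstances.

```python
"""Added example: a minimal CloudTrail object translator in the style of
slides 44-47 (unzip, parse, drop or route). Not Autodesk's Pulsar code;
the routing table, handler names and sample records are constructed here."""
import fnmatch
import gzip
import io
import json
from collections import defaultdict

# Constructed routing table: "service:eventname" pattern -> CSA handler name.
# Patterns mirror the slide labels; the handler names are hypothetical.
# First matching route wins; anything unmatched is dropped.
ROUTES = {
    "iam:*": "csa-iam-change",
    "ec2:runinstances": "csa-ec2-launch",
}


def event_key(record):
    """Normalize a CloudTrail record to lowercase 'service:eventname', e.g.
    eventSource 'iam.amazonaws.com' + eventName 'GetRolePolicy' -> 'iam:getrolepolicy'."""
    service = record["eventSource"].split(".")[0].lower()
    return f"{service}:{record['eventName'].lower()}"


def route(record):
    """Return the handler name for a record, or None to drop it."""
    key = event_key(record)
    for pattern, handler in ROUTES.items():
        if fnmatch.fnmatchcase(key, pattern):
            return handler
    return None


def translate(gz_bytes):
    """Unzip and parse one gzipped CloudTrail S3 object and route each record.
    Returns (routed, dropped): routed maps handler name -> list of records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        trail = json.load(fh)
    routed, dropped = defaultdict(list), []
    for rec in trail.get("Records", []):
        handler = route(rec)
        if handler is None:
            dropped.append(rec)
        else:
            routed[handler].append(rec)
    return dict(routed), dropped


# Constructed sample object mirroring the API calls shown on the Pulsar slides.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "recipientAccountId": "111111111111"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetRolePolicy", "recipientAccountId": "222222222222"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "recipientAccountId": "222222222222"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode", "recipientAccountId": "222222222222"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem", "recipientAccountId": "222222222222"},
]
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    routed, dropped = translate(SAMPLE_OBJECT)
    for handler, recs in routed.items():
        print(handler, [event_key(r) for r in recs])
    print("dropped", [event_key(r) for r in dropped])
```

In a deployment this would run as the S3 ObjectCreated-triggered Lambda from slide 42, with each routed list handed to its CSA function.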
