Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon Cloudwatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as-needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Force Multiply Your Security
Team with Automation and Alexa
D o n “ B e e t l e ” B a i l e y , A W S S e c u r i t y
B r i a n W a g n e r , A W S P r o f e s s i o n a l S e r v i c e s
S I D 3 0 2
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to Expect from This Session
• Iteration of previous re:Invent talks
• Philosophy behind automating security work stuff
• Guide for picking stuff to automate
• Examples for various parts of your team
• Additional Resources
• Demos!

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Previously @ re:Invent
YouTube search …
• “Intrusion Detection in the Cloud” 2014
• “Incident Response (IR) in the Cloud” 2014
• “Wrangling Security Events in The Cloud” 2015
• “Automating Security Event Response” 2016

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why Alexa? … Why Not?
• Familiar
• Helpful
• Process repeatability
• Forcing function
• Goals
• “Suspension of Strong Authn/Authz Disbelief”

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DevSecOps in A Nutshell
• Cloud-y
• Security that permeates
• Beyond security as part of SDLC
• Security LIVES in prod
• Security scaling to support the business
SID306 - How Chick-fil-A Embraces DevSecOps on AWS

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Modern Security Roles (Not Roles for EC2)
• Application Security
• Compliance
• Security Engineering
• Security Operations
• Threat Intelligence
• And MORE …!

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Everyone Has An “Ugh”
• Manual
• Repetitive
• Time-consuming
• Soul-crushing

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Importance of Empowering Security Geeks
• Deepest understanding
• Self-preservation
• Build or buy economics
• No more holding out for a hero
• Burn-out is real

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How AWS Can Naturally Enable
• Ability to programmatically inventory environment—
knowing what you need to protect is key
• Awareness of what’s happening, what’s changing, from
AWS API activity to application behavior
• Detection and alerting mechanisms, freedom to create,
and flexibility to configure and tune what’s appropriate
for YOU
• Analysis and response, via the same platform, natively
or with AWS partner solutions

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS
CloudTrail
Amazon
CloudWatch
Events
AWS
Lambda
Amazon
Simple
Notification
Service
AWS API
endpoints
Your Staff Amazon S3
bucket
Your
security
team
AWS
IAM
role
AWS API
Your SaaS
tools
Event Detect → Automation Workflow Example

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
From Idea to Code to Execution Redux
• What is my expressed security objective in words?
• Is this configuration or behavior related?
• What data, where, could help inform me?
• Do I have requisite ownership or visibility?
• What are my performance requirements?
• What mechanisms support the above?
• What is my expressed security objective in code?

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I want to identify any instances
running vulnerable software.”

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo #1 Under The Hood
Amazon Inspector
webappdata
AWS Lambda

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Alexa Difference
• Complexity beyond push-button
• Desired interrupts/gates
• Ad-hoc opportunities
• Staff flexibility
• Training fodder
• Not an either/or
Alexa Skill
Echo Lambda
Function

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Example Activities
• Audit (scanning, inventory, confirm configuration)
• Remediation (patching, refresh)
• Response (isolation, tagging, enforcement)
• Analysis (forensics, log diving)
• Reporting (event summary, output pivot)

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where / How to Pivot from Events
• Amazon SNS notification
• Use of tags
• Look for tags
• New work from event

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where / How to Pivot from Events
• Amazon SNS notification
• Use of tags
• Look for tags
• New work from event

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where / How to Pivot from Events
• Amazon SNS notification
• Use of tags
• Look for tags
• New work from event

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where / How to Pivot from Events
• Amazon SNS notification
• Use of tags
• Look for tags
• New work from event
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventSource": [
”ec2.amazonaws.com"
],
"eventName": [
"CreateTags"
]
}
}
CloudWatch Event Rule

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where / How to Pivot from Events
• Amazon SNS notification
• Use of tags
• Look for tags
• New work from event

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I want to patch any instances
running vulnerable software.”

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager FTW
State Manager Maintenance WindowInventory
Automation Parameter Store
Run Command
Patch Manager

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo #2 Under The Hood
Patch Manager
webappdata
AWS Lambda

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I want to tag and isolate an
abnormally acting instance.”

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo #3 Under The Hood
AWS Lambda
CloudWatch
Event Rule

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo #3 Under The Hood
AWS Lambda

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I want to run forensics on an
instance previously tagged as
suspicious.”

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo #3 Under The Hood
AWS Lambda

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Army of One, Yay!
Interacting with Alexa to do things like …
• Launch Amazon Inspector to identify instances with
vulnerabilities
• Patch instances with critical vulnerabilities
• Isolate misbehaving instances and tag them for forensic
analysis
• Perform forensic analysis on implicated instances

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I want to know what my awesome
security team has done recently.”

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Other Resources
• ThreatResponse, open source IR tools for AWS
https://threatresponse.cloud
• Netflix, “Security Monkey”, “Scumblr”, etc.
https://netflix.github.io/
• NCC Group, “Scout2”
https://nccgroup.github.io/Scout2/

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Partners

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Other Talks
• SID301 - Using AWS Lambda as a Security Team
• SID304 - SecOps 2021 Today: Using AWS Services to
Deliver SecOps
• SID319 - Incident Response in the Cloud
• SID322 - The AWS Philosophy of Security
• ALX326 - Applying Alexa's Natural Language To Your
Challenges

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Other AWS Security Resources
• Support
https://aws.amazon.com/support
• AWS Cloud Security
https://aws.amazon.com/security
• AWS Security Blog
https://aws.amazon.com/blogs/security/
• Contact the AWS security team
aws-security@amazon.com

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Summary
• Automating security stuff with Alexa is not sci-fi
• There is a wide variety of your activities that could
benefit from and are ripe for Alexa
• Empowering your security geeks to automate with
Alexa pays dividends
• There are plenty of resources to help you get started,
and starting small/simple is A-OK
• Go find some ugh and automate with Alexa today!

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!