© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SID302_Force Multiply Your Security Team with Automation and Alexa

Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon CloudWatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as-needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).


  1. Force Multiply Your Security Team with Automation and Alexa
     Don “Beetle” Bailey, AWS Security
     Brian Wagner, AWS Professional Services
     SID302, November 27, 2017
  2. What to Expect from This Session
     • Iteration of previous re:Invent talks
     • Philosophy behind automating security work stuff
     • Guide for picking stuff to automate
     • Examples for various parts of your team
     • Additional Resources
     • Demos!
  3. Demo
  5. Previously @ re:Invent
     YouTube search …
     • “Intrusion Detection in the Cloud” 2014
     • “Incident Response (IR) in the Cloud” 2014
     • “Wrangling Security Events in The Cloud” 2015
     • “Automating Security Event Response” 2016
  6. Why Alexa? … Why Not?
     • Familiar
     • Helpful
     • Process repeatability
     • Forcing function
     • Goals
     • “Suspension of Strong Authn/Authz Disbelief”
  7. DevSecOps in A Nutshell
     • Cloud-y
     • Security that permeates
     • Beyond security as part of SDLC
     • Security LIVES in prod
     • Security scaling to support the business
     See also: SID306 - How Chick-fil-A Embraces DevSecOps on AWS
  8. Modern Security Roles (Not Roles for EC2)
     • Application Security
     • Compliance
     • Security Engineering
     • Security Operations
     • Threat Intelligence
     • And MORE …!
  9. Everyone Has An “Ugh”
     • Manual
     • Repetitive
     • Time-consuming
     • Soul-crushing
  10. Importance of Empowering Security Geeks
     • Deepest understanding
     • Self-preservation
     • Build or buy economics
     • No more holding out for a hero
     • Burn-out is real
  11. How AWS Can Naturally Enable
     • Ability to programmatically inventory environment—knowing what you need to protect is key
     • Awareness of what’s happening, what’s changing, from AWS API activity to application behavior
     • Detection and alerting mechanisms, freedom to create, and flexibility to configure and tune what’s appropriate for YOU
     • Analysis and response, via the same platform, natively or with AWS partner solutions
  12. Event Detect → Automation Workflow Example
     (Diagram labels: AWS CloudTrail, Amazon CloudWatch Events, AWS Lambda, Amazon Simple Notification Service, AWS API endpoints, Your Staff, Amazon S3 bucket, Your security team, AWS IAM role, AWS API, Your SaaS tools)
  13. From Idea to Code to Execution Redux
     • What is my expressed security objective in words?
     • Is this configuration or behavior related?
     • What data, where, could help inform me?
     • Do I have requisite ownership or visibility?
     • What are my performance requirements?
     • What mechanisms support the above?
     • What is my expressed security objective in code?
  14. “I want to identify any instances running vulnerable software.”
  15. Demo #1 Under The Hood
     (Diagram labels: Amazon Inspector, webappdata, AWS Lambda)
  16. The Alexa Difference
     • Complexity beyond push-button
     • Desired interrupts/gates
     • Ad-hoc opportunities
     • Staff flexibility
     • Training fodder
     • Not an either/or
     (Diagram labels: Alexa Skill, Echo, Lambda Function)
  17. Example Activities
     • Audit (scanning, inventory, confirm configuration)
     • Remediation (patching, refresh)
     • Response (isolation, tagging, enforcement)
     • Analysis (forensics, log diving)
     • Reporting (event summary, output pivot)
  18. Where / How to Pivot from Events
     • Amazon SNS notification
     • Use of tags
     • Look for tags
     • New work from event
  19. Where / How to Pivot from Events
     • Amazon SNS notification
     • Use of tags
     • Look for tags
     • New work from event
  20. Where / How to Pivot from Events
     • Amazon SNS notification
     • Use of tags
     • Look for tags
     • New work from event
  21. Where / How to Pivot from Events
     • Amazon SNS notification
     • Use of tags
     • Look for tags
     • New work from event
     CloudWatch Event Rule:
         {
           "detail-type": [ "AWS API Call via CloudTrail" ],
           "detail": {
             "eventSource": [ "ec2.amazonaws.com" ],
             "eventName": [ "CreateTags" ]
           }
         }
  22. Where / How to Pivot from Events
     • Amazon SNS notification
     • Use of tags
     • Look for tags
     • New work from event
  23. “I want to patch any instances running vulnerable software.”
  24. Demo
  25. Amazon EC2 Systems Manager FTW
     (Diagram labels: State Manager, Maintenance Window, Inventory, Automation, Parameter Store, Run Command, Patch Manager)
  26. Demo #2 Under The Hood
     (Diagram labels: Patch Manager, webappdata, AWS Lambda)
  27. “I want to tag and isolate an abnormally acting instance.”
  28. Demo
  29. Demo #3 Under The Hood
     (Diagram labels: AWS Lambda, CloudWatch Event Rule)
  31. Demo #3 Under The Hood
     (Diagram label: AWS Lambda)
  32. “I want to run forensics on an instance previously tagged as suspicious.”
  33. Demo
  34. Demo #3 Under The Hood
     (Diagram label: AWS Lambda)
  35. Security Army of One, Yay!
     Interacting with Alexa to do things like …
     • Launch Amazon Inspector to identify instances with vulnerabilities
     • Patch instances with critical vulnerabilities
     • Isolate misbehaving instances and tag them for forensic analysis
     • Perform forensic analysis on implicated instances
  36. “I want to know what my awesome security team has done recently.”
  37. Demo
  39. Other Resources
     • ThreatResponse, open source IR tools for AWS: https://threatresponse.cloud
     • Netflix, “Security Monkey”, “Scumblr”, etc.: https://netflix.github.io/
     • NCC Group, “Scout2”: https://nccgroup.github.io/Scout2/
  42. Partners
  43. Other Talks
     • SID301 - Using AWS Lambda as a Security Team
     • SID304 - SecOps 2021 Today: Using AWS Services to Deliver SecOps
     • SID319 - Incident Response in the Cloud
     • SID322 - The AWS Philosophy of Security
     • ALX326 - Applying Alexa's Natural Language To Your Challenges
  44. Other AWS Security Resources
     • Support: https://aws.amazon.com/support
     • AWS Cloud Security: https://aws.amazon.com/security
     • AWS Security Blog: https://aws.amazon.com/blogs/security/
     • Contact the AWS security team: aws-security@amazon.com
  45. Summary
     • Automating security stuff with Alexa is not sci-fi
     • There is a wide variety of your activities that could benefit from and are ripe for Alexa
     • Empowering your security geeks to automate with Alexa pays dividends
     • There are plenty of resources to help you get started, and starting small/simple is A-OK
     • Go find some ugh and automate with Alexa today!
  46. Thank you!
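
Added example (not from the slides or the presenters' demo code): the CloudWatch Event Rule on slide 21, evaluated locally against constructed events, followed by the "look for tags" pivot that hands instance IDs to follow-up work. The tag key and value, the function names and the requestParameters layout of the sample event are assumptions, and the matcher covers only the pattern features that rule uses.

```python
# Added example: evaluate the slide-21 CloudWatch Events rule locally.
RULE = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["CreateTags"]},
}
# Hypothetical tag that marks an instance for follow-up work (not from the slides).
PIVOT_TAG = ("SecurityStatus", "suspicious")


def matches(pattern, event):
    """Subset of event-pattern matching: nested objects and lists of allowed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # a pattern list means "any one of these"
            return False
    return True


def tagged_instances(event, tag=PIVOT_TAG):
    """Instance IDs that a matching CreateTags call marked with the pivot tag."""
    if not matches(RULE, event):
        return []
    params = event["detail"].get("requestParameters") or {}
    tags = {(t.get("key"), t.get("value")) for t in params.get("tagSet", {}).get("items", [])}
    if tag not in tags:
        return []
    # CreateTags can target volumes, AMIs, etc.; keep only EC2 instances.
    return [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])
            if str(r.get("resourceId", "")).startswith("i-")]


def sample_event(name, key, value, resources):
    """Constructed event; layout assumed to follow CloudTrail CreateTags records."""
    params = {"resourcesSet": {"items": [{"resourceId": r} for r in resources]},
              "tagSet": {"items": [{"key": key, "value": value}]}}
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com", "eventName": name,
                       "requestParameters": params}}


if __name__ == "__main__":
    evt = sample_event("CreateTags", "SecurityStatus", "suspicious",
                       ["i-0123456789abcdef0", "vol-0123456789abcdef0"])
    print(tagged_instances(evt))
```

Because the rule fires on every EC2 CreateTags call, the tag check inside the function is what keeps routine tagging from triggering isolation or forensics.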
