Learn what it takes to accomplish both security and speed in your AWS environment - beyond the basics. We will walk through real-world examples of contention and collaboration points common in organizations running continuous delivery models. Additionally, we’ll offer simple tips for auditing, monitoring and investigating suspicious activity across users, processes, network connections, and file access.
2. Agenda
● Quick Introduction
● Define the Problem We’re Solving For
● Framework for Thinking about Security and Operations
○ People
○ Process
○ Tools
3. Security That Supports Your Organization’s Business Objectives
● 4 hours to 4 minutes: Increased Velocity of Your Security Operations
● Real-time Alerting: Real-time Visibility into Behavior (Who, what, where, when?)
● 1 Console for Complex Environments: Continuous Security Monitoring & Alerting Across Your Environment
● SOC 2, HIPAA, PCI, HITRUST, SOX 404, ISO 27001: Continuous Compliance (Automatic controls, policies, & procedures)
4. Spanning your Data Center and Cloud with One Platform
● Real-Time Host Monitoring: Behavior-based monitoring and detection of suspicious events, with an out-of-the-box ruleset of alerts for the most common security events.
● Vulnerability Monitoring: Detect systems and packages containing known vulnerabilities, cross-reference them against the catalog of identified CVEs, and automatically categorize them according to security risk.
● Threat Intelligence Correlation: Continuously monitor connections to known bad addresses and receive real-time alerts when these connections occur.
● Continuous Compliance: Satisfy compliance criteria across HIPAA, PCI DSS, SOC 2, ISO 27001, and SOX 404 and regularly report on and audit the relevant activity.
● Configuration Auditing: Scan AWS configurations to ensure the proper security settings have been selected and enabled, while providing an accurate security baseline.
● Workflow Integrations: Increase efficiency with out-of-the-box integrations with popular configuration management and alerting tools, enabling easy collaboration across security and DevOps teams.
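The host-monitoring and threat-intel correlation features above amount to running a small set of behavioral rules over the agent's stream of process, network and file events. Here is an added example of that idea in plain Python; it is not Threat Stack's agent or ruleset. The event schema, rule names and severities are assumptions, and the sample events and the "known bad" address list are constructed for the demo (documentation address ranges, not real indicators).

```python
"""Behavior-based host rules with threat-intel correlation.

Added example; not Threat Stack's agent or ruleset. The event schema, rule
names and severities are assumptions, and the sample events and the
"known bad" address list below are constructed for the demo.
"""
import ipaddress

# Constructed threat-intel feed (documentation ranges, not real indicators).
THREAT_INTEL = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "app"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/zsh"}
RECON_TOOLS = {"/usr/bin/nc", "/usr/bin/ncat", "/usr/bin/nmap", "/usr/bin/socat"}
SENSITIVE_PATH_SUFFIXES = (
    "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/.ssh/authorized_keys",
)

# Constructed sample events in the assumed agent schema: every event has
# type (exec | connect | file), user and process, plus type-specific keys.
SAMPLE_EVENTS = [
    {"type": "exec", "user": "www-data", "process": "/bin/sh", "parent": "nginx"},
    {"type": "connect", "user": "www-data", "process": "curl",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "file", "user": "deploy", "process": "vim", "mode": "write",
     "path": "/home/deploy/.ssh/authorized_keys"},
    {"type": "file", "user": "root", "process": "apt-get", "mode": "write",
     "path": "/usr/bin/python3"},
    {"type": "connect", "user": "app", "process": "python3",
     "dst_ip": "10.0.1.20", "dst_port": 5432},
    {"type": "exec", "user": "root", "process": "/usr/bin/nc", "parent": "bash"},
]


def known_bad(ip_str):
    """True if the address falls inside any threat-intel network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in THREAT_INTEL)


# Each rule takes one event and returns (rule_name, severity) or None.
def rule_service_account_shell(ev):
    if ev["type"] == "exec" and ev["user"] in SERVICE_ACCOUNTS and ev["process"] in SHELLS:
        return ("service_account_spawned_shell", "high")
    return None


def rule_threat_intel_connection(ev):
    if ev["type"] == "connect" and known_bad(ev["dst_ip"]):
        return ("connection_to_known_bad_address", "critical")
    return None


def rule_sensitive_file_write(ev):
    if (ev["type"] == "file" and ev["mode"] == "write"
            and ev["path"].endswith(SENSITIVE_PATH_SUFFIXES)):
        return ("sensitive_file_modified", "high")
    return None


def rule_recon_tool(ev):
    if ev["type"] == "exec" and ev["process"] in RECON_TOOLS:
        return ("network_tool_executed", "medium")
    return None


RULES = [rule_service_account_shell, rule_threat_intel_connection,
         rule_sensitive_file_write, rule_recon_tool]


def evaluate(events, rules=RULES):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                name, severity = hit
                alerts.append({"rule": name, "severity": severity,
                               "user": ev["user"], "process": ev["process"]})
    return alerts


def severity_counts(alerts):
    """Roll alerts up by severity so a dashboard or Slack summary can show totals."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']:8}] {a['rule']}: {a['user']} ran {a['process']}")
```

On the constructed events this fires four alerts (the web server's shell, the outbound connection to the listed address, the `authorized_keys` write, and the `nc` execution) and stays silent on the package manager's write and the database connection. The threat-intel check is a pure set membership over the destination address, which is what makes it cheap enough to run on every connect event; the behavioral rules carry the context (which user, which parent) that an address list alone cannot.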
7. About Security at Cogito
● Eliminating agent sprawl: one agent does the work of many
(compliance IS possible w/out agent sprawl!)
○ Behavioral intrusion detection
■ Prior research: “Engineering Challenges Doing
Intrusion Detection in the Cloud”
○ Data loss and malware detection
○ Each ruleset is between 24-36 rules
● Increasing Security Velocity
○ Slack, JIRA based alert handling
○ “Spacefolding” via pre-aggregated live response data
yields a 60-100x increase in velocity
14. Ops/DevOps/NoOps! Software Defined Everything!
● Security isn’t allowed to retreat to the perimeter any longer
○ The perimeter deployment model isn’t technically feasible
○ This model did very little to secure organizations even in the on-prem data center
● Security relies on Operations for:
○ Installing continuous monitoring (agents, AWS IAM, etc.)
○ Remediating risks or active threats
● Operations relies on Security for:
○ Requirements and guidance on how to build secure systems
○ Feedback on where risks or active threats are, and how to remediate them
● This symbiotic relationship depends on a high velocity feedback loop
○ Requires trust, which often requires data
○ Requires organizational investment - often starts with the CEO
EVERYONE CANNOT OWN SECURITY,
but everyone does have to play a role.
16. “Focus on increasing time-to-exfiltration and lowering time-to-discovery. By so doing, hopefully you can stop incidents from becoming breaches.” (Verizon 2017 DBIR)
30. What about incidents & responding to them?!
Everything we’ve talked about supports incident response,
making it efficient and more effective.
31. If you think this is old hat and
that it can’t work because it has
never worked for you, then it
sounds like you’ve already made
up your mind and your current
employer is paying your past
employer’s debts.
32. Where did we land? We landed here
1. Leverage the rest of the organization as a force multiplier
2. Everything must be continuous and incremental, which
requires automation
3. Embrace the new facts like WAN-only and look for new
solutions within them
4. Write more code than policies - bonus points for turning
your policies into code
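Point 4 above, turning policies into code, is what the configuration auditing feature described earlier boils down to: a written control such as "no administrative port is open to the internet" becomes a function that returns findings. The following is an added example of that pattern and is not Threat Stack's auditing code. It runs offline against a constructed snapshot shaped like the boto3 responses for `ec2.describe_security_groups`, `cloudtrail.describe_trails` and `iam.get_account_summary`; the check names, the snapshot and the resource IDs are assumptions.

```python
"""Policy-as-code audit of an AWS account configuration snapshot.

Added example; not Threat Stack's configuration auditing. It runs offline
against a constructed snapshot shaped like the boto3 responses for
ec2.describe_security_groups, cloudtrail.describe_trails and
iam.get_account_summary; the check names and the snapshot are assumptions.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}

# Constructed snapshot (not a real account); group IDs are made up.
SNAPSHOT = {
    "security_groups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-0e9f8a7b", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        ]},
        {"GroupId": "sg-0c0ffee0", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ],
    "trails": [
        {"Name": "main", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
    ],
    "account_summary": {"AccountMFAEnabled": 0},
}


def permission_exposes_admin_port(perm):
    """True if this ingress rule lets the whole internet reach an admin port."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    if not cidrs & ANYWHERE:
        return False
    if perm.get("IpProtocol") == "-1":        # all protocols, all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_open_admin_ports(snapshot):
    findings = []
    for sg in snapshot["security_groups"]:
        for perm in sg["IpPermissions"]:
            if permission_exposes_admin_port(perm):
                ports = ("all" if perm["IpProtocol"] == "-1"
                         else f"{perm['FromPort']}-{perm['ToPort']}")
                findings.append(("open_admin_port", sg["GroupId"],
                                 f"ingress from anywhere on {ports}"))
    return findings


def check_cloudtrail(snapshot):
    findings = []
    trails = snapshot["trails"]
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("cloudtrail_not_multi_region", "account", "no multi-region trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("cloudtrail_no_log_validation", t["Name"],
                             "log file validation off"))
    return findings


def check_root_mfa(snapshot):
    if snapshot["account_summary"].get("AccountMFAEnabled") != 1:
        return [("root_mfa_disabled", "account", "root account has no MFA device")]
    return []


CHECKS = [check_open_admin_ports, check_cloudtrail, check_root_mfa]


def audit(snapshot, checks=CHECKS):
    """Return every finding as (check, resource, detail); an empty list is compliant."""
    findings = []
    for check in checks:
        findings.extend(check(snapshot))
    return findings


if __name__ == "__main__":
    for check, resource, detail in audit(SNAPSHOT):
        print(f"{check:30} {resource:12} {detail}")
```

Against the constructed snapshot this reports the `web` group's SSH rule, the `legacy` group's all-traffic rule, the missing multi-region trail and the root account without MFA, and says nothing about the `db` group, whose only ingress is from another security group. To run it for real, build the same snapshot from `describe_security_groups()["SecurityGroups"]`, `describe_trails()["trailList"]` and `get_account_summary()["SummaryMap"]`, schedule it, and fail the pipeline when `audit` returns anything; that is the continuous, incremental, automated form of a policy document.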
33. Want to chat some more?
Workshop later today
Find a Threat Stack team member around the Loft
www.threatstack.com
Sam @sbisbee
Craig @randomuserid
Enter to win a $100 amazon gift card at our table!!