Using Security to Build with Confidence in AWS - Trend Micro
Singapore
Presented by Sasha Pavlovic
Director, Cloud and Datacenter Security | APAC

  1. Using Security To Build With Confidence In AWS. Sasha Pavlovic, Director, Cloud and Datacenter Security | APAC
  2. The Story. More at aws.trendmicro.com
      2012 re:Invent: SPR203: Cloud Security is a Shared Responsibility (http://bit.ly/2012-spr203)
      2013 re:Invent: SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud (http://bit.ly/2013-sec208); SEC307: How Trend Micro Build their Enterprise Security Offering on AWS (http://bit.ly/2013-sec307)
      2014 re:Invent: SEC313: Updating Security Operations for the Cloud (http://bit.ly/2014-sec313); SEC314: Customer Perspectives on Implementing Security Controls with AWS (http://bit.ly/2014-sec314)
  3. Shared Responsibility Model. AWS: Physical Infrastructure, Network, Virtualisation. You: Operating System, Applications, Data, Service Configuration. More at aws.amazon.com/security
  4. Shared Responsibility Model. AWS: Physical Infrastructure, Network, Virtualisation. You: Operating System, Applications, Data, Service Configuration. More at aws.amazon.com/security
  5. Vulnerability. Respond. Repair
  6. Vulnerability. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
  7. by Andreas Lindh (@addelindh)
  8. bash is a common command line interpreter
  9. a:() { b; }   Attack: 10 | Vulnerability: 10. Widespread & easy to exploit
  10. Shellshock Impact
  11. 1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
  12. "MicroTAC" by Redrum0486 at English Wikipedia. 12.3oz
  13. Shellshock timeline (Time since last event | Event | Action | Action timeline)
      1989-08-05 8:32      | Added to codebase                   |       |
      27 days, 10:20:00    | Released to public                  |       |
      9141 days, 21:18:35  | Initial report                      | React | Clock starts
      1 day, 22:19:13      | More details                        | React |
      5 days, 9:16:35      | Limited disclosure :: CVE-2014-6271 | React |
      2 days, 4:37:25      | More details                        | React |
      3:44:00              | More details                        | React |
      0:27:51              | Public disclosure                   | React |
      0:36:30              | More details                        | React |
      2 days, 7:30:12      | Official patch :: CVE-2014-6271     | Patch | 4 days, 5:49:25
  14. Important Shellshock Events (Time since last event | Event | Action | Action timeline)
      1989-08-05 8:32      | Added to codebase                              |       |
      27 days, 10:20:00    | Released to public                             |       |
      9141 days, 21:18:35  | Initial report                                 | React | Clock starts
      2 days, 7:30:12      | Official patch :: CVE-2014-6271                | Patch | 4 days, 5:49:25
      3:29:09              | Official patch :: CVE-2014-7169                | Patch | 9 days, 19:17:00
      3:15:00              | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
      1 day, 11:55:00      | Official patch :: CVE-2014-6277                | Patch | 1 day, 11:55:00
  15. Respond. Day 1
  16. aws.amazon.com/architecture : Web application hosting
  17. aws.amazon.com/architecture : Web application hosting
  18. Primary workflow for our deployment (TCP : 443, TCP : 4433)
  19. AWS VPC Review
  20. AWS VPC Checklist. Review: IAM roles, security groups, network segmentation, network access control lists (NACL). More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
  21. Primary workflow for our deployment (TCP : 443, TCP : 4433)
  22. HTTPS. Intrusion prevention can look at each packet and then take action depending on what it finds
  23. aws.amazon.com/architecture : Web application hosting
  24. Intrusion Prevention in Action
  25. Review: all instances covered, workload-appropriate rules, centrally managed. Security controls must scale out automatically with the deployment
  26. Repair. Day 2
  27. aws.amazon.com/architecture : Web application hosting
  28. All instances deployed from a task-specific AMI (TCP : 443, TCP : 4433)
  29. AMI Creation Workflow: Instantiate -> Configure -> Bake -> Instantiate -> Test -> Destroy. Workflow should be completely automated
  30. AMI Creation
  31. aws.amazon.com/architecture : Web application hosting
  32. Integrity Monitoring (AMI -> Instance -> Alert). Instances tend to drift from the known good state; monitoring key files & processes is important
  33. Integrity Monitoring
  34. Keys. Respond: review configuration, apply intrusion prevention. Repair: patch vulnerability in new AMI, leverage integrity monitoring
  35. Keys: Automation
  36. Safe. Easy. Fast.™ MatchMove Wallet's Cloud journey. Presented by: Paul Hidalgo, Cloud Architect, MatchMove Pay Pte Ltd
  37. • Founded in 2009 • Investors are Vickers Group, Credit Saison and GMO • 6 countries in ASEAN • PAAS / gaming company
  38. Issuer of American Express and MasterCard across Asia. www.mmvpay.com
  39. Secure payment. Accepted everywhere. Good for small/micro-transactions
  40. No age limit. No minimum income. No risk of overspending
  41. Loyalty. Deals. Remittance
  42. 3 minute sign up. Easy top-up. View card. Transactions
  43. Notifications. Easy menu. Promotions. AML/Compliance (KYC)
  44. B2B Model
  45. Promo • First 50 signups from this event will get $5 worth of top-up free. • You can use this to pay your AWS bills! No bill shock!
  46. How? • Sign up on this URL: matchmove.cards/paul5
  47. Our Journey
  48. Our challenge • Industry credibility • Scalability • World class security • Cost • Delivery speed
  49. Our Plan • All-cloud • PCI-DSS • Automated security • Modular
  50. Our ecosystem: MatchMove Network, Banks, Regulatory and Compliance, Payment Providers, Processor
  51. Cloud design: Internet, AWS cloud / VPC, instances
  52. What we needed • Our instances need to get the latest updates without going online • Anti-malware patching • New configurations • New threats • Centralized security logging
  53. Our implementation: Internet, VPC with a public subnet and a private subnet, web servers, Deep Security Manager
  54. Compliance • 33/202 • PCI-DSS 3.0 requirements
  55. Not just AV/IPS/malware • Source code monitoring • Configuration file monitoring • Log checks
  56. Not just AV/IPS/malware • Logins • Web 500 errors • Memory issues
  57. Automated testing • Weekly scans even when we are not in an audit period
  58. Shared Security. Infrastructure level: DDoS & DoS, Security Groups (Firewall), CPU usage, Memory, Cloud logs (MatchMove / Trend Micro / AWS). OS and application level: Malware, File integrity, Server hardening, VPN and encryption, Vulnerabilities (MatchMove / Trend Micro / AWS)
  59. Shared Security. User access controls and security: Access responsibility, 2FA, Secure passwords, User data encryption (MatchMove / End user / Partner). Monitoring and alerts: Vigilante, 24/7 monitoring, Cloud / intrusion alerts (MatchMove / Trend Micro / AWS / Partner)
  60. Instant-on Security: Elastic Load Balancing, web servers, Deep Security Manager
  61. Continuous Security Testing: DSM / MySQL (Production) and DSM / MySQL: policies, rules, rollouts
  62. Real life DDoS: detection, analysis, location
  63. Lessons • We saved money and time compared with hiring a security team • We didn't know attacks happen THAT frequently, even on our test environments
  64. Lessons • Building a secure cloud infrastructure can be challenging to begin with, but it all works out in the end • CloudFormation / OpsWorks / Beanstalk are your friends • Better to know account limits (e.g. load balancers) so you can plan ahead
  65. Safe. Easy. Fast.™
  66. aws.trendmicro.com Singapore
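Slides 32 and 33 argue that instances drift from the known-good AMI and that key files must be watched. The script below is an added illustration of that idea, not code from the deck or from Trend Micro's Deep Security product: it records SHA-256 digests of a hypothetical watch list at bake time and later reports files that were modified or removed on the running instance. The watch list, the directory tree and the drift are all constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical watch list; in practice the baseline is taken from the golden AMI.
WATCHED = ["bin/bash", "etc/passwd", "etc/ssh/sshd_config"]


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Digest each watched file as it exists on the known-good image under root."""
    return {rel: file_digest(root / rel) for rel in watched if (root / rel).is_file()}


def detect_drift(root: Path, baseline: dict) -> list:
    """Compare the running instance under root with the baseline; return alert lines."""
    alerts = []
    for rel, good in baseline.items():
        p = root / rel
        if not p.is_file():
            alerts.append(f"MISSING {rel}")
        elif file_digest(p) != good:
            alerts.append(f"MODIFIED {rel}")
    return alerts


def demo() -> list:
    """Constructed scenario: bake a golden tree, then let the instance drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHED:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(f"golden contents of {rel}\n")
        baseline = build_baseline(root)  # taken at AMI bake time
        # Drift after launch: a config file edited in place and a binary removed.
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin/bash").unlink()
        return detect_drift(root, baseline)


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

The baseline dictionary is what a central manager would store per AMI; each instance re-runs detect_drift on a schedule and ships the alert lines to the logging pipeline.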
