Users are increasingly adopting AWS Cloud for their IT strategy to drive digital transformation. Securing clouds requires shared security responsibility. In this session, learn about the inherent threats and the solutions needed to secure your entire cloud stack, from infrastructure to applications. Learn the importance of total visibility across your public clouds, and how to set up security for workloads both internally and at the perimeter. Avoid issues such as data leaks and crypto-mining attacks through your cloud infrastructure with continuous security monitoring. Learn best practices from real-world examples of customers transparently orchestrating security into their practices and DevOps pipelines. This session is brought to you by AWS partner Qualys.
A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) - AWS re:Invent 2018
1. QUALYS SECURITY CONFERENCE 2018
Total Visibility and Comprehensive Security for AWS Cloud Workloads and Infrastructure
A 360˚ Cloud Native Approach to Secure your AWS Cloud Stack
Hari Srinivasan, Director, Product Management, Qualys, Inc.
Sean Nicholson, Security Solution Architect, Qualys, Inc.
Alex Mandernack, Security Solution Architect, Qualys, Inc.
2. Agenda
• “Shift Left” migration & requirements
• Your responsibility in cloud security
• Customer case studies
• Qualys security for hardening and standardizing workloads
• Qualys security for infrastructure
• Use cases & demo
• Q&A
AWS re:Invent 2018, 28 November 2018
3. The Big Migration… in security, it is happening…
Continuous Secure Development and Deployment
SECURITY AT DEVELOPMENT (DEVELOPERS / SECURITY / OPERATIONS across BUILD, DEPLOY, MONITOR): Static Code Analysis, Vulnerability Management, Compliance Checks, Configuration Assessments, Web Application Scanning, Web Application Firewalls
SECURITY AFTER DEPLOYMENT (SECURE CI/CD, MONITOR): Vulnerability Management, Web Application Scanning, Compliance Checks, Configuration Assessments
4. DevOps/DevSecOps Requirements… AUTOMATION & ACTIONABLE DATA…
DevSecOps Engineer / DEVELOPERS: responsible for automating security checks and remediating viable security threats in development/deployment practices
Amazon ECS
5. The New IT: Hybrid, with increasing cloud deployments
ON-PREMISES* / PUBLIC CLOUD
6. Cloud Security with Qualys
Secure any infrastructure, any scale, on-premises and in cloud
Single Pane View / Same Security Standards / Same Security Processes
ON-PREMISES* / CLOUD
*Support includes private cloud platforms like Hyper-V, OpenStack, VMware, etc.
7. Shared Responsibility Model
You are responsible for securing your data and workloads
Varies by service (IaaS, PaaS, SaaS)
9. Qualys Sensors for AWS
• VIRTUAL SCANNER APPLIANCES: Remote scan across your networks – hosts and applications
• CLOUD AGENTS: Continuous Security View and platform for additional security solutions
• CLOUD CONNECTORS: Sync cloud instances and their metadata
• INTERNET SCANNERS: Perimeter scan for edge-facing instances/hosts and URLs
• WEB APPLICATION FIREWALLS: Actively defend against intrusions and secure applications
11. Securing your Public Cloud Using Qualys: Customer Case Studies
• Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys into DevOps
• Moving towards a “Security as a Service” model with approved AMI marketplace
• “Just in time” security approvals with end-to-end integration of Qualys Scan and Reports with ServiceNow
A SOFTWARE MAKER
12. Capital One
Before: Lack of Security Automation Delays Release
Two weeks until the Image (AMI) is certified for production
Machine Builders ↔ Vulnerability Management Teams: VM SCAN/REPORT (48 HOURS), VM SCAN/REPORT (48 HOURS)
13. Capital One
Introducing Security at the Source: Bake Qualys Security into Gold Images and AMI
Public / Custom OS GOLD IMAGE and AMAZON MACHINE IMAGE (AMI) → CI/CD PIPELINE (Bake)
QUALYS ASSESS ON DEV INSTANCES: OS + Qualys Scanner + Qualys Agent identify vulns. & config. issues
HARDENED INSTANCES: OS + Qualys Agent fix & verify
Approved Gold Image and AMI → APPROVE and PUBLISH → Live Instances (Qualys Agent, Qualys Scanner)
Bakery process happens within 24 hrs
14. Company Profile
Makes software for architecture, engineering, construction, and media
INDUSTRY: Software, Media, Manufacturing
REGION: USA
CLOUD: AWS
DEPLOYMENT REGION: US
SERVICES USED: Amazon EC2, Amazon S3, Amazon RDS, Amazon EMR, Amazon EBS, Containers, Amazon VPC
QUALYS USAGE: Vulnerability Mgmt., Asset View, Network Scanner Appliances
Business Drivers
• Migrating data centers to AWS, establishing security processes for cloud
• Keeping up with security of “just in time” projects, with multiple teams submitting requests for spinning up infrastructure
Requirements
• Automate Vulnerability Mgmt. end to end, from Connectors and Scans to Results
• Integrate into ServiceNow for end-to-end invocation
Solution: “Security as Service”, integration between ServiceNow and Qualys
15. Cloud Inventory & Security Posture Dashboard (New!!)
Visibility into your cloud instance inventory
Identify your security coverage
View security posture
16. Detect Vulnerabilities – Internal and External
Comprehensive vulnerability posture
17. Detect External Vulnerabilities with Cloud Perimeter Scan
Launch DNS-based scans on public instances auto-selected from your account via connectors
Add Elastic Load Balancer DNS
Generate results with external-only remote-check vulnerabilities
Auto-selects Public Instances; add the Load Balancer’s DNS
19. Qualys can help you with GDPR
How Qualys Can Help with GDPR
1. Automate Assessment & Data Gathering
2. Identify & Track Assets
3. Protect Systems against Compromise
4. Validate Security Controls & Compliance
5. Manage Vendor Risk
20. Scan your Web Applications
Web Application Scanning
Scan external sites for malware
Supports REST API vulnerability checks
DevOps support with plug-ins and APIs
New!!! Browser Recorder Chrome extension
OWASP Top 10 (2017) – Source: Open Web Application Security Project
A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring
21. Cloud Workload Security with Qualys
PUBLIC CLOUD: IaaS, PaaS*
* PaaS – Cloud Database Scanning (Amazon RDS) – Roadmap 1H ‘19
22. Integrating within the process and response pipeline with Partners
• Securing by micro-segmentation and segregation
• Configuration and Change Management
• Keeping track of assets (CMDB)
• Pumping data into SIEM for analysis
23. Qualys Cloud Apps in AWS Marketplace
Vulnerability Mgmt., Policy Compliance, Web Application Scanning
Soon… Web Application Firewall, Cloud Security Assessment, Container Security, File Integrity Monitoring, Indication of Compromise
24. Works with AWS Security Hub
Get insights into Vulnerability, Compliance, and Configuration Assessment data
Identify:
• Misconfigured Amazon EC2 instances with high-severity vulnerabilities that are missing patches, vulnerable to unauthorized access, open to public, etc.
• Compliance mapping to mandates
• Misconfigurations of infrastructure like security groups
Open for Public Preview now!!
26. Australian Insurance Company: Visibility of deployments stops misuse of keys
AWS sent a notice of compromised keys attempting to create multiple accounts in EU
Company Profile: Largest provider of Auto and Agriculture insurance
INDUSTRY: Insurance
REGION: Australia
CLOUD: AWS
DEPLOYMENT REGION: Australia
SERVICES USED: Amazon EC2, Amazon S3, Amazon RDS, Amazon EMR, Amazon CloudFront
Use Case: Identify the resources in the EU region, find the Amazon S3 buckets which are open to public and have the keys stored
Requirement
• Identify where the deployments are located
• Identify Amazon S3 buckets that are public and fix them
• Ensure best practices are followed by IAM users of the account
28. Qualys Cloud Inventory and Security Assessments
Unparalleled Visibility and Continuous Security Monitoring across public cloud infrastructure
Cloud Inventory / Cloud Security Assessment
29. DEMO: Cloud Inventory, Cloud Security Assessment
What is my public cloud usage?
What is my security posture?
Do I have any publicly accessible security accounts?
Are my security groups opening unauthorized access to the internet?
Is logging enabled for my cloud infrastructure?
30. Use Case #1: Visibility into your public cloud
ARN-based Connector
View into:
• Resource Distribution by Type
• Resources by Region
Personalize and add custom widgets
31. Use Case #2: Identify misconfigured S3 buckets
Misconfigured S3 buckets may lead to unintentional data access attempts
Check the S3 Bucket Access Permissions Regularly
• Review Access Control List
• Check Bucket Policy
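As an added example (not from the deck or from Qualys), the two reviews above, ACL and bucket policy, written as offline checks over the response shapes boto3 returns for get_bucket_acl and get_bucket_policy; the bucket names, owner ID and ARN in the sample are constructed:

```python
import json

# Grantee URIs that make an ACL grant public: everyone (AllUsers) or any
# AWS account holder (AuthenticatedUsers), which is effectively public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """Permissions the ACL hands to a public group (boto3 get_bucket_acl shape)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def policy_public_statements(policy_json):
    """Sids of Allow statements open to any principal and not narrowed by a Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a lone statement may be un-listed
        statements = [statements]
    public = []
    for st in statements:
        p = st.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and "Condition" not in st:
            public.append(st.get("Sid", "<no sid>"))
    return public

def assess_bucket(name, acl, policy_json=None):
    """Combine both reviews into one finding; 'public' is the headline flag."""
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy_json) if policy_json else []
    return {"bucket": name, "acl": acl_hits, "policy": policy_hits,
            "public": bool(acl_hits or policy_hits)}

# Constructed sample: one bucket with a public-read ACL grant and a policy that
# lets anyone GetObject, beside a bucket that only its owner can reach.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
PUBLIC_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(assess_bucket("example-bucket", PUBLIC_ACL, PUBLIC_POLICY))
    print(assess_bucket("private-bucket", PRIVATE_ACL))
```

A statement with a Condition is skipped rather than cleared, so review those by hand; the account-level S3 Block Public Access setting is a separate check.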
32. Use Case #3: Detect compromised IAM users
Check for:
• Configure Strong Password Policy for Account
• Enforce MFA for Console Users
• Rotate IAM Access Keys Every 90 Days
• Remove Unnecessary Credentials
• Audit Process
• Create separate user for console & API access (segregation of duty)
• Track password age
• Deactivate unused keys
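As an added example (not from the deck or from Qualys), the checklist above applied to the CSV that IAM's credential report produces; the 90-day limit comes from the list, its reuse for password age and idle keys is an assumption, and the three users in the sample report are constructed:

```python
import csv, io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)   # key rotation limit; assumed for passwords/idle keys too
NOW = datetime(2018, 11, 28, tzinfo=timezone.utc)   # fixed "today" (slide date)

def _when(value):
    """Parse a report timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit_user(row, now=NOW):
    """Apply the Use Case #3 checks to one row of the credential report."""
    findings = []
    console = row["password_enabled"] == "true"
    if console and row["mfa_active"] != "true":
        findings.append("console user without MFA")
    changed = _when(row["password_last_changed"]) if console else None
    if changed and now - changed > MAX_AGE:
        findings.append("password older than 90 days")
    active_keys = 0
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        active_keys += 1
        rotated = _when(row[f"access_key_{n}_last_rotated"])
        if rotated and now - rotated > MAX_AGE:
            findings.append(f"access key {n} older than 90 days: rotate")
        used = _when(row[f"access_key_{n}_last_used_date"])
        if used is None or now - used > MAX_AGE:
            findings.append(f"access key {n} unused: deactivate")
    if console and active_keys:
        findings.append("console and API access on one user: segregate")
    return findings

def audit_report(report_csv, now=NOW):
    return {row["user"]: audit_user(row, now)
            for row in csv.DictReader(io.StringIO(report_csv))}

# Constructed sample with the columns the checks read (the real report has
# more; DictReader ignores the extras, so the full report parses as well).
SAMPLE_REPORT = """\
user,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2018-11-01T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,true,2018-05-01T09:00:00+00:00,false,true,2018-06-01T09:00:00+00:00,2018-11-27T09:00:00+00:00,false,N/A,N/A
ci-deploy,false,not_supported,false,true,2018-10-15T09:00:00+00:00,2018-07-01T09:00:00+00:00,false,N/A,N/A
"""
```

Users with an empty finding list pass; the same function runs unchanged over the full report fetched with the IAM API.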
33. Australian Insurance Company: Visibility of deployments stops misuse of keys
AWS sent a notice of compromised keys attempting to create multiple accounts in EU
Solution: With Qualys Cloud Inventory and Assessment
• Gain visibility into the global deployments
• Identify Amazon S3 buckets that are public and require fixing
• Identify the IAM users and their security posture
34. CloudView
A FREE inventory and monitoring service for your public cloud
Visibility – Get started with a FREE service
* FREE version is for Cloud Inventory, defaults to 3 accounts per cloud, can be extended further
35. Use Case #4: Misconfigured Security Groups
Security Groups with the default rule allowing access on ports 22 and 3389
With Qualys Vulnerability Mgmt.: Identify Security Groups exposing vulnerable instances
36. Qualys Cloud Inventory and Security Assessment: Key Capability
• Visibility into your public cloud: Get a topographic view of your cloud inventory.
• Continuous security monitoring: Monitor against security standards. Identify threats from misconfigurations.
• Actionable insight & threat prioritization: Prioritize by understanding association with exposures linked to vulnerable instances and network placement.
37. Threat Analysis: Correlating vulnerability data to provide risk insights (Coming Dec. 2018)
Use Cases
• Security Groups allowing access on the same ports where network vulnerabilities have been identified
• Vulnerable Amazon EC2 instances with instance profiles accessing Amazon S3 buckets
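As an added example (not from the deck or from Qualys) covering both Use Case #4 and the first threat-analysis use case above: the default-rule check for ports 22/3389 open to the internet, and the correlation of scan findings with the security groups that expose the same port. Group, instance and finding data are constructed in the shape of ec2 describe_security_groups output; the finding titles are placeholders:

```python
# Ports the deck calls out as left open by default rules: SSH and RDP.
ADMIN_PORTS = {22, 3389}
PUBLIC_NETS = {"0.0.0.0/0", "::/0"}   # "anywhere" sources
def _ports(perm):
    """Port range an IpPermission covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)

def _from_internet(perm):
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(s in PUBLIC_NETS for s in sources)   # whole-internet source?

def allows_from_internet(group, port):
    """Does this security group admit `port` from anywhere?"""
    return any(_from_internet(p) and port in _ports(p)
               for p in group["IpPermissions"])

def open_admin_ports(group):
    """Use Case #4: 22/3389 reachable from the internet through this group."""
    return sorted(p for p in ADMIN_PORTS if allows_from_internet(group, p))

def exposed_findings(groups, instances, findings):
    """A finding on (instance, port) is exposed when one of the instance's
    groups admits that same port from the internet (slide 37 correlation)."""
    by_id = {g["GroupId"]: g for g in groups}
    exposed = []
    for f in findings:
        via = [sg for sg in instances[f["instance"]]
               if allows_from_internet(by_id[sg], f["port"])]
        if via:
            exposed.append({**f, "via": via})
    return exposed

# Constructed sample: groups in describe_security_groups shape, an
# instance->groups map, and scan findings keyed by instance and port.
def _rule(proto, port, cidr):
    base = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []}
    return base if proto == "-1" else {**base, "FromPort": port, "ToPort": port}
GROUPS = [
    {"GroupId": "sg-default", "IpPermissions": [_rule("tcp", 22, "0.0.0.0/0"),
                                                _rule("tcp", 3389, "0.0.0.0/0")]},
    {"GroupId": "sg-web", "IpPermissions": [_rule("tcp", 443, "0.0.0.0/0")]},
    {"GroupId": "sg-internal", "IpPermissions": [_rule("-1", None, "10.0.0.0/8")]},
]
INSTANCES = {"i-bastion": ["sg-default"], "i-web": ["sg-web", "sg-internal"],
             "i-db": ["sg-internal"]}
FINDINGS = [{"instance": "i-bastion", "port": 22, "title": "weak SSH key exchange"},
            {"instance": "i-web", "port": 443, "title": "weak TLS cipher"},
            {"instance": "i-db", "port": 3306, "title": "unpatched database"}]
```

The database finding stays internal because its only group admits 10.0.0.0/8, which is why the correlation, not the raw vulnerability list, drives prioritization.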
38. Remediation: Automate real-time actions to protect against risks
Lambda function that reads the state of the S3 bucket and updates it to make the bucket and its objects private.
Integration into Qualys CloudView (Coming in Q1’2019)
• Collect evaluation results
• Execute update permissions
39. Cloud Infrastructure Reports (Coming Jan. 2019)
Generate reports for CIS Benchmarks and mandates like PCI, HIPAA, ISO27001, NIST 800-53…
Configure for specific accounts and regions
Schedule reports daily, weekly or monthly
42. Container Lifecycle Challenges
Build (Container Images): What’s in the images? Vulnerabilities? OSS license exposure? Solution disruptive to my CI pipeline?
Ship (Container Registry): Registry scanning? Enforce compliance? Vulnerability, package and license-based rules?
Run (Container Instances, Infrastructure): How to protect the host? Container engine configured correctly? Container orchestration configured correctly? Runtime app visibility? Runtime app protection?
Across the lifecycle: Scanning report integrated with bug tracking? Vulnerability impact notifications?
43. Qualys Container Security
Build (Container Images): Software Composition, Vulnerability Analysis, OSS License Analysis, Integration with CI Pipelines
Ship (Container Registry): Registry Scanning, Compliance Controls, Vulnerability, Package and License-based Rules
Run (Container Instances, Infrastructure): Host Protection, Container Engine Benchmarking, Container Orchestration Benchmarking, Deep Runtime Visibility, Runtime Protection
Across the lifecycle: Bug Tracking Integration, Real-time Vulnerability Impact Notifications
44. Qualys Container Security: Protection for the container infrastructure stack
• Scanning & Compliance: Accurate insight and control of container images
• Visibility & Protection: Automated analysis and enforcement of container behavior
• Host Protection: CIS Benchmarks
47. QUALYS SECURITY CONFERENCE 2018
Thank You
Hari Srinivasan, hsrinivasan@qualys.com
Sean Nicholson, snicholson@qualys.com
Alex Mandernack, amandernack@qualys.com