Automating Event Driven Security in the AWS Cloud

Automating Security in the AWS Cloud

Copyright 2017 Trend Micro Inc.2
ContainersCloudVirtualPhysical Serverless
101
010
SecondsMinutesDaysWeeks ImmediateTime to deploy
Deep Security
Protecting the server compute evolution
Teams: SecOps to DevSecOps
Applications: Changing more frequently, shorter lifespan
Threat Sophistication: Known Threats to Unknown, Targeted Threats
Licensing & Procurement: Static to Consumption-based, cross-environment
Protecting the Compute Evolution

Deep Security vs. Point Solutions over the
Evolving Server Threat Landscape
Firewall
Intrusion
Prevention
Application
Control
Sandbox
Analysis
Web
Reputation
Log
Inspection
Anti-Malware
File Integrity
Virtualization
Optimized
Machine
Learning
ThreatSophistication
“History has clearly shown that no single approach will be successful for thwarting all types of malware
attacks. Organizations and solution providers have to use an adaptive and strategic approach to malware
protection.” - Gartner EPP MQ 2016 quote

Anti-Malware & Web Reputation
Intrusion Prevention (IPS) & Firewall
Integrity Monitoring & Log Inspection
Application Control
Safe files &
actions allowed
Malicious files &
actions blocked
LEGEND
Known
Good
Known
Bad
Unknown
Machine Learning
Behavioral Analysis
Custom Sandbox Analysis
Cross-generational Blend of
Threat Defense Techniques
SOON!
NEW!
NEW!
NEW!

Threat Researchers
• 450 researchers
• Threat lifecycle and
distribution research
• 3k+ external vulnerability &
exploit researchers (ZDI)
Algorithm Accuracy Determined by Quality &
Volume of Training Data from SPN
Global Threat Intelligence
• 100 TB analyzed daily
• 500k new threats daily
• 800M+ good file whitelist
• 100s of millions of sensors

Network Based Security is Great
• It can be really expensive in
the beginning of operations
• Throughput is capped by
appliance
• Network Re-Configuration is
required

East-West Traffic80% of Network Traffic is East-West

Defend Against
Network & App
Threats
Response &
Containment
Intrusion
Prevention
Integrity
Monitoring
Anti-Malware &
Content Filtering
Machine
Learning
SOON!
Sandbox
Analysis
NEW!
Behavioral
Analysis
NEW!
Application
Control
NEW!

Threat Sophistication
Evolving Infrastructure
Speed of App Changes
IT Dynamics
Hybrid Cloud Security Challenges
Customer Pain
Lack of resources, need to
simplify
Threat protection & audit
Performance across hybrid
cloud
Overwhelmed
Incompatible
Audit
TooMany Tools
ZeroDay
ScanStorm

Customized views with Smart Folders
• Different teams have different requirements
• The security team is responsible for protecting
the computers within that infrastructure
• The infrastructure team is usually responsible for deploying computers
and ensuring the infrastructure remains stable and reliable
• Deep Security Smart Folders allow Security Administrators to arrange computers in a way that
makes sense from a security perspective – regardless of where the infrastructure team has
provisioned them
• Security Administrators can specify criteria that will dynamically populate the smart folder

Customized View of Computers and Workloads
1. Create your Smart Folder 2. Define filter rules based on Computer Properties
3. Custom organized
system-wide view of Data
Center and Cloud
workloads

AWS Simple Notification Service (SNS) Integration
• Send key events to the right system or team
via SNS topic
• Create automated responses to security
events
– Anti-malware events
– Web reputation events
– Firewall events
– Intrusion prevention events
– Integrity events
– Log inspection events

Block unknown software from running
on Protected Servers
• When enabled, Application Control will scan
servers and create a whitelist of approved
software
• Administrator defined rules can block all
unknown software (not included in the whitelist)
until explicitly allowed
– Effectively “locks down” servers to
significantly reduce its attack surface
• Real-time protection against unknown software
• Included with the System Security License (along
with Integrity Monitoring and Log Inspection)
Application
Control
Many ways for malware to install on your servers
• Intrusions
• Lateral Movement
• Human Error
• Authorized users installing custom/personalized tools

Administrator Control See how many unknown
software events occurred
hourly, daily, monthly or in
total
Customize view by File or
Computer
Lockdown Servers
across the Hybrid
Cloud even when
workloads are elastic
Choose ”Allow” to add
software to whitelist
Choose ”Block” to exclude
from whitelist
List view of all unknown
software events
Share rulesets with
other computers
Detailed view shows who
changed the file

Application Control CI/CD Integration
Build Software
Notify Deep
Security - New
Software
Deploy Software
Notify Deep
Security -
Deployment
Complete
Analyze,
Detect,
and
Prevent
Use Deep Security API's to
notify DS that new software
will be deployed to host
Use Deep Security API's to
notify DS that the deployment
is complete
OR
Application
Control

16
Trend Micro Control Manager
Detect, analyze and contain suspicious document files
ANALYZE DETECT
PREVENTRESPOND
Insight & Control
Deep Security
Deep Security receives updated
signature and policy (eg. Quarantine)
Suspicious files are detected
by Deep Security and
submitted to Deep
Discovery Analyzer
Sandbox analysis results are sent to
Trend Micro Control Manager where
remediation actions are set
Suspicious objects are analyzed in a
closed sandbox environment – to confirm
Ransomware attack
Deep Discovery Analyzer

Intelligent Detection and Protection against
Ransomware attacks
Deep Security Anti-
malware is protecting
server
Anti-malware
Behavior Monitoring
Unknown
Ransomware finds
server host and
starts legitimate
looking process
Deep Security detects and
monitors suspicious behavior
and begins backing up files
Deep Security determines behavior
to be a Ransomware Attack > Stops
process and quarantines file
Deep Security restores
original unencrypted files to
directory and logs event
Ransomware begins
encrypting files

Deep Security
Agent (DSA) Application
Container
(e.g. MySQL)
Application
Container
(e.g. NGINX)
Docker Engine
Operating SystemDS Kernel
Modules
Real-Time
Anti-Malware (AM)
Policy Enforcement (Containers)
Policy Enforcement (Host)
Intrusion Prevention /
Virtual Patching (IPS)
Runtime Protection for Docker Deployments
• Intrusion Prevention /
Virtual Patching (IPS)
• Anti-Malware (AM)
• Application Control
• Host Firewall, WRS
DSA is installed directly on
the Docker Host
• Docker Host visibility
reported to DSM
• Log inspection
• Integrity Monitoring

Submitting Suspicious Files
on a Cloud Instance

This is What Happened?
Attacker
Bad File
Upload
Affected
ECS Host
Detect and
Report
Deep Security
Manager
Trigger
Lambda Function
Affected
ECS Host
Terminate
Snapshot for
Investigation
Add More
Hosts
Create
Snapshot
Auto Scaling
Group

Shielding Vulnerabilities
on a Cloud Instance

This is what happened?
Attacker
Run
Exploit
EC2 Instance
Via Beanstalk
Deep Security
Manager
Prevent
And Report
Trigger
via SNS
Lambda Function
Database
Snapshot
Create
RDS DB Snapshot

XGen Approach to Hybrid Cloud Security
We have seen How To:
• Protect on-premises Datacenter Servers, Virtual or Cloud Instances using techniques such as
Advance Malware Protection, Vulnerability Shielding
• Central visibility, in built automation to scale up / down your security deployment and policy
assignments on public cloud platforms
• Automate threat response to on-premises DC server farms, Virtual and Cloud workloads
Key Benefits:
• Cross generational approach provides maximum protection against all types of threats
• Allows scalability without increasing complexity of management
• Helps customers with fastest Time to Protect
• Single pane visibility with actionable intelligence leads to better incident response

Confidential © 2017 Trend Micro Inc.
Gartner Magic Quadrant for
Endpoint Protection Platforms
January 2017
This graphic was published by Gartner, Inc. as part of a larger research document and
should be evaluated in the context of the entire document. The Gartner document is
available upon request from
https://resources.trendmicro.com/Gartner-Magic-Quadrant-Endpoints.html
Gartner does not endorse any vendor, product or service depicted in its research
publications, and does not advise technology users to select only those vendors with the
highest ratings or other designation. Gartner research publications consist of the opinions
of Gartner's research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to this research,
including any warranties of merchantability or fitness for a particular purpose.

Market Leadership Position
The market leader
in server security
for the 7th straight year
Highest and Furthest to the Right in
the Leader’s Quadrant in the Gartner
Magic Quadrant for Endpoint
Protection Platforms, Jan 2017
#1 in protection and performance
• Source: IDC, Securing the Server Compute Evolution: Hybrid Cloud Has
Transformed the Datacenter, January 2017 #US41867116
• NSS Labs Breach Detection Test Results (2014-2016);
NSS NGIPS Test Results, 2016
• http://www.trendmicro.com/us/business/cyber-security/gartner-idps-report/
• https://resources.trendmicro.com/Gartner-Magic-Quadrant-
Endpoints.html
• av-test.org (Jan 2014 to Dec 2016)
Recommended Breach Detection System
for 3 straight years, and
Recommended Next-generation IPS
Leader in Gartner Magic Quadrant for
Intrusion Detection and Prevention
Systems, January 2017

Automating Event Driven Security in the AWS Cloud

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Automating Event Driven Security in the AWS Cloud

Similar to Automating Event Driven Security in the AWS Cloud (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Automating Event Driven Security in the AWS Cloud