Learn how Symantec uses AWS to provide complete, integrated security solutions that monitor and protect companies and governments from hackers. Hear about lessons learned from how Symantec scaled up its infrastructure to analyze billions of logs every day to detect the world’s most sophisticated cyber attacks, and you’ll see how Symantec integrates with native AWS services, like Amazon GuardDuty, AWS Lambda, and AWS Systems Manager, into its own security solutions to provide even better security in the cloud. This session is brought to you by AWS partner, Symantec Corporation.      

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS and Symantec: Cyber Defense
at Scale
S E C 3 1 1 - S
Clint Sand
VP Product
Symantec
Rich Vorwaller
Principal PM
Symantec
Scott Webster
Sr. Manager, InfoSec
LifeLock

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Headquarters
Data Center
Regional
Office
Roaming
Users
Delivering a Simplified Security Model for the Cloud Generation
Symantec Integrated Cyber Defense
Cyber Security Services

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Agenda
Scaling Next Generation SOC Technology1
RE:PLATFORM TO AWS
Security Analytics Research in the Cloud2
Integration with AWS4
RE:SECURE WITH AWS
Security Evolution to the Cloud3

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
re:Platform to AWS
Cyber Security Services
Clint Michael Sand
VP of Product, Cyber Security Services
@clintmsand

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Analysis Team
Validate, Classify,
Prioritize, Escalate,
Triage, Contain
Incident Response
3
Automated Enrichment
2
Intelligence
Business Context
Analytics Engine
Transforms log data into
security events
Applies intelligence /
business context
Endpoint
Firewall
Application Server
NIDS
Data Ingest
[Via API, syslog, file, JDBC, etc..]
1
Cloud
Log
Collection
Platform
Our Approach to Cyber Security Operations Automation

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Cloud Security Monitoring Capabilities
SYMANTEC CYBER SECURITY SERVICES
SOC Security Analysts Global Threat Intelligence LCP in AWS
Collectors
for SaaS
Collectors for
Symantec CASB
Collectors for On-Prem
Collectors
for AWS
Log Collection Platform

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Problem to Solve: Security Analysis at Scale
How do we stay ahead of attackers
as the amount of data to process
continues to grow?
0
50
100
150
200
250
1 2 3 4
YoY Per Day Processing Growth
~150Billion
Security Logs
Processed
~60,000 Security Incidents
Identified
~10,000 Security Incidents
Validated
~130 Security Incidents
Escalated
Averages over 24 hour period across cloud and on-prem sources
LogsinBillions
Year

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
How We Solved It: Using Serverless AWS for Scale

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
What We Learned
Proper partitioning and file formats are important
• Increased query performance and reduced costs by partitioning and using a
columnar file format such as Parquet
• Amazon Redshift Spectrum prefers large files; smaller files don’t allow it to take
advantage of columnar benefits
1
One Big or Many Small
• Multiple smaller Amazon Redshift clusters with a load balancer increase the number of
available query slots for concurrent queries
2
Flexibility and Portability
• Using the AWS Glue Catalog allows the same database, tables, and partitions to be
used from Amazon Redshift Spectrum and Amazon Athena
• Makes using these services situationally easy
3

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
What We’ve Observed: Understanding the Rhythm of the Cloud
• Datacenter systems usually
perform the same task in the
same way
• System criticality and security
relevance can generally
assumed to be static
On-Prem environments
are typically very
predictable
• DevOps workflows enable
continuous change in
infrastructure
• However, user account
usually performs the same
task in the same way
Cloud environments,
however, tend to be
dynamic
• Focus on user activity versus
system activity as a starting
point
• Create predictive indicators
of unusual cloud user
transactions
How can AWS services be
used to detect ripples in a
dynamic landscape?

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Exploring the Rhythm of Cloud
Rhythm Setting Process
CloudTrail logs streamed
to a Lambda function
1
Anomaly Detection Process
Tracks “Normal” rhythm for
accounts by anomaly
detection processor and
statistical analysis
3
GuardDuty determines
unknown IP address,
UnknownASNCaller event
triggered
4
CloudWatch rule triggered
based on UnknownASNCaller
5
Intelligence
Enrichment
Lambda function compares
user actions after GuardDuty
event to determine if actions
are normal rhythm
6
If Lambda determines user
actions outside of standard
rhythm, data is enriched
increase confidence/severity
7
Enriched data including
actions taken and
GuardDuty details are sent
to MSSP further analysis
and action
8
Cyber Security Services
Lambda tracks frequency
and last usage; stores data
in DynamoDB
2

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Visualize
USR_ADMIN_ROLE
Cloud Rhythm Anomaly Results Investigate

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Importance of Comprehensive Cloud Security Visibility
Research Findings in AWS Security Hub

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
re:Secure with AWS
Security Evolution to the Cloud
Rich Vorwaller
Principal PM, IaaS Security
@richvorwaller

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Journey to the Cloud
How do I take the
same security I
had on-prem to
the cloud?
How do I make my
security even better than
what I had on-prem?

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Journey to the Cloud
How do I take the
same security I
had on-prem to
the cloud?
How do I make my
security even better than
what I had on-prem?

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Frequent Customer Questions
Am I following AWS best practices?1
How can I deploy your solution?2
How does your product integrate with AWS security?3
?

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Building Visibility without Agents: APIs & CloudTrail
Role
Template
Query
Services
Establish a Baseline Track Changes

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Making Agent Installation Easier with AWS Systems Manager
Run command
Instances
Lambda
Function
Bucket
Lambda
Function
Customers AWS Account
Create X-acct IAM role
Lambda function for status
Creates S3 bucket &
uploads CWP agent
Run command to
install CWP agent
Upload install logs
Download&install
CWPagent
Lambda function &
Amazon SNS topic for status
CWP Service
Query Amazon EC2 for inventory

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
LifeLock Test Case
AWS Security Hub & CWP
Scott Webster
Sr. Manager, InfoSecurity

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Test Case: GuardDuty & CWP Before AWS Security Hub
Flow logs
CWP Events
Log Aggregation
Evaluate scan results
Repeat until
event remediated
CWP manually scan
EC2 Instance
Findings warrant
further investigation
Finding
Analyst Investigation Analyst Action

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Automatic Scanning Based on GuardDuty Findings
AWS
Security Hub
CWP
CloudWatch
Event
FindingsFindings
File scan
Scan Results

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
AWS Security Hub Findings

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Symantec @ AWS re:Invent 2018

26. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.