AWS Loft presentation on 04/28/16. You’ve configured host and network based ACLs, enabled CloudTrail logging, encrypted all data at rest (EBS & S3), secured your AMIs, regularly patch EC2 instances, and locked down IAM roles. But are you secure? How do you know if/when a security incident has occurred, detect unauthorized access to data, identify vulnerabilities in your application, block online attacks in real-time, or certify your application as truly secure? Theodore Kim, VP of Technical Operations at Jobvite, and his team will present a holistic approach to securing your application environment hosted in AWS. Topics will include: - Do I need an Intrusion Detection/Prevention (IDS/IPS) System? - How to detect and block network/application intrusion attempts in real time. - Log file parsing/alerting via Security Information & Event Management (SIEM) systems to identify anomalous system activity. - An overview of penetration/vulnerability testing services. - Auditing your environment to identify security vulnerabilities and support compliance efforts. - How to incorporate security vulnerability scanning into the build and release process.

1. Jobvite:
Keeping You One Step Ahead
Theodore Kim, VP Technical Operations & Security
April 28th, 2016

2. EngageHire VideoEngage
2
About Us
© 2015-2016 Jobvite, Inc.
Leading
Recruiting
Platform
Founded in
2006
1900+
Customers
50 Million
Job Seekers
160+
Countries

3. Better Candidates Faster At Lower Cost
18%
increase in referral hiring(1)
27%
faster time-to-hire(2)
30%
lower candidate acquisition cost(3)
Average Jobvite Customer ROI
1) Source: Jobvite database, 2011 – 2015
2) Source: Jobvite database, 2011-2015
3) Source: Independent third party study conducted in April, 2015
© 2015-2016 Jobvite, Inc. 3

4. 4
Industry Awards and Recognition
© 2015-2016 Jobvite, Inc.
Jobvite was Named a Leader in
the Forrester Wave™ Report

5. We received top scores for both current offering
and strategy.
5
Jobvite Named a Leader in the Forrester Wave™
Key differentiators:
• Mobile recruiting
• Recruiting analytics
• Strong social recruiting tools
• Seamlessly integrated ATS and TRM
“…a cutting edge company leading the way in
the talent acquisition space.”
© 2015-2016 Jobvite, Inc.

6. 6
Jobvite Customers
© 2015-2016 Jobvite, Inc.

7. TECHNOLOGYPRESENTATION
Security:
A Holistic Approach

8. Presenters
Theodore Kim
Vice President,
DevOps & Security
Brian Morehead
Director,
DevOps

9. AWS Compliance & Certifications

10. So…My Application Is Certified, Right?
Nice TryNo

11. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN the
Cloud
AWS is
responsible for
the security OF
the Cloud

12. Your Applications
AWS Global Infrastructure
AWS Global Infrastructure
AWS Global Infrastructure
AWS Global Infrastructure
AWS Global Infrastructure
Regions Availability Zones Edge Locations
Foundation
Services
Application
Services
Deployment &
Management
Compute Storage Networking Databases
Content Delivery Applications Distributed Computing Libraries & SDK’s
EC2 S3 EBS Glacier Storage
Gateway
VPC Direct
Connect
ELB Route53 RDS ElastiCacheDynamo RedShift
CloudFront SES SNS SQS Elastic
Transcoder
CloudSearch SWF EMR
CloudWatch
Monitoring
BeanStalk OpsWorks Cloud
Formation
DataPipe
Deployment & Automation
IAM Federation
Identity & Access
Management
Console
Billing
Web Interface Human Interaction
Mechanical
Turk
AWS Global Infrastructure
Enterprise
Applications
Workspaces Zocalo
Virtual Desktop Document Collaboration
Overview of AWS Services

13. There Are Two Security Tracks
Compliance Security Headline Security

14. There’s a Big Gap Between Compliance &
Security
Compliance
Security

15. Security Lifecycle
Increased Velocity of Change Management
Agile Development Continuous Integration /
Continuous Delivery

16. Security Lifecycle
Increased Velocity of Change Management
Huge Security Headache

17. Security Lifecycle
• Security must be ongoing &
continuous
• Point in time security is virtually
useless

18. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Enable CloudTrail wherever available.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
(Based on our experience with Incident Response, top 10 to implement ASAP.)
Top 10 AWS security best practices

19. But are you really secure?

20. Advanced
Threat
Analysis
Application
Security
Identity and
AccessMgmt
SIEMEncryption Network
Security
Vulnerability
& Pen
Testing
Security Tool Chest
AWS Inspector
AWS IAM AWS KMS

21. Advanced Threat Analysis
• Build via Jenkins
• Invoke Evident API
• Invoke Checkmarx
• Threat Report
• Block Deployment or
• Note for Next Build
• Deploy
• QA
• Repeat
DevOps Continuous
Integration (CI)

22. Advanced Threat Analysis
AWS Inspector
• Near real-time security assessments
• Supports pre-defined Rules packages
• Requires installed agent
• Linux support only
• Mostly a compliance tool

23. Application Security
Web Application Firewalls
• Web Application Firewalls can
protect against most OWASP
Top-10 vulnerabilities.
• Most WAFs require in-line
deployment causing single
point of failure.
• When is AWS WAF going to
support ELB?
“A well written web
application should not
require a WAF.
Unfortunately, there
are very few examples
in the real world”

24. Identity Management
• Use IAM for central point of account
management (IAM/AD/LDAP
integration).
• Use roles for applications that run on
Amazon EC2 instances.
• Assign IAM group policies.
• Enable Multi-Factor Authentication
(MFA) instead of password aging.
• Restrict privileged access further with
policy conditions.

25. Encryption
• Encrypt all EBS/S3 data stores to
enforce data sovereignty.
• Enable encryption at rest for all
supported database stores (RedShift,
RDS).
• Manage encryption keys via KMS
• Software defined encryption
• API support
• Don’t hardcode keys!!!

26. Network Security
• Do I need a firewall in AWS? (Answer: maybe)
• Do I need separate IDS & IPS systems? (Answer: NO!)
• Do I need both a WAF and IDS/IPS systems? (Answer: maybe)
The dangers of
inline & clustered
network security
systems!

27. Security Information & Event Management
(SIEM)
• Quite possibly the least sexy & loved
security tool.
• And yet absolutely necessary for compliance
(PCI, SOC II, ISO 27001).
• Essential for security breach root cause
analysis.
• No one wants to pay for Splunk!!!
• Can you mangle your ELK stack into a
SIEM? (Answer: kinda)
Compliance
DevOpsSecurity
SIEM

28. Vulnerability & Penetration Testing
• Point in time testing is virtually
useless in today’s security
landscape.
• Chose a continuous scanning
solution.
• Don’t pay for expensive consulting
companies. Crowdsource through
bounty programs.

29. What problems did we face?

30. Floating Keys
• IAM Access Keys baked into your app configs and/or code.
• Keys needed to be rotated.
• Keys would end up in the log files.
• Keys could end up in config files.
• Keys could leak to unauthorized individuals.

31. Need for a Web Application Firewall & Threat Manager
• How can we create security detection/prevention rules for certain types of web requests?
• How can we block unauthorized traffic (SQLi, HTTP Host header attacks, XSS, etc)?
• How can we easily filter and visualize detection and prevention data?
• How can we ensure safety from latest CVEs?
AWS WAF Challenges
• AWS WAF only ties to CloudFront distributions.
• CloudFront has a 60 second timeout limitation.
• No L1 team to analyze and re-rule to reduce false alarms.
Jobvite VPC

32. A Sea of Logs
• Too many logs
• No central logging location
• No real plan of action

33. Rapid Infrastructure Changes
• Continuous rapid deployments introduce risk.
• Do you constantly invoke security scans?
• Who receives dangerous security events?
• Is there a plan when they’re received?

34. SOLUTIONS OVERVIEW
• Benefits of Instance profiles vs Access Keys
• Installed a 3rd Party WAF
• Detect and alert on events with a SIEM
• Introduce Infrastructure Security Scans into the build system

35. INSTANCE PROFILES
• Define roles and granular policies.
• Attach profiles to the EC2 and ASG.
• AWS SDKs and CLI support instance profiles.
• No more keys in the wild.
• Removed all API keys associated to IAM app users
• Enforced MFA on all remaining user accounts.
• Ensured IAM service was in scope of Evident.IO vulnerability scans.

36. IAM ROLES WITH POLICIES
• Default access denied
• Explicitly define which instances are allowed access to certain AWS resources.
• Explicit deny supersedes explicit allow.
• Roles
• Multiple policies can be applied to roles.
• Instance Profiles
• Assumes a role.
• Access key and temporary token are stored in instance metadata.
Role:
Prod-Hire
Policy: prod-platform
Policy: prod-hire
Hire Auto-
Scaling
Read access to s3://builds-bucket
Write Access to arn:aws:sqs:us-
east-1::hire-resumes

37. ALERT LOGIC WAF & THREAT MANAGER
• RPM based installation
• Dashboard View
• Managed L1 provider
Web request
S3://jobvite-repo/RPMS/
Puppet Master
Web/Proxy
Servers
Safe

38. Centralized Logging & Notifications
• Centalized logging via Logstash.
• Organization of logs (app, system security, service security, etc)
• Notification of security events via SIEM script on top ElasticSearch.

39. SECURITY INFORMATION AND EVENT MANAGEMENT
• Tomcats and IIS apps use log4J and log4net to send JSON formatted logs to Logstash.
• CloudTrail, rsyslog for login events, Windows event logs via nxlog are sent to Logstash.
• Logstash sends the filtered results into the Logstash ElasticSearch cluster.
• Our home grown check_siem script searches ElasticSearch for event counts hooked into Nagios.
• Conditional matches are sent to SNS where emails and Pager escalations are subscribed.
CloudTrail
Tomcat / IIS
Rsyslog/NXLOG
Proxy logs
Logstash ES Cluster
Kibana
SNS
Topic

40. SECURITY DASHBOARDS
• CloudTrail Events
• Login Events
• HTTP / TLS info
• Application Errors
• Vulnerability scans
• Build/Deploy

41. Security Testing
Introduce security API calls
Alert on critical
and high
Fail build on high
security issues

42. AWS RESOURCE SCANNING
+
1. Push

43. Q & A SESSION