Meeting Enterprise Security Requirements with AWS Native Security Services (SEC319) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Meeting Enterprise Security Requirements
With AWS Native Security Services
S E C 3 1 9
Saurabh Saxena
Principal TAM
AWS
Thomas Wold
Principal Architect
GE
David Strum
Sr. Staff Incident
Responder
GE

Agenda
• Challenges and Objectives you Face Everyday
• Security of and in the Cloud
• Overview of AWS Security Services
• Automating Asset Identification in the cloud
• Proactive Protection
• Operationalizing Threat Detection
• Incident Response

Key takeaways
Understanding security of your AWS environment … & security of your
workloads
Understanding how to gain visibility into your environment and make use
of it
How to automate threat detection and incident response

The AWS shared responsibility model
Server-side encryption
(file system and/or
data)
Network traffic
protection (encryption/
integrity/identity)
Customer data
Platform, applications,
identity, & access management
Operating system, network, &
firewall configuration
Client-side data
encryption & data
integrity authentication
DatabaseStorageCompute Networking
Edge
locations
Regions
Availability Zones
AWS global
infrastructure
Customers are
responsible for security
‘in’ the cloud
AWS is responsible for
security ‘of’ the cloud

AWS Identity and
Access Management
(IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
Amazon Virtual Private
Cloud (Amazon VPC)
flow logs
Amazon EC2
Systems Manager
AWS Shield
AWS WAF
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (AWS KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate
Manager (ACM)
Server side encryption
AWS Secrets Manager
AWS Config rules
AWS Lambda
Amazon EC2 Systems
Manager
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions

Aligning to AWS services
Identify
Protect
DetectRespond
Recover
What processes and
assets need
protection?
What
safeguards are
available?
What techniques can
identify incidents?
What techniques can
contain impacts of
incidents?
What techniques can
restore capabilities?

Identify
Amazon
CloudWatch
Amazon EC2
Systems Manager
AWS
CloudTrail
AWS
Config
Amazon
Inspector
Amazon
Macie
AWS Shield
Amazon VPC
flow logs
Amazon
GuardDuty

Protect
Network access control list
Security groups
AWS Shield
Amazon EC2
Systems Manager
AWS WAF
AWS Certificate
Manager
Amazon
CloudFront
IAM Amazon
VPC*
Amazon
EC2

Detect
Amazon
CloudWatch
Amazon EC2
Systems Manager
AWS
CloudTrail
AWS
Config
Amazon
Inspector
Amazon
MacieAWS Shield
Amazon VPC
flow logsAmazon
GuardDuty
Event
(event-
based)
Amazon SNS
email
notification
HTTP
notification

Respond
Rule
AWS
Config
Amazon
CloudWatch
Event
(event-
based)
State
manager
Maintenance
windows
InventoryAutomation documents
Parameter
store
Run
command
Patch
manager
Amazon EC2
Systems Manager
AWS WAF
filtering rule
AWS Shield
Advanced
Lambda
function
Lambda
function
Lambda function
Amazon
GuardDuty
Lambda
function

Recover
AWS Step
Functions
Amazon
SNS
email
notification
HTTP
notification
AWS
Lambda
Lambda f(n)
Amazon
CloudWatch
Event
(event-
based)
Lambda f(n)
Lambda f(n)
Lambda f(n)

Enterprise Scale Defined

Our cloud journey
Factors that drove our requirements
Tenancy model
Shared responsibility model across many teams
SLA’s
Must be self service – Tickets are a defect
Compliance Requirements
Industry, Company and Customer specific
Invisibility Ubiquitous
Lightweight, bias towards native tooling

Our tenancy model

Automated deployment of AWS Native Services
AWS STS MFA token Role Customer
gateway
Internet
gateway
Network
access
control list
Route table

GE shared services
Some of the services built with AWS Native Services
Account Provisioning – consistency at scale
Asset Management (CMDB) – near real time collection of global AWS resources
Bots – event driven configuration management and real time remediation
Version Control – IAM SoT for admin resources
Chaos Engineering – continuous monitoring ensures resiliency and protects control plane

CloudTrail deployment

CloudTrail deployment cont’d

GuardDuty deployment
// Create detector in member account.
api.CreateDetector(region,roleName,
sessionName, message)
// Invite member to master account.
api.InviteMember(region, roleName,
// Accept invitation in member account.
api.AcceptInvitation(region, roleName,
// Update status in dynamo table.
api.UpdateItem(dynamoTable, dynamoRegion,
message)

Identity services
Organizations
Aligned to our product strategy
Be deliberate
IAM
Delegated Admin
Abstracted Source of truth
IAM-the-truth, resource-assassin
Sophisticated tooling to manage admin resources

Organizations SCP

Identify
☑
Protect
☑
DetectRespond
Recover
What processes and
assets need
protection?
What
safeguards are
available?
What techniques can
identify incidents?
What techniques can
contain impacts of
incidents?
What techniques can

Our ^ Cloud Journey at GE
We do not know what we do not know
What am I defending, exactly?
What threat scenarios to I care about?
Account compromise, Instance compromise, Network tunneling, Data exfiltration
What is my visibility?
Platform – Instance – Network – Identity
What services are available? (1300+ new services and updates)
What access do we need for triage and incident response?
What skills do we lack?
Bolt-ons and lift and shifts --> embedded in ecosystem
Enterprise agents
Network DPI, IDS and NSM?
Pcap collection
Secure

Cloud native incident detection
GuardDuty
Early adoption (Nov ‘17) scaled across 500+ accounts and 14 regions
Operationalizing Guard Duty findings
Establish a findings alert pipeline
Learn baseline patterns
Tune and filter on what matters with Cloudwatch and Lambda
Design finding type based incident response playbooks with Cloudwatch, Lambda/Step
Functions
Integrate internally vetted IP threat intel list using S3 and Guard Duty

Exporting GuardDuty findings
AWS
GD Member Account
CloudWatch
Event Bus
Lambda
Function
Lambda
Function
Parsed GD
Findings
Raw GD
Findings
SNS
Topic
SQS
Queue
GD Master Account
US-East-1
Guard Duty
Findings
US-West-2
Guard Duty
Findings
CA-Central-1
Guard Duty
Findings
External
Destination

Incident detection
Cloudtrail
Configured central multi-region logging to S3 at account build time.
Export to external “Eyes on Glass” for alerting / 24x7 monitoring
Lambda based, specific platform level detection ”signatures”
Alert enrichment
Automated authoritative account lookup (we like names not numbers)
Account number, alias, VPC ID, region, business
True source IP identification
Bind server logs (Kinesis/Firehose/Lambda/S3/Glue/Athena)
IP/Domain intelligence

Incident response
Containment
Prevent access, lateral movement or data exfiltration by limiting:
Network connectivity
API and instance level authentication
Alteration of instance
Authentication to services
Logons to compromised accounts
Actions that can be taken with a compromised account
Executed as stand alone script or lambda function
Ad-hoc surgical containment
Automated response via Cloudwatch and Lambda for high fidelity events

Incident response
Live Response (LR) collection
Instance level access (SSM)
Collection tool suite transport (Snapshots, Volumes, Lambda, SSM)
Custom script execution (SSM)
LR output data transport (Snapshots, Volumes, Lambda, SSM)
Live Response processing
Forensic analysis EC2 instance
Execute forensic analysis framework
Export results
Analyze forensic data

Incident response
1. Python containment script
executed locally or lambda.
2. Analysis server launched from
custom image, via containment
script or manual AWS CLI
command
3. LR collection script executed
on analysis server, data
collected over SSH
4. Collection script executes build
script to build LiME kernel
module and Volatility profile, if
necessary
5. (not shown) Data to preserve is
pushed to regional S3 buckets
with lifecycle policies attached

Incident response
AWSome_IR
EC2 and IAM containment
lr-collect-linux
Linux LR collection and orchestration script
Build LiME KO and Volatility profile on temp EC2 instance
Volatility, strings, & bulk_extractor against memory image
log2timeline & bulk_extractor against volume
Archive specified LR file(s) in S3
lr-collect-windows
Self-contained package of tools and scripts to collect artifacts and memory
Executed on the target host

Incident response

Identify
☑
Protect
☑
Detect
☑
Respond
☑
Recover
What processes and
assets need
protection?
What
safeguards are
available?
What techniques can
identify incidents?
What techniques can
contain impacts of
incidents?
What techniques can

What's next?
Complete Cloud Ecosystem Monitoring
Ecosystem == complex and interconnected
Threat detection and response is more embedded, less bolted on
Everything is a sensor
Connect more data sets together:
Change Management
Vulnerability Scanning
Threat Intelligence
Threat detection
Container threat detection/IR
CI/CD pipeline threat detection/IR (Pipeline poisoning)
IR as code

Thank you!

Time: 15 minutes after this session
Location: Speaker Lounge (ARIA East, Level 1, Willow Lounge)
Duration: 30 min.

Meeting Enterprise Security Requirements with AWS Native Security Services (SEC319) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Meeting Enterprise Security Requirements with AWS Native Security Services (SEC319) - AWS re:Invent 2018

Similar to Meeting Enterprise Security Requirements with AWS Native Security Services (SEC319) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Meeting Enterprise Security Requirements with AWS Native Security Services (SEC319) - AWS re:Invent 2018