2. Topics
• Introduction
• ExampleWorkload: End User Computing
• What can go wrong? Ransomware Incident Response in End User Computing
• End User Computing Security Best Practices
• Modernizing Security Controls
• NIST Cybersecurity Framework
• Adjacent Frameworks
• Public Cloud Services alignment to NIST Cybersecurity Framework
5. Users andVulnerable Software – Still a Challenge
Verizon 2021 Data Breach Investigations Report
https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx
6. CustomerWorkload Personas – Growth inVariety
• Migrated
• Server Based
• Migrated & Optimized
• Blends of Server and Service Based
• Serverless/Native
• Service Based
• Orchestrated
• ECS, EKS, K8s
• Inherited
• Wildcard!
• Hybrid
• Wildcard!
7. Service Categories – Also Growth inVariety
• Analytics
• Application Integration
• AR &VR
• AWS Cost Management
• Blockchain
• Business Applications
• Compute
• Customer Engagement
• Database
• Developer Tools
• End User Computing
• GameTech
• Internet ofThings
• Machine Learning
• Management & Governance
• Media Services
• Migration &Transfer
• Mobile
• Networking & Content Delivery
• QuantumTechnologies
• Robotics
• Satellite
• Security, Identity, & Compliance
• Storage
11. What’s missing?
• Ingress Security Group toWorkspace
• Egress Security Group fromWorkspace to (Internet)
• Security Groups to/from other Services (AWS and On Premises)
• Security of the Workspace Environment
• Security of supporting servers (Active Directory)
• Security of other network-accessible resources (Web Servers)
• User Permissions (Non-Local Admin, Local Admin, Global Admin)
• Access of the Workspace (PKI Cert, PKI PIV, Network, MFA)
• The rest of the AWSAccount?The rest of the AWSAccount! (Services, APIs)
13. What could go wrong?
• Ingress Security Group toWorkspace
• Egress Security Group fromWorkspace to (Internet)
• Security Groups to/from other Services (AWS and On Premises)
• Security of the Workspace Environment
• Security of supporting servers (Active Directory)
• Security of other network-accessible resources (Web Servers)
• User Permissions (Non-Local Admin, Local Admin, Global Admin)
• Access of the Workspace (PKI Cert, PKI PIV, Network, MFA)
• The rest of the AWSAccount?The rest of the AWSAccount! (Services, APIs)
15. Overview
• Through the lens of the NIST Cybersecurity Framework we will look at frameworks developed
by, and services available onAWS.
• Cloud Services, such as those offered by AWS either/both play a supporting role in your security
posture, supporting both non-AWS resources andAWS resources alike but secure configuration
of AWS resources can also play a role in supporting your security posture.
• The NIST Cybersecurity Framework provides a policy framework of computer security guidance
for how private sector organizations in the United States can assess and improve their ability to
prevent, detect, and respond to cyber attacks.
16. The Cybersecurity Framework
Core
Desired cybersecurity outcomes organized in a hierarchy
and aligned to more detailed guidance and controls
Profiles
Alignment of an organization’s requirements and
objectives, risk appetite and resources using the desired
outcomes of the Framework Core
ImplementationTiers
A qualitative measure of organizational cybersecurity risk
management practices
17. The Cybersecurity Framework - Functions
• Identify
• Develop an organizational understanding to manage cybersecurity risk to systems, people, assets,
data, and capabilities.
• Protect
• Develop and implement appropriate safeguards to ensure delivery of critical services.
• Detect
• Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• Respond
• Develop and implement appropriate activities to take action regarding a detected cybersecurity
incident.
• Recover
• Develop and implement appropriate activities to maintain plans for resilience and to restore any
capabilities or services that were impaired due to a cybersecurity incident.
18. An Excerpt from the Framework Core
5 Functions 23 Categories 108 Subcategories 6 Informative References
19. ImplementationTiers
1 2 3 4
Partial Risk Informed Repeatable Adaptive
Risk
Management
Process
The functionality and repeatability of cybersecurity risk
management
Integrated Risk
Management
Program
The extent to which cybersecurity is considered in
broader risk management decisions
External
Participation
The degree to which the organization:
• monitors and manages supply chain risk
• benefits my sharing or receiving information from
outside parties
20. CIS Controls & Benchmarks
• Controls
• Similar, though more prescriptive than NIST CSF
• Can be mapped to CSF
• Benchmarks
• Prescriptive steps to apply controls to specific technologies
• AWS
• Workspaces
• Windows/Linux
• Other Services
34. WAF – Lenses
• High Performance Computing (HPC)
• Serverless
• Internet ofThings (IOT)
• Financial Services Industry (FinServ)
• FoundationalTechnical Review (FTR)
• SaaS
• Streaming Media
• Machine Learning
• SAP
• DataAnalytics
• Games Industry
• Hybrid Networking
• Management and Governance –Well Aligned!
35. WAF – General Design Principals
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Drive architectures using data
• Improve through game days
36. WAF – Game Days
• Prepare
• Is the process/are the processes to be tested during the game day well defined? Is access in place? Has
training been performed?
• Define
• Workload, Personnel, Scenario, Environment, Schedule
• Execute
• Start, Middle, End
• Analyze
• Debrief, Examine, Document, Root Cause Analysis (RCA), Correction of Error (CoE)
37. WAF – Security Pillar
• Design Principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
• Best Practices
• Identity and Access Management
• Detection
• Infrastructure Protection
• Data Protection
• Incident Response
38. Let’s tie it all together…
https://aws.amazon.com/blogs/security/optimizing-cloud-governance-on-aws-integrating-the-nist-cybersecurity-framework-aws-
cloud-adoption-framework-and-aws-well-architected/
47. Detect
• Guard Duty
• Config: Point in time snapshots of configuration items, Exportable as JSON to
idempotent storage
• VPC: Flow Logs (NetFlow) + Port Mirroring
• CloudWatch Logs: OS and above log management
• CloudTrail: AuditTrail, Exportable as JSON to idempotent storage
• Cloudfront, ALB andWAF: All log (CloudFront and ALB in S3,WAF in Kinesis)
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based
retention + dedicated account
49. Respond
• Detective
• Disk Snapshots
• Don’t forget to remove from retention policy
• Automated withThreatResponse,GRR
• Memory Snapshots
• Automated withThreatResponse,GRR,Volatility, Rekall
• Logs
• Don’t forget to remove from retention policy
• Query and Correlate with Athena
• Measure
50. Recover
• Block Access (WAF, Security Group, ACL, IAM)
• Revert to Known Good State (Snapshots,Versioning)
• Identify/Correct Root Cause (Logs!)
• Rotate Credentials (people and things)
• Measure
51. Conclusion
• Iterate introduction of your security controls – some in the short term is better than none in the
long term.
• Detective Controls are just as important as Preventative Controls, they play a significant
response in incident detection and response.
• Whether your workload is onAWS or not,AWS services can be used to supplement your controls.
• There is no lack of frameworks – pick and choose from them to make a framework that works
best for your organization’s needs.