Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX214 views

Pragmatic Security Automation for Cloud

The document discusses pragmatic security automation strategies for cloud environments, emphasizing the importance of cloud-native security practices. It outlines principles such as software-defined security, event-driven models, and the use of guardrails for managing cloud resources effectively. Recommendations for implementing automation include defining problems, building workflows, and using event-driven guardrails to enhance operational security and efficiency.

Embed presentation

Download as PDF, PPTX
SESSION ID: #RSAC Rich Mogull PRAGMATIC SECURITY AUTOMATION FOR CLOUD CSV-R04 Analyst/VP of Product Securosis/DisruptOPS rmogull@disruptops.com @rmogull
#RSAC Cloud is Fundamentally Different 2 Abstraction Automation
#RSAC Automation is Inherent 3 The NIST Model (courtesy the CSA)
#RSAC APIs are Ubiquitous 4 Cloud Security Alliance IaaS Reference Model }
#RSAC Cloud Security Must Be Cloud Native 5 Management Plane Volatility/Velocity Distribution/Segregation Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group
#RSAC The Categories 6 Guardrails Workflows Orchestrations Continuously assess and enforce operational and security policies Streamline and accelerate IT operations and security through automated workflows Empower new capabilities through advanced orchestration of infrastructure, operations, and security Fix security group or S3 misconfigurations Incident response Automatic WAF insertion and configuration
#RSAC The Principles 7 Software Defined Security Stateless Security Event Driven Security Continuous Feedback Loops
#RSAC The Foundation 8 Cloud Service Provider Cloud Consumer (you) ‣ API and full administrative activity logging ‣ Events/triggers/rules ‣ Function as a Service (Serverless) ‣ Notification service ‣ Continuous Integration Pipeline ‣ Version control repository ‣ Full IAM access to accounts/subscriptions/ projects ‣ Security development team (person) Critical Capabilities
#RSAC The Process 9 Define Your Problem Eval FOSS/Existing tools Determine Tech Stack Build Initial Automations (Ops) Expand for Scale/Scope
#RSAC Things We Are Skipping (for time) 10 How to configure all the core monitoring/logging Setting up IAM and permissions The details of implementation on Azure and GCP We will list the core capabilities, but can’t cover all 3 with real examples in 45 minutes
#RSAC What’s a Guardrail? 11 Define and set limits Can be “allow” or “deny” Find deviations Assessment or event based Evaluate the issue Fix/remediate Automatically or manually depending on rules Find Eval Fix
#RSAC Example Guardrails 12 If you find a public S3 bucket, restrict it to our known network addresses Unless it is approved or tagged Don’t allow internal security groups with all ports and protocols open in Prod But allow in Dev Require MFA for API access for any user that needs MFA for console access Create our baseline IAM policies and roles for all new accounts Based on the environment Validate that monitoring and alerting is properly configured And fix if not Disable access keys that haven’t been used in 90 days Find instances with an IAM role that allows power user or greater access via API Restrict the privileges Identify all cross-network peering from accounts we don’t own Then check the security group permissions
#RSAC What Makes a Good Guardrail? 13 Accounts for different environments At least Dev vs. Prod Handles exceptions And is capable of remembering them Understands state and context Doesn’t bog down the alert queue Can remediate automatically Either completely, or after manual approval Ops communications/notifications Education, not Blamification
#RSAC Building a Guardrail 14 Define Criteria/Issues Add Filters Set Triggers Add Actions And Targets
#RSAC Our Guardrail 15 Criteria/Issues All instances with port 22 open to the 0.0.0.0/0 (the Internet) Filters Region is us-west-2p (could be VPC/tag/etc) Trigger Time = every 5 minutes Action Restrict to known IP range Demo
#RSAC Our Event-Driven Guardrail 16 Criteria/Issues New inbound security group rule added Filters IAM user, VPC, Tag Trigger API event (CloudTrail) Action Reverse + Notify Demo
#RSAC Expanding to Enterprise Scale 17 Hitting all 14 regions simultaneously Multiplex Central event stream Queues/SNS AuthN/AuthZ
#RSAC Building a Workflow 18 Define Steps Determine Inputs Choose Execution Model Modularize Code Can be built on Guardrails and support Orchestrations
#RSAC Our Workflow 19 Steps (Incident Response) Collect metadata (before we change it) Quarantine on the network and in AWS Snapshot all storage and attach for forensics Analyze Inputs Instance ID Execution Model Command line (container or remote) Modularize Code Classes for analyze vs. respond All methods reusable Demo
#RSAC Workflows Advice 20 Workflows are to speed up common, manual tasks Guardrails are for automated enforcement The line between a guardrail action and an Workflows is often thin Execution environment matters Lambda vs. containers vs. your laptop Use your pipeline Continuous integration servers (Jenkins) make great platforms for repeat automation, not just security testing Make a static console E.g. S3 + API Gateway + SQS
#RSAC Building a Orchestration 21 ID apps and APIs Locate SDK if available Consider flow/value Modularize Integrate in code
#RSAC Our Orchestration 22 Apps/API EC2 + Route 53 + Incapsula SDK AWS Ruby + REST client Flow/Value ID public web servers -> determine DNS -> check WAF -> add WAF Limit: default AWS domain names Modularize Find web instances, ELBs Change DNS, add Incapsula Integrate into code See video Demo
#RSAC Complexities 23 Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group Scaling Multiple Accounts Multiple Providers Circuit Breakers
#RSAC Architecting For Enterprise Scale 24
#RSAC Where to Start 25 Start with something simple Build it in one account/subscription/project Event + Notification is super easy to start Then go with your first FaaS Desktop first, then FaaS for execution environment Build a library Experiment with execution environments, but standardize quickly Add enterprise scaling capabilities Will depend on your execution environment/model Build it in the cloud and leverage PaaS options Make sure you use CI/CD for long term management
SESSION ID: #RSAC Rich Mogull PRAGMATIC SECURITY AUTOMATION FOR CLOUD CSV-R04 Analyst/VP of Product Securosis/DisruptOPS rmogull@disruptops.com @rmogull

More Related Content

PDF
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
PDF
Corpsec: “What Happened to Corpses A and B?”
byPriyanka Aash
 
PDF
FIM and System Call Auditing at Scale in a Large Container Deployment
byPriyanka Aash
 
PDF
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
byPriyanka Aash
 
PDF
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
PDF
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
byPriyanka Aash
 
PDF
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
byPriyanka Aash
 
PDF
Red Team vs. Blue Team on AWS
byPriyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
byPriyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
byPriyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
byPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
byPriyanka Aash
 
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond
byPriyanka Aash
 
Red Team vs. Blue Team on AWS
byPriyanka Aash
 

What's hot

PDF
Cloud security : Automate or die
byPriyanka Aash
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Beyond the mcse red teaming active directory
byPriyanka Aash
 
PPTX
Are You Ready for a Cloud Pentest?
by2nd Sight Lab
 
PDF
(SACON 2020) Adventures In SDN Security
byPriyanka Aash
 
PPTX
Alfredo Reino - Monitoring aws and azure
byDevSecCon
 
PDF
Serverless Security: What's Left To Protect
byGuy Podjarny
 
PDF
Defending Serverless Infrastructure in the Cloud RSAC 2020
byPuma Security, LLC
 
PDF
Dev secops on the offense automating amazon web services account takeover
byPriyanka Aash
 
PPTX
Serverless Attack Vectors
by2nd Sight Lab
 
PDF
AWS live hack: Docker + Snyk Container on AWS
byEric Smalling
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
PPTX
Azure for Auditors
by2nd Sight Lab
 
PPTX
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
bySumo Logic
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
byJeff Williams
 
PPTX
Packet Capture on AWS
by2nd Sight Lab
 
PDF
Managed Threat Detection and Response
byAlert Logic
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
byOWASP
 
Cloud security : Automate or die
byPriyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Beyond the mcse red teaming active directory
byPriyanka Aash
 
Are You Ready for a Cloud Pentest?
by2nd Sight Lab
 
(SACON 2020) Adventures In SDN Security
byPriyanka Aash
 
Alfredo Reino - Monitoring aws and azure
byDevSecCon
 
Serverless Security: What's Left To Protect
byGuy Podjarny
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
byPuma Security, LLC
 
Dev secops on the offense automating amazon web services account takeover
byPriyanka Aash
 
Serverless Attack Vectors
by2nd Sight Lab
 
AWS live hack: Docker + Snyk Container on AWS
byEric Smalling
 
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
Azure for Auditors
by2nd Sight Lab
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
bySumo Logic
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
byJeff Williams
 
Packet Capture on AWS
by2nd Sight Lab
 
Managed Threat Detection and Response
byAlert Logic
 
[OPD 2019] Governance as a missing part of IT security architecture
byOWASP
 

Similar to Pragmatic Security Automation for Cloud

PDF
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
PDF
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
PDF
Pragmatic Cloud Security Automation
byCloudVillage
 
PPTX
API Security: Assume Possible Interference
byJulie Tsai
 
PDF
Secure Cloud Development Resources with DevOps
byCloudPassage
 
PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
PDF
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
PDF
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PPTX
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
bySymantec
 
PDF
Cloud Security Enforcement First Meetup 10092025.pdf
bylior mazor
 
PDF
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PPTX
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
PDF
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
 
PPTX
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
PPTX
AWS Lambda Security Inside & Out
byPureSec
 
PDF
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
Pragmatic Cloud Security Automation
byCloudVillage
 
API Security: Assume Possible Interference
byJulie Tsai
 
Secure Cloud Development Resources with DevOps
byCloudPassage
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
DevSecOps in Baby Steps
byPriyanka Aash
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
bySymantec
 
Cloud Security Enforcement First Meetup 10092025.pdf
bylior mazor
 
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Securing a great DX - DevSecOps Days Singapore 2018
byStefan Streichsbier
 
Automating Security in Cloud Workloads with DevSecOps
byKristana Kane
 
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
AWS Lambda Security Inside & Out
byPureSec
 
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
Integrating Security into DevOps
byCloudPassage
 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 

Pragmatic Security Automation for Cloud

  • 1.
    SESSION ID: #RSAC Rich Mogull PRAGMATICSECURITY AUTOMATION FOR CLOUD CSV-R04 Analyst/VP of Product Securosis/DisruptOPS rmogull@disruptops.com @rmogull
  • 2.
    #RSAC Cloud is FundamentallyDifferent 2 Abstraction Automation
  • 3.
    #RSAC Automation is Inherent 3 TheNIST Model (courtesy the CSA)
  • 4.
    #RSAC APIs are Ubiquitous 4 CloudSecurity Alliance IaaS Reference Model }
  • 5.
    #RSAC Cloud Security MustBe Cloud Native 5 Management Plane Volatility/Velocity Distribution/Segregation Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group
  • 6.
    #RSAC The Categories 6 Guardrails WorkflowsOrchestrations Continuously assess and enforce operational and security policies Streamline and accelerate IT operations and security through automated workflows Empower new capabilities through advanced orchestration of infrastructure, operations, and security Fix security group or S3 misconfigurations Incident response Automatic WAF insertion and configuration
  • 7.
  • 8.
    #RSAC The Foundation 8 Cloud ServiceProvider Cloud Consumer (you) ‣ API and full administrative activity logging ‣ Events/triggers/rules ‣ Function as a Service (Serverless) ‣ Notification service ‣ Continuous Integration Pipeline ‣ Version control repository ‣ Full IAM access to accounts/subscriptions/ projects ‣ Security development team (person) Critical Capabilities
  • 9.
    #RSAC The Process 9 Define Your Problem EvalFOSS/Existing tools Determine Tech Stack Build Initial Automations (Ops) Expand for Scale/Scope
  • 10.
    #RSAC Things We AreSkipping (for time) 10 How to configure all the core monitoring/logging Setting up IAM and permissions The details of implementation on Azure and GCP We will list the core capabilities, but can’t cover all 3 with real examples in 45 minutes
  • 11.
    #RSAC What’s a Guardrail? 11 Defineand set limits Can be “allow” or “deny” Find deviations Assessment or event based Evaluate the issue Fix/remediate Automatically or manually depending on rules Find Eval Fix
  • 12.
    #RSAC Example Guardrails 12 If youfind a public S3 bucket, restrict it to our known network addresses Unless it is approved or tagged Don’t allow internal security groups with all ports and protocols open in Prod But allow in Dev Require MFA for API access for any user that needs MFA for console access Create our baseline IAM policies and roles for all new accounts Based on the environment Validate that monitoring and alerting is properly configured And fix if not Disable access keys that haven’t been used in 90 days Find instances with an IAM role that allows power user or greater access via API Restrict the privileges Identify all cross-network peering from accounts we don’t own Then check the security group permissions
  • 13.
    #RSAC What Makes aGood Guardrail? 13 Accounts for different environments At least Dev vs. Prod Handles exceptions And is capable of remembering them Understands state and context Doesn’t bog down the alert queue Can remediate automatically Either completely, or after manual approval Ops communications/notifications Education, not Blamification
  • 14.
    #RSAC Building a Guardrail 14 Define Criteria/Issues AddFilters Set Triggers Add Actions And Targets
  • 15.
    #RSAC Our Guardrail 15 Criteria/Issues All instanceswith port 22 open to the 0.0.0.0/0 (the Internet) Filters Region is us-west-2p (could be VPC/tag/etc) Trigger Time = every 5 minutes Action Restrict to known IP range Demo
  • 16.
    #RSAC Our Event-Driven Guardrail 16 Criteria/Issues Newinbound security group rule added Filters IAM user, VPC, Tag Trigger API event (CloudTrail) Action Reverse + Notify Demo
  • 17.
    #RSAC Expanding to EnterpriseScale 17 Hitting all 14 regions simultaneously Multiplex Central event stream Queues/SNS AuthN/AuthZ
  • 18.
    #RSAC Building a Workflow 18 DefineSteps Determine Inputs Choose Execution Model Modularize Code Can be built on Guardrails and support Orchestrations
  • 19.
    #RSAC Our Workflow 19 Steps (IncidentResponse) Collect metadata (before we change it) Quarantine on the network and in AWS Snapshot all storage and attach for forensics Analyze Inputs Instance ID Execution Model Command line (container or remote) Modularize Code Classes for analyze vs. respond All methods reusable Demo
  • 20.
    #RSAC Workflows Advice 20 Workflows areto speed up common, manual tasks Guardrails are for automated enforcement The line between a guardrail action and an Workflows is often thin Execution environment matters Lambda vs. containers vs. your laptop Use your pipeline Continuous integration servers (Jenkins) make great platforms for repeat automation, not just security testing Make a static console E.g. S3 + API Gateway + SQS
  • 21.
    #RSAC Building a Orchestration 21 IDapps and APIs Locate SDK if available Consider flow/value Modularize Integrate in code
  • 22.
    #RSAC Our Orchestration 22 Apps/API EC2 +Route 53 + Incapsula SDK AWS Ruby + REST client Flow/Value ID public web servers -> determine DNS -> check WAF -> add WAF Limit: default AWS domain names Modularize Find web instances, ELBs Change DNS, add Incapsula Integrate into code See video Demo
  • 23.
    #RSAC Complexities 23 Account Virtual Network Subnet Security Group Virtual Network Subnet Security Group Account VirtualNetwork Subnet Security Group Virtual Network Subnet Security Group Scaling Multiple Accounts Multiple Providers Circuit Breakers
  • 24.
  • 25.
    #RSAC Where to Start 25 Startwith something simple Build it in one account/subscription/project Event + Notification is super easy to start Then go with your first FaaS Desktop first, then FaaS for execution environment Build a library Experiment with execution environments, but standardize quickly Add enterprise scaling capabilities Will depend on your execution environment/model Build it in the cloud and leverage PaaS options Make sure you use CI/CD for long term management
  • 26.
    SESSION ID: #RSAC Rich Mogull PRAGMATICSECURITY AUTOMATION FOR CLOUD CSV-R04 Analyst/VP of Product Securosis/DisruptOPS rmogull@disruptops.com @rmogull