Uploaded byAlert Logic
#ALSummit: Architecting Security into your AWS Environment
The document outlines strategies for securing AWS environments against multi-layered attacks, emphasizing the importance of cloud-native security practices. It recommends measures such as securing AWS accounts, continuous monitoring, and implementing network and log visibility tools. Additionally, it highlights the need for strong access management, secure coding practices, and proactive identification of vulnerabilities.
More Related Content
Similar to #ALSummit: Architecting Security into your AWS Environment
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
#ALSummit: Architecting Security into your AWS Environment
- 1. RYAN HOLLAND Architecting Securityinto your AWS environment ALERT LOGIC DIRECTOR, CLOUD ARCHITECTURE
- 2. Attacks Happen atMultiple Layers of the Application Stack THE IMPACT • Every layer of the application stack is under attack • Attacks are multi-stage using multiple threat vectors • Web applications are #1 vector in the cloud • Security must be cloud-native, cover every layer of application stack, and identify attacks at every stage. SQL Injection Identify & Recon Comman d & Control Worm Outbreak Extract & Exfiltrate Malware Brute Force Identify & Recon
- 3. Relative Threats -Cloud vs On Premise Source: Alert Logic Cloud Security Report, 2015
- 4. Global Threats -Time to Exposure • Attacks against Microsoft DS accounted for over 51% of the overall attack vectors • Database services have been a consistent target • 14% of the malware loaded on the Honeypots was considered undetectable by AV
- 5. Attackers Are Focusedon Your Network, Hosts, and Apps • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis • Network threat detection • Security monitoring • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer PROVIDES • Configuration best practices
- 6.
- 7. First things first….startwith a strong foundation
- 8. Securing Your AWSAccount • Lock down the root account • Delete any root API keys • Enable Hardware MFA for the root account – define an auditable process for requesting the key • Follow least privilege for IAM Users and Roles • Avoid using “Admin” prebuilt policies unless absolutely necessary • Leverage CloudTrail Logs and IAM Access Advisor to help tune policies • Restrict SSH/RDP access for instances with IAM Roles • Enable a strong password policy and MFA requirement for IAM users • If users must have an API key ensure they are frequently rotated as well • Enable CloudTrail and AWS Config • Leverage the features to enable CloudTrail in all regions • Use Config Rules to identify out of policy changes • Not a one time activity – Continuously monitor for changes
- 9. Maintain Visibility intoYour Environment
- 10. Monitor Activity andIdentify Insecure Configurations • Inventory the services and regions you are using • What regions do you have VPCs and instances? • Which resources are accessible from the Internet? • Leverage CloudTrail to identify new VPCs or service usage • Define a consistent Tagging and Naming strategy for resources • Ensure the AWS Service you’re using remain securely configured • Disable non-secure ciphers on Elastic Load Balancers • Remove S3 bucket permissions that allow global write or read • Identify security groups or network ACLs that allow unrestricted access to sensitive ports • Identify and remediate vulnerabilities in AMIs • Patch your AMIs not your instances • Maintain a list of trusted AMIs, restrict users from launching non-trusted images • Scan instances frequently to identify new vulnerabilities
- 11. Implement Network andLog Visibility • Capture log data from instances in real time • Once an instance has been terminated you are unable to gather logs from it • Collect and maintain instances metadata with the logos. • Implement network intrusion detection • Analyze network traffic for all instance traffic and not just VPC ingress and egress • Look for Deny events in VPC Flow Logs to instances • Implement a Web Application Firewall • Inspection at layer 7 is required to identify application specific attacks • Ideally leverage positive and negative enforcement
- 12. How Cloud DefenderWorks in AWS AWS Service Log Collection Web and Network Security Events, Application & server logs Continuous Vulnerability Scanning Configuration Assessments, and Environment Visibility AWS SERVICES INSTANCES & APPLICATIONS Analytics Platform Threat Intel & Context Expert Analysis Threat Detection with Remediation Tactics YOUR TEAM Vulnerability & Configuration Issues
- 13.
Editor's Notes
- #3 And if we then take those stages we can see how they map to different parts of an application stack, from infrastructure, systems and applications. When we look at attacks in cloud environments while many of them focus on the application layer you do still need to have defenses in the other layers.
- #4 And on the topic of the types of threats one really interesting report that our Threat intelegence teams create every year is the Cloud Security Report, which looks at the types of threats we are seeing across both in our premise data centers and cloud environements. This data in this report is real-world data that’s collected and represents over 1Billion events and over 800,000 security incidents over a 12 month period. Whats interesting is you can see in the data that advisaries are adapting the types of attacks based on the environments and are especially focusing on Application attacks for cloud customers. You can get the full report at alertlogic.com/csr which gives much deeper into the data
- #5 One additional method we use to gather attack data is from our global honeynet network, its how quickly we begin to see attacks once a new honeynet node is activated. When we look at the tyype of attacks Microsfot Directory Services, database and administrative ports for SSH/RDP are consistant targets. Highest volume of attacks occurred in Europe Attacks against Microsoft DS accounted for over 51% of the overall attack vectors Database services have been a consistent target 14% of the malware loaded on the Honeypots was considered undetectable by AV Underscores the importance of a defense in depth strategy for the need to secure your enterprise and cloud infrastructure
- #6 Likely most everyone by now has at least heard of the shared responsibilty model, so I will cover this somewhat briefly. Under the SSR for infrastructure sevices like EC2 AWS is repsonsible to secure all of the infrastructure, networks and hosts all the way up to the hypervisor – which in a way is huge benefit to using AWS because for on-premise environments you would need to be responsible for these tasks this model allows you to leverage their expertise and focus on the part that you are repsonsible for. The data showing attacks focusing on applications and remote access through ssh and rdp shows us that attackers are wise to the fact they are not likely to be successful in attacking componets that AWS is securing and are focusing on areas where the customers are responsible. Attackers are wising up to the fact that businesses are not aware of the extent of their responsibilities – some of which may be beyond their existing capabilities They are focusing their attention on the areas that fall to the customer to address, in particular the web application layer where we have see a large increase in the number of targeted attacks **insert banner with Cloud Security report stats**
- #7 To helpsecure your AWS environement there are three tenents that we will focuson
- #8 Applications are often visualized as a stack and stacks like houses require a solid foundation otherwise bad things happen. So the first thing we’ll look at is shoring up the foundation which
- #13 Cloud Defender is doing two things: First it will scan you AWS services looking for any configuration issues. At the same time it scans your instances and applications looking for known vulnerabilities. That information gets passed back to your team in the form of prioritized remediation actions so you take focus on the issues that will have the biggest positive impact with regards to your risk. While that is happening Cloud Defender is also collecting logs from your servers, apps, and AWS services, as well as network, web app events. This information is fed into an analytics platform. This platform analyzes the data, eliminating irrelevant events, and then, by applying threat intelligence and context generates actionable security events. These events are then vetted by a team of security experts, who have access to both the raw data that generated the event as well as a library of threat research that enables them to provide you with the context you need to understand the threat. You are then contacted about the incident and provided remediation recommendations. This helps you focus on eliminating the issues without having to become an expert in any one specific threat vector. Cloud Defender is always on, always working for you.