![The easy (Vulnerabilities) matter
"[With] any large network, I will tell you that
persistence and focus will get you in, we'll achieve that
exploitation without the zero days," he says. "There's
so many more vectors that are easier, less risky and
quite often more productive that going down that
route." This includes, of course, known vulnerabilities
for which a patch is available but the owner hasn't
installed it.
- Rob Joyce NSA TAO @ Enigma 2016](https://image.slidesharecdn.com/patryansecurity-presentation-al-cssawspr-final2-160613201416/85/ALSummit-Alert-Logic-AWS-AWS-Security-Services-6-320.jpg)
Uploaded byAlert Logic
#ALSummit: Alert Logic & AWS - AWS Security Services
The document provides an overview of AWS security services, including network security primitives such as security groups and network access control lists (NACLs). It emphasizes the importance of continuous monitoring and vulnerability management through tools like Amazon Inspector and AWS WAF. Additionally, it discusses AWS Config rules for configuration changes and compliance, highlighting integration with remediation tasks and other platforms like Jira.
More Related Content
Similar to #ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
- 1. ©2015, Amazon WebServices, Inc. or its affiliates. All rights reserved AWS Security Services Deep Dive – Extended with Alert Logic Patrick McDowell – Partner Solutions Architect, AWS Ryan Holland - Cloud Platform Solution Director, Alert Logic
- 2. AWS Network SecurityPrimitives
- 3. Network Access Control •Security Groups provide Stateful firewalls around each Amazon EC2 Instance • NACLs provide stateless firewalls around subnets • VPC Flow Logs provide traffic visibility • No Broadcast, VIPs, Layer 2, or Network Taps
- 4.
- 5. More tools tomove fast and stay safe • Amazon Inspector • AWS WAF • AWS Config Rules
- 6. The easy (Vulnerabilities)matter "[With] any large network, I will tell you that persistence and focus will get you in, we'll achieve that exploitation without the zero days," he says. "There's so many more vectors that are easier, less risky and quite often more productive that going down that route." This includes, of course, known vulnerabilities for which a patch is available but the owner hasn't installed it. - Rob Joyce NSA TAO @ Enigma 2016
- 7. Amazon Inspector Features ConfigurationScanning Engine Activity Monitoring Built-in Content Library Automatable via API Fully Auditable
- 8. Amazon Inspector RuleSets CVE Security Best Practices Run Time Behavior Analysis CIS Operating System Security Configuration Benchmarks
- 9. Amazon Inspector andAlert Logic • Amazon Inspector makes it easy to do the right thing BEFORE your app goes into production • Pairs point-in-time, host-based scans with continous, whitelisted network scans • Layering AWS Inspector Assessments, Alert Logic Cloud Insight and Cloud Defender provides full spectrum security visibility and response
- 10. AWS WAF (WebApplication Firewall)
- 11. AWS WAF Features WebFiltering CloudFront Integration Centralized Rule Management Real-Time Visibility API Automation
- 12. AWS WAF Benefits IncreasedProtection Against Web Attacks Ease of Deployment and Maintenance Security Embedded in Development Process
- 13. AWS WAF inAction AWS Management ConsoleAdmins Developers AWS API Web App in CloudFront Define rules Deploy protection AWS WAF
- 14.
- 15. AWS Config &Config Rules AWS Config Amazon Config Rules Record configuration changes continuously Time-series view of resource changes Archive & Compare Enforce best practices Automatically roll-back unwanted changes Trigger additional workflow
- 16. AWS Config RulesBenefits Continuous monitoring for unexpected changes Shared Compliance across your organization Simplified management of configuration changes
- 17. AWS Config RulesFeatures Flexible Rules evaluated continuously and retroactively Dashboard and Reports for Common Goals Customizable Remediation API Automation
- 18. Advanced Compliance withConfig Rules • Open Source Rules – https://github.com/awslabs/aws-config-rules • Enforce encryption on all volumes • Ensure CloudTrail is enabled globally for bucket X • Confirm that no users have MFA disabled • Create a rule that no security group can permit 0.0.0.0/0 • No Root Access Keys or logins without MFA • All Instances Must be in VPC-ID X
- 19. AWS Config Rulesand Alert Logic • Lambda function used to add Config Rules violations to Cloud Insight platform as remediation tasks. • Tight integration with JIRA to allow automatic ticket routing to asset owner and validation when tickets are closed.
- 20.
Editor's Notes
- #7 Why we built Inspector What uses cases does it cover Makes it easy to do the very basics, which gives you a lot Easier Barrier to entry AL CI = Builds on top of basic primitives we offer
- #8 Checks both OS + Apps
- #9 CVE – Most Common Targets Security Best Practices – From AWS AppSec, e.g. SSH allows root logins Run Time Bheavior Analysis – Long Running Analysis, can affect the severity of the findings CIS – Industry Standard guide to hardening your OS, biggest customer ask we had
- #10 Emphasize dev-test AL is for prod AL also has IDS, no concept of IDS on AWS natively
- #13 Can Programmatically add rules from logs you mined # of 400 errors -> Bad Bot and you can automatically ingest those Bad Ips Sources from other Systems (E.g. FinServ) Make the ‘Rules’ Part of your ‘Infrastructure as Code’
- #14 AWS WAF can protect the edge, AL can do it at the origin ->Provides intelligence and complex rules/logic that our WAF does not come out of the box with ->Auto-Scales to meet your needs
- #16 Config: . It allows you to get an inventory of all resources in AWS, discover new and deleted resources, record those changes continuously, and get notified when configurations change. Author custom rules using AWS Lambda
- #17 Puts Guard Rails into place across the Enterprise/Production If something falls out of compliance, automatically, rolls back to compliance standards set You can not do this on premises.
- #18 Lambda Functions are the custom rules that get triggered Triggers are Time or Resource Based. Invoked automatically for continuous assessment (single pane of glass) Use dashboard for visualizing compliance and identifying offending changes
- #20 For the AWS Config Rules service we have created a custom Lambda function that allows Cloud Insight to ingest violations of rules that have been created and we present these as remediation tasks along side other remediations for a particular asset in AWS. One key part of how these remediations are presented is that the AWS metadata and other information we collect from the environment is used to help provide the best means for remediating a violation, for example if multiple instances are launched without a required tag or using encrypted volumes and they are all part of the same AutoScaling group by understanding the environment and maintaining a continuously updated asset model we direct the remediation to update that ASLC/G rather than the individual instances since in that case simply applying a fix to the instances will not fix the root of the issue. Also as I touched on previously our API and integrations with tools such as JIRA allows violations from Config Rules as well as any other remediations to be directed automatically to the owner of the instance through a ticket in JIRA and the plugin is bi-directional meaning that when the owner marks the ticket as closed we will go and validate that the remediation has actually been completed and if needed re-open the ticket. this automation means that your security teams don’t need to spend time tracking down who owns a particular instance and to perform manual validation of the fix once the tickets are marked complete.