1. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Secure and Automate AWS Deployments with Next Generation Security
Anshul Srivastava, Solutions Architect, AWS MENA
RaEd Abudayyeh, Cloud Security Lead (Palo Alto), Emerging Markets
2. Why is traditional threat detection so hard?
Large datasets, signal to noise, skills shortage
3. Get the humans away from the data
4. Threat detection: Log data inputs
• AWS CloudTrail: track user activity and API usage
• VPC Flow Logs: IP traffic to/from network interfaces in your VPC
• CloudWatch Logs: monitor apps using log data, store & access log files
• DNS Logs: log of DNS queries in a VPC when using the VPC DNS resolver
5. AWS CloudTrail
6. Detect with VPC Flow Logs
Each flow log record carries: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start & end time, accept or reject
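Added example, not from the deck, showing how the record fields listed above are parsed and turned into a simple detection: a parser for the default version-2 flow log format, and a check that flags a source whose REJECTed flows span many distinct destination ports, the pattern behind the "port probe" finding type the deck lists later. All records, the account id and the ENI id are constructed.

```python
"""Parse VPC Flow Log records and flag port-probe behaviour.

Added example, not from the original deck. Assumes the default version-2
record format (version, account-id, interface-id, srcaddr, dstaddr, srcport,
dstport, protocol, packets, bytes, start, end, action, log-status).
"""
from collections import defaultdict
from typing import Optional

FIELDS = ("version", "account", "interface", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

def parse_record(line: str) -> Optional[dict]:
    """Split one record into the fields from the slide. NODATA/SKIPDATA records
    carry dashes instead of traffic fields, so they are returned as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec

def find_port_probes(lines, min_ports: int = 5) -> dict:
    """Map each source IP whose REJECTed flows hit at least min_ports distinct
    destination ports to the sorted list of those ports (port-probe pattern)."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed sample: one external host probing five ports (rejected), one normal
# accepted flow, one NODATA record. Account id and ENI id are placeholders.
SAMPLE_RECORDS = [
    f"2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.12 {51230 + i} {p} 6 1 40 "
    f"1531000000 1531000060 REJECT OK"
    for i, p in enumerate((22, 23, 80, 443, 3389))
] + [
    "2 111122223333 eni-0a1b2c3d 10.0.1.30 10.0.1.12 45000 443 6 12 2400 "
    "1531000000 1531000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d - - - - - - - 1531000000 1531000060 - NODATA",
]
```

Running `find_port_probes(SAMPLE_RECORDS)` returns the probing host with the five rejected ports; the accepted flow and the NODATA record contribute nothing.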
7. Amazon CloudWatch Logs subscriptions
• Real-time feed of log events
• Delivered to an AWS Lambda function or Amazon Kinesis Data Streams
• Supports custom processing, analysis, loading into other systems
• Cross-account data sharing for centralized log processing
8. Threat detection: Machine learning
• Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• Amazon Macie: machine learning-powered security service to discover, classify, & protect sensitive data
9. What can Amazon GuardDuty detect?
Attack chain shown: RDP brute force, RAT installed, exfiltrate temp IAM creds over DNS, probe API with temp creds, attempt to compromise account
Signals detected: malicious or suspicious IP, unusual ports, DNS exfiltration, unusual traffic volume, connect to blacklisted site, recon, anonymizing proxy, temp credentials used off-instance, unusual ISP caller, Bitcoin activity, unusual instance launch
10. Amazon GuardDuty threat detection and notification
11. Detecting known threats
Threat intelligence
• Feeds:
o AWS Security
o Commercial - CrowdStrike, Proofpoint
o Open source
o Customer provided - "format": "[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]"
• Known malware-infected hosts
• Anonymizing proxies
• Sites hosting malware and hacker tools
• Cryptocurrency mining pools and wallets
12. Detecting unknown threats
Anomaly detection
• Algorithms to detect unusual behavior
o Inspecting signal patterns for signatures
o Profiling normal activity and looking at deviations
o Machine learning classifiers
13. Finding types
Recon
• Port probe on unprotected port
• Outbound port scans
• Callers from anonymizing proxies
Backdoor
• Spambot or C&C activity
• Exfiltration over DNS channel
• Suspicious domain request
Trojan
• Domain generation algorithm (DGA) domain request
• Blackhole traffic
• Drop point
Unauthorized Access
• Unusual ISP caller
• SSH/RDP brute force
Stealth
• Password policy change
• AWS CloudTrail logging disabled
• Amazon GuardDuty disabled in member account
Cryptocurrency
• Communication with bitcoin DNS pools
• Cryptocurrency related DNS calls
• Connections to bitcoin mining pool
14. Multi-account support
Diagram: Amazon GuardDuty runs in Account A, Account B and Account C; their findings flow through CloudWatch Events into the security team account, which also runs GuardDuty
15. Visibility to answer the tough questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance needs?
16. Amazon Macie
• Understand your data: natural language processing (NLP)
• Understand data access: predictive user behavior analytics (UBA)
17. Macie content classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and cloud SaaS API keys
18. Macie user behavior analytics (UBA)
• Use behavioral analytics to baseline normal behavior patterns
• Contextualize by value of data being accessed
Example shown: a large increase in viewed content, a possible indicator of early stage reconnaissance
19. Macie user behavior analytics (UBA)
0. Feature extraction from event data
1. Map into user time series
2. Cluster peer groups
3. Predict user activity, update models
4. Identify anomalies
5. Attempt to explain statistically
6. Alert and narrative explanation created
(Chart label: normal accesses)
20. Discover and alert on global permissions
• Works on Amazon S3 bucket and object policies
• Use AWS Lambda to approve or automatically remediate overly permissive policies
o Delete the object
o Revoke access: bucket or object
o Update IAM policies
o Suspend user
• Prioritize by PII impact and data loss prevention (DLP) risk
21. Threat detection: Triggers
• Amazon CloudWatch Events: delivers a near real-time stream of system events that describe changes in AWS resources
• AWS Config Rules: continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules
22. AWS Config Rules
A continuous recording and assessment service
Diagram: changing resources → AWS Config (normalized history snapshot, notifications, API access) → AWS Config Rules
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
23. Amazon CloudWatch Events
Diagram: GuardDuty findings → CloudWatch Event rule (pattern below) → Lambda function
    {
      "source": [
        "aws.guardduty"
      ]
    }
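Added example, not from the deck, of the Lambda function on the receiving end of that rule: it validates the CloudWatch Events envelope, buckets the finding's numeric severity into the Low/Medium/High labels GuardDuty uses, and returns a routing decision that a notification or remediation step can act on. The event shape (finding under `detail` with `type`, `severity` and `resource.instanceDetails`) is the documented one; the ids, the sample event and the `notify` sink are constructed placeholders.

```python
"""Triage GuardDuty findings delivered through the CloudWatch Events rule above.

Added example, not from the original deck. The event shape is the documented
one (a 'GuardDuty Finding' event with the finding under 'detail', including
'type' and a 0.1-8.9 'severity'); ids and the notify() sink are placeholders.
"""
import json

def severity_label(severity: float) -> str:
    """Bucket GuardDuty's numeric severity into the Low/Medium/High labels."""
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"

def triage(event: dict) -> dict:
    """Validate the event and decide what the automation should do, without
    calling any AWS API, so the decision itself can be logged and tested."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    family = finding["type"].split(":", 1)[0]  # Recon, Backdoor, Stealth, ...
    instance = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    action = {"HIGH": "page-oncall-and-ticket", "MEDIUM": "ticket", "LOW": "log-only"}[label]
    # Policy chosen for this example: Stealth findings (e.g. CloudTrail logging
    # disabled) blind later detection, so they are escalated whatever the score.
    if family == "Stealth":
        action = "page-oncall-and-ticket"
    return {"finding_id": finding["id"], "type": finding["type"], "family": family,
            "severity": label, "instance": instance, "action": action}

def lambda_handler(event, context=None, notify=print):
    """Lambda entry point: triage, then hand the JSON summary to the notify sink
    (print here; an SNS publish or ticketing call in a real deployment)."""
    summary = triage(event)
    if summary["action"] != "log-only":
        notify(json.dumps(summary))
    return summary

# Constructed sample event in the CloudWatch Events envelope for GuardDuty.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111122223333", "region": "eu-west-1",
    "detail": {"id": "finding-id-placeholder", "severity": 2.0,
               "type": "Recon:EC2/PortProbeUnprotectedPort",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```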
24. Threat remediation: Network
AWS Shield Advanced: managed service providing DDoS protection against, and visibility into, large, sophisticated attacks, plus access to DDoS experts
25. Spectrum of attacks
From DDoS to targeted attacks: reflection and amplification, layer 3 & 4 floods, Slowloris, SSL abuse, HTTP floods, bots and probes, SQL injection, XSS, RFI/LFI, application exploits, certificate hijacking, spear phishing, CSRF, authorization exploits
Services shown across the spectrum: AWS WAF (Web Application Firewall), Amazon CloudFront, Elastic Load Balancing, AWS Shield, Amazon Inspector, Amazon Macie, AWS Certificate Manager, AWS Marketplace: IDS/IPS, anti-malware
26. Defense in depth
Diagram: traffic from the Internet passes the border network (Internet-layer mitigations), then AWS services (network-layer and web-layer mitigations) before reaching customer resources, with DDoS detection at each layer and the DDoS Response Team (DRT) handling sophisticated Layer 7 attacks
Attack types shown: large-scale attacks, SYN floods, reflection attacks, suspicious sources, HTTP floods, bad bots, suspicious IPs, SSL attacks, Slowloris, malformed HTTP
27. AWS Shield: DDoS attack detection
Data sources:
1. Network-layer telemetry from routers
2. AWS services
• Amazon S3
• Amazon CloudFront
• Amazon Route 53
• AWS WAF
28. Always-on monitoring and detection
• Signature-based detection
• Heuristics-based anomaly detection
• Baselining
29. Layer 3/4 infrastructure protection
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
Traffic prioritization based on suspicion score: high-suspicion packets dropped, low-suspicion packets retained
31. Security Operating Platform
Diagram: Palo Alto Networks apps, 3rd party apps and customer apps run on the Application Framework, fed by the Logging Service and threat intel data, spanning network, endpoint and cloud
32. Leadership in cybersecurity
• 63% of the Global 2K are Palo Alto Networks customers
• 29% year over year revenue growth*
• 85 of Fortune 100 rely on Palo Alto Networks
• #1 in Enterprise Security
• 54,000+ customers in 150+ countries
• Revenue trend: 40% CAGR FY14 - FY18 (chart: FY14, FY15, FY16, FY17, FY18)
* Q4FY2018. Fiscal year ends July 31.
Source: Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018
35. AWS security = a shared responsibility
AWS looks after the security OF the platform: AWS Foundation Services (compute, storage, database, networking) and AWS Global Infrastructure (regions, availability zones, edge locations)
Customers are responsible for their security IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client & server encryption; network traffic protection; encryption key management
38. Trivia question!
Through 2020, 95% of cloud security failures will be the customer's fault
Source: “A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic,” Gartner, November 2, 2016
41. Three key security elements
Diagram: a Virtual Private Cloud (VPC) with web servers, app servers, object storage, caching and database tiers (IaaS and PaaS), connected to on-premises
• Inline: protect and segment cloud workloads (VM-Series NGFW)
• Host: secure OS & app within workloads (Traps)
• API: continuous security & compliance (Evident)
42. Protect and segment cloud workloads: VM-Series
Diagram: the same VPC tiers (web server, app server, object storage, caching, database; IaaS and PaaS), repeated across scaled-out deployments and connected to on-premises
• Application visibility and workload segmentation
• Auto-scale based on triggers
• Prevent outbound and inbound attacks
43. Continuous monitoring and compliance: Evident
Questions answered through the API: Is MFA enabled? Is any sensitive data exposed? What services are running? Who has access to this resource?
• Discover and monitor resources
• Compliance reporting
• Secure storage services
48. Our approach to SaaS security
Diagram: remote users, branch and headquarters, on managed and unmanaged devices, reach sanctioned, tolerated and unsanctioned SaaS applications through the GlobalProtect Cloud Service and the NGFW (inline), with Aperture connected to the SaaS applications via API
• SaaS application visibility and granular enforcement delivered inline
• Monitor in-cloud activity and protect data with Aperture