TRANSCRIPT
Automating Security Operations on AWS
Tim Prendergast, CEO and Co-Founder at Evident.io
Why?
$6.53M - average cost of a data breach
56% - increase in theft of hard intellectual property
70% - of consumers indicated they'd avoid businesses following a security breach
Sources:
https://www.csid.com/resources/stats/data-breaches/
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
What if I told you the Cloud is SAFER than your datacenter?
Your Datacenter Team Hates Me
How does your Datacenter compare?
Your datacenter:
  Some API-enabled services
  Disparate APIs
  No true control plane
  Physical concealments
  Often co-habited
AWS:
  Fully API-enabled
  API homogeneity
  A "source of truth" control plane
  Nowhere to hide
  Nobody can "climb into" your account
Security Considerations on AWS:
#1 - Rate of Change (Dynamism)
Rate of Change
With the advent of CI/CD & DevOps, rapid change is reality. Not the Enemy.
Security People be like
But it’s true — speed works both ways
Security scan runs at time (T)
Scan node queries the Cloud API across the hosts (Host N ...) and services (Svc N ... Svc A).
No unexpected results/changes.
Security event at time (T+1)
A user identity disabled MFA (identity change).
Security event at time (T+2)
A new host running an unapproved image appears (malicious host).
Security scan runs at time (T+3)
Both malicious security events have exited.
Scan looks clean.
The RoC Question:
Who saw it?
Resources in AWS have dynamic lives… measured in minutes, or years.
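The T to T+3 sequence above, worked through in code. This is an added example, not code from the talk or from Evident.io: the CloudTrail-style records and the T+3 inventory are constructed (the record field names follow the CloudTrail format, the AMI and instance IDs and the user names are hypothetical), and the approved-image list is an assumption. A point-in-time scan of the T+3 state finds nothing, while evaluating each API event as it arrives surfaces both changes.

```python
"""Why a point-in-time scan misses ephemeral events (rate of change).

Added example, not code from the talk or from Evident.io. The CloudTrail-style
records and the inventory below are constructed; the AMI and instance IDs are
hypothetical. A real deployment would read the same record shape from a
CloudTrail delivery and the inventory from the IAM/EC2 APIs.
"""
from __future__ import annotations

# Constructed allow-list of approved images (hypothetical AMI IDs).
APPROVED_AMIS = {"ami-0approved0000001", "ami-0approved0000002"}

# Constructed CloudTrail records for the window between scan T and scan T+3.
# Field names follow the CloudTrail record format; the values are made up.
EVENTS = [
    {"eventTime": "T+1", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/alice"}},
    {"eventTime": "T+1.5", "eventSource": "iam.amazonaws.com",
     "eventName": "EnableMFADevice",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/alice"}},
    {"eventTime": "T+2", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"userName": "mallory"},
     "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0unapproved00009"}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ephemeral000001"}]}}},
    {"eventTime": "T+2.5", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"userName": "mallory"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0ephemeral000001"}]}}},
]

# Constructed inventory as the scan node sees it at T+3: MFA is back on and the
# unapproved host is gone, so the state looks exactly as it did at T.
INVENTORY_T3 = {
    "users": [{"userName": "alice", "mfaEnabled": True}],
    "instances": [{"instanceId": "i-0steady0000001", "imageId": "ami-0approved0000001"}],
}


def scan_snapshot(inventory: dict) -> list[dict]:
    """Point-in-time scan: judge only the state that exists right now."""
    findings = []
    for user in inventory["users"]:
        if not user["mfaEnabled"]:
            findings.append({"rule": "iam-user-mfa", "subject": user["userName"]})
    for inst in inventory["instances"]:
        if inst["imageId"] not in APPROVED_AMIS:
            findings.append({"rule": "ec2-approved-ami", "subject": inst["instanceId"]})
    return findings


def evaluate_events(events: list[dict]) -> list[dict]:
    """Continuous evaluation: every API call is judged as it happens, so a
    change that is reverted a minute later still produces a finding."""
    findings = []
    for ev in events:
        if ev["eventName"] == "DeactivateMFADevice":
            findings.append({"rule": "iam-user-mfa", "at": ev["eventTime"],
                             "subject": ev["requestParameters"]["userName"],
                             "actor": ev["userIdentity"]["userName"]})
        elif ev["eventName"] == "RunInstances":
            requested = ev["requestParameters"]["instancesSet"]["items"]
            launched = ev["responseElements"]["instancesSet"]["items"]
            for req, resp in zip(requested, launched):
                if req["imageId"] not in APPROVED_AMIS:
                    findings.append({"rule": "ec2-approved-ami", "at": ev["eventTime"],
                                     "subject": resp["instanceId"],
                                     "actor": ev["userIdentity"]["userName"]})
    return findings


if __name__ == "__main__":
    print("snapshot scan at T+3:", scan_snapshot(INVENTORY_T3))  # []
    for finding in evaluate_events(EVENTS):
        print("event-driven finding:", finding)
```

The snapshot scan is not wrong, it is just late: both violations existed only between two scan runs. The event path keeps the actor and the time, which is exactly what "who saw it?" asks for.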
Automating Audit(s) to embrace RoC
Participants: Engineering, IT Security, Policy Makers
Activities:
Create Continuous Scanning capability
Populate with business-related Cloud Security policies/rules
Create reporting function and model
Automating Audit(s) (Example)
Inputs from AWS: AWS CloudTrail (all API feeds), AWS Config
Inputs from you: App Logs/Intelligence, Config Mgmt Data, External Threat Intel
-> Continuous Monitoring & Response Engine
-> Alerting, Triggers, Humans
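The three audit activities listed above (a continuous scanning capability, business policies expressed as rules, and a reporting model) as one small engine. This is an added example, not code from the talk or from Evident.io: the configuration items are constructed to resemble simplified AWS Config items, and the rule IDs, severities and resource IDs are hypothetical. Each rule carries the plain-English policy it codifies next to the check itself.

```python
"""A minimal continuous-monitoring engine: rules, sources, report model.

Added example, not the talk's or Evident.io's code. The configuration items
are constructed to resemble simplified AWS Config items; the rule IDs,
severities and resource IDs are hypothetical.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    id: str
    text: str                      # the plain-English policy this check codifies
    resource_type: str             # AWS Config resourceType the check applies to
    severity: str                  # "high" | "medium" | "low"
    check: Callable[[dict], bool]  # returns True when the item is compliant


def _no_world_ssh(cfg: dict) -> bool:
    """Compliant unless some ingress rule covers port 22 from 0.0.0.0/0."""
    for perm in cfg["ipPermissions"]:
        if perm["fromPort"] <= 22 <= perm["toPort"] and any(
            r["cidrIp"] == "0.0.0.0/0" for r in perm["ipRanges"]
        ):
            return False
    return True


RULES = [
    Rule("SG-1", "No security group allows SSH from the whole internet.",
         "AWS::EC2::SecurityGroup", "high", _no_world_ssh),
    Rule("S3-1", "No S3 bucket grants public read.",
         "AWS::S3::Bucket", "high", lambda c: not c["publicRead"]),
    Rule("IAM-1", "Every IAM user has MFA enabled.",
         "AWS::IAM::User", "medium", lambda c: c["mfaEnabled"]),
    Rule("EC2-1", "Every instance carries an owner tag.",
         "AWS::EC2::Instance", "low", lambda c: "owner" in c["tags"]),
]

# Constructed configuration items (simplified AWS Config shape, hypothetical IDs).
ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0bastion000001",
     "configuration": {"ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0web0000000002",
     "configuration": {"ipPermissions": [
         {"fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-public-assets",
     "configuration": {"publicRead": True}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-private-backups",
     "configuration": {"publicRead": False}},
    {"resourceType": "AWS::IAM::User", "resourceId": "alice",
     "configuration": {"mfaEnabled": True}},
    {"resourceType": "AWS::IAM::User", "resourceId": "bob",
     "configuration": {"mfaEnabled": False}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0tagged00000001",
     "configuration": {"tags": {"owner": "payments-team"}}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0untagged000002",
     "configuration": {"tags": {}}},
]


def evaluate(items: list[dict], rules: list[Rule]) -> list[dict]:
    """Run every applicable rule against every item; one result per pair."""
    results = []
    for item in items:
        for rule in rules:
            if rule.resource_type != item["resourceType"]:
                continue
            results.append({
                "rule": rule.id, "policy": rule.text, "severity": rule.severity,
                "resource": item["resourceId"],
                "compliant": bool(rule.check(item["configuration"])),
            })
    return results


def report(results: list[dict]) -> dict:
    """Reporting model: totals, failures by severity, a score, and whether a
    human needs paging (any high-severity failure)."""
    failed = [r for r in results if not r["compliant"]]
    total = len(results)
    return {
        "evaluations": total,
        "failures": len(failed),
        "by_severity": dict(Counter(r["severity"] for r in failed)),
        "score": round(100 * (total - len(failed)) / total) if total else 100,
        "page_humans": any(r["severity"] == "high" for r in failed),
        "failed_resources": sorted(r["resource"] for r in failed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(evaluate(ITEMS, RULES)), indent=2))
```

Running the engine on a schedule, or on every Config change notification, gives the continuous-scanning capability; the report dict is what feeds the "Alerting, Triggers, Humans" box, with `page_humans` as the trigger.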
#2 - Distribution of Control
Distribution of Control/Responsibility
Areas: Firewalls, IDS/IPS, Network(s), Servers, Compliance, App Security
Shown three ways:
  Legacy
  Legacy (normalized for reality)
  Modern (Cloud): +Engineering
Automating Enforcement
Participants: Code-capable staff
Activities:
Identify desired states
Create default remediation scripts
Attach workflow to trigger remediations
Log and review remediation histories
If you can’t articulate your security policy in plain English*, you cannot codify it.
* (or your native language)
Automating Enforcement
Security Event -> Match Remediation -> Execute Functional Remediation
This can be done many ways… here’s a fun example
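The enforcement workflow above (desired states, default remediation scripts, a trigger that matches findings to them, and a remediation history to review) as an added example. It is not code from the talk or from Evident.io: the findings are constructed, the resource IDs are hypothetical, and the remediation functions return the boto3 call they would make instead of making it (the method names are real boto3 methods; the default executor is a dry run), so the whole workflow runs offline.

```python
"""Desired state -> remediation -> trigger -> history (automating enforcement).

Added example, not the talk's or Evident.io's code. Findings are constructed;
the remediation functions return the boto3 call they would make instead of
making it (the method names are real boto3 methods, the resource IDs are
hypothetical), so the workflow runs offline as a dry run.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Desired states written in plain English first; if the sentence can't be
# written, the remediation can't be either.
DESIRED = {
    "SG-1": "No security group allows 0.0.0.0/0 on port 22.",
    "S3-1": "Every bucket has all four public-access-block settings on.",
    "IAM-1": "Users without MFA have no active access keys.",
}

PUBLIC_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def remediate_sg(f: dict) -> list[dict]:
    # real call: ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=[...])
    return [{"api": "ec2.revoke_security_group_ingress", "GroupId": f["resource"],
             "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]


def remediate_s3(f: dict) -> list[dict]:
    # real call: s3.put_public_access_block(Bucket=..., PublicAccessBlockConfiguration=...)
    return [{"api": "s3.put_public_access_block", "Bucket": f["resource"],
             "PublicAccessBlockConfiguration": PUBLIC_BLOCK}]


def remediate_iam(f: dict) -> list[dict]:
    # real call, once per key: iam.update_access_key(UserName=..., AccessKeyId=..., Status="Inactive")
    return [{"api": "iam.update_access_key", "UserName": f["resource"],
             "AccessKeyId": key, "Status": "Inactive"}
            for key in f.get("accessKeyIds", [])]


REMEDIATIONS = {"SG-1": remediate_sg, "S3-1": remediate_s3, "IAM-1": remediate_iam}


def dry_run(calls: list[dict]) -> str:
    """Default executor: make no API calls, only report what would have run."""
    return "dry-run"


@dataclass
class Enforcer:
    executor: Callable[[list], str] = dry_run   # swap in a real boto3-backed executor
    history: list = field(default_factory=list)
    _done: set = field(default_factory=set, repr=False)  # (rule, resource) already handled

    def handle(self, finding: dict) -> dict:
        """Workflow step: a finding arrives, a remediation is matched and run
        (or recorded), and the outcome is appended to the history."""
        key = (finding["rule"], finding["resource"])
        entry = {"finding": finding, "desired": DESIRED.get(finding["rule"]),
                 "calls": [], "status": ""}
        fix = REMEDIATIONS.get(finding["rule"])
        if fix is None:
            entry["status"] = "no-remediation"      # needs a human, not a script
        elif key in self._done:
            entry["status"] = "skipped-duplicate"   # idempotent: don't re-fire on the same finding
        else:
            entry["calls"] = fix(finding)
            entry["status"] = self.executor(entry["calls"])
            self._done.add(key)
        self.history.append(entry)
        return entry

    def review(self) -> dict:
        """Review model: how each finding was handled, for the history review step."""
        return dict(Counter(e["status"] for e in self.history))


# Constructed findings, as a monitoring engine would emit them.
FINDINGS = [
    {"rule": "SG-1", "resource": "sg-0bastion000001"},
    {"rule": "SG-1", "resource": "sg-0bastion000001"},          # same finding again
    {"rule": "IAM-1", "resource": "bob", "accessKeyIds": ["AKIAEXAMPLE0000001"]},
    {"rule": "KMS-9", "resource": "key-0unknown0001"},           # no remediation defined
]

if __name__ == "__main__":
    enf = Enforcer()
    for f in FINDINGS:
        print(enf.handle(f))
    print(enf.review())
```

Keeping the remediation as data (the call it would make) rather than a side effect is what makes the dry run, the history and the later review possible; a finding with no matching remediation is recorded rather than silently dropped.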
#3 - Reaction Time
Reaction Time (Inequality thereof…)
Attackers (minutes) > Defenders (days)
Automating Containment
Participants: Code-capable staff, IT/Forensics Team
Activities:
Identify IoCs or “breach states”
Define containment timing(s) and plan(s)
Define chain-of-custody issues/strategy
Create containment actions (just like automated remediations)
Iterate actions and validate
Automating Containment
Instance Compromised (Anomaly or Suspicion) -> Containment -> IR -> Secure Storage
Immutable redeploy
Automating Forensics
Participants: Code-capable staff, IT/Forensics Team
Activities:
Create chain-of-custody+secure cloud account/space
Build automated test/investigation process
Enjoy!
Automating Forensics
Instance Compromised (Anomaly or Suspicion) -> Containment -> IR -> Secure Storage -> Process Results
Immutable redeploy
Automating Forensics (AWS example)
Secure Storage -> Create VPC -> Isolate Network -> Summon Instance -> Trigger Scan -> Re-snap instance -> To Human(s)
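The containment and forensics activities above (IoC-triggered containment, an ordered plan, a chain-of-custody strategy, and the AWS pipeline from isolation through re-snapshot to handoff) as one added example. It is not code from the talk or from Evident.io: the suspect instance, the trigger and the forensic environment are constructed with hypothetical IDs, the forensic VPC is assumed to be pre-built, and each step names the boto3 call a real executor would make while the default executor only records it. The custody log hash-chains each entry to the previous one so after-the-fact edits are detectable.

```python
"""Containment and forensics pipeline with a hash-chained chain-of-custody log.

Added example, not the talk's or Evident.io's code. The instance record,
trigger and forensic-VPC details are constructed (IDs hypothetical). Each step
names the boto3 call a real executor would make; here a dry-run executor only
records it, so the pipeline and the custody log can be exercised offline.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64

# Constructed details of the pre-built forensic environment (the "Create VPC"
# step is done once, ahead of any incident, in a separate secure account).
FORENSIC = {"accountId": "999988887777", "subnetId": "subnet-0forensic000001",
            "analysisAmi": "ami-0analysis0000001",
            "topicArn": "arn:aws:sns:us-east-1:999988887777:ir-handoff"}

# Constructed suspect instance (hypothetical IDs).
INSTANCE = {"instanceId": "i-0suspect00000001", "rootVolumeId": "vol-0suspect0000001",
            "subnetId": "subnet-0prod0000001", "quarantineSg": "sg-0quarantine00001",
            "approvedAmi": "ami-0approved0000001"}


@dataclass
class CustodyLog:
    """Append-only log; each entry commits to the hash of the previous entry."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: dict, result: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "result": result, "prev": prev}
        body["hash"] = self._digest(body)  # hash over everything except itself
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def plan(instance: dict, trigger: str) -> list[dict]:
    """Ordered steps: contain first (seconds), preserve evidence, then analyse."""
    iid = instance["instanceId"]
    return [
        {"step": "tag-quarantine", "api": "ec2.create_tags", "Resources": [iid],
         "Tags": [{"Key": "ir:status", "Value": "quarantine"}, {"Key": "ir:trigger", "Value": trigger}]},
        {"step": "isolate-network", "api": "ec2.modify_instance_attribute", "InstanceId": iid,
         "Groups": [instance["quarantineSg"]]},          # SG with no ingress/egress rules
        {"step": "snapshot", "api": "ec2.create_snapshot",
         "VolumeId": instance["rootVolumeId"], "Description": f"{iid} pre-analysis"},
        {"step": "share-to-secure-storage", "api": "ec2.modify_snapshot_attribute",
         "SnapshotId": "<id returned by the snapshot step>", "Attribute": "createVolumePermission",
         "OperationType": "add", "UserIds": [FORENSIC["accountId"]]},
        {"step": "immutable-redeploy", "api": "ec2.run_instances",   # replacement from known-good image
         "ImageId": instance["approvedAmi"], "SubnetId": instance["subnetId"]},
        {"step": "summon-analysis-instance", "api": "ec2.run_instances",
         "ImageId": FORENSIC["analysisAmi"], "SubnetId": FORENSIC["subnetId"]},
        {"step": "trigger-scan", "api": "ssm.send_command", "DocumentName": "AWS-RunShellScript",
         "Comment": f"scan volume copied from {iid}"},
        {"step": "re-snapshot", "api": "ec2.create_snapshot",
         "VolumeId": instance["rootVolumeId"], "Description": f"{iid} post-analysis"},
        {"step": "to-human", "api": "sns.publish", "TopicArn": FORENSIC["topicArn"],
         "Subject": f"IR handoff {iid}"},
    ]


def run(instance: dict, trigger: str, log: CustodyLog, executor=None,
        actor: str = "ir-automation") -> CustodyLog:
    """Execute the plan step by step, recording every action in the custody log."""
    executor = executor or (lambda action: f"dry-run:{action['api']}")
    for action in plan(instance, trigger):
        log.record(actor, action, executor(action))
    return log


if __name__ == "__main__":
    log = run(INSTANCE, "anomaly: unapproved image", CustodyLog())
    for e in log.entries:
        print(e["seq"], e["action"]["step"], e["result"], e["hash"][:12])
    print("chain intact:", log.verify())
```

Network isolation and the first snapshot come before anything that touches the instance, so the evidence reflects the state at detection; the log is what a human reviews at handoff, and should itself be written to the secure storage account rather than the one under investigation.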
Q&A — Ask away! (or @auxome)
Evident Security Platform (ESP)
Built by Cloud pioneers from Adobe, AWS, and Netflix
Agentless deployment (<5 mins)
Continuously monitors security state to drive automated audit, compliance, and incident response.
The only platform solution that covers 50+ API-enabled AWS services
Leading the charge into a DevSecOps world for cloud believers
Try it free - https://Evident.io
Visit Evident.io at Booth #601!
Thank You!