Automating Security Operations on AWS

Tim Prendergast CEO and Co-Founder at Evident.io

$6.53M

56% 70%Increase in theft of hard

intellectual property

Of consumers indicated

they’d avoid businesses

following a security breach

Average cost of a

data breach

Why?

https://www.csid.com/resources/stats/data-breaches/

http://www.pwc.com/gx/en/issues/cyber-

security/information-security-survey.htmlhttps://www.csid.com/resources/stats/data-breaches/

What if I told you the Cloud is

SAFER than your datacenter?

Your Datacenter Team

Hates Me

How does your Datacenter compare?

Some API-enabled services

Disparate APIs

No true control plane

Physical concealments

Often co-habited

Fully API-enabled

API homogeneity

A “source of truth” control plane

Nowhere to hide

Nobody can “climb into” your account

Security Considerations on AWS:

#1 - Rate of Change (Dynamism)

Rate of Change

With the advent of CI/CD & DevOps,

rapid change is reality. Not the Enemy.

Security People be like

But it’s true — speed works both ways

Security scan runs at time (T)

Scan Node

Host NHost NHost NHost N

Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N

Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A

No unexpected results/changes

Security event at time (T+1)

Scan Node

Host NHost NHost NHost N

Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N

Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A

A user identity disabled MFA

Identity

Change

Security event at time (T+2)

Scan Node

Host NHost NHost NHost N

Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N

Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A

A new host running an unapproved image

appears

Malicious

Host

Security scan runs at time (T+3)

Scan Node

Host NHost NHost NHost N

Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N

Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A

Both malicious security events have exited

Scan looks clean

The RoC Question:

Who saw it?

Resources in AWS have dynamic lives…

measured in minutes, or years.

Automating Audit(s) to embrace RoC

Participants: Engineering, IT Security, Policy Makers

Activities:

Create Continuous Scanning capability

Populate with business-related Cloud Security policies/rules

Create reporting function and model

YouAWS

Automating Audit(s) (Example)

AWS

CloudTrail

All API feeds

AWS Config

App

Logs/Intellige

nce

Config Mgmt

Data

External

Threat Intel

Continuous

Monitoring &

Response

Engine

Alerting, Triggers, Humans

Automating Audit(s) (Example)

Automating Audit(s) (Example)

Automating Audit(s) (Example)

Automating Audit(s) (Example)

Automating Audit(s) (Example)

#2 - Distribution of Control

Distribution of Control/Responsibility

Firewalls

IDS/IPS

Network(s)

Legacy

Servers

Compliance

App Security

Distribution of Control/Responsibility

Firewalls

IDS/IPS

Network(s)

Legacy (normalized for reality)

Servers

Compliance

App Security

Distribution of Control/Responsibility

Firewalls

IDS/IPS

Network(s)

Modern (Cloud)

Servers

Compliance

App Security

+Engineering

Automating Enforcement

Participants: Code-capable staff

Activities:

Identify desired states

Create default remediation scripts

Attach workflow to trigger remediations

Log and review remediation histories

If you can’t articulate your security policy in plain

English*, you cannot codify it.

* (or your native language)

Automating Enforcement

Security Event

Match

Remediation

Execute Functional

Remediation

This can be done many ways…

here’s a fun example

#3 - Reaction Time

Reaction Time (Inequality thereof…)

Attackers (minutes) > Defenders (days)

Automating Containment

Participants: Code-capable staff, IT/Forensics Team

Activities:

Identify IoCs or “breach states”

Define containment timing(s) and plan(s)

Define chain-of-custody issues/strategy

Create containment actions (just like automated remediations)

Iterate actions and validate

Automating Containment

Instance

Compromised

Anomaly or

Suspicion

Immutable

redeployContainment

IR

Secure

Storage

Automating Forensics

Participants: Code-capable staff, IT/Forensics Team

Activities:

Create chain-of-custody+secure cloud account/space

Build automated test/investigation process

Enjoy!

Automating Forensics

Instance

Compromised

Anomaly or

Suspicion

Immutable

redeployContainment

IR

Secure

Storage

Process Results

Automating Forensics (AWS example)

Secure

StorageCreate VPC

Isolate Network

Summon Instance

Trigger ScanRe-snap instanceTo Human

Human

To Humans

Q&A — Ask away! (or @auxome)

Evident Security Platform (ESP)

Built by Cloud pioneers from Adobe,

AWS, and Netflix

Agentless deployment (<5 mins)

Continuously monitors security state to

drive automated audit, compliance,

and incident response.

The only platform solution that covers

50+ API-enabled AWS services

Leading the charge into a DevSecOps

world for cloud believers

Try it free - https://Evident.io

Visit Us at

Booth #601!

Thank You!

Visit Evident.io at Booth #601!