© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Evident.io: John Martinez / Tim Prendergast

Ellie Mae: Anthony Johnson

November 30, 2016

SAC402

The AWS Hero’s Journeyto Achieving Autonomous, Self-Healing

Security

What to expect from the session

• Evident.io and programmatic security

• The journey to

security automation maturity

• CIS AWS foundations benchmark

• AWS security by design

• Evident.io custom signatures

• Exploiting the bots

• Taking stock of your environment

• The Ellie Mae journey

Anthony Johnson @ Ellie Mae

• Cloud Computing and Security

expert

• Works at Ellie Mae

• Previously at Nokia

• Extensive automation

experience

Introductions

John Martinez @ Evident.io

• I’ve worked “in the cloud” since

2010

• At Evident.io since early 2014

• Background in Unix wizardry

and all things related

• I love making latte art (or at

least trying!)

The Ellie Mae story

Evident.io and programmatic

security

Evident.io ESP and programmatic security

• Evident.io ESP is a new-generation security platform

designed in the cloud for the cloud

• All security data is derived from the AWS service APIs

and AWS CloudTrail

• Performs continuous security monitoring

• Provides continuous compliance testing and reporting

• Covers all AWS services

Evident.io ESP and programmatic security

API for

programmatic

access to both

control plane and

data plane

Evident.io ESP and programmatic security

Output integrations

for doing interesting

things with report

data

Amazon

SNSSlack

Jira Hip Chat Pager Duty

Webhook

Service Now

Evident.io ESP and programmatic security

Example API use case

• Automatically add new

AWS accounts to

Evident.io

https://github.com/EvidentSecurity/esp_sdk

Evident.io ESP and programmatic security

Example integration

use case:

Analyze ESP data in

Sumo Logic

http://docs.evident.io/#sumo

The journey to

security automation maturity

Security automation maturity

Proactive

CI/CD toolchain

AWS CloudFormation

templates

Code analysis and

review

Pre/post deploy

testing

Continuous

Infrastructure testing

and alerting

Application logging

Auto Scaling

HISA/NIDS

FIM

Config management

Self-healing

Auto-remediation via

AWS Lambda

Automatic rollback to

known good state

Automatic failover to

other regions

Security automation maturity

Proactive

CI/CD toolchain

AWS CloudFormation

templates

Code analysis and

review

Pre/post deploy

testing

Continuous

Infrastructure testing

and alerting

Application logging

Auto Scaling

HISA/NIDS

FIM

Config management

Self-healing

Auto-remediation via

AWS Lambda

Automatic rollback to

known good state

Automatic failover to

other regions

Most of us are here

Ellie Mae’s automation story

CIS AWS foundations

benchmark

CIS AWS Foundations Benchmark

• CIS AWS Foundations Benchmark is a great place to

start for automated infrastructure testing and alerting

• Benchmark is the result of months of hard work by AWS,

CIS, Evident.io, and a lot of other dedicated contributors

• Use the benchmark as a base set of controls to test and

use to enforce security of your AWS accounts

https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

CIS AWS Foundations Benchmark

Evident.io ESP

provides continuous

testing of CIS AWS

Foundations

Benchmark controls and

helps prevent security

“drift”

Included in all Evident.io ESP accounts

How Ellie Mae does compliance

AWS security by design

AWS security by design

• The AWS recommended approach to proactive security

in AWS

• Provides a practical approach to creating your security

controls matrix and enforcing those controls

• Heavy on the proactive automation via AWS

CloudFormation

https://aws.amazon.com/compliance/security-by-design/

AWS security by design

Avoid security

automation pitfalls

AWS security by design

Avoid security

automation pitfalls

Evident.io’s custom signatures

to the rescue

Custom signatures

• Evident.io’s platform includes checks of many different

AWS services, but you can extend with your own custom

signatures

• Check services on included

• Create conditional tests that make sense for your

environment

• Refine our built-in signatures

• If you can write it in the AWS Ruby SDK, it should work

Custom signatures

Example use cases:

• Enforcing tagging standards

• Checking corporate egress IP spaces in EC2 security

groups

• Enforcing ELB SSL ciphers

• Even useful for general operational automation

Open-source custom signatures repo:

https://github.com/EvidentSecurity/custom_signatures

Custom signatures

Example:

Checking for EC2

AMIs that are shared

publicly

How Ellie Mae is using

Evident.io for success

Exploiting the bots

Exploiting the bots

• Take advantage of AWS’ serverless compute

service, Lambda, to self-heal your environment

• Immediately react to changes in your

environment

• Auto-remediation of AWS resources by revoking

change or rolling back to a known good state

Exploiting the bots

Example:

Auto-remediating global

SSH port on an EC2

security group

https://github.com/EvidentSecurity/aws-

lambda/blob/master/autoremediate/autoremediate-EC2-002.py

Exploiting the bots

+

Evident.io

feeds the

bots

Exploiting the bots

Other areas to exploit:

• Automatic rollback

• Failover to other regions

• Automatic creation of quarantined environments

for forensic testing

Ellie Mae’s bots rising

Taking stock of your

environment

How would you rate yourself?

A great journey in the making:

Ellie Mae

Come see us at Evident.io booth #404!

anthony.johnson@elliemae.com

https://www.linkedin.com/in/antho

ny-johnson-566b356

john@evident.io

@johnmartinez

https://www.linkedin.com/in/johnm

artinez

https://github.com/EvidentSecurity/reinvent2016

Thank you!

Remember to complete

your evaluations!

Related sessions