Agenda
Review of the AWS “Shared Security” Model
Implications on Threat Detection
Current state of Security in the Amazon AWS Cloud
Effective Security Monitoring in AWS
AW
S
APPLICATION
OPERATING SYSTEM
NETWORK
HYPERVISOR
PHYSICAL
User’s
Responsibility
Amazon’s
Responsibility
AWS: Who’s really responsible?
Plenty of advice on how to secure your AWS implementation:
• Secure the root credentials with a strong password and multi-factor
authentication
• Use Multi-Factor Authentication for all admin accounts
• AWS VPC security
• AWS EC2 security: Use roles with minimal permissions to make API
calls from within EC2.
• Use CloudTrail to track changes made to the environment via API
calls.
• Make use of intrusion detection and log analysis in your environment
• For more complex environments, use SAML to establish a single
sign-on (SSO) for your AWS management.
AWS: Shared Security Model
AW
S
APPLICATION
OPERATING SYSTEM
NETWORK
HYPERVISOR
PHYSICAL
AWS: Shared Security Model
AW
S
APPLICATION
OPERATING SYSTEM
NETWORK
HYPERVISOR
PHYSICAL
So how do you monitor your environment?
How do you detect the latest threats?
What we do know is if an environment can be
compromised, it WILL be compromised.
AWS: What is effective monitoring?
View user activity
Detect known malicious behavioral patterns
Identify anomalous activity
Audit best practices and secure configuration
Dynamically adapt to a changing environment
AW
S
APPLICATION
OPERATING SYSTEM
NETWORK
HYPERVISOR
PHYSICAL
Dynamic
environment
Restricted
Deployment
Monitoring in a shared world
New Features
In other words…
• What services are my users using?
• Who terminated my instance?
• Do any of my instances have known vulnerabilities?
• Has anyone updated my security groups?
• Do I have any of my services publicly accessible?
Failure to use Security Groups – more
than 20,000 databases are publically
accessible in one Amazon region alone.
(9 Regions total).
Failure to manage credentials –
unrestricted AWS credentials used in
deployments
Hackers are stealing compute power
with stolen AWS API credentials
Hackers are using stolen servers as
command and control servers.
AWS: The Current State Of Security
• Heavily Restricted Deployment Environment
• New Security Model With New Features
• Dynamic Environment
Online Retailer- “CloudTrail is a great start, but I need to understand what it is saying.”
“I just don’t have visibility into when Amazon’s security features are working.”
“The stuff I bought for my other datacenter just doesn’t work here.”
“I’m not sure if my developers are exposing the company to more risk.”
“It is my impression that this is not Amazon’s fault that these issues exist. Most of the
vulnerabilities this year are from misconfigurations or small things where the
developers working on applications made mistakes” – Andres Riancho @ BlackHat
The Security Problem Opportunity
What is effective monitoring in AWS?
Dynamically scalable monitoring
Visibility into the API activity
Assessment of the environment’s
configuration
AW
S
APPLICATION
OPERATING SYSTEM
NETWORK
HYPERVISOR
PHYSICAL
USM for AMAZON
Heavily Restricted Deployment
• Vulnerability Scanning
• API Audit Logs Analysis
New Security Model
• AWS Infrastructure Assessment
Dynamic Environment
• Log Management
• Asset Discovery
• CloudTrail Logs Integration
Native Cloud Features
• Horizontally scalable storage and correlation
• Automated Deployment in your environment from AWS
AUTOMATED ASSET DISCOVERY – Manage security the way your infrastructure is managed.
Automatically inventory running instances
Full visibility into AWS meta-data for forensics analysis
Map all security data back to Amazon instance-ID’s for real cloud forensics
AMAZON INFRASTRUCTURE ASSESSMENT – Double check use of AWS security primitives and detect changes.
Detect insecure configuration of network access controls
Remotely assessable service ports.
Remotely assessable management ports.
VPC subnet
Security Group
Security GroupSecurity Group
Core Features
LOG MANAGEMENT & CORRELATION – Monitor your applications & systems for compliance & security.
Monitor your applications to detect behavioral changes
Secure storage for compliance
S3 & CloudWatch Log integration for ease of management
CLOUDTRAIL MONITORING & ALERTING – Notification of environmental changes & abuse.
Monitor full API audit log
Monitor and alert on critical environment updates
Monitor and alert on malicious behavior
Core Features
VULNERABILITY ASSESSMENT – Stay ahead of vulnerabilities & understand your exposure.
Elastically assess your infrastructure
Auto-Notification of new instances
Secure, authenticated scans with low-overhead
ELASTIC SCALABILITYHorizontally scales as you grow.
CloudFormation templates for easy provisioning
Priced for elastic environments. Auto-Scaling Group
Core Features
888.613.6023
ALIENVAULT.COM
CONTACT US
Questions?
Download a Free 15-Day Trial
http://www.alienvault.com/free-trial
Check out our Solution Brief:
AlienVault Unified Security Management for AWS
http://www.alienvault.com/resource-center/solution-
briefs/alienvault-unified-security-management-for-aws
Reach out to us
• Twitter: @AlienVault