Cloud Security for AWS
Preventing the Vicious Cycle of Security Failure
Protecting Your Cloud from Advanced Targeted Attacks
Andrew Hurren, Senior Regional Solution Architect, ANZ, Intel Security
Intel’s Vision
If it is smart and connected, it is best with Intel
Segments: Data Center, Client, Wearables/IoT
Intel Security Group
Delivering ubiquitous security to individuals and business on all computing devices
• Creating differentiated and open platforms for innovation
• Protecting digital identities for personal and transaction security
• Delivering Security Connected at optimal TCO
• Safeguarding our operations, our products and our customers
Coverage: Consumer Endpoint, Corporate Endpoint, Network & Gateway Security, Management/Analytics
The Need for Efficiency
The fundamental security challenge
Time imperative, resource constraints, increasing complexity: resolve more risk, faster and with fewer resources
Drivers: growing IoT devices, cloud adoption and evolving threats
Threat Defense Lifecycle
Continuous, Automated, and Shared Threat Intelligence
Detect – Illuminate low-threshold maneuvering through advanced intelligence and analytics.
Protect – Stop pervasive attack vectors while also disrupting never-before-seen techniques and payloads.
Adapt – Apply insights immediately throughout an integrated security system.
Correct – Improve triage and prioritize response as part of a fluid investigation.

Cloud Security is a Shared Responsibility
https://aws.amazon.com/security/sharing-the-security-responsibility/
AWS secures the infrastructure underneath the services; the customer remains responsible for what runs on it: guest operating systems, applications, data, and identity and access configuration. Everything that follows addresses the customer side of that line.
Intel Security Architecture
Scalable, Comprehensive, Easy-to-use Solution
Consolidated Management and Security Tools
McAfee Management Platform spanning on-premises security, private cloud security and public cloud security:
• Protection and Detection Controls
• Security Analytics and Corrective Controls
Intel Security: Capability Offerings
Outcomes: Neutralize Emerging Threats, Safeguard Vital Data, Optimize Security Operations, Fortify Critical Environments
• Endpoint Protection
• Network Security
• Data Security
• Web Security
• Security Management
• Endpoint Detection & Response
• Server Security
• Threat Sandboxing
• Security Services
• Threat Intelligence
Visibility into Cloud Infrastructure
• Gain insight into cloud infrastructure
• Manage cloud and on-premises security needs from one console
• Identify and respond to security issues
• Save time with automated workflows
• AWS systems are logically grouped by region in the management system hierarchy
Comprehensive Host-Based Security Controls
DevOps-friendly deployment, for Windows and Linux:
• Integrity Monitoring
• Encryption Management
• Application Whitelisting
• Intrusion Prevention
• Host Firewall
• Anti-Malware
• Threat Intelligence Exchange
Reduce Operational Overhead in an Orchestrated Environment
Dynamic Application Whitelisting
• Hosts are locked down with whitelisting
• The whitelist is updated automatically from trusted sources: trusted processes, trusted directories, trusted certificates and trusted users
• Application whitelisting is rated the #1 capability in the ASD Top 4 Mitigation Strategies
Intel Security on AWS Marketplace
https://aws.amazon.com/marketplace
Flexible licensing models:
• $ per hour
• BYOL (bring your own license)
Traditional Endpoint Protection Approaches
Blacklisting (known bad files): anti-virus technology; intelligence is global; daily updates
Whitelisting (known good files): application whitelisting; intelligence is manual; ad-hoc updates
What about everything else?
Advanced Reputation-Based Inspection
A file that is neither known bad nor known good is classified by reputation:
• Author? Suspicious attributes? (file is new, packed suspiciously, low prevalence)
• Global, local and 3rd-party knowledge?
• Connected countermeasures across endpoint, network, gateway and cloud, from McAfee or 3rd parties?
Threat Intelligence Exchange (TIE)
Enhanced Protection for Workloads
Components connected over the Data Exchange Layer: McAfee TIE Server, McAfee TIE Endpoint Modules, McAfee ATD, McAfee Web Gateway, McAfee Global Threat Intelligence and 3rd-party solutions.
Example verdict for an unknown file:
• File age hidden
• Signed with a revoked certificate
• Created by an untrusted process
Result: Trust Level: Low; Action: Block
Value of TIE + ATD
• Unknown files are sent to McAfee ATD (Advanced Threat Defense) for static and dynamic analysis
• ATD determines the file to be malicious
• Updated file information is shared instantly over the Data Exchange Layer to all connected solutions, providing real-time protection
Connected solutions: McAfee ESM, McAfee ePO, McAfee TIE Server, McAfee TIE Endpoint Modules, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Web Gateway, McAfee NSP, McAfee Global Threat Intelligence and 3rd-party solutions
Security’s Perfect Storm
A challenging and stressful environment: many tools and limited expertise; masses of security data; time to detect and respond.
Just how mature are security operations teams today?*
Over 44% say they are immature, sharing incident response teams with IT and having limited tools.
Another 24.6% say they are still maturing, but at least they have a full SOC and expansive tools.
*Source: SANS IR Survey, August 2015
Identify Hidden Threats across Multiple Vectors
Value of Log Analysis
• Turn security data into actionable intelligence
• Reduce detection time
• Identify malware, malicious activity, unauthorised behaviour, fraud…
• Correlation and patterns
• Behavioural baselines and anomalies
• Risk correlation
• Address agentless / server-less environments
Intel Security SIEM Solutions
Optimized threat and compliance management: intelligent, integrated, actionable
• Real Time Advanced Analytics: automated rule, risk/behavior, and statistical correlation
• Threat Prioritization: turns billions of “so what” events into actionable information
• Comprehensive Security: broad data collection of devices, including cloud support
• Security Connected integrations to enable efficient and effective response
• Active and Customizable Dashboards: make threat investigation and response easy
• High Performance Data Management Engine: fast response to data collection, analytics, and threat analysis
• Ease of Operation: hundreds of out-of-the-box rules & reports; a unified compliance framework
Leveraging SIEM for AWS
Integrate with Logging Services
• AWS infrastructure log sources: AWS CloudTrail, Amazon CloudWatch, AWS Config, other…
• EC2 instance log sources: ESM Collection Agent; native capabilities (syslog, SNMP…)
• Log indexing layer: security event collection; automated control enforcement
Centralise Security Analysis – Collect at the Source
Private, cloud and hybrid deployment models
McAfee ESM components in the physical and/or virtual corporate data center, collecting on-premise/private log sources:
• ESM Management
• ESM Log Collectors
• ESM Advanced Correlation Engine
• ESM Raw Log Storage
McAfee ESM components on Amazon EC2 in the AWS cloud, collecting AWS service log sources, linked to the data center over Direct Connect/VPN:
• ESM Management
• ESM Log Collectors
• ESM Advanced Correlation Engine
• ESM Raw Log Storage
Incident Identification, Forensics and Response
Use Cases
• Detect a slow brute force of a web application user account
• Identify the geo-location of the adversary and the reputation of their source network
• Identify all subsequent activities carried out by that user throughout your environment
• Identify any risky or anomalous behaviour associated with that user, or with the assets the user has interacted with
• REACT and block associated indicators such as geo-location, user, process, network… directly from the SIEM platform
• Create watchlists (alerts) for similar behaviours
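The first and third use cases above, worked through as an added example (not ESM correlation content and not code from this deck): a sliding-window correlation that flags an account receiving a slow trickle of login failures, escalates when a login then succeeds, and pivots to everything the account did afterwards. The input is a handful of constructed CloudTrail-style ConsoleLogin records (field names follow the CloudTrail record format; the thresholds, user names and TEST-NET addresses are illustrative assumptions). Geo-location and source-network reputation are deliberately left out because they need an external feed.

```python
"""Slow brute-force detection plus pivot to subsequent activity.

Added example, not part of the original deck and not McAfee ESM content.
Events are constructed CloudTrail-style records; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures inside WINDOW before alerting
WINDOW = timedelta(hours=6)         # look-back per account
MIN_SPREAD = timedelta(minutes=30)  # "slow": failures spread over at least this long,
                                    # i.e. below what a per-minute lockout rule would catch
SUSPICIOUS_AFTER = 3                # a success counts as suspicious after this many failures


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def login_outcome(ev):
    """'Success' / 'Failure' for ConsoleLogin records, None for anything else."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    return (ev.get("responseElements") or {}).get("ConsoleLogin")


def detect_slow_bruteforce(events):
    """Per-user sliding-window correlation over login outcomes.

    Emits 'slow_bruteforce' when FAIL_THRESHOLD failures land inside WINDOW and
    span at least MIN_SPREAD, and 'success_after_failures' when a login succeeds
    while SUSPICIOUS_AFTER or more failures are still in the window."""
    fails = defaultdict(list)          # user -> [(time, source ip), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        outcome = login_outcome(ev)
        if outcome is None:
            continue
        user = ev["userIdentity"].get("userName", "<unknown>")
        now = parse_time(ev["eventTime"])
        fails[user] = [(t, ip) for t, ip in fails[user] if now - t <= WINDOW]
        if outcome == "Failure":
            fails[user].append((now, ev["sourceIPAddress"]))
            run = fails[user]
            spread = run[-1][0] - run[0][0]
            if len(run) == FAIL_THRESHOLD and spread >= MIN_SPREAD:
                alerts.append({"type": "slow_bruteforce", "user": user,
                               "time": ev["eventTime"], "failures": len(run),
                               "sources": sorted({ip for _, ip in run}),
                               "spread_min": int(spread.total_seconds() // 60)})
        elif outcome == "Success" and len(fails[user]) >= SUSPICIOUS_AFTER:
            alerts.append({"type": "success_after_failures", "user": user,
                           "time": ev["eventTime"], "source": ev["sourceIPAddress"],
                           "mfa": (ev.get("additionalEventData") or {}).get("MFAUsed"),
                           "failures": len(fails[user])})
            fails[user].clear()
    return alerts


def subsequent_activity(events, user, since):
    """Non-login API calls by `user` at or after `since` (ISO-8601, Z): the pivot
    an analyst runs from the SIEM once the alert fires."""
    t0 = parse_time(since)
    return [(ev["eventTime"], ev["eventName"], ev["sourceIPAddress"])
            for ev in sorted(events, key=lambda e: e["eventTime"])
            if ev["userIdentity"].get("userName") == user
            and ev["eventName"] != "ConsoleLogin"
            and parse_time(ev["eventTime"]) >= t0]


def _rec(time, user, name, ip, outcome=None, mfa="No"):
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if name == "ConsoleLogin":
        rec["responseElements"] = {"ConsoleLogin": outcome}
        rec["additionalEventData"] = {"MFAUsed": mfa}
        if outcome == "Failure":
            rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample: six failures over roughly three hours from two addresses,
# then a success without MFA, then key creation. 'alice' is normal noise.
SAMPLE_EVENTS = [
    _rec("2016-03-01T01:00:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("2016-03-01T01:05:00Z", "alice", "ConsoleLogin", "198.51.100.20", "Failure"),
    _rec("2016-03-01T01:06:00Z", "alice", "ConsoleLogin", "198.51.100.20", "Success", "Yes"),
    _rec("2016-03-01T01:40:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("2016-03-01T02:15:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.9", "Failure"),
    _rec("2016-03-01T02:50:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("2016-03-01T03:30:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.9", "Failure"),
    _rec("2016-03-01T04:05:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("2016-03-01T04:20:00Z", "deploy-admin", "ConsoleLogin", "203.0.113.7", "Success"),
    _rec("2016-03-01T04:23:00Z", "deploy-admin", "CreateAccessKey", "203.0.113.7"),
    _rec("2016-03-01T04:31:00Z", "deploy-admin", "RunInstances", "203.0.113.7"),
]

if __name__ == "__main__":
    for alert in detect_slow_bruteforce(SAMPLE_EVENTS):
        print(alert)
    print(subsequent_activity(SAMPLE_EVENTS, "deploy-admin", "2016-03-01T04:20:00Z"))
```

The spread check is what makes this a slow-brute-force rule rather than a rate rule: five failures inside a minute trip a lockout anyway, while five failures spread over hours from two addresses do not, and it is the success that follows, without MFA and followed by CreateAccessKey, that turns the alert into an incident. On real CloudTrail data, key the window on `userIdentity.userName` for IAM users and on the principal ARN for assumed roles, since the `userName` field is absent for those.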
Delivering Business and Security Outcomes
Solving security’s most acute pain points
Problem: Complexity. Solution: Resolve more threats. Extend beyond discrete and siloed security; move to a cohesive threat lifecycle defense; “cloudify” and “mobilize” protection.
Problem: Time constraints. Solution: Respond rapidly. Deliver automated detection and correction; operate as a security system.
Problem: Resource constraints. Solution: Fewer resource constraints. Integrate, streamline, and automate processes to improve operational efficiency.