pragmatic security automation for cloud · pragmatic security automation for cloud csv-r04 ......
TRANSCRIPT
SESSION ID:
#RSAC
Rich Mogull
PRAGMATIC SECURITY AUTOMATION FOR CLOUD
CSV-R04
Analyst/VP of ProductSecurosis/[email protected]@rmogull
#RSAC
Cloud is Fundamentally Different
2
Abstraction Automation
#RSAC
Automation is Inherent
3
The NIST Model (courtesy the CSA)
#RSAC
APIs are Ubiquitous
4
Cloud Security Alliance IaaS Reference Model }
#RSAC
Cloud Security Must Be Cloud Native
5
Management Plane Volatility/Velocity Distribution/Segregation
Account
Virtual Network
Subnet
Security
Group
Virtual Network
Subnet
Security
Group
Account
Virtual Network
Subnet
Security
Group
Virtual Network
Subnet
Security
Group
#RSAC
The Categories
6
Guardrails Workflows Orchestrations
Continuously assess and
enforce operational and
security policies
Streamline and accelerate
IT operations and security
through automated
workflows
Empower new capabilities
through advanced
orchestration of
infrastructure, operations,
and security
Fix security group or S3 misconfigurations
Incident responseAutomatic WAF insertion and
configuration
#RSAC
The Principles
7
Software Defined Security
Stateless Security
Event Driven Security
Continuous Feedback
Loops
#RSAC
The Foundation
8
Cloud Service Provider Cloud Consumer (you)
‣ API and full
administrative activity
logging
‣ Events/triggers/rules
‣ Function as a Service
(Serverless)
‣ Notification service
‣ Continuous Integration
Pipeline
‣ Version control
repository
‣ Full IAM access to
accounts/subscriptions/
projects
‣ Security development
team (person)
Critical
Capabilities
#RSAC
The Process
9
Define Your Problem
Eval FOSS/Existing tools
Determine Tech Stack
Build Initial Automations (Ops)
Expand for Scale/Scope
#RSAC
Things We Are Skipping (for time)
10
How to configure all the core monitoring/logging
Setting up IAM and permissions
The details of implementation on Azure and GCP
We will list the core capabilities, but can’t cover all 3 with real examples in 45 minutes
#RSAC
What’s a Guardrail?
11
Define and set limitsCan be “allow” or “deny”
Find deviationsAssessment or event based
Evaluate the issue
Fix/remediateAutomatically or manually depending on rules
Find
EvalFix
#RSAC
Example Guardrails
12
If you find a public S3 bucket, restrict it to our known network addresses
Unless it is approved or tagged
Don’t allow internal security groups with all ports and protocols open in Prod
But allow in Dev
Require MFA for API access for any user that needs MFA for console access
Create our baseline IAM policies and roles for all new accounts
Based on the environment
Validate that monitoring and alerting is properly configured
And fix if not
Disable access keys that haven’t been used in 90 days
Find instances with an IAM role that allows power user or greater access via API
Restrict the privileges
Identify all cross-network peering from accounts we don’t own
Then check the security group permissions
#RSAC
What Makes a Good Guardrail?
13
Accounts for different environmentsAt least Dev vs. Prod
Handles exceptionsAnd is capable of remembering them
Understands state and context
Doesn’t bog down the alert queue
Can remediate automaticallyEither completely, or after manual approval
Ops communications/notifications
Education, not Blamification
#RSAC
Building a Guardrail
14
Define Criteria/Issues
Add Filters
Set Triggers
Add ActionsAnd Targets
#RSAC
Our Guardrail
15
Criteria/IssuesAll instances with port 22 open to the 0.0.0.0/0 (the Internet)
FiltersRegion is us-west-2p (could be VPC/tag/etc)
TriggerTime = every 5 minutes
ActionRestrict to known IP range
Demo
#RSAC
Our Event-Driven Guardrail
16
Criteria/IssuesNew inbound security group rule added
FiltersIAM user, VPC, Tag
TriggerAPI event (CloudTrail)
ActionReverse + Notify
Demo
#RSAC
Expanding to Enterprise Scale
17
Hitting all 14 regions simultaneously
Multiplex
Central event stream
Queues/SNS
AuthN/AuthZ
#RSAC
Building a Workflow
18
Define Steps
Determine Inputs
Choose Execution Model
Modularize Code
Can be built on Guardrails and support Orchestrations
#RSAC
Our Workflow
19
Steps (Incident Response)Collect metadata (before we change it)
Quarantine on the network and in AWS
Snapshot all storage and attach for forensics
Analyze
InputsInstance ID
Execution Model
Command line (container or remote)
Modularize CodeClasses for analyze vs. respond
All methods reusable Demo
#RSAC
Workflows Advice
20
Workflows are to speed up common, manual tasksGuardrails are for automated enforcement
The line between a guardrail action and an Workflows is often thin
Execution environment mattersLambda vs. containers vs. your laptop
Use your pipelineContinuous integration servers (Jenkins) make great platforms for repeat automation, not just security testing
Make a static consoleE.g. S3 + API Gateway + SQS
#RSAC
Building a Orchestration
21
ID apps and APIs
Locate SDK if available
Consider flow/value
Modularize
Integrate in code
#RSAC
Our Orchestration
22
Apps/APIEC2 + Route 53 + Incapsula
SDKAWS Ruby + REST client
Flow/ValueID public web servers -> determine DNS -> check WAF -> add WAF
Limit: default AWS domain names
ModularizeFind web instances, ELBs
Change DNS, add Incapsula
Integrate into codeSee video
Demo
#RSAC
Complexities
23
Account
Virtual Network
Subnet
Security
Group
Virtual Network
Subnet
Security
Group
Account
Virtual Network
Subnet
Security
Group
Virtual Network
Subnet
Security
Group
Scaling Multiple Accounts Multiple Providers
Circuit Breakers
#RSAC
Architecting For Enterprise Scale
24
#RSAC
Where to Start
25
Start with something simpleBuild it in one account/subscription/project
Event + Notification is super easy to start
Then go with your first FaaS
Desktop first, then FaaS for execution environment
Build a libraryExperiment with execution environments, but standardize quickly
Add enterprise scaling capabilities
Will depend on your execution environment/model
Build it in the cloud and leverage PaaS options
Make sure you use CI/CD for long term management
SESSION ID:
#RSAC
Rich Mogull
PRAGMATIC SECURITY AUTOMATION FOR CLOUD
CSV-R04
Analyst/VP of ProductSecurosis/[email protected]@rmogull