Cloud Security Strategy - Adapt to Changes with Security Automation -

Transcription

1 SESSION ID: CMI-F03 Cloud Security Strategy - Adapt to Changes with Security Automation - Hayato Kiriyama Security Solutions Architect Amazon Web Services Japan

2 Agenda New Normal of Security Architecture Security Best-Mix to Adapt to Changes Security Automation as a New Solution 11

3 Agenda New Normal of Security Architecture Security Best-Mix to Adapt to Changes Security Automation as a New Solution 12

4

5 Cloud has become the New Normal. Companies of every size are deploying new applications to the cloud by default. Andy Jassy, Chief Executive Officer, Amazon Web Services AWS re:invent

6

7 The only rational response to risk is to be proactive in how we engage with changes. If you are not disrupting your own markets, someone else will disrupt them for you. Eric Tucker, IT Chief Technology Officer, GE Global Research AWS Summit Tokyo

8 IT in the Cloud Era Ownership Utilization Electric Power Private Electric Generator Electric Utility Provider Computing On-premise Servers Cloud Service Provider 17

9 IT Capacity (On-premise) Surplus Capacity Surplus Capacity Rapid Growth or M&A Unpredictable Peak Lack of Capacity = Opportunity Loss 18

10 IT Capacity (Cloud) Freedom from Surplus Capacity Freedom from Surplus and Lack of Capacity Rapid Growth or M&A Unpredictable Peak Freedom from Capacity Sizing 19

11 The Value of Cloud Improvement Easier, Faster, Cheaper Innovation Can do what we couldn t do 20

12 The Value of Cloud Improvement Easier, Faster, Cheaper Innovation Can do what we couldn t do Disruption Bring the old value to naught Normal to New Normal 21

13 Normal Security Issues Are current security measures effective? How much should we invest in security? Is ROI optimized? 22

14 Can We Calculate Security ROI? Return Protected amount of money applied by security measures Investment Pure cost of security measures 23

15 Can We Calculate Security ROI? NO! Return Direct Cost Incident Response Expenses Existing Customers Lost Measurable Indirect Cost Business Opportunity Lost Prospective Customers Lost Unmeasurable Investment IT Investment Facility Investment Training What is the percentage of Security? 24

16 Security Investment Can Not Be Unraveled Security is becoming a fabric item. It s woven through every major technical decision. Mark McLaughlin President & CEO, Palo Alto Networks Ignite

17 Start with Risk (Risk-based Approach) NIST SP Security and Privacy Controls for Federal Information Systems and Organizations Select the appropriate security controls in accordance with the required security levels. Tailor security control baselines to achieve the needed level of protection in accordance with organizational assessments of risk. 26

18 Security Risk Formula Threats Vulnerabilities Informational Assets Malware Targeted Attack DDoS Attack Security Hole Misconfiguration Psychological Corporate Confidential Personal Information Intellectual Property 27

19 Risks keep changing Threats Vulnerabilities Informational Assets Social Event Corporate News Corporate Reputation Asset Investment Organization Growth Hiring & Deployment Business Growth M&A/IPO Company Split-up 28

20 Adapt Security Level to Risk Changes Changing Security Risk 29

21 Adapt Security Level to Risk Changes Optimal Security Level Changing Security Risk 30

22 From ROI to Adaptiveness Normal New Normal What we look at Return On Investment (ROI) Adaptiveness to changes Increased Security Level Adapted Security Level What it looks like Changing Security Risk 31

23 Agenda New Normal of Security Architecture Security Best-Mix to Adapt to Changes Security Automation as a New Solution 32

24 Categories by Adaptiveness Category Situational Security Adaptiveness High Usecases Incident response Forensics EDR UEBA Threat Intelligence Correlation Corporate Security Middle Access Control Vulnerbility Mngt. Encryption FW/IPS/IDS Data Protection Log Management Fixed Security Low Network Server Data Center Hypervisor Storage Facility 33

25 [REF] Electric Power Best Mix Electric Power Demand thermal electric power pumped-storage hydroelectric power nuclear electric power (H) 34

26 Security Best Mix Security Level Situational Security Adaptiveness High Cost High Corporate Security Middle Middle Fixed Security Low Low 35

27 Security Best Mix in the Cloud Era Security Level Situational Security (Security by the cloud) Corporate Security (Security in the cloud) Fixed Security (Security of the cloud) Power Source (Driver) Security Automation (Adaptability) Compliance as Code DevSecOps Based on regulatory compliance (Reusability/Repeatability) Economies of Scale by Cloud Service Provider (Cost) 36

28 Security Best Mix in the Cloud Era Security Level Situational Security (Security by the cloud) Corporate Security (Security in the cloud) Fixed Security (Security of the cloud) Power Source (Driver) Security Automation (Adaptability) What and How? Compliance as Code DevSecOps Based on regulatory compliance (Reusability/Repeatability) Economies of Scale by Cloud Service Provider (Cost) 37

29 Minimize the Gap to Adapt 1. Granular Response 2. Early Detection Security Level Adapted Security Level Changing Security Risk Time 38

30 Minimize the Gap to Adapt 1. Granular Response 2. Early Detection Many Small Services Independently Deployable Loosely Coupled Microservices Architecture 39

31 Minimize the Gap to Adapt 1. Granular Response 2. Early Detection Many Small Services Independently Deployable Loosely Coupled Microservices Architecture Massive Security Logs Threat Intelligence Event Driven / API Call Data Management Infrastructure 40

32 Minimize the Gap to Adapt 1. Granular Response 2. Early Detection Many Small Services Independently Deployable Loosely Coupled Microservices Architecture Massive Security Logs Threat Intelligence Event Driven / API Call Data Management Infrastructure Cloud Makes It Easier and Possible 41

33 Agenda New Normal of Security Architecture Security Best-Mix to Adapt to Changes Security Automation as a New Solution 42

34 Gartner s Adaptive Security Architecture Predict Proactive Exposure Assessment Harden and Isolate Systems Prevent Predict Attacks Divert Attackers Baseline Systems Remediate / Make Changes Continuous Monitoring and Analytics Prevent Incidents Detect Incidents Design / Model Changes Confirm and Prioritize Respond Investigate / Forensics Contain Incidents Detect

35 AWS Service Mapping Predict NACL SG Prevent Amazon Inspector 3 rd Party Data Feed AWS Config Amazon CloudFront AWS WAF Amazon CloudWatch AWS CloudTrail Amazon SNS AWS Lambda Amazon VPC flow logs 3 rd Party IDS Respond AWS CloudFormation Amazon EBS 44 Auto Scaling 3 rd Party SIEM Detect

36 Use Case: Mitigate External Attacks Predict NACL SG Prevent Amazon Inspector 3 rd Party Data Feed AWS Config Amazon CloudFront AWS WAF Amazon CloudWatch AWS CloudTrail Amazon SNS AWS Lambda Amazon VPC flow logs 3 rd Party IDS Respond AWS CloudFormation Amazon EBS 45 Auto Scaling 3 rd Party SIEM Detect

37 Automatic Update on WAF rule with IP Black List User Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Amazon EC2 Web servers Amazon RDS Database Attacker AWS WAF Web Application Firewall AWS WAF Security Automations

38 Automatic Update on WAF rule with IP Black List User Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Amazon EC2 Web servers Amazon RDS Database 1Execute hourly Attacker AWS WAF Web Application Firewall AWS Lambda Function as a Service Amazon CloudWatch Resource Monitoring AWS WAF Security Automations

39 Automatic Update on WAF rule with IP Black List User Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Amazon EC2 Web servers Amazon RDS Database 1Execute hourly Attacker AWS WAF Web Application Firewall AWS Lambda Function as a Service Amazon CloudWatch Resource Monitoring 3 rd party Reputation List AWS WAF Security Automations 2Check for malicious IP addresses

40 Automatic Update on WAF rule with IP Black List User Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Amazon EC2 Web servers Amazon RDS Database 1Execute hourly Attacker AWS WAF Web Application Firewall AWS Lambda Function as a Service Amazon CloudWatch Resource Monitoring 3Add to an AWS WAF block list 3 rd party Reputation List AWS WAF Security Automations 2Check for malicious IP addresses

41 Automatic Update on WAF rule with IP Black List User Attacker Amazon CloudFront Content Delivery Network 4Block the traffic from malicious IP addresses Elastic Load Balancing Load Balancer Amazon EC2 Web servers Amazon RDS Database 1Execute hourly AWS WAF Web Application Firewall AWS Lambda Function as a Service Amazon CloudWatch Resource Monitoring 3Add to an AWS WAF block list 3 rd party Reputation List AWS WAF Security Automations 2Check for malicious IP addresses

42 Contain and Notify an Incident by Scale-out Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Auto Scaling Group Availability Zone 1a EC2 Instances Availability Zone 1b

43 Contain and Notify an Incident by Scale-out Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Auto Scaling Group Availability Zone 1a EC2 Instances Availability Zone 1b 1Massive traffic

44 Contain and Notify an Incident by Scale-out 2Automatic traffic distribution by scale-out Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Auto Scaling Group Availability Zone 1a EC2 Instances Availability Zone 1b 1Massive traffic

45 Contain and Notify an Incident by Scale-out 3Notify the scaling event 2Automatic traffic distribution by scale-out Amazon CloudFront Content Delivery Network Elastic Load Balancing Load Balancer Auto Scaling Group Availability Zone 1a Amazon SNS Notification Service EC2 Instances Availability Zone 1b 1Massive traffic

46 Contain and Notify an Incident by Scale-out 3Notify the scaling event 2Automatic traffic distribution by scale-out Amazon CloudFront Content Delivery Network 1Massive traffic Elastic Load Balancing Load Balancer EC2 Instances Auto Scaling Group Availability Zone 1a Availability Zone 1b Amazon SNS Notification Service AWS Lambda Function as a Service 4Call an arbitrary function

47 Use Case: Assess Risks to Manage Internal Endpoints Predict NACL SG Prevent Amazon Inspector 3 rd Party Data Feed AWS Config Amazon CloudFront AWS WAF Amazon CloudWatch AWS CloudTrail Amazon SNS AWS Lambda Amazon VPC flow logs 3 rd Party IDS Respond AWS CloudFormation Amazon EBS 56 Auto Scaling 3 rd Party SIEM Detect

48 Automate Quarantine and Backup AWS Lambda Function as a Service Amazon Inspector Security Assessment EC2 Instance Endpoint Amazon EBS Block Storage Security Group Stateful Firewall Network ACL Stateless Firewall

49 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment Amazon Inspector Security Assessment EC2 Instance Endpoint Amazon EBS Block Storage Security Group Stateful Firewall Network ACL Stateless Firewall

50 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment Amazon Inspector Security Assessment 2Vulnerability scan to endpoint EC2 Instance Endpoint Security Group Stateful Firewall Network ACL Stateless Firewall Amazon EBS Block Storage

51 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment Amazon Inspector Security Assessment Amazon SNS Notification Service 2Vulnerability scan to endpoint EC2 Instance Endpoint Security Group Stateful Firewall Network ACL Stateless Firewall Amazon EBS Block Storage 3Notify the scan results

52 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment Amazon Inspector Security Assessment 2Vulnerability scan to endpoint EC2 Instance Endpoint Security Group Stateful Firewall Amazon EBS Block Storage Amazon SNS Notification Service AWS Lambda Function as a Service 3Notify the scan results Network ACL Stateless Firewall 4Quarantine the endpoint by firewalls

53 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment 5Copy a disk image for backup Amazon Inspector Security Assessment 2Vulnerability scan to endpoint EC2 Instance Endpoint Amazon EBS Block Storage snapshot Security Group Stateful Firewall Amazon SNS Notification Service AWS Lambda Function as a Service 3Notify the scan results Network ACL Stateless Firewall 4Quarantine the endpoint by firewalls

54 Automate Quarantine and Backup AWS Lambda Function as a Service 1Run a security assessment 5Copy a disk image for backup Amazon Inspector Security Assessment 2Vulnerability scan to endpoint EC2 Instance Endpoint Amazon EBS Block Storage snapshot Security Group Stateful Firewall Amazon SNS Notification Service AWS Lambda Function as a Service 3Notify the scan results Network ACL Stateless Firewall 4Quarantine the endpoint by firewalls AWS CloudTrail Operation Log Service 6Record the backup log

55 The Value of Cloud Security Improvement Innovation Disruption Easier, Faster, Cheaper Earlier detection on data management infrastructure Can do what we couldn t do granular response through the microservices Bring the old value to naught ROI to Adaptiveness to changes 64

56 Summary Be adaptive to the changes of security risks Best-mix security by its adaptiveness Cloud makes it easy and possible with Security Automation 65

57 Apply Apply cloud technology to improve readiness and responsiveness. (e.g. AWS provides automated security) Mix different types of security in adaptiveness to attain the necessary security level. Recommend to use: security of cloud for fixed security security in cloud for corporate security security by cloud for situational security 66

58 Thank you!