Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

Transcription

1 Building a Self-Defending Border Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS #cloudsec

2 Building A Defending Borders Protect Your Web-facing Workloads With AWS Security Services SHANE BALDACCHINO 2018 MARCUS SANTOS 2018

3 Modern Business Challenges Increased Frequency Low Capital Investment Rules and Regulations Disparate Disconnected Systems

4 Threats facing online assets? There Are Many

5 OWASP Style Attacks Critical Web Application Security Risks

6 OWASP - Injection User Input Website Database User = "Shane" Pass = "XXXX" SELECT * FROM Users WHERE Name = "Shane" AND Pass = "XXXX" SELECT Statement

7 OWASP - Injection Malicious Actor Website Database User = " or ""=" Pass = " or ""=" SELECT * FROM Users WHERE Name ="" "Shane" or ""="" AND Pass = ="" "XXXX" or ""="" SELECT Statement

8 OWASP Style Attacks Critical Web Application Security Risks Hacktivists & Crime Syndicates External Threats

9 Botnets And DDoS Malicious Actor Control Server Victim Website Bots

10 How are we fighting these threats today? We Use Controls

11 Expensive Lack Automation False Positives CapEx Heavy Over Provisioning License Locked Integration Challenges With DevSecOps Models Content Changes Often Require New Rules

12 Let s make this real.

13 The Snowy Unicorn Elevator Company N-Tier Architecture ERP and CRM Integration Quickly Growing Limited IT resources

14 Online Architecture Bastion Host Application Load Balancer Application Load Balancer Amazon Route 53 EC2 instances Auto Scaling Group EC2 instances MySQL DB Availability Zone A MySQL DB Availability Zone B

15 Kali Linux Designed For Penetration Testing and Security Auditing Contains Several Hundred Tools Available in AWS Marketplace

16 Architecture Of Attacks - Discovery

17 Architecture Of Attacks - Crawl

18 Architecture Of Attacks - OWASP

19 Architecture Of Attacks - DOS

20 Architecture Of Attacks - Brute Force

21 Demo The Snowy Unicorn Elevator Company 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

22 What s Wrong With Our Architecture? L7 Attacks Traditional security controls were ineffective Scale, Cost & Reputation ASG Elasticity Network Bandwidth Visibility Flew under the radar

23 We Need A Smarter Approach And New Tools

24 AWS Shield Standard Protection Advanced Protection Available to ALL AWS customers at No Additional Cost Paid service that provides additional, comprehensive protections from large and sophisticated attacks

25 Botnets And DDoS Malicious Actor Control Server Victim Website Bots

26 Botnets And DDoS Malicious Actor Control Server Victim Website Bots

27 AWS WAF Comprehensive API Integration Leverage IP Reputation Lists Mitigate OWASP Vulnerabilities

28 OWASP - Injection Malicious Actor Website Database User = " or ""=" Pass = " or ""=" SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" SELECT Statement

29 OWASP - Injection Malicious Actor Website Database User = " or ""=" Pass = " or ""=" SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" SELECT Statement

30

31 Self Defending Borders Putting the Dev in Security (DevSecOps)

32 Application Requests (Static + Dynamic) Application Load Balancer Amazon CloudFront AWS Shield OWASP Top 10 Protection HTTP Flood Protection AWS WAF IP Whitelist / Blacklist

33 Application Requests (Static + Dynamic) Access Logs Application Load Balancer Amazon CloudFront AWS Shield Amazon S3 Bucket OWASP Top 10 Protection HTTP Flood Protection AWS WAF IP Whitelist / Blacklist

34 Application Requests (Static + Dynamic) Access Logs Application Load Balancer Amazon CloudFront AWS Shield Honey Pot Endpoint Amazon S3 Bucket Amazon API Gateway OWASP Top 10 Protection HTTP Flood Protection AWS WAF IP Whitelist / Blacklist

35 Tight-knit API Driven Platform Amazon SQS Amazon CloudWatch AWS Step Functions Amazon SNS Fully managed message queue Monitoring for cloud resources Build distributed applications Highly scalable push messaging Amazon DynamoDB Amazon API Gateway Amazon S3 AWS Lambda NoSQL data store Create API s at scale Simple, durable object store Run code without servers

36 Application Requests (Static + Dynamic) Access Logs Application Load Balancer Amazon CloudFront AWS Shield Honey Pot Endpoint Amazon S3 Bucket Amazon API Gateway Bad Bot & Scraper Protection AWS WAF OWASP Top 10 Protection HTTP Flood Protection IP Whitelist / Blacklist AWS Lambda Access Handler AWS Step Functions

37 AWS Lambda Build and run applications without thinking about servers Availability and scalability is managed by AWS Not paying for idle time

38 AWS Step Functions Start FirstState ChoiceState FirstMatchState SecondMatchState DefaultState NextState End

39 Security State Machine Start Detected Attack New Attack Type Manual Approval Known Attack Blacklist Router Update WAF BadBot ACL Update EC2 Guest Firewall Update WAF Scraper ACL End

40 Security State Machine Start Detected Attack New Attack Type Manual Approval Known Attack Blacklist Router Update WAF BadBot ACL Update EC2 Guest Firewall Update WAF Scraper ACL End

41 Security State Machine Start Detected Attack New Attack Type Manual Approval Known Attack Blacklist Router Update WAF BadBot ACL Update EC2 Guest Firewall Update WAF Scraper ACL End

42 Security State Machine Start Detected Attack New Attack Type Manual Approval Known Attack Blacklist Router N function N function N function Update WAF BadBot ACL Update EC2 Guest Firewall Update WAF Scraper ACL End

43 Demo The Snowy Unicorn Elevator Company AWS WAF AWS Lambda Amazon API Gateway AWS Step Functions Amazon Dynamo DB 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

44 Application Requests (Static + Dynamic) Access Logs Application Load Balancer Amazon CloudFront AWS Shield Honey Pot Endpoint Amazon S3 Bucket Amazon API Gateway AWS Guard Duty Bad Bot & Scraper Protection AWS WAF OWASP Top 10 Protection HTTP Flood Protection IP Whitelist / Blacklist AWS Lambda Access Handler AWS Step Functions Amazon CloudWatch Known Attacker Protection AWS Lambda Guard Duty and 3 rd Party IP Lists

45 AWS Guard Duty Generate findings through VPC Log Stream Queries to questionable domains AWS CloudTrail history of AWS calls and user activity

46 Automating Remediation Detection Report Act Amazon GuardDuty Amazon CloudWatch AWS Platform CloudWatch Event Amazon SNS Amazon SQS AWS Step Functions AWS Lambda

47 Demo The Snowy Unicorn Elevator Company AWS WAF Amazon API Gateway AWS Lambda AWS Guard Duty AWS Step Functions Amazon Dynamo DB 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

48 Session Recap AWS WAF Amazon API Gateway AWS Lambda AWS Guard Duty AWS Step Functions Amazon Dynamo DB

49 How To Get Started AWS Lambda Product Details - Tutorial - AWS Automation WAF / Lambda Automation - Step Functions Workflow - AWS Step Functions Product Details - Tutorial -

50 Thank you! Shane Baldacchino Marcus Santos

51