Look Who's Hiring!
- AWS Solution Architect: https://www.amazon.jobs/en/jobs/362237
- AWS Cloud TAM: https://www.amazon.jobs/en/jobs/347275
- AWS Principal Cloud Architect (Professional Services): http://www.reqcloud.com/jobs/701617/?k=wxb6e7km32j+es2yp0jy3ikrsexrVGaOWIhaklSw9idiTA8gCkJ2cKsaJL40SLqgBI/yqgZ6WtJiObPVOM6A6g==&utm_source=linkedin&utm_campaign=reqcloud_jobpost
AWS & Alert Logic. Minoo Duraipandy, Solution Architect, AWS; David Hillock, Territory Manager, Alert Logic
- Grab beer and food
- Introduction to AWS Security
- AWS Shared Security Model
- AWS & Alert Logic
- Top 13 must-do security hardening measures
- Show & Tell sessions (hopefully it will work!)
- AWS Network Security (will we have time to get here?)
- Leave you with reference docs and videos
Job Zero: Physical Security, Network Security, Platform Security, People & Procedures
AWS is responsible for the security OF the Cloud
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- Compliance programs (constantly improving): ... GxP, ISO 13485, AS9100, ISO/TS 16949
SHARED
Customers' shared responsibility: customers have their choice of security configurations IN the Cloud
- Customer applications & content
- Platform, Applications, Identity & Access Management
- Operating System, Network, & Firewall Configuration
- Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
AWS is responsible for the security OF the Cloud
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
ALERT LOGIC: MANAGED SECURITY AS A SERVICE. David Hillock, Territory Manager
Leading Provider of Security & Compliance for the Cloud: providing fully managed and monitored security and compliance for cloud, hybrid, and on-premises infrastructure, with the benefits of deep security insight, continuous protection, and lower total costs.
- Revenue: $91M+/year
- Growth rate: 42%
- Customers: 3,600+
- Founded: 2002
- Employees: 650+
- Headquarters: Houston, Texas
Industry recognition and certifications
Over 3,500 Organizations Worldwide Trust Alert Logic
CYBER SECURITY LANDSCAPE
Security Risks are Escalating Rapidly. At a glance: cybercrime today
- $1.3 million: average yearly cost of breaches per organization (1)
- 185: major security incidents companies deal with each year (1)
- $158 million: direct losses from breach for Target
- 205 days: on average before detection of compromise (2)
Sources: 1) IDC, Cybercrime: The Credentials Connection, 2014. 2) M-Trends Threat Report 2015.
Today's Attacks are Becoming More Complex
- Attack stages: Identify & Recon -> Initial Attack -> Command & Control -> Discover & Spread -> Extract & Exfiltrate
- The Impact: Financial loss; Harm to brand and reputation; Scrutiny from regulators
- Attacks are multi-stage, using multiple threat vectors
- It takes organizations months to identify they have been compromised: 205 days on average before detection of compromise (1)
- Over two-thirds of organizations find out from a 3rd party that they have been compromised (2)
Sources: 1) IDC Worldwide Security and Vulnerability Management 2014-2018 Forecast. 2) M-Trends 2015: A View from the Front Lines.
Security in the Cloud is a Shared Responsibility
- Apps (Customer Responsibility): Secure coding and best practices; Software and virtual patching; Configuration management; Access management; Application level attack monitoring
- Hosts (Cloud Service Provider Responsibility): Hardened hypervisor; System image library; Root access for customer. (Customer Responsibility): Access management; Patch management; Configuration hardening; Security monitoring; Log analysis
- Networks (Customer Responsibility): Logical network segmentation; Perimeter security services; Network threat detection; Security monitoring. (Cloud Service Provider Responsibility): External DDoS, spoofing, and scanning prevented
- Foundation Services (Cloud Service Provider Responsibility): Compute, Storage, DB, Network
ALERT LOGIC: SECURITY PARTNER
Closing the Gap for Cloud Security
- Alert Logic Cloud Defender: Review and Escalation by our Security Analysts; Analytics Engine to find potential threats; Real-time Security Monitoring of Network, Log, and Web App Traffic; Research into known and emerging, as well as AWS-specific, threats; Audit and Compliance reporting
- Alert Logic Cloud Insight: Vulnerabilities on the Instances; AWS Best Practices; Visibility of the AWS Environment (AWS Config, AWS CloudTrail)
How Cloud Defender Works: ALERT LOGIC CLOUD DEFENDER
- Inputs from the Customer IT Environment (Cloud, Hybrid, On-Premises): Network incidents; Vulnerability Scans; Web application events; OS/App log data; AWS Log data
- Big Data Analytics Platform (Alert Logic ActiveAnalytics)
- Threat Intelligence & Security Content (Alert Logic ActiveIntelligence)
- 24 x 7 Monitoring & Escalation (Alert Logic ActiveWatch)
- Outcome: Identify Attacks & Protect Customers
ActiveAnalytics: Security Analytics
- Big Data Grid, optimized for large scale storage & processing: Collects, stores, and parses all data collected; Optimized for scale (more than 1000 processing cores); Supports multiple workloads on shared infrastructure
- Real-time Processing & Analytics Platform: Automated incident creation with actionable intelligence; Removes false positives; 3-tiered analysis (Real-time Monitoring, Pre-cursor, Deep Forensics)
- Multi-Tier Security Content, identifies hard-to-detect incidents: Correlation rules; Anomaly detection; Threat intelligence; Reputation-based; Signature-based; Vulnerability context
ActiveIntelligence: Threat Intelligence & Content
- Data Sources: Honey Pot Network; Flow based Forensic Analysis; Security Operations Center 24/7; Malware Forensic Sandboxing; Intelligence Harvesting Grid; Alert Logic Threat Manager Data; Alert Logic Log Manager Data; Alert Logic Web Security Manager Data; Alert Logic ScanWatch Data; Asset Model Data; Customer Business Data; Research
- Inputs -> Applied Analytics -> Security Content, Threat Intelligence, Incidents (for the Customer)
ActiveWatch: 24x7 Security Monitoring
- 24x7 Security and Availability Coverage: Expert review, investigation, and analysis by certified security experts; Incident response, escalation, and recommendations for resolution; NOC monitors all security infrastructure for availability
- Ongoing tuning delivers protection and application availability: Tuning in response to changing attacks and customer application changes; Identification of new attack patterns and creation of new security content
- Expert Certification
Compliance without Complexity. Alert Logic solutions mapped to PCI DSS, SOX, and HIPAA & HITECH
PCI DSS
- Alert Logic Web Security Manager: 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others; 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications
- Alert Logic Log Manager: 10.2 Automated audit trails; 10.3 Capture audit trails; 10.5 Secure logs; 10.6 Review logs at least daily; 10.7 Maintain logs online for three months; 10.7 Retain audit trail for at least one year
- Alert Logic Threat Manager: 5.1.1 Monitor zero day attacks not covered by anti-virus; 6.2 Identify newly discovered security vulnerabilities; 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change; 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
SOX
- Alert Logic Web Security Manager: DS 5.10 Network Security; AI 3.2 Infrastructure resource protection and availability
- Alert Logic Log Manager: DS 5.5 Security Testing, Surveillance and Monitoring; DS 5.9 Malicious Software Prevention, Detection and Correction
- Alert Logic Threat Manager: DS 5.6 Security Incident Definition; DS 5.10 Network Security
HIPAA & HITECH
- Alert Logic Web Security Manager: 164.308(a)(1) Security Management Process; 164.308(a)(6) Security Incident Procedures
- Alert Logic Log Manager: 164.308(a)(1)(ii)(d) Information System Activity Review; 164.308(a)(6)(i) Login Monitoring; 164.312(b) Audit Controls
- Alert Logic Threat Manager: 164.308(a)(1)(ii)(a) Risk Analysis; 164.308(a)(1)(ii)(b) Risk Management; 164.308(a)(5)(ii)(b) Protection from Malicious Software; 164.308(a)(6)(iii) Response & Reporting
Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting
Basic user and permission management; Credential management; Delegation
Basic user and permission management. 0. Create individual users. Benefits: Unique credentials; Individual credential rotation; Individual permissions
Basic user and permission management. 1. Grant least privilege. Benefits: Less chance of people making mistakes; Easier to relax than to tighten up; More granular control
Basic user and permission management. 2. Manage permissions with groups. Benefits: Easier to assign the same permissions to multiple users; Simpler to reassign permissions based on a change in responsibilities; Only one change to update permissions for multiple users
Basic user and permission management. 3. Restrict privileged access further with conditions. Benefits: Additional granularity when defining permissions; Can be enabled for any AWS service API; Minimizes the chance of accidentally performing privileged actions
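Added example, not from the slides or from AWS: a deliberately reduced model of how IAM decides a request so that steps 1 to 3 above (least privilege, a group policy, conditions) can be tried offline. The group policy, account id, bucket name and IP range are constructed for the example; the evaluator keeps only IAM's core rule (a matching explicit Deny wins, any matching Allow with its conditions satisfied permits, everything else is denied) and the two condition operators the policy uses.

```python
import fnmatch
import ipaddress

# Constructed group policy for this example (not from the slides): read-only access to one
# log bucket, one narrowly scoped privileged action guarded by conditions, and an explicit
# Deny on IAM so members of this group cannot widen their own permissions.
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-logs", "arn:aws:s3:::example-app-logs/*"]},
        {"Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM's * and ? wildcards behave like fnmatch's; action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only the two operators used in the policy above are modelled here.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # missing context key: condition is not satisfied
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                networks = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in networks):
                    return False
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
    return True

def is_allowed(policies, action, resource, context=None):
    """Reduced IAM decision: a matching explicit Deny always wins, any matching Allow
    whose conditions hold permits, and the default is deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    pol = [DEVELOPERS_GROUP_POLICY]
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"
    mfa_office = {"aws:MultiFactorAuthPresent": True, "aws:SourceIp": "203.0.113.25"}
    print(is_allowed(pol, "s3:GetObject", "arn:aws:s3:::example-app-logs/app.log"))  # True
    print(is_allowed(pol, "ec2:TerminateInstances", instance, mfa_office))           # True
    print(is_allowed(pol, "ec2:TerminateInstances", instance,
                     {"aws:SourceIp": "203.0.113.25"}))                              # False, no MFA
    print(is_allowed(pol, "iam:CreateUser", "arn:aws:iam::111122223333:user/x"))    # False, explicit Deny
```

Attach a policy like this to a group rather than to each user (step 2), and widen it only when a concrete need appears; relaxing a tight policy is a one-statement change, while clawing back a broad one means auditing every user who already relied on it.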
Basic user and permission management. 4. Enable AWS CloudTrail to get logs of API calls. Benefits: Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
It's really easy to set it up! Turn AWS CloudTrail on; Apply to all AWS Regions; Price = $0.00002/event, or $2 for 100,000 events
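Added example, not part of the slides: once the trail is on, the log files in the S3 bucket are JSON documents of the form {"Records": [...]}, and a few lines of Python over them already answer the questions steps 7 and 10 below care about (who used the root account, who signed in to the console without MFA, did anyone stop the trail). The records here are constructed and trimmed to the fields the rules read; the account id, names and IP addresses are made up.

```python
import json

# Constructed CloudTrail log file in the layout delivered to S3 ({"Records": [...]}),
# trimmed to the fields the rules below read. Every value is made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-04-20T01:02:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-04-20T01:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-04-20T02:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2016-04-20T03:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "all-regions-trail"}},
    {"eventTime": "2016-04-20T04:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
]})

# CloudTrail API calls that reduce or remove the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def _who(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def triage(log_text):
    """Run a handful of detection rules over one log file; returns a list of findings."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        name = ev.get("eventName")
        ident = ev.get("userIdentity", {})
        base = {"time": ev.get("eventTime"), "who": _who(ev),
                "ip": ev.get("sourceIPAddress"), "event": name}
        if ident.get("type") == "Root":
            findings.append(dict(base, rule="root-account-used", severity="high"))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(dict(base, rule="console-login-without-mfa", severity="medium"))
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append(dict(base, rule="console-login-failed", severity="low"))
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(dict(base, rule="cloudtrail-tampering", severity="high"))
    return findings

def summarize(findings):
    """Count findings per rule, the shape a daily review (PCI DSS 10.6) would start from."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:26} {f['time']} {f['who']} from {f['ip']} ({f['event']})")
```

The same rules work unchanged on real log files pulled from the trail's bucket; "apply to all regions" matters here because an API call made in a region with no trail would never appear in the input.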
That brings us to our 1st Show & Tell
Credential management. 5. Configure a strong password policy. Benefits: Ensures your users and your data are protected
Credential management. 6. Rotate security credentials regularly. Benefits: Normal best practice
Credential management. 7. Enable MFA for privileged users & root user. Benefits: Supplements user name and password to require a one-time code during authentication
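Added example, not from the slides or from AWS: steps 5 to 7 (password policy, credential rotation, MFA) can be checked for every user at once from the IAM credential report, a CSV that `aws iam get-credential-report` returns base64-encoded. The report below is constructed with that header layout and made-up rows; the audit flags console users without MFA, passwords and access keys older than the rotation window, and any root-account access key or missing root MFA. The 90-day windows are assumptions, not a value the slides give.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (same column layout as `aws iam get-credential-report`,
# already base64-decoded). Users, dates and the account id are made up for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-05T09:00:00+00:00,not_supported,2016-04-01T08:00:00+00:00,not_supported,not_supported,false,true,2015-01-05T09:00:00+00:00,2016-03-30T12:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-06-01T09:00:00+00:00,true,2016-04-19T08:00:00+00:00,2016-03-01T09:00:00+00:00,2016-05-30T09:00:00+00:00,true,true,2016-03-01T09:00:00+00:00,2016-04-19T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2015-06-01T09:00:00+00:00,true,2016-04-18T08:00:00+00:00,2015-09-01T09:00:00+00:00,2015-11-30T09:00:00+00:00,false,true,2015-09-01T09:00:00+00:00,2016-04-18T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2016-02-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-04-01T09:00:00+00:00,2016-04-19T10:00:00+00:00,us-west-2,cloudformation,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

def _parse_ts(value):
    # The report uses several placeholder strings where no timestamp applies.
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def parse_report(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def audit(rows, now, max_key_age_days=90, max_password_age_days=90):
    """Return (user, finding) pairs; `now` is passed in so results are reproducible."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Step 7 and step 10: root should have MFA and no long-term access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root-mfa-disabled"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root-access-key-{slot}-active"))
            continue
        if row["password_enabled"] == "true":
            # Console users: MFA (step 7) and password age (step 5 policy, step 6 rotation).
            if row["mfa_active"] != "true":
                findings.append((user, "console-user-without-mfa"))
            changed = _parse_ts(row["password_last_changed"])
            if changed and now - changed > timedelta(days=max_password_age_days):
                findings.append((user, "password-older-than-policy"))
        for slot in ("1", "2"):
            # Access keys (step 6): flag any active key outside the rotation window.
            if row[f"access_key_{slot}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
                if rotated and now - rotated > timedelta(days=max_key_age_days):
                    findings.append((user, f"access-key-{slot}-older-than-{max_key_age_days}-days"))
    return findings

if __name__ == "__main__":
    report_time = datetime(2016, 4, 20, tzinfo=timezone.utc)
    for user, finding in audit(parse_report(SAMPLE_REPORT), report_time):
        print(f"{user:16} {finding}")
```

The password policy itself (minimum length, character classes, expiry, reuse prevention) is set once in the IAM console or with `aws iam update-account-password-policy`; the report is how you verify it is actually being met.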
Delegation. 8. Use IAM roles to share access. Benefits: No need to share security credentials; No need to store long-term credentials. Use cases: Cross-account access; Intra-account delegation; Federation
IMPORTANT: Never share security credentials
More Show & Tell!
Delegation. 9. Use IAM roles for Amazon EC2 instances. Benefits: Easy to manage access keys on EC2 instances; Automatic key rotation; Assign least privilege to the application; AWS SDKs fully integrated; AWS CLI fully integrated
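Added example for steps 8 and 9, not from the slides or from AWS: the two trust policies a role needs (one for cross-account access, one for an EC2 instance profile), plus a small linter that catches the two mistakes that undo the benefit of roles, a wildcard principal and a whole account trusted without an ExternalId or MFA condition. The account id and ExternalId value are constructed; the lint rules are this example's, not an AWS check.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy for a role another AWS account may assume. The ExternalId condition
    guards the case where a third party (a managed-security provider, for instance)
    assumes the role on your behalf, so only a caller that knows the id can use it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def ec2_instance_trust_policy():
    """Trust policy for a role handed to EC2 through an instance profile; the SDK and CLI
    on the instance then pick up short-lived, automatically rotated credentials from it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def lint_trust_policy(policy):
    """Flag trust statements that let anyone, or a whole account with no guard, assume the role."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = [] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if principal == "*" or "*" in aws_principals:
            issues.append(f"statement {i}: wildcard principal, any AWS identity could assume this role")
            continue
        condition_keys = {key for operator in stmt.get("Condition", {}).values() for key in operator}
        guarded = bool(condition_keys & {"sts:ExternalId", "aws:MultiFactorAuthPresent"})
        for p in aws_principals:
            if p.endswith(":root") and not guarded:
                issues.append(f"statement {i}: whole account {p} trusted with no ExternalId or MFA condition")
    return issues

def lint_permissions_policy(policy):
    """Least privilege for the role itself (step 9): catch blanket grants."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and "*" in actions:
            issues.append(f"statement {i}: all actions on all resources")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            issues.append(f"statement {i}: an entire service on all resources")
    return issues

if __name__ == "__main__":
    good = cross_account_trust_policy("444455556666", "example-external-id")
    print(json.dumps(good, indent=2))
    unguarded = cross_account_trust_policy("444455556666", "unused")
    del unguarded["Statement"][0]["Condition"]
    print(lint_trust_policy(good), lint_trust_policy(unguarded))
```

Run the linter over every role's trust document (`aws iam list-roles` returns them inline) as part of the same daily review as the CloudTrail findings; a role's trust policy is the one place where "never share security credentials" can be quietly violated by configuration alone.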
Delegation. 10. Reduce or remove use of root. Benefits: Reduces the potential for misuse of credentials
Turning MFA on AWS Root Acct
11. Use Config & Config Rules. Benefits: Automates security controls; Streamlines auditing
Enabling AWS Config
Setting up Config Rules
11. Use Config & Config Rules. 12. Have EC2 SSH key diversity
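Added example, not from the slides or from AWS: a custom Config rule written as a Lambda handler that evaluates each AWS::EC2::Instance configuration item against steps 9 and 12, flagging an instance whose key pair is not in the approved set for its environment (so one SSH key does not end up shared across everything) or that runs without an IAM instance profile. The event shape (invokingEvent, ruleParameters, resultToken) and the evaluation fields are the ones Config hands a custom rule; the configuration item, key names and rule parameter name `allowedKeyNames` are constructed for the example. The put_evaluations call is made only when a client is passed in, so the logic runs offline.

```python
import json

# Constructed Config invocation for a configuration-change triggered custom rule.
# Instance id, key names and timestamp are made up; `allowedKeyNames` is this
# example's own rule parameter.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemCaptureTime": "2016-04-20T10:00:00.000Z",
            "configuration": {"instanceId": "i-0123456789abcdef0",
                              "keyName": "prod-shared-key",
                              "iamInstanceProfile": None},
        },
    }),
    "ruleParameters": json.dumps({"allowedKeyNames": "prod-web-2016q2,prod-app-2016q2"}),
    "resultToken": "example-result-token",
}

def evaluate_compliance(config_item, rule_params):
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    cfg = config_item.get("configuration") or {}
    allowed = {k.strip() for k in rule_params.get("allowedKeyNames", "").split(",") if k.strip()}
    problems = []
    key = cfg.get("keyName")
    if key and allowed and key not in allowed:            # step 12: key pair diversity
        problems.append(f"key pair '{key}' is not approved for this environment")
    if not cfg.get("iamInstanceProfile"):                 # step 9: roles for EC2
        problems.append("no IAM instance profile attached")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "approved key pair and instance profile present"

def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; `config_client` is a boto3 'config' client in Lambda
    and None when running the logic locally."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, note = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],            # Config caps the annotation length
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

def compliant_item():
    """A second constructed item, showing what passes."""
    return {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0fedcba9876543210",
            "configurationItemCaptureTime": "2016-04-20T10:05:00.000Z",
            "configuration": {"keyName": "prod-web-2016q2",
                              "iamInstanceProfile": {"arn": "arn:aws:iam::111122223333:instance-profile/web"}}}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
    print(evaluate_compliance(compliant_item(), {"allowedKeyNames": "prod-web-2016q2"}))
```

Each environment (or tier) gets its own rule instance with its own `allowedKeyNames`, which is how "key diversity" becomes something Config can enforce continuously rather than a one-off review.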
The 13 hardening measures:
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Password
6. Rotate
7. MFA
8. Sharing
9. Roles
10. Root
11. Use Config & Config Rules
12. Have EC2 SSH key diversity
NETWORK
AWS Virtual Private Cloud (diagram: Availability Zone A, Availability Zone B)
- Provision a logically isolated section of the AWS cloud
- You choose a private IP range for your VPC
- Segment this into subnets to deploy your compute instances
- Control all external routing and connectivity
AWS network security
- The AWS network will prevent spoofing and other common layer 2 attacks
- You cannot sniff anything but your own EC2 host network interface
Three-tier layout (diagram): Web, App, DB
- Security groups: App allows Web; DB denies all other traffic
- Web reachable on port 443; App reachable from Web on port 443
- Subnets: PUBLIC (Web), PRIVATE (App), PRIVATE (DB); replicate the on-prem layout
AWS VPC Peering: route traffic between VPCs in private, and peer specific subnets between each VPC, even between AWS accounts (diagram: Big Data Analytics, Digital Websites, Enterprise Apps, Common Services)
Connect your premises to your AWS environment resiliently and directly: AWS Direct Connect, Internet VPN (diagram: Digital Websites, Dev and Test, Big Data Analytics, Enterprise Apps)
Physical Data Center -> AWS VPC
- VLANs/Subnets -> Subnets
- Routers -> Route Tables
- Stateful Firewalls -> Security Groups
- Stateless Firewalls or Network ACLs -> Network ACLs
- Network Interface Card -> Elastic Network Interface (ENI)
- Web Application Firewall -> AWS WAF or other products (like Alert Logic)
- Internet Connection -> Internet Gateway (IGW)
- NAT (probably on firewall) -> NAT Gateway Service or NAT Instance
- Inter Datacenter connectivity -> IPSec VPN, OpenVPN (for users), Direct Connect
- Private IP (RFC 1918) -> Private IP (RFC 1918), persistent for the life of the instance (EC2)
- Public/External IP -> Public IP (dynamic), Elastic IP (static)
- Network based IDS/IPS -> Host based IPS/IDS
- DHCP Server -> Managed DHCP Service (DHCP Options Set)
- DNS Server -> Managed or self-hosted DNS (DHCP Options Set)
- Intra-Network Isolation or Connectivity -> VPC Peering
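Added example, not from the slides or from AWS: a model of the three-tier layout above as security groups that reference each other (the stateful firewall row of the mapping), next to a network ACL for the public subnet (the stateless row), so the practical difference between the two can be checked. The group ids, the DB port (3306, assuming MySQL) and the ACL rules are constructed; the evaluation order mirrors how the two mechanisms work (security groups: any matching allow rule; NACLs: lowest rule number first, implicit deny at the end).

```python
import ipaddress

# Constructed three-tier security groups: Web accepts 443 from the Internet, App only
# from members of the Web group on 443, DB only from members of the App group on 3306
# (MySQL is an assumption). A source of the form "sg-..." means "instances in that group".
SECURITY_GROUPS = {
    "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "src": ["0.0.0.0/0"]}],
    "sg-app": [{"proto": "tcp", "from": 443, "to": 443, "src": ["sg-web"]}],
    "sg-db":  [{"proto": "tcp", "from": 3306, "to": 3306, "src": ["sg-app"]}],
}

def sg_ingress_allowed(groups, dest_sg, proto, port, source):
    """Security groups are stateful: once an inbound flow matches an allow rule, its
    replies are permitted automatically, so only ingress is evaluated. `source` is an
    IP address or a group id."""
    for rule in groups.get(dest_sg, []):
        if rule["proto"] not in (proto, "-1") or not (rule["from"] <= port <= rule["to"]):
            continue
        for src in rule["src"]:
            if src.startswith("sg-"):
                if src == source:
                    return True
            elif not source.startswith("sg-") and \
                    ipaddress.ip_address(source) in ipaddress.ip_network(src):
                return True
    return False

# Constructed network ACL for the public subnet: allows HTTPS in and out, but has no
# outbound rule for the client's ephemeral reply port. Tuples: (rule number, action,
# protocol, low port, high port, CIDR); evaluated lowest number first, implicit deny last.
PUBLIC_NACL = {
    "inbound":  [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
    "outbound": [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
}

def nacl_allows(nacl, direction, proto, port, peer_ip):
    for _num, action, r_proto, lo, hi, cidr in sorted(nacl[direction]):
        if r_proto in (proto, "-1") and lo <= port <= hi and \
                ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def https_session_allowed(nacl, client_ip, client_port):
    """NACLs are stateless, so an HTTPS session needs both the inbound 443 rule and an
    outbound rule covering the client's ephemeral port (1024-65535) for the reply."""
    return (nacl_allows(nacl, "inbound", "tcp", 443, client_ip)
            and nacl_allows(nacl, "outbound", "tcp", client_port, client_ip))

def fixed_public_nacl():
    """The same ACL with the missing ephemeral-port outbound rule added."""
    fixed = {k: list(v) for k, v in PUBLIC_NACL.items()}
    fixed["outbound"].append((110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"))
    return fixed

if __name__ == "__main__":
    client = "198.51.100.7"
    print(sg_ingress_allowed(SECURITY_GROUPS, "sg-web", "tcp", 443, client))   # True
    print(sg_ingress_allowed(SECURITY_GROUPS, "sg-db", "tcp", 3306, client))   # False
    print(sg_ingress_allowed(SECURITY_GROUPS, "sg-db", "tcp", 3306, "sg-app")) # True
    print(https_session_allowed(PUBLIC_NACL, client, 51515))                   # False
    print(https_session_allowed(fixed_public_nacl(), client, 51515))           # True
```

Referencing groups by id rather than by subnet CIDR is what keeps the DB tier closed even when App instances are replaced or scale out; the NACL half shows why a "deny all, allow 443" stateless rule set silently breaks every session until the reply ports are opened.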
http://media.amazonwebservices.com/aws_security_best_practices.pdf http://docs.aws.amazon.com/iam/latest/userguide/best-practices.html http://docs.aws.amazon.com/iam/latest/userguide/cloudtrailintegration.html http://docs.aws.amazon.com/iam/latest/userguide/id_credentials_delegatepermissions_examples.html
https://youtu.be/fch4r3s4thq https://youtu.be/5_bq6dgk6k8 https://youtu.be/ykmqjgldml4 https://youtu.be/3qln2u1vr2e https://youtu.be/_wigpbqgcju