SESSION ID: CMI-F03
Cloud Security Strategy - Adapt to Changes with Security Automation
Hayato Kiriyama, Security Solutions Architect, Amazon Web Services Japan K.K. (@hkiriyam1)

Agenda
1. New Normal of Security Architecture
2. Security Best-Mix to Adapt to Changes
3. Security Automation as a New Solution

Section 1: New Normal of Security Architecture
"Cloud has become the New Normal. Companies of every size are deploying new applications to the cloud by default."
Andy Jassy, Chief Executive Officer, Amazon Web Services, AWS re:Invent 2015
https://www.youtube.com/watch?v=d5-ifl7kj00
"The only rational response to risk is to be proactive in how we engage with changes. If you are not disrupting your own markets, someone else will disrupt them for you."
Eric Tucker, IT Chief Technology Officer, GE Global Research, AWS Summit Tokyo 2016
http://www.youtube.com/watch?v=nsstpwfycpc&t=28m40s
IT in the Cloud Era
                  Ownership                    Utilization
Electric power    Private electric generator   Electric utility provider
Computing         On-premise servers           Cloud service provider

IT Capacity (On-premise)
[chart: installed capacity against demand over time, labelled "Surplus capacity", "Rapid growth or M&A", "Unpredictable peak" and "Lack of capacity = opportunity loss"]

IT Capacity (Cloud)
[chart: capacity tracking demand over time, labelled "Freedom from surplus capacity", "Freedom from surplus and lack of capacity" at "Rapid growth or M&A" and "Unpredictable peak", and "Freedom from capacity sizing"]
The Value of Cloud
- Improvement: easier, faster, cheaper
- Innovation: can do what we couldn't do
- Disruption: bring the old value to naught (Normal to New Normal)

Normal Security Issues
- Are current security measures effective?
- How much should we invest in security?
- Is ROI optimized?

Can We Calculate Security ROI?
- Return: the amount of money protected by the security measures
- Investment: the pure cost of the security measures

Can We Calculate Security ROI? NO!
Return
- Direct cost (measurable): incident response expenses, existing customers lost
- Indirect cost (unmeasurable): business opportunity lost, prospective customers lost
Investment
- IT investment, facility investment, training: what percentage of each is security?
Security Investment Cannot Be Unraveled
"Security is becoming a fabric item. It's woven through every major technical decision."
Mark McLaughlin, President & CEO, Palo Alto Networks, Ignite 2015
https://www.youtube.com/watch?v=zuvcnitslma

Start with Risk (Risk-based Approach)
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations:
- Select the appropriate security controls in accordance with the required security levels.
- Tailor security control baselines to achieve the needed level of protection in accordance with organizational assessments of risk.
http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf

Security Risk Formula
Security risk is composed of three factors:
- Threats: malware, targeted attack, DDoS attack
- Vulnerabilities: security hole, misconfiguration, psychological
- Informational assets: corporate confidential, personal information, intellectual property

Risks Keep Changing
- Threats change with: social events, corporate news, corporate reputation
- Vulnerabilities change with: asset investment, organization growth, hiring and deployment
- Informational assets change with: business growth, M&A/IPO, company split-up
Adapt Security Level to Risk Changes
[chart: "Optimal security level" tracking "Changing security risk" over time]

From ROI to Adaptiveness
                      Normal                        New Normal
What we look at       Return On Investment (ROI)    Adaptiveness to changes
What it looks like    Increased security level      Adapted security level
[chart: security level (0 to 4) against changing security risk]
Section 2: Security Best-Mix to Adapt to Changes

Categories by Adaptiveness
Category               Adaptiveness   Use cases
Situational Security   High           Incident response, forensics, EDR, UEBA, threat intelligence correlation
Corporate Security     Middle         Access control, vulnerability management, encryption, FW/IPS/IDS, data protection, log management
Fixed Security         Low            Network, server, data center, hypervisor, storage, facility

[REF] Electric Power Best Mix
[chart: electric power demand over 24 hours (0, 6, 12, 18, 24 h) met by a mix of thermal, pumped-storage hydroelectric and nuclear power]

Security Best Mix
Security level         Adaptiveness   Cost
Situational Security   High           High
Corporate Security     Middle         Middle
Fixed Security         Low            Low
Security Best Mix in the Cloud Era
Security level         Where it lives             Power source (driver)
Situational Security   Security by the cloud      Security Automation (adaptability): what and how?
Corporate Security     Security in the cloud      Compliance as Code / DevSecOps, based on regulatory compliance (reusability, repeatability)
Fixed Security         Security of the cloud      Economies of scale by the cloud service provider (cost)
Minimize the Gap to Adapt
[chart: "Adapted security level" following "Changing security risk" over time; the gap between them is what automation must minimize]
1. Granular Response: many small services, independently deployable, loosely coupled (microservices architecture)
2. Early Detection: massive security logs, threat intelligence, event-driven / API call (data management infrastructure)
Cloud makes it easier and possible.
Section 3: Security Automation as a New Solution

Gartner's Adaptive Security Architecture
Four continuous stages around a core of continuous monitoring and analytics:
- Predict: proactive exposure assessment, predict attacks, baseline systems
- Prevent: harden and isolate systems, divert attackers, prevent incidents
- Detect: detect incidents, confirm and prioritize, contain incidents
- Respond: remediate / make changes, design / model changes, investigate / forensics

AWS Service Mapping
AWS services and third-party products placed on the four stages (Predict, Prevent, Detect, Respond): NACL, SG, Amazon Inspector, 3rd-party data feed, AWS Config, Amazon CloudFront, AWS WAF, Amazon CloudWatch, AWS CloudTrail, Amazon SNS, AWS Lambda, Amazon VPC flow logs, 3rd-party IDS, AWS CloudFormation, Amazon EBS, Auto Scaling, 3rd-party SIEM

Use Case: Mitigate External Attacks
(The same service mapping, with the services used in the following two flows highlighted.)
Automatic Update on WAF Rule with IP Black List
Components: User, Attacker, Amazon CloudFront (content delivery network), Elastic Load Balancing (load balancer), Amazon EC2 (web servers), Amazon RDS (database), AWS WAF (web application firewall), AWS Lambda (function as a service), Amazon CloudWatch (resource monitoring), 3rd-party reputation list
1. Amazon CloudWatch executes the Lambda function hourly
2. The function checks the 3rd-party reputation list for malicious IP addresses
3. The function adds them to an AWS WAF block list
4. AWS WAF in front of CloudFront blocks the traffic from the malicious IP addresses
Reference: AWS WAF Security Automations, https://aws.amazon.com/jp/answers/security/aws-waf-security-automations/
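The core of steps 2 and 3 above, as an added example that is neither this deck's code nor the AWS WAF Security Automations solution: parse a reputation feed and compute the insert/delete set that makes a WAF IP set mirror it. The feed text and the "current IP set" are constructed sample data; the /8 and /16 to /32 prefix limit is an assumption about AWS WAF Classic IPv4 sets, and a real Lambda would fetch the feed over HTTPS and apply the result through the AWS API.

```python
import ipaddress

# Constructed sample feed (not a real list): comments, whitespace, a duplicate,
# a malformed entry, a private range and an unsupported prefix length.
SAMPLE_FEED = """\
# constructed sample, not a real feed
198.51.100.7
203.0.113.0/24
203.0.113.0/24
 192.0.2.10   ; comment after the entry
not-an-ip
10.0.0.0/8
198.18.0.0/15
"""

# Assumption: AWS WAF Classic IPv4 sets accept /8 and /16 through /32.
ALLOWED_PREFIXES = {8} | set(range(16, 33))
# Ranges a feed must never cause us to block: RFC 1918 and loopback.
NEVER_BLOCK = [ipaddress.ip_network(c) for c in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feed(text):
    """Return the set of IPv4 networks a feed lists, normalized to CIDR."""
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # one bad line must not abort the hourly run
        if net.version != 4 or net.prefixlen not in ALLOWED_PREFIXES:
            continue
        if any(net.overlaps(blocked) for blocked in NEVER_BLOCK):
            continue
        nets.add(net)
    return nets

def plan_update(current_cidrs, desired_nets):
    """Return (insert, delete) CIDR lists that make the live IP set equal the feed."""
    current = {ipaddress.ip_network(c) for c in current_cidrs}
    insert = sorted(str(n) for n in desired_nets - current)
    delete = sorted(str(n) for n in current - desired_nets)
    return insert, delete

def reconcile(feed_text, current_cidrs):
    """Hourly job body: parse the feed and diff it against the live IP set."""
    return plan_update(current_cidrs, parse_feed(feed_text))
```

Entries the feed drops (private ranges, unsupported prefixes, malformed lines) are also the entries that would otherwise silently block your own traffic or fail the whole update, so the filter is the part worth unit-testing before the job runs unattended.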
Contain and Notify an Incident by Scale-out
Components: Amazon CloudFront (content delivery network), Elastic Load Balancing (load balancer), an Auto Scaling group of EC2 instances across Availability Zones 1a and 1b, Amazon SNS (notification service), AWS Lambda (function as a service)
1. Massive traffic arrives
2. Automatic traffic distribution by scale-out
3. The scaling event is notified through Amazon SNS
4. SNS calls an arbitrary function in AWS Lambda
Use Case: Assess Risks to Manage Internal Endpoints
(The same service mapping as above, with the services used in the following flow highlighted.)
Automate Quarantine and Backup
Components: AWS Lambda (function as a service), Amazon Inspector (security assessment), EC2 instance (endpoint), Amazon EBS (block storage), Security Group (stateful firewall), Network ACL (stateless firewall), Amazon SNS (notification service), AWS CloudTrail (operation log service)
1. A Lambda function runs a security assessment in Amazon Inspector
2. Inspector runs a vulnerability scan against the endpoint
3. The scan results are notified through Amazon SNS to a second Lambda function
4. That function quarantines the endpoint by firewalls (security group and network ACL)
5. It copies a disk image of the endpoint (EBS snapshot) for backup
6. AWS CloudTrail records the backup operation log
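Steps 3 to 6 above, and the SNS-to-Lambda hand-off the scale-out slide also relies on, as an added example that is not code from this deck: a Lambda-style handler unwraps the SNS-delivered scan result, applies a severity threshold, and returns the ordered actions in the deck's sequence (notify, quarantine, snapshot, record). The event shape, the finding format, the severity threshold and the quarantine security group are assumptions; the action names are the boto3 EC2/SNS client methods a caller would invoke, but nothing is executed here.

```python
import json

QUARANTINE_SEVERITIES = {"High", "Medium"}   # assumption: tunable isolation threshold
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"  # placeholder: pre-created SG with no rules
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]

def unwrap_sns(event):
    """Step 3: the scan result arrives as the JSON body of an SNS record."""
    return json.loads(event["Records"][0]["Sns"]["Message"])

def worst_severity(findings):
    return max((f["severity"] for f in findings),
               key=SEVERITY_ORDER.index, default="Informational")

def plan_response(scan):
    """Return the ordered (api_call, kwargs) actions for one scanned endpoint.

    Order follows the deck: notify, quarantine, snapshot, record. Isolating
    before snapshotting means the image captures the endpoint as contained.
    """
    severity = worst_severity(scan["findings"])
    instance = scan["instance_id"]
    plan = [("publish", {"TopicArn": scan["notify_topic"],
                         "Message": f"{instance}: worst finding {severity}"})]
    if severity not in QUARANTINE_SEVERITIES:
        return plan
    # Step 4: quarantine by firewalls. Replacing the security groups is one
    # idempotent call; a subnet NACL deny would be the stateless equivalent.
    plan.append(("modify_instance_attribute",
                 {"InstanceId": instance, "Groups": [QUARANTINE_SG]}))
    # Step 5: copy the disk image for backup, one snapshot per attached volume.
    for volume in scan["volume_ids"]:
        plan.append(("create_snapshot", {"VolumeId": volume,
                     "Description": f"quarantine of {instance}, severity {severity}"}))
    # Step 6: CloudTrail records every call above; the tag lets a responder
    # find the quarantined instance without searching the log.
    plan.append(("create_tags", {"Resources": [instance],
                 "Tags": [{"Key": "Quarantined", "Value": severity}]}))
    return plan

def handler(event, context=None):
    """Lambda entry point; returns the plan instead of executing it."""
    return plan_response(unwrap_sns(event))

# Constructed sample event: one High and one Low finding, two attached volumes.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "instance_id": "i-0123456789abcdef0", "notify_topic": "arn:aws:sns:PLACEHOLDER",
    "volume_ids": ["vol-0aaa", "vol-0bbb"],
    "findings": [{"severity": "High"}, {"severity": "Low"}]})}}]}
```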
The Value of Cloud Security
Improvement    Easier, faster, cheaper          Earlier detection on the data management infrastructure
Innovation     Can do what we couldn't do       Granular response through microservices
Disruption     Bring the old value to naught    From ROI to adaptiveness to changes

Summary
- Be adaptive to the changes of security risks
- Best-mix security by its adaptiveness
- Cloud makes it easy and possible with Security Automation

Apply
- Apply cloud technology to improve readiness and responsiveness (e.g. AWS provides automated security).
- Mix different types of security by adaptiveness to attain the necessary security level.
- Recommended use:
  - security of the cloud for fixed security
  - security in the cloud for corporate security
  - security by the cloud for situational security
Thank you!