Hackproof Your Cloud: Responding to 2016 Threats

Hackproof Your Cloud: Responding to 2016 Threats
Aaron Klein, CloudCheckr
Tuesday, June 30th 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Changing Your Perspective
- Moving to the cloud = rethinking your perimeter security
- Old world: set up and audit perimeter security
- New world: rethink the security tasks:
  - Network-based IPS/IDS
  - Network scanning
  - Penetration tests
  - Vulnerability assessments
- Focus on securing cloud workloads, not on securing the cloud

AWS: What's Different?
- The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs.
- In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats.
- Physical assets are secured at the AWS availability zone
- You must guard the AWS API
- IAM access is your new physical security

AWS and You Share Responsibility for Security
- You get to define your controls IN the cloud: network security, customer applications & content, inventory & configuration, data security, access control
- AWS takes care of the security OF the cloud: the foundation services (compute, storage, database, networking) and the global infrastructure (regions, availability zones, edge locations)

Minimizing Attack Vectors
- Principles don't change: reduce your surface area! Defense-in-depth.
- Security hardening:
  - Patch all known vulnerabilities
  - Configure and manage user privileges
  - Remove unused user accounts
  - Remove unwanted services
  - Close unused open network ports
  - Enforce password complexity & policies
- Some attack vectors don't change:
  - Application-level user-privilege escalation, web app vulns, XSS
  - Operating system vulnerabilities
  - Database vulnerabilities
- Some attack vectors change:
  - Homogeneous environment
  - Polymorphic targets/mapping
  - Reduced network sniffing

Perimeter Assessments in the Cloud
How do I assess the perimeter of my cloud?
- Old world: "Give me your network block", "Let me see your configuration"; Nmap, port scans, ping sweeps, etc.
- New world: a list of publicly-accessible resources:
  - Security groups (Amazon EC2-Classic, Amazon EC2-VPC, Redshift, RDS, etc.)
  - Routing tables, network ACLs
  - VPC, subnets
  - Amazon S3 buckets and permissions
  - IAM policies

Network Security in a VPC
- Network ACLs (NACLs)
  - Virtual firewalls assigned to VPC subnets
  - Stateless: responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)
  - Rules are evaluated in ascending numerical order; the first matching rule decides
  - DENY can be overridden by ALLOW (a lower-numbered ALLOW wins over a later DENY)
  - Watch for INEFFECTIVE rules
- Security groups
  - Host-based firewalls assigned to instances
  - Stateful: responses to allowed inbound traffic are not subject to the rules for outbound traffic
  - Rules are cumulative
  - DENY always overrides ALLOW
  - Assigning the wrong security group to an instance exposes the entire VPC
- http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_acls.html
- http://docs.aws.amazon.com/awsec2/latest/userguide/using-network-security.html
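The two rule models above differ in ways that are easy to get wrong, so here is a small simulator of both. This is an added example, not code from the slides or from CloudCheckr: it evaluates a packet against a network ACL (ascending rule numbers, first match decides, implicit deny at the end, separate stateless outbound rules) and against a security group (unordered, cumulative allows, nothing else), and it flags the "ineffective" NACL entries the slide warns about, meaning a DENY that a lower-numbered ALLOW already covers. The rule sets are constructed samples; the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One network ACL entry. Rule numbers give evaluation order; the lowest
    matching number wins and later rules are never consulted."""
    number: int
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class SgRule:
    """One security group entry. Security groups only have allow rules."""
    protocol: str
    cidr: str
    port_from: int
    port_to: int


def _matches(rule, protocol, ip, port):
    """True if a packet (protocol, remote ip, port) falls within a rule."""
    if rule.protocol not in ("-1", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


def nacl_decision(rules, protocol, ip, port):
    """NACL semantics: rules are checked in ascending rule-number order and the
    first match decides. Nothing matching falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, ip, port):
            return rule.action
    return "deny"


def ineffective_nacl_rules(rules):
    """Find NACL rules that can never fire because a lower-numbered rule already
    covers every packet they could match (same or wider protocol, CIDR and ports).
    Returns (shadowed_rule_number, shadowing_rule_number) pairs."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.cidr)
        for earlier in ordered[:i]:
            earlier_net = ipaddress.ip_network(earlier.cidr)
            if (earlier.protocol in ("-1", later.protocol)
                    and later_net.version == earlier_net.version
                    and later_net.subnet_of(earlier_net)
                    and earlier.port_from <= later.port_from
                    and later.port_to <= earlier.port_to):
                shadowed.append((later.number, earlier.number))
                break
    return shadowed


def sg_decision(rules, protocol, ip, port):
    """Security group semantics: rules are unordered and cumulative; a packet is
    allowed if any rule matches and dropped otherwise. There is no deny rule."""
    return "allow" if any(_matches(r, protocol, ip, port) for r in rules) else "deny"


# Constructed sample rule sets (not taken from the slides).
NACL_INBOUND = [
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
    # Meant to block SSH from one network, but rule 100 already allowed it:
    # this DENY is ineffective because the lower-numbered ALLOW wins.
    NaclRule(110, "deny", "tcp", "203.0.113.0/24", 22, 22),
    NaclRule(120, "allow", "tcp", "0.0.0.0/0", 443, 443),
]
NACL_OUTBOUND = [
    # Stateless: replies to allowed inbound connections need their own
    # outbound allow on the ephemeral port range.
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]
SG_INBOUND = [
    SgRule("tcp", "10.0.0.0/8", 22, 22),
    SgRule("tcp", "0.0.0.0/0", 443, 443),
]


if __name__ == "__main__":
    print("NACL SSH from 203.0.113.5:", nacl_decision(NACL_INBOUND, "tcp", "203.0.113.5", 22))
    print("Ineffective NACL rules:", ineffective_nacl_rules(NACL_INBOUND))
    print("NACL outbound reply on port 80:", nacl_decision(NACL_OUTBOUND, "tcp", "203.0.113.5", 80))
    print("SG SSH from 203.0.113.5:", sg_decision(SG_INBOUND, "tcp", "203.0.113.5", 22))
```

Running it shows SSH from 203.0.113.5 passing the NACL even though rule 110 says deny, and the same packet dropped by the security group because no allow covers it; the outbound check shows why a stateless NACL needs an ephemeral-port rule for return traffic.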

Complex Connections to Amazon EC2
- Amazon EC2 instances can be run inside VPCs (with a legacy capability to run outside VPCs)
- An instance can be given one or more private IP addresses, for example 172.12.6.186, which generates the DNS name ip-172-12-6-186.us-west-2.compute.internal
- An instance can be given one or more public IP addresses, for example 52.24.201.167, which generates the DNS name ec2-52-24-201-167.us-west-2.compute.amazonaws.com
- An instance can be attached to an Elastic IP address (EIP), for example 107.20.135.132
- Example instance: Instance ID i-001bac39, friendly name (implemented as a tag) ISS-V2-API1

Running VA in Cloud Environments
How do I run vulnerability assessments?
- REGISTER YOUR SCAN!
- Gather the list of public IPs and EIPs of all resources
- Do I need to scan the private IP addresses and instances?
- Scanning an AMI: spin up a new instance, run a scan on the new instance, and mark everything based on this AMI as scanned
- What about when an instance drifts from the original AMI? Someone can reconfigure settings or install new software
- In an elastic, ephemeral, auto-scaling environment, clouds can have tens of thousands of instances

Patching Strategies for AWS
- "No patch" strategy: stay away from patching live systems
  - Focus on patching templates/AMIs
  - Deliver patches by redeploying workloads
  - Dependent on adopting pure cloud architectures
- Look at AWS OS templates patched by Amazon
- Systematic workload reprovisioning based on high-assurance repositories
  - Effective in battling Advanced Persistent Threats

Outside of Your VPC: What Are We Missing?
- Don't assume attacks only happen against Amazon EC2
- AWS is a complex system: over 30 different AWS services, many with unique access control systems
- You may have 100s of AWS accounts
- We need a complete inventory of all publicly-accessible endpoints and resources
- Security breaches can happen with a single weak link

S3 (Simple Storage Service)
- Up to 1000 buckets in an account; unlimited number of objects (billions is not uncommon)
- Location: within a region, across multiple AZs, not housed in a VPC; you can't sit between client and storage
- Security:
  - Access control through IAM policies, bucket policies, ACLs, and query string authentication
  - Server-side encryption, HTTPS support
  - Server-access logs (do not integrate with CloudTrail)
  - Don't grant FULL_CONTROL, WRITE_ACP, or WRITE bucket permissions to Everyone, EVER!!!
  - Create an inventory of your sensitive data

SQS (Simple Queue Service)
- Where does SQS live? Within a region, not within a VPC
- Uses a URL such as: https://sqs.us-east-1.amazonaws.com/123456789012/mysqs
- Security is based on policy documents, for example:

  {
    "Version": "2008-10-17",
    "Id": "arn:aws:sqs:us-east-1:123456789012:mysqs/sqsdefaultpolicy",
    "Statement": [
      {
        "Sid": "Sid1415217272568",
        "Effect": "Allow",
        "Principal": { "AWS": "*" },
        "Action": [ "SQS:ReceiveMessage", "SQS:SendMessage" ],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:mysqs"
      }
    ]
  }

SNS (Simple Notification Service)
- SNS does not live inside your VPC
- Permissions are based on topic policies
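The S3, SQS and SNS slides above all come down to the same inventory question: which grants and policy statements open a resource to anyone? The following Python is an added example, not code from the slides or from CloudCheckr. It checks an S3 bucket ACL (in the shape the GetBucketAcl API returns) for the write-class permissions the S3 slide says must never go to Everyone, and it scans an IAM-style resource policy, which is the same document format for bucket, queue and topic policies, for Allow statements whose Principal is "*". The queue policy is modelled on the SQS slide's example with the closing braces added; the bucket ACL, the SNS topic policy and all ids in them are constructed samples, and the function names are my own.

```python
import json

# Grantee URIs AWS uses for the two public groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                      # "Everyone"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
WRITE_CLASS_PERMISSIONS = {"FULL_CONTROL", "WRITE_ACP", "WRITE"}


def risky_acl_grants(acl):
    """Return (grantee, permission) pairs for ACL grants that hand write-class
    access to a public group. `acl` follows the GetBucketAcl response shape."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = {ALL_USERS: "Everyone", AUTHENTICATED_USERS: "AnyAWSAccount"}.get(grantee.get("URI"))
        if label and grant.get("Permission") in WRITE_CLASS_PERMISSIONS:
            findings.append((label, grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """Principal may be written as "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_document):
    """Scan an IAM-style resource policy (S3 bucket, SQS queue or SNS topic) and
    return each Allow statement whose principal is anyone. A Condition block may
    narrow such a statement, so its presence is reported rather than trusted."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(statement.get("Principal")):
            continue
        findings.append({
            "sid": statement.get("Sid", "statement[%d]" % index),
            "actions": _as_list(statement.get("Action", [])),
            "conditioned": "Condition" in statement,
        })
    return findings


# Constructed sample ACL: the owner has full control, but Everyone was also given WRITE.
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Queue policy modelled on the slide's SQS example (closing braces added here).
SAMPLE_SQS_POLICY = """{
  "Version": "2008-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:mysqs/sqsdefaultpolicy",
  "Statement": [
    {
      "Sid": "Sid1415217272568",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["SQS:ReceiveMessage", "SQS:SendMessage"],
      "Resource": "arn:aws:sqs:us-east-1:123456789012:mysqs"
    }
  ]
}"""

# Constructed topic policy: wildcard principal, but narrowed by a Condition.
SAMPLE_SNS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublishFromOneBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-1:123456789012:mytopic",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}},
    }],
}


if __name__ == "__main__":
    print("risky ACL grants:", risky_acl_grants(SAMPLE_BUCKET_ACL))
    print("public SQS statements:", public_statements(SAMPLE_SQS_POLICY))
    print("public SNS statements:", public_statements(SAMPLE_SNS_POLICY))
```

The SQS slide's own policy comes back as a finding with no Condition, which is what the queue URL being reachable from any AWS principal looks like in policy form; the SNS sample comes back flagged but conditioned, which is the case a reviewer still has to read by hand.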

Logs: Using AWS CloudTrail
- An AWS service that records each time the AWS API is called
- Currently supports most AWS services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html
- Conveniently, everything in AWS goes through the API; even actions in the Management Console go through the API
- CloudTrail writes files into an Amazon S3 bucket, near real-time (every five minutes), in JSON format
- Get started at http://aws.amazon.com/cloudtrail/
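Because every API call, console action included, lands in those JSON files, a few lines of code over a delivered log file already give useful alerts. The Python below is an added example, not code from the slides or from CloudCheckr. It parses a file in the {"Records": [...]} shape CloudTrail delivers to S3 and picks out three event types worth paging on: failed console logins, AuthorizeSecurityGroupIngress calls that open a port to 0.0.0.0/0 or ::/0 (the "wrong security group exposes the VPC" case from the VPC slide), and calls that stop or alter the trail itself. The sample records, account id, user names, group id and IP addresses are constructed placeholders; the function names are my own.

```python
import json
from collections import Counter

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    """Yield every CIDR in one ipPermissions entry; CloudTrail wraps EC2 lists in {"items": [...]}."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key, {}).get("items", []):
            if field in entry:
                yield entry[field]


def triage(records):
    """Walk CloudTrail records and return (finding, actor, detail, eventTime) tuples
    for failed console logins, security-group ingress opened to the world, and
    changes to CloudTrail logging itself."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        when = rec.get("eventTime")
        if name == "ConsoleLogin":
            if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                findings.append(("console-login-failure", actor, rec.get("sourceIPAddress"), when))
        elif name == "AuthorizeSecurityGroupIngress":
            params = rec.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                for cidr in _cidrs(perm):
                    if cidr in WORLD_CIDRS:
                        detail = "%s %s/%s-%s from %s" % (params.get("groupId"), perm.get("ipProtocol"),
                                                        perm.get("fromPort"), perm.get("toPort"), cidr)
                        findings.append(("world-open-ingress", actor, detail, when))
        elif name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
            findings.append(("cloudtrail-change", actor, name, when))
    return findings


def actor_summary(records):
    """Count API calls per caller; an unfamiliar principal stands out immediately."""
    return Counter(rec.get("userIdentity", {}).get("arn", "unknown") for rec in records)


def load_records(log_file_text):
    """Parse one delivered CloudTrail file (gzip layer already removed)."""
    return json.loads(log_file_text)["Records"]


# Constructed log file in the shape CloudTrail delivers to S3: {"Records": [...]}.
# Account id, ARNs, IPs and the group id are placeholders, not values from the slides.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.04", "eventTime": "2016-06-30T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.04", "eventTime": "2016-06-30T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}},
     "responseElements": {"_return": True}},
    {"eventVersion": "1.04", "eventTime": "2016-06-30T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventVersion": "1.04", "eventTime": "2016-06-30T14:10:55Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "management-trail"}},
]})


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG_FILE)
    for finding in triage(records):
        print(finding)
    print(actor_summary(records))
```

The read-only DescribeInstances call passes through untouched; only the three risky records produce findings. In production the same loop runs over each object CloudTrail drops into the bucket (or over a CloudWatch Logs subscription) rather than over an inline string.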

Using CloudWatch Logs
- Simple method of monitoring operating system logs: ship Windows event logs and syslogs to AWS CloudWatch
- Types of use case:
  - Account login failure, account login success, new local account creation, excessive login failure (configurable)
  - Unauthorized Windows admin logon, Windows account lockout attempt, Windows computer account changes
  - Windows audit policy changes, Windows event log cleared
  - Non-Windows: account locked out, account unlocked, changes to system or audit log
- Get started at: http://docs.aws.amazon.com/amazoncloudwatch/latest/developerguide/whatiscloudwatchlogs.html

Using Amazon VPC Flow Logs
- An AWS service that records each time packets enter or leave a VPC: http://docs.aws.amazon.com/amazonvpc/latest/userguide/flow-logs.html
- Security team comes to you and says: "We need logs going to instance 1-0123456 from IP address ranges 52.205.16.0-52.205.31.255"
- Monitor for DENY connections: flow logs give you both security group and NACL denies
- Announcement: https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazonvpc-flow-logs/
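Answering the security team's request from the slide takes two steps that the slide leaves implicit: flow log records are keyed by network interface, not by instance, and the range 52.205.16.0-52.205.31.255 has to become a CIDR before it can be matched. The Python below is an added example, not code from the slides or from CloudCheckr. It parses default-format (version 2) flow log lines, converts the slide's address range to CIDR blocks, maps interfaces to instances through a lookup table, and keeps only the REJECT records, which is where both security group and NACL denies show up. The interface ids, the second instance and the log lines are constructed; i-001bac39 and 172.12.6.186 are reused from the slide's EC2 example, and the function names are my own.

```python
import ipaddress
from collections import Counter

# Field order of a default (version 2) VPC flow log record.
FLOW_LOG_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
)


def parse_flow_record(line):
    """Split one space-separated flow log line into a dict. Records whose log-status
    is NODATA or SKIPDATA carry '-' in the traffic fields and are returned as-is."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError("unexpected field count %d in: %r" % (len(parts), line))
    return dict(zip(FLOW_LOG_FIELDS, parts))


def cidrs_for_range(first, last):
    """Turn a human-written range such as 52.205.16.0-52.205.31.255 into CIDR blocks."""
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))


def rejected_flows_to_instance(lines, instance_id, eni_to_instance, source_cidrs):
    """Return REJECT records (security-group or NACL denies) addressed to the given
    instance's network interfaces from any of the source CIDR blocks."""
    wanted_enis = {eni for eni, inst in eni_to_instance.items() if inst == instance_id}
    matches = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if rec["interface_id"] not in wanted_enis:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        if any(src in net for net in source_cidrs):
            matches.append(rec)
    return matches


def rejects_by_port(records):
    """Histogram of rejected destination ports: a quick view of what is being probed."""
    return Counter(rec["dstport"] for rec in records)


# Constructed mapping from network interface to instance. Flow logs are keyed by
# interface id, so a lookup like this (DescribeNetworkInterfaces in practice) is
# needed to answer a question phrased per instance. The ENI ids and the second
# instance are placeholders.
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-001bac39", "eni-0b2c3d4e": "i-placeholder2"}

# Constructed flow log lines (not captured from a real VPC).
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 52.205.20.14 172.12.6.186 49152 22 6 1 40 1467244800 1467244860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 52.205.40.9 172.12.6.186 49153 22 6 1 40 1467244800 1467244860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 52.205.17.3 172.12.6.186 51000 443 6 10 4000 1467244800 1467244860 ACCEPT OK",
    "2 123456789012 eni-0b2c3d4e 52.205.18.7 172.12.6.200 49154 3389 6 1 40 1467244800 1467244860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 52.205.19.8 172.12.6.186 49155 3389 6 1 40 1467244800 1467244860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1467244800 1467244860 - NODATA",
]


if __name__ == "__main__":
    cidrs = cidrs_for_range("52.205.16.0", "52.205.31.255")
    print("range as CIDR:", [str(c) for c in cidrs])
    hits = rejected_flows_to_instance(SAMPLE_FLOW_LOG, "i-001bac39", ENI_TO_INSTANCE, cidrs)
    for rec in hits:
        print(rec["start"], rec["srcaddr"], "->", rec["dstaddr"], "port", rec["dstport"], rec["action"])
    print(rejects_by_port(hits))
```

Of the six sample lines only two survive the filter: the 52.205.40.9 record is outside the range, the 443 record was accepted, the 3389 record on eni-0b2c3d4e belongs to another instance, and the NODATA record carries no traffic fields at all.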

Tools for Configuring AWS Securely & Cost-Effectively
- Generic tools fall short: you want purpose-built, not cloud-washed
- Make sure tools don't fall over in the cloud; tools have to understand dynamic, ephemeral IPs
- Tools need a deep understanding of AWS. What does this mean? Context is important; actionable intelligence

CloudCheckr: Unified Cost & Security Management
What cloud users need:
- Automated best practice checks covering security, availability, cost, and usage
- Simplified monitoring of changes in a cloud environment
- Actionable security and activity alerts
- Remediation and self-healing of security vulnerabilities
- Understand/audit costs in the cloud
CloudCheckr provides:
- Comprehensive visibility & control on security, availability, cost and usage with 350+ out-of-the-box best practice policy checks
- Automated reports, generated and updated daily, listing all additions, deletions, or modifications over the past 24 hours
- Over 100 out-of-the-box alerts with endless customization opportunities
- Automation that allows users to receive alerts and delegate remediation to CloudCheckr
- Granular visibility to understand, deconstruct, and optimize cloud costs

Questions?

Thank You for Attending
www.cloudcheckr.com
Aaron Klein, Founder of CloudCheckr
aaron.klein@cloudcheckr.com
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.