
Page 1: 2018 Secure360 Twin Cities · Security Monkey June 2014 & March 2017 AWS & GCP Monitoring and responding to misconfigurations, vulnerabilities, and other security issues Fully Integrated

Cloud Security: So Many Open Source Tools, So Little Time

Tuesday May 15, 2018

9:30-10:30 AM

2018 Secure360 Twin Cities

Matt Farrar

@secure360 facebook.com/secure360 www.Secure360.org

Page 2

Cloud Security: So Many Open Source Tools, So Little Time

Presented by:

Matt Farrar

Page 3

About Me

• Went to the University of Notre Dame

• Manager, Security & Privacy consulting with Protiviti

• 4+ years designing, implementing, and managing cloud environments, primarily in AWS & Azure (currently working on GCP environments)

Page 4

Level Setting

• This talk is intended to introduce the concepts of open source cloud security tools

• This talk will not make you an expert, but provide additional options in the toolkit

• Survey of what is out there, certainly not comprehensive

Note: All resources will be linked or listed at the end of the talk

Page 5

Key Questions

• What is this open source stuff I hear about?

• Why should I care?

• Can I use these tools at my job, and how do I know my team is ready?

• How does it work?

• What are common challenges?

• Why don’t more people use OSS/FOSS?

• How can I use free tools to help advance my cloud security capabilities?

Page 6

What Is Free Software?

Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software.

Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”.

The four essential freedoms:

1. The freedom to run the program as you wish, for any purpose (freedom 0).

2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.

3. The freedom to redistribute copies so you can help others (freedom 2).

4. The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

Source: Free Software Foundation, What is free software?

(Pictured: Richard Stallman)

Page 7

What Is Open Source?

The Open Source Initiative (OSI) was founded in 1998 to promote the spread of open-source principles.

OSI also developed the Open Source Definition—a list of ten principles which a software’s license must adhere to for it to be considered open-source:

1. Free Redistribution - The license shall not restrict any party from selling or giving away the software as a component of a larger software distribution containing programs from multiple sources.

2. Source Code - The program must include source code, and must allow distribution in source code as well as compiled form.

3. Derived Works - The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

4. Integrity of The Author's Source Code - The license may restrict source-code from being distributed in modified form only if the license allows the distribution of "patch files" with the source code for the purpose of modifying the program at build time.

5. No Discrimination Against Persons or Groups - The license must not discriminate against any person or group of persons.

6. No Discrimination Against Fields of Endeavor - The license must not restrict anyone from making use of the program in a specific field of endeavor.

7. Distribution of License - The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.

8. License Must Not Be Specific to a Product - The rights attached to the program must not depend on the program's being part of a particular software distribution.

9. License Must Not Restrict Other Software - The license must not place restrictions on other software that is distributed along with the licensed software.

10. License Must Be Technology-Neutral - No provision of the license may be predicated on any individual technology or style of interface.

Source: Open Source Initiative

Page 8

FOSS (or FLOSS) vs. Open Source

“The two terms describe almost the same category of software, but they stand for views based on fundamentally different values.

Open source is a development methodology; free software is a social movement.”

Source: Richard Stallman, Why Open Source Misses the Point of Free Software

DISCLAIMER: For simplicity, going to use them interchangeably in this talk…

Page 9

Why Open Source?

• Wisdom of Crowds

• Cost

• Flexibility & Freedom

FOSS is generally just as secure as proprietary systems.

Page 10

Considerations for using open source tools

• Transparency: If flaws are exposed, everyone can see them.

• Accountability: There is no specific person or entity responsible for patching flaws.

• Reliability: When a patch is created and made available, there is no mandate that it be installed.

• Risk Management: There is no one who will indemnify victims of exploited flaws.

• Legal Challenges: If there are legal problems, such as infringement on a third party’s intellectual property, it can be difficult to find another party that is liable.

• Compliance: No specific entity or person is responsible for maintaining compliance of open-source software.

Source: Taylor Armerding, Open Source: Big Benefits, Big Flaws

Page 11

The State of Open Source Security 2017, research by Snyk.io

Source: https://snyk.io/stateofossecurity/

Page 12

Open Source Tools = Puppies!


Page 15

What does the security team want to do in the cloud?

• Extend the current control environment?

• Rebuild and/or refactor current capabilities?

• Build something new?

Page 16

Pick a cloud security framework. Ex. Cloud Security Alliance CCM v4

Page 17


Understand what you can control.

Page 18

Use APIs!

Page 19

Did we set up the environment correctly? Prowler

Made to check the items from the CIS Amazon Web Services Foundations Benchmark.

• Identity and Access Management (24 checks)

• Logging (8 checks)

• Monitoring (15 checks)

• Networking (5 checks)

• Forensics related group of checks

• Misc. (23 checks)

References: https://github.com/Alfresco/aws-cis-security-benchmark

Page 20

How do I know configuration information? Scout2, G-Scout, & Azucar

Scout2, G-Scout, and Azucar are tools built and maintained by NCC Group, used to audit AWS, GCP, and Azure configurations respectively. Each automatically gathers a variety of configuration data and analyzes it to determine security risks.

References: https://nccgroup.github.io/Scout2/ & https://github.com/nccgroup/G-Scout & https://github.com/nccgroup/azucar

Page 21

Cloud Security Suite – cs-suite


References: https://github.com/SecurityFTW/cs-suite

“One stop tool” for auditing the security posture of AWS & GCP

Includes features from Scout2, G-Scout, Prowler, Lunar, and Lynis

Page 22

Netflix OSS Tools

Source: A Brief History of Open Source from the Netflix Cloud Security Team, Jason Chan

Tool | Date Released | Cloud Platform | Description
Security Monkey | June 2014 & March 2017 | AWS & GCP | Monitoring and responding to misconfigurations, vulnerabilities, and other security issues
Fully Integrated Defense Operation (FIDO) | May 2015 (deprecated) | AWS | Automated security incident response
Lemur | September 2015 | AWS | System to streamline and automate the management and monitoring of SSL/TLS certs
HubCommander | February 2017 | Slack | Slack bot framework used for ChatOps-based management of Github organizations
Stethoscope | February 2017 | n/a | System that collects information about various end user-related security topics and provides clear and actionable advice for improving
Repokid & Aardvark | June 2017 | AWS | Tools that simplify and streamline the process of implementing least privilege for AWS IAM

Page 23

Netflix: Security Monkey


Features:

• Accesses AWS Cloud Resources through API calls and inspects them

• Notifies team of changes or issues found

• Maintains a history of settings

• Provides a user interface to view issues and history

• Allows for justification to be provided and tracked

• Supports creation of new rules

• Works across accounts

Resources: https://github.com/Netflix/security_monkey
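As an added example (not Security Monkey's own code), the sketch below shows the watcher/auditor model the features above describe: a snapshot of security-group configuration is diffed against the previous run to build history, groups that are new or changed are audited, and findings the team has already justified are suppressed. The group ids, ingress rules and the ADMIN_PORTS set are constructed sample data.

```python
"""Added example, not Security Monkey's code: one watcher/auditor cycle
over constructed security-group snapshots."""
import ipaddress

# Ports whose exposure to the whole internet is reported as high severity
# (assumed list for the example).
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}

# Constructed snapshots (sample data, not real describe-security-groups
# output): security group id -> configuration captured by a watcher run.
SNAPSHOT_T0 = {
    "sg-example-web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg-example-db": {"ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
}
SNAPSHOT_T1 = {
    "sg-example-web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                   {"port": 22, "cidr": "0.0.0.0/0"}]},
    # sg-example-db was deleted between the runs; a cache group appeared
    "sg-example-cache": {"ingress": [{"port": 6379, "cidr": "10.0.0.0/16"}]},
}


def diff_snapshots(old, new):
    """History step: which resource ids were added, removed, or changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(r for r in set(old) & set(new) if old[r] != new[r])
    return added, removed, changed


def audit_security_group(sg_id, config):
    """Auditor rule: any ingress rule whose source is the whole internet."""
    issues = []
    for rule in config["ingress"]:
        if ipaddress.ip_network(rule["cidr"]).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            severity = "high" if rule["port"] in ADMIN_PORTS else "medium"
            issues.append((sg_id, severity, f"port {rule['port']} open to {rule['cidr']}"))
    return issues


def run_cycle(old, new, justified=frozenset()):
    """One monitoring cycle: diff the snapshots, audit every group that is
    new or changed, and drop findings already justified by the team
    (a set of (sg_id, message) pairs)."""
    added, removed, changed = diff_snapshots(old, new)
    issues = [i for sg_id in added + changed
              for i in audit_security_group(sg_id, new[sg_id])
              if (i[0], i[2]) not in justified]
    return {"added": added, "removed": removed, "changed": changed, "issues": issues}


if __name__ == "__main__":
    report = run_cycle(SNAPSHOT_T0, SNAPSHOT_T1)
    for sg_id, severity, msg in report["issues"]:
        print(f"[{severity}] {sg_id}: {msg}")
```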

Page 24

Netflix: Security Monkey

Resources: https://github.com/Netflix/security_monkey

Page 25

Netflix: Aardvark & Repokid

Source: OWASP, Mike Goodwin


• Aardvark is a multi-account AWS IAM Access Advisor API (and caching layer).

• Aardvark uses PhantomJS to log into the AWS Console and obtain access advisor data. It then presents a RESTful API for other apps to query.

• Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.

Page 26

Netflix: Aardvark

Source: https://medium.com/netflix-techblog/introducing-aardvark-and-repokid-53b081bf3a7e


AWS provides a service named Access Advisor that shows all of the various AWS services that the policies of an IAM Role permit access to and when (if at all) they were last accessed.

Today Access Advisor data is only available in the console, so Netflix created Aardvark to make it easy to retrieve at scale and across multiple environments!

Page 27

Netflix: Repokid

Source: OWASP, Mike Goodwin


Old Strategy – wait until access certification period or review to remove permissions from users

New Strategy – understand usage of access permissions, turn access off, and adjust as needed
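To make the new strategy concrete, here is an added example (not Aardvark's or Repokid's own code) of the repo step described on the previous slides: Access Advisor records for a role decide which service namespaces have gone unused, and the Allow actions for those services are stripped from the role's inline policy. The policy document, the records and the 90-day threshold are constructed assumptions.

```python
"""Added example, not Aardvark's or Repokid's code: remove Allow actions
for unused services from a role's inline policy, driven by Access Advisor
data. Policy, records and the threshold are constructed sample data."""
import copy
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 5, 15, tzinfo=timezone.utc)  # fixed clock, for reproducibility
MIN_UNUSED_DAYS = 90                               # assumed age before a service is repoed

# Constructed inline policy of a hypothetical role (sample data).
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sns:Publish"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed Access Advisor records for that role, using the field names
# of IAM's ServiceLastAccessed data; a service that was never used carries
# no LastAuthenticated value at all.
ACCESS_ADVISOR = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=2)},
    {"ServiceNamespace": "sqs", "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceNamespace": "sns"},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=10)},
]


def unused_services(records, now=NOW, min_days=MIN_UNUSED_DAYS):
    """Service namespaces never used, or not used within the last min_days."""
    cutoff = now - timedelta(days=min_days)
    return {r["ServiceNamespace"] for r in records
            if r.get("LastAuthenticated") is None or r["LastAuthenticated"] < cutoff}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def repo_policy(policy, unused):
    """Copy of policy with Allow actions for unused services removed.

    Deny and NotAction statements are left untouched (removing a Deny or
    widening a NotAction would grant more access, not less), a bare "*"
    action is kept because it cannot be attributed to one service, and a
    statement whose actions are all removed is dropped entirely."""
    repoed = copy.deepcopy(policy)
    kept = []
    for stmt in repoed["Statement"]:
        if stmt["Effect"] != "Allow" or "Action" not in stmt:
            kept.append(stmt)
            continue
        actions = [a for a in _as_list(stmt["Action"])
                   if a == "*" or a.split(":")[0].lower() not in unused]
        if actions:
            stmt["Action"] = actions
            kept.append(stmt)
    repoed["Statement"] = kept
    return repoed


if __name__ == "__main__":
    import json
    print(json.dumps(repo_policy(INLINE_POLICY, unused_services(ACCESS_ADVISOR)), indent=2))
```

In a real deployment the repoed document is what gets written back with the IAM policy update, so the original is kept so the change can be rolled back if something that only runs rarely breaks.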

Page 28

Log Collection and Correlation: ELK Stack

"ELK" is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana.

Elasticsearch: A search and analytics engine.

Kibana: Kibana lets users visualize data with charts and graphs in Elasticsearch.

Logstash: Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch.

Resources: https://www.elastic.co/elk-stack

Page 29

Log Collection and Correlation: Elasticsearch

Resources: https://www.elastic.co/elk-stack

Page 30

Log Collection and Correlation: Logstash

Resources: https://www.elastic.co/elk-stack

Page 31

Log Collection and Correlation: Kibana

Resources: https://www.elastic.co/elk-stack

Page 32

Security Onion

Resources: https://github.com/Security-Onion-Solutions/security-onion

Features:

• Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, OSSEC, Sguil, Squert, NetworkMiner, etc.

Page 33

Incident Response & Forensics: AWS_IR & ThreatResponse Workbench

Resources: https://www.threatresponse.cloud/

Source: DerbyCon 6.0 - ThreatResponse

Page 34

In Review

• Best Practices – Prowler

• Configuration Audit & Enforcement – Scout2, G-Scout, Azucar

• Security Monkey

• Enforce IAM – Aardvark & Repokid

• Log Collection & Correlation – ELK Stack

• Security Operations – Security Onion

• Incident Response & Forensics – AWS_IR & ThreatResponse Workstation

Page 35

Concluding Thoughts

• Open source tools can be a useful, cost-effective way to manage risks in a cloud environment

• Carefully consider current skills and investment in current tool sets

• Requires attention; YMMV

• There are a multitude of tools out there to try – set up a POC environment and experiment for yourself

Page 36

Resources

• Github!

• Blogs – AWS, Azure, GCP, Netflix, Spotify, etc.

• Twitter – follow security researchers to find out latest updates

• Reddit – r/netsec

• Conferences! ☺

• Contribute to the community!

Page 37

Licensing Information

Open source licensing can be difficult to navigate for enterprise use. Reference the authoritative source for more information:

• Open Source Initiative

• GNU / Free Software Foundation

Page 38

Questions?

• Best way to contact me: [email protected] – @mfarrar13

Github – haplessduke0

Thank You!
