AWS Summit Berlin 2015 (slide deck transcript)

  • BERLIN

  • Defending Your Workloads against the Next Zero-Day Vulnerability

    Udo Schneider, Security Evangelist DACH

  • The Story

    More at aws.trendmicro.com

    2012 re:Invent

    SPR203 : Cloud Security is a Shared Responsibility http://bit.ly/2012-spr203

    2013 re:Invent

    SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud http://bit.ly/2013-sec208

    SEC307: How Trend Micro Build their Enterprise Security Offering on AWS http://bit.ly/2013-sec307

    2014 re:Invent

    SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313

    SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314

  • Shared Responsibility Model

    AWS is responsible for: Physical, Infrastructure, Network, Virtualization

    You are responsible for: Operating System, Applications, Data, Service Configuration

    More at aws.amazon.com/security


  • Agenda: Vulnerability, Respond, Repair

  • Vulnerability

    ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

  • Shellshock explained, graphic by Andreas Lindh (@addelindh)

  • bash is a common command line interpreter

  • The trigger: an environment variable whose value starts with a function definition, "() { body; };", followed by attacker commands; a vulnerable bash executes the trailing commands when it imports the variable

    CVSS 10/10 vulnerability. Widespread and easy to exploit

  • Shellshock Impact

  • The vulnerable code dates from 1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

    (Slide image: a 1989 Motorola MicroTAC, "MicroTAC" by Redrum0486 at English Wikipedia)

  • Shellshock timeline

    Time since last event    Event                                 Action   Action timeline
    1989-08-05 8:32          Added to codebase
    27 days, 10:20:00        Released to public
    9141 days, 21:18:35      Initial report                        React    Clock starts
    1 day, 22:19:13          More details                          React
    2 days, 7:30:12          Official patch :: CVE-2014-6271       Patch    4 days, 5:49:25
    5 days, 9:16:35          Limited disclosure :: CVE-2014-6271   React
    2 days, 4:37:25          More details                          React
    3:44:00                  More details                          React
    0:27:51                  Public disclosure                     React
    0:36:30                  More details                          React
    0:34:39                  Public disclosure :: CVE-2014-7169    React

  • Important Shellshock Events

    Time since last event    Event                                              Action   Action timeline
    1989-08-05 8:32          Added to codebase
    27 days, 10:20:00        Released to public
    9141 days, 21:18:35      Initial report                                     React    Clock starts
    2 days, 7:30:12          Official patch :: CVE-2014-6271                    Patch    4 days, 5:49:25
    3:29:09                  Official patch :: CVE-2014-7169                    Patch    9 days, 19:17:00
    3:15:00                  Official patch :: CVE-2014-7186, CVE-2014-7187     Patch    4 days, 17:30:00
    1 day, 11:55:00          Official patch :: CVE-2014-6277                    Patch    1 day, 11:55:00
    2 days, 20:24:00         Official patch :: CVE-2014-6278                    Patch    2 days, 20:24:00

  • Respond (Day 1)

  • Architecture diagram: aws.amazon.com/architecture : Web application hosting

  • Primary workflow for our deployment (diagram): TCP 443 and TCP 4433

  • AWS VPC Review

  • AWS VPC Checklist

    Review

    IAM roles

    Security groups

    Network segmentation

    Network access control lists (NACL)

    More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
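One way to turn the "Security groups" item of the checklist into a repeatable check. This is an added example, not code from the slide deck or from AWS: it reads the JSON shape that `aws ec2 describe-security-groups` returns and flags any ingress rule that exposes something other than the deployment's public ports (TCP 443 and TCP 4433 on this page, an assumption taken from the slides) to the whole internet. SAMPLE_JSON is constructed for the example; in practice you would pipe in the CLI output.

```python
"""Security group ingress review for the VPC checklist (added example)."""
import json

PUBLIC_PORTS = {443, 4433}          # intended internet-facing ports (assumption from the slides)
ANYWHERE = {"0.0.0.0/0", "::/0"}    # CIDRs that mean "the whole internet"


def port_range(perm):
    """(from, to) of one IpPermissions entry; protocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return (0 if lo is None else lo), (65535 if hi is None else hi)


def open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def find_risky_ingress(groups, public_ports=PUBLIC_PORTS):
    """One finding per world-open rule whose port range covers a non-public port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue  # rules scoped to other groups or private CIDRs pass this check
            lo, hi = port_range(perm)
            if set(range(lo, hi + 1)) - public_ports:
                findings.append({"GroupId": sg["GroupId"],
                                 "Protocol": perm.get("IpProtocol"),
                                 "FromPort": lo, "ToPort": hi})
    return findings


def review(cli_json_text):
    """Entry point for `aws ec2 describe-security-groups` output."""
    return find_risky_ingress(json.loads(cli_json_text)["SecurityGroups"])


# Constructed sample in the describe-security-groups output format.
SAMPLE_JSON = """
{"SecurityGroups": [
 {"GroupId": "sg-web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-app", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
 {"GroupId": "sg-bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-legacy", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_JSON):
        print(finding)
```

The web tier's 443 and 4433 rules pass, the app tier's rule referencing sg-web passes, while the bastion's SSH from anywhere and the legacy group's all-protocols IPv6 rule are reported. The same pattern (load the CLI JSON, walk the entries, compare against an intended allow list) applies to network ACLs and IAM role policies on the checklist.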


  • HTTPS

    Intrusion prevention can look at each packet and take action depending on what it finds (for HTTPS traffic it has to sit where the payload is in the clear, for example on the instance after TLS termination)

  • Intrusion Prevention in Action

  • Review

    All instances covered

    Workload appropriate rules

    Centrally managed

    Security controls must scale out automatically with the deployment
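The kind of check an intrusion prevention rule performs for Shellshock, as an added example that is not code from the slides or from any vendor's product. It inspects a raw HTTP request (already decrypted) and blocks it when the request line or any header carries the bash function-definition prefix "() {" that CVE-2014-6271 turns into code execution on CGI-style back ends, which export every header into the environment. The sample requests are constructed for the example; the ability to push such a rule to every instance while the OS patch is still days away is the point of the "Respond" day.

```python
"""Shellshock detection over HTTP requests, IPS style (added example)."""
import re

# Prefix that a vulnerable bash treated as an exported function definition.
# Whitespace between "()" and "{" is optional, so the pattern allows it.
SHELLSHOCK_RE = re.compile(rb"\(\)\s*\{")


def parse_request(raw: bytes):
    """Split a raw request into (request line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect(raw: bytes):
    """Return ("block", reason) or ("allow", None) for one request."""
    request_line, headers, _body = parse_request(raw)
    # CGI exports the path, the query string and every header (HTTP_*)
    # into environment variables, so all of them are attack surface.
    candidates = [(b"request-line", request_line)] + list(headers.items())
    for where, value in candidates:
        if SHELLSHOCK_RE.search(value):
            return "block", "shellshock pattern in " + where.decode()
    return "allow", None


# Constructed sample traffic.
BENIGN = (b"GET /cgi-bin/status?q=(x) HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
ATTACK = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: () { :; }; echo vulnerable\r\n\r\n")
COMPACT = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Cookie: (){ :;}; /bin/true\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("attack", ATTACK), ("compact", COMPACT)):
        print(name, inspect(req))
```

The benign request contains parentheses in both the query string and the User-Agent, yet passes, because only the "()" immediately followed by "{" sequence is the Shellshock marker; the attack in User-Agent and the no-space variant in Cookie are both blocked.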

  • Repair (Day 2)

  • Architecture diagram: aws.amazon.com/architecture : Web application hosting

  • AMI Creation

    All instances are deployed from a task-specific AMI (TCP 443 and TCP 4433 workflow as before)

    AMI Creation Workflow (diagram): Bake, Instantiate, Test; Instantiate, Configure, Destroy

    The workflow should be completely automated
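A "Test" stage for the AMI workflow that verifies the baked image's bash is no longer vulnerable to CVE-2014-6271, as an added example that is not from the slide deck or from any AMI-building tool. It runs the standard probe: export a variable whose value is a function definition followed by a trailing command, start a new bash, and see whether the trailing command ran. A patched bash imports the variable as plain text; an unpatched one executes the command. The environment variable name SHELLSHOCK_PROBE and the marker string are assumptions of this example.

```python
"""AMI test stage: is the image's bash patched for CVE-2014-6271? (added example)"""
import shutil
import subprocess

PROBE_VALUE = "() { :; }; echo SHELLSHOCK_EXECUTED"   # function definition plus trailing command
MARKER = "SHELLSHOCK_EXECUTED"


def classify(stdout: str) -> str:
    """Map the probe's output to a verdict: the trailing command ran only on a vulnerable bash."""
    return "vulnerable" if MARKER in stdout else "patched"


def probe_bash(bash_path=None) -> str:
    """Run the probe against a real bash; 'unknown' if the image has no bash at all."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "unknown"
    env = {"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE_VALUE}
    proc = subprocess.run([bash, "-c", "echo probe-ok"], env=env,
                          capture_output=True, text=True, timeout=10)
    return classify(proc.stdout)


def ami_test_stage() -> bool:
    """Pipeline gate: True means the candidate image may be promoted."""
    return probe_bash() != "vulnerable"


if __name__ == "__main__":
    verdict = probe_bash()
    print("bash verdict:", verdict)
    raise SystemExit(0 if verdict != "vulnerable" else 1)
```

Run it inside the instance launched from the candidate AMI during the Test step; a non-zero exit fails the bake, so an unpatched image never reaches the Configure and deploy phase. The same shape (probe, classify, gate) extends to any other fix the new AMI is supposed to carry.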

  • Architecture diagram: aws.amazon.com/architecture : Web application hosting

  • Integrity Monitoring

    Instances tend to drift from the known good state, so monitoring key files and processes against the AMI baseline is important (diagram: AMI, Instance, Integrity Monitoring, Alert)
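What the integrity monitoring box in the diagram does in its simplest form, as an added example that is not from the slides or from any vendor product: hash a set of watched paths right after the instance is launched from the AMI (the baseline), hash them again later, and alert on anything added, removed or modified. The file tree and the drift are constructed in a temporary directory so the example runs offline; the watched paths and placeholder file contents are assumptions of the example.

```python
"""File integrity monitoring against the AMI baseline (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, watch):
    """Digest every watched file (paths relative to root); directories are walked."""
    digests = {}
    for rel in watch:
        full = os.path.join(root, rel)
        if os.path.isdir(full):
            for dirpath, _, names in os.walk(full):
                for name in names:
                    p = os.path.join(dirpath, name)
                    digests[os.path.relpath(p, root)] = sha256_file(p)
        elif os.path.isfile(full):
            digests[rel] = sha256_file(full)
    return digests


def drift(baseline, current):
    """Compare two snapshots; any non-empty list is an alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: bash changed in place, a cron job dropped, a config deleted."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/bash", b"bash 4.3 (placeholder bytes)")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/httpd/conf.d/ssl.conf", b"SSLEngine on\n")
        watch = ["bin/bash", "etc"]
        baseline = snapshot(root, watch)  # taken right after launch from the AMI

        _write(root, "bin/bash", b"bash 4.3 patch 25 (placeholder bytes)")  # in-place change
        _write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")    # persistence dropped
        os.remove(os.path.join(root, "etc/httpd/conf.d/ssl.conf"))         # config removed
        return drift(baseline, snapshot(root, watch))


if __name__ == "__main__":
    print(demo())
```

Because the Repair step delivers fixes through a new AMI rather than by patching running instances, even an expected-looking change such as a new /bin/bash on a live instance is drift worth an alert; the baseline should be regenerated from the new AMI, not updated in place.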

  • Keys

    Respond: review configuration, apply intrusion prevention

    Repair: patch the vulnerability in a new AMI, leverage integrity monitoring

    Automation throughout

  • Build With Confidence

  • aws.trendmicro.com

    BERLIN