© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security foundations for containers on AWS
Dan Pitman
DEM54-S
Principal Security Architect
Alert Logic, Inc.
Latest Research
A focus on security is vital
We’ll explore how AWS provides the tools for security success
Cost of a breach: £3 million (primary contributor: lost business)
Time to identify a breach is going up: 279 days (a 5% increase over 2018)
Malicious attacks most common: 51% of breaches (and also the most expensive)
Latest Research
Container use is up, and Kubernetes use is skyrocketing
SecDevOps over DevSecOps as a principle
Container use is ever increasing: >60% of companies are using or planning to use Amazon ECS or Amazon EKS
Review of access is critical: >40K container hosts found accessible on Shodan
[Chart: elapsed time before and after the compromise, on a scale running from months down to minutes and back out to months]
Most compromises and data theft succeed in minutes or less (87%)
Two-thirds go undiscovered for months or more (68%)
Breaches happen quickly and usually go undiscovered for months
There Is a Huge Upside to Getting It Right
Reduce Risk
Segregate containers: You can lower your overall risk exposure by establishing smaller groups of containers that don’t talk to one another
Limit host resources by container: without per-container CPU and memory limits, a denial-of-service (DoS) attack on one container can exhaust its host’s resources and take down every other container on that host
Remove unneeded libraries and binaries: images that ship prepopulated with tools the workload will never use (shells, package managers, compilers, debuggers) give an attacker who lands in the container more to work with; build from minimal base images and strip what the workload does not need
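The two points above (per-container limits, nothing extra on the host side) can be checked mechanically before a task definition ever reaches a cluster. The following is an added example, not code from the presentation, from Alert Logic or from AWS: it audits a constructed Amazon ECS task definition (the family, image names and account ID are placeholders) for missing memory/CPU limits, privileged mode, host namespaces, a root user, a writable root filesystem and unpinned images. Field names follow the ECS task definition schema.

```python
import json

# Constructed sample in the shape of an Amazon ECS task definition (assumption: the family,
# image names and account ID are placeholders, not a real workload).
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "payments-api",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {
      "name": "api",
      "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments-api:1.4.2",
      "cpu": 256,
      "memory": 512,
      "user": "10001",
      "readonlyRootFilesystem": true,
      "privileged": false
    },
    {
      "name": "debug-sidecar",
      "image": "ubuntu:latest",
      "privileged": true
    }
  ]
}
""")


def image_is_pinned(image):
    """True when the image reference carries a digest or a tag other than 'latest'."""
    ref = image.rsplit("/", 1)[-1]
    return "@sha256:" in ref or (":" in ref and not ref.endswith(":latest"))


def audit_task_definition(task_def):
    """Return (container, finding) pairs for settings that undermine the 'limit host
    resources by container' and 'segregate containers' guidance. '*' means task level."""
    findings = []
    if task_def.get("pidMode") == "host":
        findings.append(("*", "pidMode=host shares the host PID namespace"))
    if task_def.get("networkMode") == "host":
        findings.append(("*", "networkMode=host shares the host network stack"))
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "?")
        # No hard memory limit: one runaway container can starve every other task on the host.
        if "memory" not in c and "memoryReservation" not in c:
            findings.append((name, "no memory limit or reservation"))
        if "cpu" not in c:
            findings.append((name, "no CPU share set at container level"))
        if c.get("privileged"):
            findings.append((name, "privileged container has full host device access"))
        user = str(c.get("user", "")).split(":")[0]
        if user in ("", "0", "root"):
            findings.append((name, "runs as root"))
        if not c.get("readonlyRootFilesystem"):
            findings.append((name, "writable root filesystem"))
        if not image_is_pinned(c.get("image", "")):
            findings.append((name, "image tag is missing or 'latest' (not pinned)"))
    return findings


if __name__ == "__main__":
    for container, finding in audit_task_definition(SAMPLE_TASK_DEFINITION):
        print(f"{container}: {finding}")
```

Run against the sample, the hardened "api" container is clean and every finding lands on the "debug-sidecar" container; wiring a check like this into the pipeline step that registers task definitions turns the slide’s advice into a gate rather than a review item.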
Increase Visibility
Map out container traffic: start with a clear picture of the traffic you expect to see North/South (entering and leaving the environment, for example clients reaching a container’s published port) and East/West (between containers, and between containers and their backing services); that baseline is what lets you recognise anomalies.
Monitor your traffic: once you know what expected traffic looks like, you need a mechanism to observe actual traffic so you can spot deviations from it. That is where an IDS comes in. When evaluating third-party IDS options, consider whether you need a solution integrated at the host level or a sidecar that runs alongside each task.
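A small worked example of the traffic-map idea, added here and not part of the presentation: it classifies constructed VPC Flow Log lines as North/South or East/West by whether both endpoints fall inside an assumed cluster CIDR (10.0.0.0/16), compares each accepted flow with an expected-flows map, and reports the ones that do not match. The CIDR, the expected ports and the log lines are all made up for the example.

```python
import ipaddress

# Assumptions (constructed for this example, not from the presentation): the cluster's task
# network interfaces live in 10.0.0.0/16, and the workload should only ever see two kinds of flow.
CLUSTER_CIDR = ipaddress.ip_network("10.0.0.0/16")

# The traffic map: (direction, destination port) pairs that are expected.
# East/West = both endpoints inside the cluster CIDR; North/South = one endpoint outside it.
EXPECTED_FLOWS = {
    ("north-south", 443),   # external clients reaching the API over TLS
    ("east-west", 5432),    # api container -> database container
}

# Constructed VPC Flow Log lines in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51812 443 6 20 4000 1560000000 1560000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40120 5432 6 12 2000 1560000000 1560000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40121 22 6 3 300 1560000000 1560000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 198.51.100.7 40122 6667 6 8 900 1560000000 1560000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 198.51.100.7 40123 6667 6 8 900 1560000000 1560000060 REJECT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse_flow_logs(text):
    """Parse default-format flow log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def direction(rec, cluster_cidr=CLUSTER_CIDR):
    """North/South when either endpoint is outside the cluster, East/West when both are inside."""
    src_in = ipaddress.ip_address(rec["srcaddr"]) in cluster_cidr
    dst_in = ipaddress.ip_address(rec["dstaddr"]) in cluster_cidr
    return "east-west" if src_in and dst_in else "north-south"


def find_anomalies(records, expected=EXPECTED_FLOWS):
    """Return ACCEPTed flows that are not in the expected map as
    (srcaddr, dstaddr, dstport, direction). REJECTed flows were already stopped by a
    security group or NACL, so they are left to the normal deny-log review."""
    anomalies = []
    for rec in records:
        key = (direction(rec), rec["dstport"])
        if rec["action"] == "ACCEPT" and key not in expected:
            anomalies.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], key[0]))
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(parse_flow_logs(SAMPLE_FLOW_LOGS)):
        print("unexpected accepted flow:", a)
```

On the sample the two flagged flows are an SSH connection between two containers (East/West on a port the map never allowed) and an accepted outbound connection to an external host on 6667; the rejected duplicate of that last flow is not reported because the network already stopped it. A real deployment would build the expected map from the task definitions and security groups rather than typing it by hand.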
IAM Policies & Roles
AWS Lambda function for DevOps release management modifying automatic scaling conditions
Auditor role with read-only rights
IAM roles for tasks in Amazon ECS
Amazon RDS logging permissions on Amazon S3
Use fine-grained IAM roles for service accounts in Amazon EKS
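An added example (not from the presentation, and not AWS’s or Alert Logic’s code) showing what "fine-grained roles" look like as policy documents: a task-role trust policy for Amazon ECS, an IRSA trust policy that binds a role to one Kubernetes service account in Amazon EKS, a permissions policy scoped to a single table, and a small linter that flags the wildcard patterns that usually creep into task roles. The account ID, region, OIDC provider ID and table name are placeholders.

```python
import json

# Placeholders (assumptions, not from the presentation): account ID, region, EKS OIDC
# provider ID and the DynamoDB table name are made up.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
OIDC_PROVIDER = f"oidc.eks.{REGION}.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"


def ecs_task_trust_policy():
    """Trust policy for an ECS task role: only the ECS service, acting for tasks in this
    account, may assume it. The SourceAccount condition is the confused-deputy guard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        }],
    }


def irsa_trust_policy(namespace, service_account):
    """Trust policy for IAM Roles for Service Accounts on EKS: only the named Kubernetes
    service account, presenting a token from this cluster's OIDC provider, may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def least_privilege_permissions(table_name):
    """Permissions policy scoped to one table and the three actions the task actually uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{table_name}",
        }],
    }


# The kind of policy that ends up on task roles when nobody pushes back.
OVERLY_BROAD = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def lint_policy(policy):
    """Flag over-broad patterns in a permissions policy as (statement index, finding).
    Treat hits as review items: a few list/describe actions genuinely need Resource '*'."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
            if action in ("iam:PassRole", "sts:AssumeRole"):
                findings.append((i, f"escalation-capable action {action}; scope its Resource tightly"))
        if "*" in _as_list(st.get("Resource")):
            findings.append((i, "Resource '*'"))
    return findings


if __name__ == "__main__":
    print(json.dumps(irsa_trust_policy("payments", "api-sa"), indent=2))
    print("lint of OVERLY_BROAD:", lint_policy(OVERLY_BROAD))
    print("lint of scoped policy:", lint_policy(least_privilege_permissions("orders")))
```

The IRSA trust policy is the piece that makes "roles for service accounts" fine-grained: without the `:sub` condition any pod in the cluster could assume the role, and without `:aud` a token minted for another audience would be accepted.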
Tagging
Reliable tagging requires robust automation; tags applied by hand drift, and the data stops being actionable
You can tag Amazon ECS tasks, services, task definitions, and clusters at creation time, and roll a resource back (or reject the creation outright) when the required tags are not present
Use tagging to describe systems using version, business, and compliance–relevant taxonomy
Especially useful to create a fully managed, continuous deployment pipeline for container-based applications
[Diagram: continuous deployment pipeline for container-based applications, showing Developer, AWS CodeCommit, AWS CodeBuild, Amazon Elastic Container Registry, AWS Lambda, and Amazon Elastic Container Service]
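An added example (not from the presentation) of the "roll back if no tags were present" rule in both directions: a detective check that validates ECS-style tag lists against a version/business/compliance taxonomy and names the resources to roll back, and a preventive IAM policy that denies the ECS create, register and run calls when a required tag is absent from the request. The taxonomy and the sample services are made up for the example.

```python
import re

# Assumptions (constructed for this example, not from the presentation): the taxonomy below and
# the sample services are made up; tag shape follows the ECS API ({"key": ..., "value": ...}).
REQUIRED_TAGS = {
    "version": re.compile(r"^\d+\.\d+\.\d+$"),                                    # build deployed
    "business-unit": re.compile(r"^(payments|identity|platform)$"),               # who owns it
    "data-classification": re.compile(r"^(public|internal|confidential|pci)$"),  # compliance scope
}

SAMPLE_SERVICES = {
    "payments-api": [
        {"key": "version", "value": "1.4.2"},
        {"key": "business-unit", "value": "payments"},
        {"key": "data-classification", "value": "pci"},
    ],
    "scratch-worker": [
        {"key": "version", "value": "latest"},
        {"key": "Name", "value": "bob-test"},
    ],
}


def validate_tags(tags, schema=REQUIRED_TAGS):
    """Return the list of problems with a resource's tags; empty means it conforms."""
    present = {t["key"]: t.get("value", "") for t in tags}
    problems = []
    for key, pattern in schema.items():
        if key not in present:
            problems.append(f"missing tag {key}")
        elif not pattern.match(present[key]):
            problems.append(f"tag {key}={present[key]!r} is outside the taxonomy")
    return problems


def resources_to_roll_back(services, schema=REQUIRED_TAGS):
    """Detective control: names of resources whose creation should be rolled back."""
    return sorted(name for name, tags in services.items() if validate_tags(tags, schema))


def deny_untagged_creation_policy(schema=REQUIRED_TAGS):
    """Preventive control: deny ECS create/register/run calls whose request lacks a required
    tag. Uses the aws:RequestTag condition key, which ECS supports on these actions; the Null
    test is true when the tag is absent. One statement per key, because keys inside a single
    condition block are ANDed and would only fire when every tag was missing at once."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireTag" + re.sub(r"[^A-Za-z0-9]", "", key),
            "Effect": "Deny",
            "Action": ["ecs:CreateCluster", "ecs:CreateService",
                       "ecs:RegisterTaskDefinition", "ecs:RunTask"],
            "Resource": "*",
            "Condition": {"Null": {f"aws:RequestTag/{key}": "true"}},
        } for key in schema],
    }


if __name__ == "__main__":
    for name, tags in SAMPLE_SERVICES.items():
        print(name, validate_tags(tags) or "ok")
    print("roll back:", resources_to_roll_back(SAMPLE_SERVICES))
```

The detective check catches resources that slipped through (here the untagged "scratch-worker"); the deny policy stops the next one at the API before a rollback is ever needed.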
Logging & Audit
Many services, including Amazon ECS and Amazon EKS, log their API calls to AWS CloudTrail, giving an audit trail of who changed or accessed what; delivery is near real time (typically within about 15 minutes of the call), so it supports detection and investigation rather than inline prevention
AWS CloudTrail and many other services deliver their logs to Amazon S3 or Amazon CloudWatch Logs for analysis
Use the service APIs (for example the ECS and EKS list and describe calls) to build an inventory of clusters, services, and tasks; logs show what changed, not what currently exists
Put this data to work for threat detection and exposure management
Tooling & Processes
Monitoring
Effective security monitoring depends on comprehensive network, system, and user visibility combined with expert curated content and adaptability of detection methods
Use the AWS security tooling and monitor AWS CloudTrail for threats against your environment
Use security technologies that understand containers and integrate natively where possible
Monitor intra-/inter-container traffic to get full visibility of threats
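An added example, not from the presentation, of putting CloudTrail data to work for the detection the two slides above describe: a handful of rules run over constructed CloudTrail-style records for Amazon ECS (host namespaces or privileged containers in a newly registered task definition, ad-hoc tasks with a command override, destructive calls, and any change to the cluster made by something other than the deployment pipeline role). Account IDs, ARNs, IPs and the pipeline role name are placeholders.

```python
# Constructed CloudTrail-style records (not real events). Field names follow the CloudTrail
# record format; account IDs, ARNs, IPs and names are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2019-11-01T10:00:00Z", "eventSource": "ecs.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "RegisterTaskDefinition", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"family": "payments-api", "pidMode": "host",
                           "containerDefinitions": [{"name": "api", "image": "payments-api:1.5.0",
                                                     "privileged": True}]}},
    {"eventTime": "2019-11-01T10:05:00Z", "eventSource": "ecs.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "RunTask", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops-breakglass/alice"},
     "requestParameters": {"cluster": "prod", "taskDefinition": "payments-api:12",
                           "overrides": {"containerOverrides": [
                               {"name": "api", "command": ["/bin/sh", "-c", "cat /proc/1/environ"]}]}}},
    {"eventTime": "2019-11-01T10:10:00Z", "eventSource": "ecs.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "UpdateService", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/codebuild"},
     "requestParameters": {"cluster": "prod", "service": "payments-api", "taskDefinition": "payments-api:12"}},
    {"eventTime": "2019-11-01T10:20:00Z", "eventSource": "ecs.amazonaws.com", "awsRegion": "us-east-1",
     "eventName": "DeleteCluster", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"cluster": "prod"}},
]

MUTATING = {"RegisterTaskDefinition", "RunTask", "CreateService", "UpdateService",
            "DeleteService", "DeleteCluster", "DeregisterTaskDefinition"}
DESTRUCTIVE = {"DeleteService", "DeleteCluster", "DeregisterTaskDefinition"}
PIPELINE_ROLE = "deploy-pipeline"   # assumption: the only principal that should change the cluster


def detect(event):
    """Return (severity, rule, detail) tuples for one CloudTrail record."""
    findings = []
    if event.get("eventSource") != "ecs.amazonaws.com":
        return findings
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    who = event.get("userIdentity") or {}
    if name == "RegisterTaskDefinition":
        if params.get("pidMode") == "host" or params.get("networkMode") == "host":
            findings.append(("HIGH", "host-namespace-task",
                             f"{params.get('family')} shares the host PID or network namespace"))
        if any(c.get("privileged") for c in params.get("containerDefinitions", [])):
            findings.append(("HIGH", "privileged-container",
                             f"{params.get('family')} registers a privileged container"))
    if name == "RunTask" and (params.get("overrides") or {}).get("containerOverrides"):
        findings.append(("MEDIUM", "command-override",
                         f"ad-hoc task on {params.get('cluster')} with an overridden command"))
    if name in DESTRUCTIVE:
        findings.append(("HIGH", "destructive-change", f"{name} on {params.get('cluster')}"))
    # 'Keep people away from data' and 'automate': every change should come through the pipeline role.
    if name in MUTATING and f"assumed-role/{PIPELINE_ROLE}/" not in who.get("arn", ""):
        findings.append(("MEDIUM", "change-outside-pipeline",
                         f"{name} by {who.get('arn')} instead of the deployment pipeline"))
    return findings


def run(events):
    """Flatten findings into alert rows, carrying actor and source IP for triage."""
    alerts = []
    for e in events:
        for severity, rule, detail in detect(e):
            alerts.append({"time": e.get("eventTime"), "severity": severity, "rule": rule,
                           "detail": detail, "actor": (e.get("userIdentity") or {}).get("arn"),
                           "sourceIP": e.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["time"], a["severity"], a["rule"], "-", a["detail"])
```

Only the UpdateService call made by the pipeline role passes silently; everything a person did by hand is surfaced with the actor and source address attached, which is what an analyst needs to decide between "expected break-glass" and "incident".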
AWS Security Principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
Uniquely Bringing Together a Set of Capabilities
Threat Intelligence, Vulnerability Research & Analytics
Dozens of security researchers, data scientists, and security engineers
Over 30 petabytes of customer data collected and analyzed
Building on over 15 years of managing threat intelligence data
Industry Experts
150+ trained SOC analysts
Proprietary internal training program
• Organically grow entry-level analysts to security experts
• Enabling scalability to support rapid growth
Twice the industry average for security analyst retention
Alert Logic’s Platform Fabric Coverage
Hybrid protection, both on premises and in cloud environments
Including network, log data, and endpoint telemetry