Automating your AWS Security Operations

Page 1: Automating your AWS Security Operations

Automating Security Operations on AWS. Pat McDowell, Solutions Architect at AWS; Tim Prendergast, CEO and Co-Founder at Evident.io; Shannon Lietz, DevSecOps Leader at Intuit

Page 2: Automating your AWS Security Operations

Your data and IP are your most valuable assets

• $6.53M: average cost of a data breach
• 56%: increase in theft of hard intellectual property
• 70% of consumers indicated they’d avoid businesses following a security breach

https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

Page 3: Automating your AWS Security Operations

AWS can be more secure than your existing environment

In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?

• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication

Page 4: Automating your AWS Security Operations

AWS and you share responsibility for security

AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

You get to define your controls ON the Cloud: customer applications & content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption.

Page 5: Automating your AWS Security Operations

Constantly monitored. The AWS infrastructure is protected by extensive network and security monitoring systems:

• Network access is monitored by AWS security managers daily

• AWS CloudTrail lets you monitor and record all API calls

• Use VPC Flow Logs to monitor and analyze network traffic to your instances
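As an added example (not part of the deck), the VPC Flow Logs bullet in working form: records are parsed in the default flow-log field order and a source whose rejected flows fan out across several destination ports is surfaced as an alert. The log lines are constructed for this example; the field order is the flow-log v2 layout.

```python
"""Detection over VPC Flow Log records (default v2 field order); sample lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    action: str  # ACCEPT or REJECT

def parse_flow_log(text):
    """Parse raw flow-log text, skipping malformed lines and NODATA/SKIPDATA
    records (those carry '-' instead of traffic fields)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"],
                                  int(row["dstport"]), row["action"]))
    return records

def rejected_port_fanout(records, threshold=3):
    """srcaddr -> sorted distinct dstports, for sources whose REJECTed flows
    hit at least `threshold` distinct ports (probing-style behaviour)."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

# Constructed sample: one source rejected on three ports, one normal client,
# one NODATA record with no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44312 22 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44313 3389 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44314 445 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51000 443 6 10 8400 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51001 80 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1450000000 1450000060 - NODATA
"""
```

Running `rejected_port_fanout(parse_flow_log(SAMPLE_LOG))` on the sample returns only the probing source; the client with a single rejected port stays below the threshold.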

Page 6: Automating your AWS Security Operations

Highly available. The AWS infrastructure footprint protects your data from costly downtime:

• 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy

• Retain control of where your data resides for compliance with regulatory requirements

• Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53

Page 7: Automating your AWS Security Operations

Integrated with your existing resources. AWS enables you to improve your security using many of your existing tools and practices:

• Integrate your existing Active Directory

• Use dedicated connections as a secure, low-latency extension of your data center

• Provide and manage your own encryption keys if you choose

Page 8: Automating your AWS Security Operations

Key AWS Certifications and Assurance Programs

Page 9: Automating your AWS Security Operations


Page 10: Automating your AWS Security Operations

Security Automation is a key differentiator for cloud companies

Page 11: Automating your AWS Security Operations

You are responsible for protecting your data/assets

Customer: Security on the Cloud. Customer Data; Applications, Identity & Access Management; OS, Network, Firewall; Client-side Encryption, Server-side Encryption, Network Traffic Protection.

AWS: Security of the Cloud. Compute, Storage, Networking; AWS Global Infrastructure (Regions, AZs, Edge Locations).

Page 12: Automating your AWS Security Operations

You have a huge quantity of intelligence to process

This is just a SUBSET of an average company’s data flows. (Diagram of data flows; Amazon Elasticsearch.)

Page 13: Automating your AWS Security Operations

The Human Challenge. Humans have finite scale…

Page 14: Automating your AWS Security Operations

…Then we turn to automation.

Page 15: Automating your AWS Security Operations

Security breach

Page 16: Automating your AWS Security Operations

Why automate Security?

We’re less than one million security professionals short of “equilibrium” and lagging…

Page 17: Automating your AWS Security Operations

Why automate Security? Alert Psychology proves that fatigue destroys process.

No matter how good your process is, Alert Fatigue will trump it…

Page 18: Automating your AWS Security Operations

As infrastructure and software delivery accelerate, there is no alternative.

The fallacy of choice…

Page 19: Automating your AWS Security Operations

Security Automation is good for everyone

DevOps builds Value. Security builds Trust. Customers / businesses need Trust and Value. (Diagram: Security, DevOps, Trust.)

Page 20: Automating your AWS Security Operations

Evident Security Platform (ESP)

• Built by cloud pioneers from Adobe, AWS, and Netflix
• Agentless deployment (<5 mins)
• Continuous security scanning & alerting across several AWS Services
• Aligns your Security and DevOps teams on protecting cloud assets
• Tracks security state to support audit, compliance, and incident response needs

Page 21: Automating your AWS Security Operations

Evident & Intuit: Leader in Cloud Security Automation & Innovation + Leader in DevSecOps

Page 22: Automating your AWS Security Operations

Cloud Security Operations: “boldly go where no human has gone before…” Shannon Lietz, DevSecOps Leader at Intuit, @devsecops

Page 23: Automating your AWS Security Operations

The Context… Cloud Security Operations

Imagine: Software defined security. Thousands of changes a day. The biggest “big data” problem.

Chart: Mean Time to Resolution (MTTR): 6 months

Fast MTTR…the final frontier

Page 24: Automating your AWS Security Operations

So what hinders “secure” innovation @ speed & scale?

1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)

SECURITY IS LAST MINUTE UNPLANNED, UNSCHEDULED WORK… BUMMER!!!!

Page 25: Automating your AWS Security Operations

In the Cloud,

Everything is Code

Page 26: Automating your AWS Security Operations

Let’s switch some things around…

Slide grid of data center and cloud concepts: Data Center; Network; Servers; Virtualization; Operations; Platforms; Buyer Identifier; Cloud Account(s); Virtual IP Addresses; Containerization; Appliances; Storage; Security Features; Applications; Ephemeral Instances; Scale on Demand; IAAS, PAAS, SAAS; Resource Testing; Built-In Security; Long-Term Contracts; Partner Marketplaces; Slow-ish Decisions; Experiments.

Page 27: Automating your AWS Security Operations

Software Defined Security requires significant intimate knowledge, context & understanding.

Critical Cloud Security Operations Elements:

– Zoning & Blast Radius Containment
– Instrumentation & Monitoring to create the feedback loop
– Security as Code Platform (Whitelisting, Encryption, Authorization)
– API Catalog & Testing for the Full Stack
– Asset Inventory & Hardened Baselines [Software, Services, Components, etc.]

Page 28: Automating your AWS Security Operations

The Basic Cloud Model

Diagram: Cloud Provider Network (Backbone); Cloud Platform (Orchestration) with Network, Compute, Storage; Cloud Account(s) holding Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management; Partner Platform; Internet.

Page 29: Automating your AWS Security Operations

Developers have lots of options…

Page 30: Automating your AWS Security Operations

Reality…

Diagram: several Data Centers, several Cloud Provider Networks and the Internet.

Page 31: Automating your AWS Security Operations

And Attackers also have lots of options… (Diagram: Attackers, Victims.)

Page 32: Automating your AWS Security Operations

Shift controls & mindset

Security Monitoring

Page 33: Automating your AWS Security Operations

Cloud Security Operations in the Cloud… Monitor & Inspect Everything

Diagram: cloud accounts (S3, Glacier, EC2, CloudTrail); ingestion; security tools & data; security science; insights; threat intel; continuous response; security feedback loop (speed matters).

Page 34: Automating your AWS Security Operations

What’s this look like in practice?

Etc…Etc…Etc…

Page 35: Automating your AWS Security Operations

Account Sharding is a new control!

Splitting cloud workloads into many accounts has a benefit. Accounts should contain less than 100% of a cloud workload. Works well with APIs; works dismally with forklifts. What is your appetite for risk?

Diagram: Cloud Workload Templates across three Cloud Accounts on the Cloud Provider Network (33 % / 33 % / 33 %); Attacker.

Page 36: Automating your AWS Security Operations

Long live APIs…

Everything in the cloud should be an API, even Security… Protocols that are not cloudy should not span across environments. If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:

– Messaging
– Databases
– File Transfers
– Logging

Diagram: Cloud Provider Network; tested machine image, tested instances, tested roles, tested passwords; events (new instance created, Instance 12345 changed, User ABC accessed Instance 12345); User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing, Messaging, My API.

Page 37: Automating your AWS Security Operations

Host-Based Controls

Shared Responsibility and Cloud require host-based controls. Instrumentation is everything! Fine-grained controls require more scrutiny and bigger big data analysis. Agents & Outbound Reporting to an API are critical.

Diagram: Instances on the Cloud Provider Network; tested machine image, tested instances, tested roles, tested passwords; events (new instance created, Instance 12345 changed, User ABC accessed Instance 12345).

Page 38: Automating your AWS Security Operations

Don’t Hug Your Instances…

• Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
• Refresh routinely; refresh often! (10 DAYS)

Page 39: Automating your AWS Security Operations

Overcoming Inconvenience

• Use built-in transparent encryption when possible.
• Use native cloud key management and encryption when available.
• Develop backup strategies for keys and secrets.
• Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
• Use APIs to exchange data and rotate encryption.

Page 40: Automating your AWS Security Operations

Migrating Security to the Left where it can get built-in

Diagram of the lifecycle (design, build, deploy, operate) and the questions asked along it: How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances. Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits. Most costly mistakes happen during design. Security is a Design Constraint. Faster security feedback loop.

Page 41: Automating your AWS Security Operations

Use Cloud Native Security Features...

Cloud native security features are designed to be cloudy. Audit is a primary need! Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle. Be deliberate about how to use built-in security controls and who has access.

Page 42: Automating your AWS Security Operations

Secure Baselines & Patterns help a lot!

Templates, resources, patterns and services: Security Monitoring, Egress Proxy CFn Template, Bastion CFn Template, Secure VPC CFn Template, CloudTrail CFn Template, Secrets Bundle, MarketPlace.

Page 43: Automating your AWS Security Operations

Fanatical Security Testing

• static: UX & Interfaces, Micro Services, Web Services, Code, CFn Templates
• dynamic: Build Artifacts, Deployment Packages, Resources, Patterns & Baselines
• run-time: Security Groups, Account Configuration, Real-Time Updates, Patterns & Baselines

Page 44: Automating your AWS Security Operations

Red Team, Security Operations & Science

• API Key Exposure -> 8 hrs
• Default Configs -> 24 hrs
• Security Groups -> 24 hrs
• Escalation of Privs -> 5 days
• Known Vuln -> 8 hrs

Page 45: Automating your AWS Security Operations

Cloud Security Disaster Recovery & Forensics is a different animal…

• Regional recovery is not enough to cover security woes.
• Security events can quickly escalate to disasters. Got a disaster recovery team?
• Multi-Account strategies with separation of duties can help.
• Don’t hard code if you can help it.
• Encryption is inconvenient, but necessary…

Diagram: Cloud Workload Templates and Disaster Templates across Cloud Accounts on the Cloud Provider Network (50 % / 50 % splits).

Page 46: Automating your AWS Security Operations

Compliance Operations as Continuous Improvement

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

Page 47: Automating your AWS Security Operations

Code can solve the great divide

Paper-resident policies do not stand up to constant cloud evolution and lessons learned. Translation from paper to code can lead to mistakes. Traditional security policies do not 1:1 translate to Full Stack deployments.

Data Center: • Lock your doors • Badge in • Authorized personnel only • Background checks

Cloud Provider Network: • Choose strong passwords • Use MFA • Rotate API credentials • Cross-account access

EVERYTHING AS CODE
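An added example, not from the deck or from Intuit, of the cloud-side policy items written as code: an IAM credential report is evaluated against "Use MFA" (root and every console user) and "Rotate API credentials" (every active access key rotated within a window). The CSV excerpt is constructed in the report's column layout; the 90-day window and the report date are assumptions.

```python
"""Two of the slide's cloud policies as code, run over an IAM credential report.
CSV excerpt is constructed in the report's column layout; the 90-day window and
NOW are assumptions for this example."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation window
ROOT = "<root_account>"            # literal user name the report uses for root

def _ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported etc. -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def evaluate_credential_report(report_csv, now, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs; an empty list means every row passes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Use MFA: root always, and any user with a console password enabled.
        needs_mfa = user == ROOT or row["password_enabled"] == "true"
        if needs_mfa and row["mfa_active"] != "true":
            findings.append((user, "mfa_missing"))
        # Rotate API credentials: every active key rotated within the window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access_key_{n}_stale"))
    return findings

# Constructed excerpt (columns reduced to those the checks read).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-02-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2015-06-01T00:00:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,false,false,true,2016-03-01T00:00:00+00:00,true,2015-11-01T00:00:00+00:00
"""
NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)   # assumed report date
```

`evaluate_credential_report(SAMPLE_REPORT, NOW)` flags bob (no MFA, key 1 unrotated for months) and deploy's second key; the service user without a console password is correctly exempt from the MFA rule.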

Page 48: Automating your AWS Security Operations

Security Decision Support

Page 49: Automating your AWS Security Operations

Speed & Ease can increase security!

• Fast remediation can remove attack path quickly.
• Resolution can be achieved in minutes compared to months in a datacenter environment.
• Continuous Delivery has an advantage of being able to publish over an attacker.
• Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.

Diagram: APP/DB stacks labelled ATTACKED, FORENSICS, RECOVERED.

Page 50: Automating your AWS Security Operations

This could be your MTTR… (Chart: Mean Time to Resolution (MTTR): 6 months)

Page 51: Automating your AWS Security Operations

Get Involved and Join the Community

devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity