Defending Your Workloads Against the Next Zero-Day Attack DVO207 Mark Nunnikhoven, Trend Micro October 2015


Defending Your Workloads

Against the Next Zero-Day Attack

DVO207

Mark Nunnikhoven, Trend Micro

October 2015

Mark Nunnikhoven

https://markn.ca

@marknca

aws.trendmicro.com

2012 re:Invent

Cloud Security Is a Shared Responsibility (SPR203): http://bit.ly/2012-spr203

2013 re:Invent

How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208): http://bit.ly/2013-sec208

How Trend Micro Build Their Enterprise Security Offering on AWS (SEC307): http://bit.ly/2013-sec307

2014 re:Invent

Updating Security Operations for the Cloud (SEC313(R)): http://bit.ly/2014-sec313

Customer Perspectives on Implementing Security Controls with AWS (SEC314): http://bit.ly/2014-sec314

2015 re:Invent

Lessons from a CISO: How to Securely Scale Teams, Workloads, and Budgets (DVO206): http://bit.ly/2015-dvo206

Defending Your Workloads Against the Next Zero-Day Attack (DVO207): http://bit.ly/2015-dvo207

Resiliency

Even when there is a patch, the average time to deploy it is 176 days

It’s a problem now

No long-term fix

Evolving situation

Zero-day

by Andreas Linch (@addelindh)

bash is a command line interpreter

10/10 vulnerability. Widespread & easy to exploit.

a:() { b; } | attack

[ your data ]
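The pattern on the slide is the bash function-definition prefix through which the Shellshock CVEs in the timeline that follows were triggered: bash treated an environment variable whose value began with "() {" as a function definition. As an added example that is not part of the deck, the Python rule below looks for that prefix in HTTP request header values, which is the check an intrusion-prevention control in front of a CGI-backed web tier would apply. The log format, header names and request lines are constructed for the demonstration and are not real traffic.

```python
"""Detect Shellshock-style function definitions in HTTP request headers.

Added example (not from the talk). Demonstrates the 'intrusion prevention' /
'real-time control' idea from the deck as a detection rule run over a few
constructed access-log-like lines.
"""
import re
from typing import Dict, List, Tuple

# bash parsed an environment variable whose value starts with "() {" as a
# function definition. That prefix is the stable part of every Shellshock
# variant, whatever follows the closing brace, so the rule matches the prefix
# rather than any particular payload.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")

# Constructed sample lines (not real traffic): request, then "Name: value"
# header pairs separated by " | ".
SAMPLE_LOG: List[str] = [
    "GET /index.html | User-Agent: Mozilla/5.0 | Accept: */*",
    "GET /cgi-bin/status | User-Agent: () { :; }; echo probe | Accept: */*",
    "POST /login | Cookie: session=abc123 | Referer: https://example.test/",
    "GET /cgi-bin/stats | Referer: () { b; } | Accept: text/html",
    # Parentheses and braces that are NOT the function-definition prefix;
    # included to show the rule does not fire on ordinary header values.
    "GET /docs | User-Agent: Mozilla/5.0 (X11; Linux) {compat} | Accept: */*",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into {'request': ..., '<Header>': value}."""
    parts = [p.strip() for p in line.split(" | ")]
    fields = {"request": parts[0]}
    for hdr in parts[1:]:
        # Split on the first colon only; values such as URLs contain colons.
        name, _, value = hdr.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def find_shellshock(fields: Dict[str, str]) -> List[str]:
    """Return the names of headers whose values carry the function-definition prefix."""
    return [
        name
        for name, value in fields.items()
        if name != "request" and SHELLSHOCK_PREFIX.search(value)
    ]


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request, [flagged header names]) for every line that trips the rule."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        flagged = find_shellshock(fields)
        if flagged:
            hits.append((fields["request"], flagged))
    return hits


if __name__ == "__main__":
    for request, headers in scan(SAMPLE_LOG):
        print(f"ALERT {request}: function-definition prefix in {', '.join(headers)}")
```

Because the rule keys on the prefix rather than on a command that follows it, the same check covers the follow-up CVEs in the timeline, which varied what came after the brace but not how the definition began. Whether it runs as a host-based IPS rule on the instance or as a filter at the edge, the decision logic is the one shown.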

Event Timeline         Event                                 Action   Action Timeline
1989-08-05 8:32        Added to codebase
+27 days, 10:20:00     Release to public
9141 days, 21:18:35    Initial report                        React    Clock starts
1 day, 22:19:13        More details                          React
2 days, 7:30:12        Official patch :: CVE-2014-6271       Patch    4 days, 5:49:25
5 days, 9:16:35        Limited disclosure :: CVE-2014-6271   React
2 days, 4:37           More details                          React
3:44:00                More details                          React

Event Timeline         Event                                           Action   Action Timeline
1989-08-05 8:32        Added to codebase
+27 days, 10:20:00     Release to public
9141 days, 21:18:35    Initial report                                  React    Clock starts
2 days, 7:30:12        Official patch :: CVE-2014-6271                 Patch    4 days, 5:49:25
3:29:09                Official patch :: CVE-2014-7169                 Patch    9 days, 19:17:00
3:15:00                Official patch :: CVE-2014-7186, CVE-2014-7187  Patch    4 days, 17:30:00
1 day, 11:55:00        Official patch :: CVE-2014-6277                 Patch    1 day, 11:55:00
2 days, 20:24:00       Official patch :: CVE-2014-6278                 Patch    2 days, 20:24:00

React

http://aws.amazon.com/architecture: Web application hosting reference architecture


Primary traffic flow

TCP:443 TCP:443 TCP:443 TCP:443

More in the Auditing Security Checklist for Use of AWS

AWS

IAM roles

Security groups

Network segmentation

Primary traffic flow

TCP:443 TCP:443 TCP:443 TCP:443

Primary traffic flow

HTTPS HTTPS SSH HTTPS SQLi

http://aws.amazon.com/architecture: Web application hosting reference architecture

More in the Auditing Security Checklist for Use of AWS

You

All instances protected

Workload-specific rules

Centrally managed

Resolve

Primary traffic flow

TCP:443 TCP:443 TCP:443 TCP:443

Deploy all Amazon EC2 instances from base AMI or build on the fly

1. Change

2. Test

3. Promote

4. Destroy

[ Production ] [ Production ]

http://aws.amazon.com/architecture: Web application hosting reference architecture

Integrity monitoring

Resiliency

Follow @marknca for more…

Resolve                  React
Deploy green/blue        Integrity monitoring
Operational technique    Real-time control
Review configuration     Intrusion prevention
Operational technique    Real-time control
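Integrity monitoring, the real-time control on the React side of the summary, reduces to a baseline of file digests and a later comparison against it. The following Python example is added here and is not from the talk or from any Trend Micro product; the directory layout, file contents and the simulated changes are constructed so that it runs offline, and the same snapshot/diff functions work unchanged against a real web root.

```python
"""Minimal file-integrity monitoring check.

Added example (not from the talk). Hashes every file under a root to a
baseline, then diffs a later snapshot against it to report files that were
added, changed or removed. All paths and contents below are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences between a baseline snapshot and a later one."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": cur_keys - base_keys,
        "removed": base_keys - cur_keys,
        "changed": {p for p in base_keys & cur_keys if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a tiny web root, then make unauthorised changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>\n")
        with open(os.path.join(root, "cgi-bin", "status"), "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
        baseline = snapshot(root)

        # Simulated changes after the baseline: one script modified,
        # one file dropped in, one file deleted.
        with open(os.path.join(root, "cgi-bin", "status"), "a") as fh:
            fh.write("echo modified\n")
        with open(os.path.join(root, "cgi-bin", "extra"), "w") as fh:
            fh.write("unexpected file\n")
        os.remove(os.path.join(root, "index.html"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in sorted(paths):
            print(f"{kind.upper():8} {path}")
```

In production the baseline is taken from the known-good AMI or build at promotion time and stored off the instance, so that a compromised host cannot rewrite its own reference; the comparison then runs on a schedule or on file-change events, and any entry in the changed or added sets on an immutable instance is an alert in its own right.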
