Advanced Security Automation Made Simple Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca
The goal of cybersecurity: make sure that systems work as intended… and only as intended.
The Shared Responsibility Model
[Diagram: the stack Data / Application / OS / Virtualization / Infrastructure / Physical, plus Service configuration, shown for four deployment models: On-premises (Traditional), Infrastructure (IaaS), Container (PaaS) and Abstract (SaaS). Each layer in each column is marked either "Your responsibility" or "AWS' responsibility".]
[Diagram: Security, Operations, Development]
Solving Problems For Customers
The Well-Architected Framework: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization
Automate
Restrict Permissions
The principle of least privilege Grant only those privileges which are essential to perform the intended function
[Diagram: a User with a Permission Role accessing Aurora, MQ, a Notebook and an S3 Bucket]
The steps
1. In an isolated test environment, apply a FullAccess policy or the permissions you believe are required
2. Complete the desired tasks
3. Compare against CloudTrail logs to verify the permissions actually used
4. Use the new policy to enforce the principle of least privilege
5. Repeat as code changes
Many approaches…
Manual: Console + CloudTrail
Scripted: CloudTrail → Lambda → Policy
Pipeline: CloudWatch Event, Lambda, Athena over the CloudTrail S3 Bucket, GitHub, Slack
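The "CloudTrail → Lambda → Policy" step, as an added example that is not code from the talk: it reads CloudTrail records, keeps only the successful calls made by one principal, and emits a draft IAM policy. The sample records are constructed in CloudTrail's record shape; the ACTION_OVERRIDES table and the `*` resources are deliberate simplifications noted in the comments.

```python
"""Derive a least-privilege IAM policy draft from CloudTrail records.

Added example (not from the talk). Assumes CloudTrail's record fields
(eventSource, eventName, userIdentity.arn, errorCode) and uses a few
constructed sample records instead of real log files.
"""
import json
from collections import defaultdict

ROLE = "arn:aws:iam::111122223333:role/notebook"

# Constructed sample records in CloudTrail's record shape (not real logs).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE}, "requestParameters": {"bucketName": "research-data"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE}, "requestParameters": {"bucketName": "research-data"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": ROLE}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBClusters",
     "userIdentity": {"arn": ROLE}},
    # Denied call: the role tried it but finished the task without it.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": ROLE}, "errorCode": "AccessDenied"},
    # A different principal; must not leak into the notebook role's policy.
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# CloudTrail's eventName is not always the IAM action name. Known mismatches
# are mapped explicitly; everything else is assumed to be service:EventName.
ACTION_OVERRIDES = {
    ("s3", "ListBuckets"): "s3:ListAllMyBuckets",
}


def iam_action(record):
    """Map a record to the IAM action it exercised (service prefix from eventSource)."""
    service = record["eventSource"].split(".")[0]
    name = record["eventName"]
    return ACTION_OVERRIDES.get((service, name), f"{service}:{name}")


def actions_used(records, principal_arn, include_denied=False):
    """Return the sorted set of IAM actions one principal successfully used."""
    used = set()
    for r in records:
        if r.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if not include_denied and r.get("errorCode"):
            continue  # a denied call is evidence of a missing permission, not of use
        used.add(iam_action(r))
    return sorted(used)


def build_policy(records, principal_arn):
    """One Allow statement per service. Resource is left as "*" here; narrowing
    it (e.g. to the bucket ARN from requestParameters) is the next manual step."""
    by_service = defaultdict(list)
    for action in actions_used(records, principal_arn):
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Used", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_RECORDS, ROLE), indent=2))
```

Two caveats when running this against real trails: object-level S3 calls such as GetObject only appear in CloudTrail when data events are enabled for the bucket, so a trail with management events only will under-report; and the generated policy is only as complete as the test run, which is why step 5 says to repeat as the code changes.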
Monitor S3 Exposure
The principle of the face palm Do not make that which is secure, insecure
Warnings about S3 exposure already come from Amazon S3, AWS IAM, Amazon Macie, AWS Trusted Advisor and the AWS Well-Architected Tool
[Diagram: S3 Bucket ACL change (ACL *) → CloudWatch Event → Lambda]
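The Lambda at the end of that diagram, as an added example that is not code from the talk: it receives the CloudTrail PutBucketAcl call via CloudWatch Events, checks whether the new ACL grants anything to the AllUsers or AuthenticatedUsers groups (by explicit grant or by canned ACL header), and reverts the bucket to private. The nesting under event["detail"]["requestParameters"] follows CloudTrail's S3 management-event records; the sample event is constructed.

```python
"""Detect, and optionally revert, a public S3 bucket ACL from a CloudTrail event.

Added example, not code from the talk. Assumes the event arrives via a
CloudWatch Events rule matching the CloudTrail PutBucketAcl call, with the
request parameters under event["detail"]["requestParameters"]; the sample
event below is constructed.
"""
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def public_grants(request_params):
    """Return the grants in a PutBucketAcl request that open the bucket up.

    Handles both ways an ACL can be set: the canned-ACL header (x-amz-acl),
    which CloudTrail records as a list, and an explicit grant list.
    """
    findings = []
    canned = request_params.get("x-amz-acl", [])
    if isinstance(canned, str):
        canned = [canned]
    for value in canned:
        if value in PUBLIC_CANNED_ACLS:
            findings.append(("canned", value))
    acl = request_params.get("AccessControlPolicy", {})
    grants = acl.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is not always wrapped in a list
        grants = [grants]
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return findings


def handler(event, context=None, s3=None):
    """Core logic. `s3` is an injectable boto3 S3 client; with None it only reports."""
    params = event["detail"].get("requestParameters", {})
    bucket = params.get("bucketName")
    findings = public_grants(params)
    if findings and s3 is not None:
        # Revert to the most restrictive canned ACL. A public bucket policy is a
        # separate exposure path and is not handled by this function.
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
    return {"bucket": bucket, "public": bool(findings), "findings": findings,
            "actor": event["detail"].get("userIdentity", {}).get("arn")}


def lambda_handler(event, context):
    """Deployed entry point; boto3 is imported here so the checks run without it."""
    import boto3
    return handler(event, context, s3=boto3.client("s3"))


# Constructed sample event: someone granted READ on the bucket to everyone.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "bucketName": "customer-exports",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"},
                 "Permission": "FULL_CONTROL"},
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}},
        },
    },
}
```

The revert is a stop-gap, not the fix: this only catches ACLs, and it runs after the bucket was briefly public (the CloudTrail-to-event path is the slow lane). Turning on S3 Block Public Access at the account level prevents the ACL from taking effect in the first place, and the Lambda then becomes a detector for someone trying to disable it.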
Track Production Logins
The DevOps principle Systems, not users access production systems
[Diagram: Instance and User logs → CloudWatch → Lambda → Slack]
The steps
1. Push critical system and application events to CloudWatch Logs
2. Subscribe to various log filters via AWS Lambda
3. Run the security playbook automatically
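Steps 2 and 3 for the "track production logins" playbook, as an added example that is not code from the talk: the Lambda that a CloudWatch Logs subscription invokes, decoding the gzipped payload and turning each sshd "Accepted" line into a Slack-style alert. It assumes the standard subscription payload shape (event["awslogs"]["data"]), sshd's log line format, and that the log stream name is the instance ID (a common CloudWatch agent setting); the log lines are constructed and the Slack call is an injected callable so the logic runs offline.

```python
"""Turn a CloudWatch Logs subscription payload into interactive-login alerts.

Added example, not from the talk. Assumes the Lambda payload format for
CloudWatch Logs subscriptions (base64 of gzipped JSON with logGroup,
logStream and logEvents) and sshd's "Accepted ..." line format. The log
lines below are constructed; notify() stands in for a Slack webhook post.
"""
import base64
import gzip
import json
import re

# sshd success line, e.g. "Accepted publickey for ec2-user from 203.0.113.7 port 51234 ssh2: ..."
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed log lines: two interactive logins and one line that is not a login.
SAMPLE_LINES = [
    "Oct 14 12:34:56 ip-10-0-1-23 sshd[1234]: Accepted publickey for ec2-user "
    "from 203.0.113.7 port 51234 ssh2: RSA SHA256:abc",
    "Oct 14 12:35:01 ip-10-0-1-23 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 14 12:36:10 ip-10-0-1-23 sshd[1401]: Accepted password for admin "
    "from 198.51.100.9 port 40022 ssh2",
]


def parse_login(message):
    """Return {method, user, src} for an sshd success line, else None."""
    m = SSH_ACCEPTED.search(message)
    return m.groupdict() if m else None


def encode_payload(log_group, log_stream, lines):
    """Build the payload the way the subscription delivers it (used for the sample)."""
    body = {"messageType": "DATA_MESSAGE", "logGroup": log_group, "logStream": log_stream,
            "logEvents": [{"id": str(i), "timestamp": 0, "message": line}
                          for i, line in enumerate(lines)]}
    raw = gzip.compress(json.dumps(body).encode())
    return {"awslogs": {"data": base64.b64encode(raw).decode()}}


def decode_payload(event):
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))


def handler(event, context=None, notify=None):
    """Lambda entry point: returns the logins found and calls notify(text) for each.

    Under "systems, not users, access production" every accepted login is
    worth an alert, so there is no allow-list to bypass here.
    """
    data = decode_payload(event)
    logins = []
    for log_event in data["logEvents"]:
        login = parse_login(log_event["message"])
        if not login:
            continue
        login["instance"] = data["logStream"]  # assumes stream name == instance ID
        logins.append(login)
        text = (f":rotating_light: {login['method']} login as {login['user']} on "
                f"{login['instance']} from {login['src']} ({data['logGroup']})")
        if notify:
            notify(text)
    return logins
```

In the deployed function, notify() would POST the text to a Slack incoming webhook with urllib; keeping it injectable is what makes the parsing testable without network access. The subscription filter on the log group can be set to the literal string "Accepted" so Lambda is not invoked for every cron line.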
Forensic Isolation
The Crichton principle If something unknown is happening, quarantine until you figure it out
[Diagram: Instance and User → SNS Topic → Lambda]
The steps
1. Security controls on the instance alert on an issue
2. Lambda is triggered by the alert
3. Change the security group to make the system inaccessible
4. Open a security incident
5. Create a forensic instance to analyze the infected instance
6. …
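Steps 2 to 5 of the isolation playbook, as an added example that is not code from the talk: an SNS-triggered Lambda that swaps the instance's security groups for a pre-created quarantine group, protects it from termination, snapshots its EBS volumes for the forensic instance, and opens the incident on a second SNS topic. The alert message body (an "instanceId" key), the quarantine group ID and the incident topic ARN are assumptions; the EC2 and SNS clients are injected, and the fakes at the bottom let the flow run offline.

```python
"""Quarantine an EC2 instance and snapshot its disks in response to an alert.

Added example, not from the talk. Assumes the alert arrives as an SNS message
whose body is JSON with an "instanceId" key (assumed name), a pre-created
quarantine security group with no inbound or outbound rules in the same VPC,
and boto3 EC2/SNS clients passed in so the flow can run against fakes.
"""
import json
from datetime import datetime, timezone

QUARANTINE_SG = "sg-0quarantine000000"  # assumed: no rules, same VPC as the instance
INCIDENT_TOPIC = "arn:aws:sns:us-east-1:111122223333:security-incidents"  # assumed


def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Replace every security group with the quarantine group and tag the instance.

    The instance is deliberately NOT stopped: stopping discards memory that a
    forensic capture may need. Isolation happens at the network layer only.
    """
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "quarantined"},
        {"Key": "QuarantinedAt", "Value": datetime.now(timezone.utc).isoformat()},
    ])


def snapshot_volumes(ec2, instance_id):
    """Snapshot each attached EBS volume so the forensic instance works on a copy."""
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    volumes = [bdm["Ebs"]["VolumeId"]
               for r in desc["Reservations"] for i in r["Instances"]
               for bdm in i.get("BlockDeviceMappings", []) if "Ebs" in bdm]
    return [ec2.create_snapshot(VolumeId=v, Description=f"forensic copy of {v} from {instance_id}")["SnapshotId"]
            for v in volumes]


def handler(event, context=None, ec2=None, sns=None):
    """Core flow for the SNS-triggered Lambda: isolate, snapshot, open the incident."""
    alert = json.loads(event["Records"][0]["Sns"]["Message"])
    instance_id = alert["instanceId"]
    isolate_instance(ec2, instance_id)
    snapshots = snapshot_volumes(ec2, instance_id)
    incident = {"instanceId": instance_id, "snapshots": snapshots,
                "reason": alert.get("reason", "unknown"), "status": "isolated"}
    sns.publish(TopicArn=INCIDENT_TOPIC, Subject=f"Incident: {instance_id} quarantined",
                Message=json.dumps(incident))
    return incident


def lambda_handler(event, context):
    """Deployed entry point; boto3 is imported here so the logic above runs without it."""
    import boto3
    return handler(event, context, ec2=boto3.client("ec2"), sns=boto3.client("sns"))


class FakeEC2:
    """Minimal stand-in that records the calls the handler makes (offline runs only)."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kw): self.calls.append(("modify", kw))
    def create_tags(self, **kw): self.calls.append(("tags", kw))
    def describe_instances(self, **kw):
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
            {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}
    def create_snapshot(self, **kw):
        self.calls.append(("snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}


class FakeSNS:
    def __init__(self): self.published = []
    def publish(self, **kw): self.published.append(kw)


# Constructed alert as the host security control would publish it.
SAMPLE_ALERT = {"Records": [{"Sns": {"Message": json.dumps(
    {"instanceId": "i-0deadbeef", "reason": "host IPS alert"})}}]}
```

Two things this does not cover: termination protection does not stop an Auto Scaling group from replacing an unhealthy instance, so an instance in an ASG also needs scale-in protection or detaching before it is quarantined; and the snapshots are taken while the instance is running, so they are crash-consistent copies, which is normally what you want for a live machine you do not intend to stop.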
What’s Next?
Sample ideas
1. Custom application logs to AWS Config (via rules) for a central compliance log
2. Correlate auto-scaling alerts with backend data to detect possible DDoS attacks
3. Detect unauthorized drift from application and infrastructure CloudFormation templates
4. Streamline the incident response process, including restoring production to full capacity
5. Automatically find and mitigate vulnerabilities before deployment
Don't overcomplicate security
Simple steps to automated success
1. Start manually
2. Determine risk tolerance
3. Lambda all the things
Use two lanes: Trigger → Result
[Diagram: Fast lane: CloudWatch Event → Lambda. Slow lane: CloudTrail → Lambda.]
The goal of cybersecurity: make sure that systems work as intended… and only as intended.
markn.ca/2019/aws-reinvent
Thank you! Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca markn.ca/2019/aws-reinvent