© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Building a defense strategy for your Cloud workloads
Henrik Johansson, Principal SA Content PM, AWS Security
What to expect
Secure architecture flow
Attack sources/types
Key items in building cloud security
Q&A
All your (code)base are belong to us
Your stuff
Square of protection – Lvl 100
What are we protecting against?
External threats
"Hackers"
Script kiddies
State-sponsored attackers
Hacktivists
Trojans
Researchers?
Internal threats
Disgruntled employees
Financially driven
Oops…
What about DDOS?
DDoS
Targeted attacks
Reflection and amplification
Layer 4 and 7 floods
Slowloris
SSL abuse
HTTP floods
SQL injection
Bots and probes
Application exploits
Social engineering
Reverse engineering
AWS Shared Responsibility Model
Use it in your defense strategy
https://aws.amazon.com/compliance/shared-responsibility-model/
Key items in building a cloud defense strategy
(No, this is not a checklist)
Meet the new security team
Operations
Engineering
Application Security
Compliance
Development
VISIBILITY
HOW OFTEN DO YOU MAP YOUR NETWORK?
WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
Remember
There is no server under the table…
Security is Visible
Who is accessing the resources? Who took what action?
• When?
• From where?
• What did they do?
• Logs Logs Logs
Understand what is available, and who should get it
With great visibility comes great possibilities
Example: VPC Flow Logs – See all your traffic
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, Source IP, Destination IP, Source port, Destination port, Interface, Protocol, Packets, Bytes, Start/end time, Accept or reject
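The "metric from log data, alarm on the metric" step in working code, as an added example that is not from the deck: a parser for the default (version 2) flow log record format with the fields listed above, a metric-filter-style aggregation of REJECT records per source, and an alarm condition that fires when one source is rejected repeatedly across several destination ports. The sample lines, the account id, the ENI id, the addresses and the thresholds are constructed for the example; in CloudWatch the same aggregation would be a metric filter on the action field plus an alarm on the resulting metric.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str  # ACCEPT or REJECT


def parse_flow_log(line):
    """Parse one default-format record. NODATA/SKIPDATA records carry no
    addresses or ports, so they are returned as None rather than parsed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def reject_metrics(lines):
    """What a CloudWatch metric filter on action=REJECT would count: rejected
    flows per source address, plus the distinct destination ports each
    source was rejected on."""
    rejects = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec.action != "REJECT":
            continue
        rejects[rec.srcaddr] += 1
        ports[rec.srcaddr].add(rec.dstport)
    return rejects, ports


def alarm_sources(lines, reject_threshold=5, port_threshold=3):
    """Alarm condition: a source rejected at least reject_threshold times on
    at least port_threshold distinct ports within the batch (probe-like
    traffic). The thresholds are illustrative assumptions; tune them."""
    rejects, ports = reject_metrics(lines)
    return sorted(src for src, n in rejects.items()
                  if n >= reject_threshold and len(ports[src]) >= port_threshold)


# Constructed sample records (account id, ENI id and addresses are placeholders).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51000 22 6 1 40 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51001 23 6 1 40 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51002 3389 6 1 40 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51003 445 6 1 40 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51004 8080 6 1 40 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40000 80 6 12 2400 1530000000 1530000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 443 6 3 120 1530000000 1530000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1530000000 1530000060 - NODATA",
]

if __name__ == "__main__":
    _, ports = reject_metrics(SAMPLE_LINES)
    for src in alarm_sources(SAMPLE_LINES):
        print(f"ALARM: {src} rejected on ports {sorted(ports[src])}")
```

The parser refuses records with the wrong field count instead of guessing, because a custom flow log format reorders fields and silently mis-parsing it would produce confident but wrong metrics.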
What is happening in your account
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudtrail.amazonaws.com"],
    "eventName": ["StopLogging"]
  }
}
Or your instances
#!/bin/bash
# Tag this instance as Tainted with the current timestamp.
# A CreateTags call that is denied with Client.UnauthorizedOperation is visible in CloudTrail.
INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
# Region = availability zone with the trailing zone letter removed
REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.\{1\}$//')
DATE=$(date)
aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ec2.amazonaws.com"],
    "eventName": ["CreateTags"],
    "errorCode": ["Client.UnauthorizedOperation"]
  }
}
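Both patterns on these two slides are CloudWatch Events rule patterns. As an added example (not from the deck), the Python below reimplements the basic matching semantics (every pattern key must be present in the event, a list in the pattern means "the event value is one of these", a nested object recurses; assumption: exact-value matching only, none of the later content-filtering operators) and runs the StopLogging pattern and the denied-CreateTags pattern over constructed sample events in the shape CloudWatch Events delivers CloudTrail API calls. Note that a successful CreateTags has no errorCode field at all, which is why the second pattern does not match it.

```python
import json


def matches(pattern, event):
    """Return True if the event satisfies the rule pattern.

    Simplified reimplementation of CloudWatch Events pattern semantics
    (assumption: exact-value matching only). Every key in the pattern must
    exist in the event; a list means the event value must be one of the
    listed values; a nested object recurses into the matching event object.
    """
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of allowed values")
    return True


# The two patterns from the slides, exactly as a rule would carry them.
STOP_LOGGING_PATTERN = json.loads('''
{"detail-type": ["AWS API Call via CloudTrail"],
 "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
            "eventName": ["StopLogging"]}}
''')

TAINT_DENIED_PATTERN = json.loads('''
{"detail-type": ["AWS API Call via CloudTrail"],
 "detail": {"eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateTags"],
            "errorCode": ["Client.UnauthorizedOperation"]}}
''')

RULES = {"stop-logging": STOP_LOGGING_PATTERN, "taint-denied": TAINT_DENIED_PATTERN}


def triggered_rules(event):
    """Names of the rules whose pattern the event matches (what would fire a target)."""
    return sorted(name for name, pattern in RULES.items() if matches(pattern, event))


# Constructed sample events (user name is a placeholder), trimmed to the fields
# the patterns look at plus a few that a real delivery would also carry.
SAMPLE_EVENTS = [
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
     "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags"}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
                "errorCode": "Client.UnauthorizedOperation"}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
     "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging"}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["detail"]["eventName"], "->", triggered_rules(event) or "no rule")
```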
Adapt visibility to situation
Expand visibility
Slack
Email using Amazon SNS
Amazon Chime
Data flow
What is the expected flow of traffic?
Can it take other paths?
Example: Edge protection
How do you handle scaled attacks
Types of DDoS attacks
State-exhaustion DDoS attacks: abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)
Volumetric DDoS attacks: congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)
Application-layer DDoS attacks: use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)
Challenges in mitigating DDoS attacks
Complex set-up
Provision bandwidth capacity
Application re-architecture
DDoS protections built into AWS
✓ Protection against most common infrastructure attacks
✓ SYN/ACK floods, UDP floods, reflection attacks etc.
✓ No additional cost
[Diagram: DDoS attack traffic and user traffic both pass through the AWS DDoS mitigation systems before reaching the workload]
Example: Layer control
Control access
Reduce scope
Integrate in threat model
Security Groups = stateful firewall
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)
Default = Deny
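An added example (not the deck's code) for the "in English" reading of a security group and for the "reduce scope" point: it works on the dict shape the EC2 describe-security-groups call returns (the groups below are constructed, with the deck's BuildABeer-SG names reused as labels), renders each inbound rule as a sentence like the one above, and flags every rule that is reachable from the Internet on anything other than an assumed allowlist of public TCP ports. Because a group permits nothing until a rule is added, only the rules that exist need reviewing; there is no deny list to reason about.

```python
# Sources that mean "anyone on the Internet", IPv4 and IPv6.
WORLD = {"0.0.0.0/0", "::/0"}

PROTO_NAMES = {"tcp": "TCP", "udp": "UDP", "icmp": "ICMP", "icmpv6": "ICMPv6"}


def _sources(perm):
    """All CIDR sources of one IpPermissions entry (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def describe_inbound(group):
    """'In English' rendering of the group's inbound rules, one sentence per source."""
    sentences = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto == "-1":  # -1 means every protocol, and therefore every port
            where = "on all ports and protocols"
        elif perm["FromPort"] == perm["ToPort"]:
            where = f"on port {perm['FromPort']} ({PROTO_NAMES.get(proto, proto)})"
        else:
            where = f"on ports {perm['FromPort']}-{perm['ToPort']} ({PROTO_NAMES.get(proto, proto)})"
        for src in _sources(perm):
            label = "the Internet" if src in WORLD else src
            sentences.append(f"Hosts in {group['GroupName']} are reachable from {label} {where}")
    return sentences


def world_open_findings(groups, allowed_public_tcp=frozenset({80, 443})):
    """Inbound rules open to the world beyond the allowed public TCP ports.
    Returns (group id, protocol, from port, to port, cidr) tuples. The
    allowlist default is an assumption for the example."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for cidr in _sources(perm):
                if cidr not in WORLD:
                    continue
                proto = perm["IpProtocol"]
                if proto == "-1":
                    findings.append((group["GroupId"], "all", 0, 65535, cidr))
                    continue
                lo, hi = perm["FromPort"], perm["ToPort"]
                if proto == "tcp" and set(range(lo, hi + 1)) <= allowed_public_tcp:
                    continue
                findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


# Constructed sample groups in describe-security-groups shape (ids are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "BuildABeer-SG-2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-mail", "GroupName": "BuildABeer-SG-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 25, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        for sentence in describe_inbound(group):
            print(sentence)
    for finding in world_open_findings(SAMPLE_GROUPS):
        print("FINDING:", finding)
```

Port 25 on the mail group is a finding only because of the default allowlist; passing an allowlist that includes 25 for that group is the tuning step, and the SSH rule open to the world on the same group is the kind of collateral exposure the next slide is about.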
Not just one way – Prevent collateral damage
[Diagram: VPC (BuildABeer-VPC-1) fronted by Amazon Route 53 and CloudFront. Left: one security group (BuildABeer-SG-1) shared by the mail servers (mail.foo.com) and web servers (www.foo.com) across a public subnet, a private subnet and an ELB. Right: the mail servers (mail.foo.com) in security group BuildABeer-SG-1 and the web servers (www.foo.com) in a separate security group BuildABeer-SG-2, each with its own public subnet, private subnet and ELB.]
Example: Access control
Who can access?
From where?
How?
Access control
Use existing if possible/suitable
Reduce access
Remember, all access is logged
Easy to temporarily revoke
Don’t forget temporary keys
Automation
Protect against attacks
Protect against bad configuration
Enforce good configuration
Human vs Machine
Reduce human access [s/access/error/g]
Pace of Innovation…meet Pace of Security Automation
Scalable infrastructure needs scalable security
Let’s compare
Human Bob
• Bob needs coffee to do anything
• Bob has a hard time finding the keyboard at 3am
• Sometimes Bob misses a single unicode exploit per 10k logs
• Bob doesn’t like missing the same unicode exploit every day
• Bob dropped his pager in the pool
Auto Bob
• AutoBob doesn’t like Java in the morning
• AutoBob is backed by serverless infrastructure 24/7/365
• ML and EMR back AutoBob on demand when he needs to churn through large log files
• AutoBob already blocked the source and is now going through logs for other systems
• AutoBob triggers in near real time upon API detection
Automation simplifies component based security
Integrate cloud security in your tools
Cloud Defense Tools
Security automation != Python | Node | Java | <Insert hip name here>
Managed services
• Amazon CloudWatch Events
• AWS Lambda
• Amazon Kinesis Firehose
• Amazon Machine Learning
• Amazon GuardDuty
• Amazon Macie
And so many more…
Managed services are there to offload you
Your BUs know this…
Remediation as defense rocks… but
Failure is always an option... just at lightning speed
Test, test, test
Guard rails
Edge cases
Don’t nuke yourself
Framework/Remediation strategy
The anatomy of security automation

Mode        Section          Actions
Initiate    React            Config Rules / CloudWatch Events / Log Parsing
            Trigger          Lambda
            Learn            Lambda / CloudWatch Logs
Execution   Priority Action  Restart service, delete user, etc.
            Forensics        Discover: Who/where/when, allowed to execute?
            Countermeasure   Disable access keys, isolate instance, etc.
            Alert            Text/Page, email, ticket system
            Logging          Database, ticket system, encrypt data?
Demo
Purpose: Prevent misconfiguration of Amazon S3 buckets
Functionality:
• Automatically remove public access to S3 bucket/objects
• Support whitelisting of public buckets
• Support alert/notification to email, Amazon Chime, Slack
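The demo's decision step as an added example (this is not the deck's demo code): pure Python over the dict shapes boto3 returns for get_bucket_acl and get_bucket_policy, with constructed bucket names, grants, policy, owner id, VPC endpoint id and whitelist. It finds ACL grants to the AllUsers/AuthenticatedUsers groups and policy statements that allow Principal "*", skips whitelisted buckets, builds the cleaned ACL and policy that a put_bucket_acl / put_bucket_policy (or delete_bucket_policy) call would then apply, and holds back any public statement that carries a Condition for human review rather than removing it, since such a statement may be what scopes access to a VPC endpoint or source range (the "don't nuke yourself" guard rail). Treating "has a Condition" as the review trigger is a simplification assumed for the example.

```python
import copy

# Canonical S3 group URIs whose grants make a bucket or object public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _statements(policy):
    stmts = policy.get("Statement", []) if policy else []
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def classify_statements(policy):
    """Public Allow statements split into: safe to remove (no Condition) and
    needs review (a Condition may scope access; assumption: never auto-removed)."""
    remove, review = [], []
    for s in _statements(policy):
        if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal")):
            (review if "Condition" in s else remove).append(s)
    return remove, review


def evaluate_bucket(name, acl, policy, whitelist):
    """Decide ok / skip-whitelisted / remediate and build the cleaned ACL and policy."""
    public_grants = [g for g in acl.get("Grants", []) if is_public_grant(g)]
    remove, review = classify_statements(policy)
    result = {"bucket": name, "public_grants": len(public_grants),
              "public_statements": len(remove), "needs_review": len(review)}
    if not (public_grants or remove or review):
        result["action"] = "ok"
    elif name in whitelist:
        result["action"] = "skip-whitelisted"
    else:
        result["action"] = "remediate"
        new_acl = copy.deepcopy(acl)
        new_acl["Grants"] = [g for g in new_acl["Grants"] if not is_public_grant(g)]
        result["new_acl"] = new_acl
        if policy:
            kept = [s for s in _statements(policy) if s not in remove]
            # None means "delete the bucket policy entirely"
            result["new_policy"] = {**policy, "Statement": kept} if kept else None
    return result


def format_alert(result):
    """One-line message for the notification channel (SNS email, Chime, Slack)."""
    return (f"[s3-public-access] bucket={result['bucket']} action={result['action']} "
            f"public_grants={result['public_grants']} "
            f"public_statements={result['public_statements']} needs_review={result['needs_review']}")


# Constructed sample data in the shapes boto3 returns (owner id and endpoint id are placeholders).
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
ACL_PUBLIC_READ = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                              {"Grantee": ALL_USERS, "Permission": "READ"}]}
ACL_PRIVATE = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
POLICY_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-export/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-export/*",
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}}},
]}
WHITELIST = {"public-website-assets"}
SAMPLE_BUCKETS = [("public-website-assets", ACL_PUBLIC_READ, None),
                  ("data-export", ACL_PUBLIC_READ, POLICY_OPEN),
                  ("private-logs", ACL_PRIVATE, None)]


def run(buckets=SAMPLE_BUCKETS, whitelist=WHITELIST):
    return [evaluate_bucket(n, a, p, whitelist) for n, a, p in buckets]


if __name__ == "__main__":
    for r in run():
        print(format_alert(r))
```

The evaluation returns data (the cleaned ACL and policy, the counts, the alert line) instead of performing the write, so the remediation can be tested end to end without touching a bucket and then wired to the API calls and notification targets in a Lambda handler.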
Other examples
• CIS AWS Benchmark
• Remediate exposed AWS credentials
• Enforce service state (example: CloudTrail)
• Enforce immutable infrastructure (OS config/services <-> cloud controls)
• Track suspected users in near real time
• Edge traffic analytics
• Instance memory capture (example: Margarita Shotgun @ https://threatresponse.cloud/)
OSS and you
Lots of code out there
Review!
Learn!
Other OSS projects
Some of the projects out there:
• ThreatResponse.cloud https://threatresponse.cloud
• Cloud Custodian https://github.com/capitalone/cloud-custodian
• Security Monkey https://github.com/Netflix/security_monkey
• FIDO https://github.com/Netflix/Fido
• CloudSploit https://github.com/cloudsploit
• Prowler https://github.com/Alfresco/prowler
• StreamAlert https://github.com/airbnb/streamalert
And many more…
Have a security automation project/repo…let me know!
AWS and OSS
http://github.com/awslabs
http://github.com/awslabs/aws-security-automation
https://github.com/awslabs/aws-security-benchmark
Cloud defense strategy summary
Visibility: What/When/How
Data flow: Enforce desired path (Edge -> Layers -> Data)
Automation: Detect/React/Remediate
Tooling: Find what works for you and scale!
Online resources
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/security/security-resources/
https://aws.amazon.com/quickstart/#security
Remember
Security is a service team, not a blocker
Security is everyone's job
Allow flexibility and freedom, but control the flow and result.