Advanced Security Automation Made Simple Mark Nunnikhoven Vice - - PowerPoint PPT Presentation

Advanced Security Automation Made Simple

Mark Nunnikhoven

Vice President, Cloud Research at Trend Micro @marknca

Make sure that systems work as intended

The goal of cybersecurity

• nly as intended

…and only as intended Make sure that systems work as intended

The goal of cybersecurity

Data Application OS Virtualization Infrastructure Physical

On-premises


(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

Security Development Operations

Solving Problems
 For Customers

Operational Excellence Reliability Performance Efficiency Security Cost Optimization

The Well-Architected Framework

Automate

Restrict Permissions

Grant only those privileges which are essential to perform the intended function

The principle of least privilege

User Permission Role Aurora S3 Bucket Notebook MQ

• 1. In an isolated test environment, apply a FullAccess

policy or the permissions you believe are required

• 2. Complete the desired tasks
• 3. Compare against CloudTrail logs to verify actual

permissions used

• 4. Use new policy to enforce the principle of least privilege
• 5. Repeat as code changes

The steps

Many approaches…

CloudTrail Console

Many approaches…

Policy CloudTrail Console Lambda

Many approaches…

Slack GitHub Policy CloudTrail S3 Bucket Athena Console Lambda Lambda CloudWatch Event

Monitor S3 Exposure

Do not make that which is secure, insecure

The principle of the face palm

{

Amazon S3 AWS IAM Amazon Macie AWS Trusted Advisor AWS Well-Architected Tool

Service Warnings

S3 Bucket * ACL CloudWatch Event Lambda

Track Production Logins

Systems, not users access production systems

The DevOps principle

Instance CloudWatch
 Logs User Lambda Slack

• 1. Push critical system and application

events to CloudWatch Logs

• 2. Subscribe to various log filters via AWS

Lambda

• 3. Run security playbook automatically

The steps

Forensic Isolation

If something unknown is happening, quarantine until you figure it out

The Crichton principle

Instance SNS Topic User Lambda

• 1. Security controls on instance alert on issue
• 2. Lambda triggered by alert
• 3. Change security group to make system inaccessible
• 4. Open security incident
• 5. Create forensic instance to analyze infected instance
• 6. …

The steps

What’s Next?

• 1. Custom application logs to AWS Config (via rules) for centre

compliance log

• 2. Correlate auto-scaling alerts with backend data to detect possible

DDoS attacks

• 3. Detect unauthorized drift from applications & infrastructure

CloudFormation templates

• 4. Streamline the incident response process, including restoring

production to full capacity

• 5. Automatically find & mitigate vulnerabilities before deployment

Sample ideas

Don’t over complicate security

1.Start manually 2.Determine risk tolerance 3.Lambda all the things

Simple steps to automated success

Use two lanes

Trigger Result

Use two lanes

Trigger Result CloudWatch Event Lambda CloudTrail Lambda Slow lane Fast lane

• nly as intended

…and only as intended Make sure that systems work as intended

The goal of cybersecurity

markn.ca/2019/aws-reinvent

Thank you!

Mark Nunnikhoven

Vice President, Cloud Research at Trend Micro

@marknca

markn.ca/2019/aws-reinvent

Please complete the session survey in the mobile app

40