#ALSummit: Alert Logic & AWS - AWS Security Services
0 likesâą719 views
The document provides an overview of AWS security services, including network security primitives such as security groups and network access control lists (NACLs). It emphasizes the importance of continuous monitoring and vulnerability management through tools like Amazon Inspector and AWS WAF. Additionally, it discusses AWS Config rules for configuration changes and compliance, highlighting integration with remediation tasks and other platforms like Jira.
![The easy (Vulnerabilities) matter
"[With] any large network, I will tell you that
persistence and focus will get you in, we'll achieve that
exploitation without the zero days," he says. "There's
so many more vectors that are easier, less risky and
quite often more productive that going down that
route." This includes, of course, known vulnerabilities
for which a patch is available but the owner hasn't
installed it.
- Rob Joyce NSA TAO @ Enigma 2016](https://image.slidesharecdn.com/patryansecurity-presentation-al-cssawspr-final2-160613201416/85/ALSummit-Alert-Logic-AWS-AWS-Security-Services-6-320.jpg)
#ALSummit: Alert Logic & AWS - AWS Security Services
- 1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved AWS Security Services Deep Dive â Extended with Alert Logic Patrick McDowell â Partner Solutions Architect, AWS Ryan Holland - Cloud Platform Solution Director, Alert Logic
- 2. AWS Network Security Primitives
- 3. Network Access Control âą Security Groups provide Stateful firewalls around each Amazon EC2 Instance âą NACLs provide stateless firewalls around subnets âą VPC Flow Logs provide traffic visibility âą No Broadcast, VIPs, Layer 2, or Network Taps
- 5. More tools to move fast and stay safe âą Amazon Inspector âą AWS WAF âą AWS Config Rules
- 6. The easy (Vulnerabilities) matter "[With] any large network, I will tell you that persistence and focus will get you in, we'll achieve that exploitation without the zero days," he says. "There's so many more vectors that are easier, less risky and quite often more productive that going down that route." This includes, of course, known vulnerabilities for which a patch is available but the owner hasn't installed it. - Rob Joyce NSA TAO @ Enigma 2016
- 7. Amazon Inspector Features Configuration Scanning Engine Activity Monitoring Built-in Content Library Automatable via API Fully Auditable
- 8. Amazon Inspector Rule Sets CVE Security Best Practices Run Time Behavior Analysis CIS Operating System Security Configuration Benchmarks
- 9. Amazon Inspector and Alert Logic âą Amazon Inspector makes it easy to do the right thing BEFORE your app goes into production âą Pairs point-in-time, host-based scans with continous, whitelisted network scans âą Layering AWS Inspector Assessments, Alert Logic Cloud Insight and Cloud Defender provides full spectrum security visibility and response
- 10. AWS WAF (Web Application Firewall)
- 11. AWS WAF Features Web Filtering CloudFront Integration Centralized Rule Management Real-Time Visibility API Automation
- 12. AWS WAF Benefits Increased Protection Against Web Attacks Ease of Deployment and Maintenance Security Embedded in Development Process
- 13. AWS WAF in Action AWS Management ConsoleAdmins Developers AWS API Web App in CloudFront Define rules Deploy protection AWS WAF
- 14. AWS Config Rules
- 15. AWS Config & Config Rules AWS Config Amazon Config Rules ïŒ Record configuration changes continuously ïŒ Time-series view of resource changes ïŒ Archive & Compare ïŒ Enforce best practices ïŒ Automatically roll-back unwanted changes ïŒ Trigger additional workflow
- 16. AWS Config Rules Benefits Continuous monitoring for unexpected changes Shared Compliance across your organization Simplified management of configuration changes
- 17. AWS Config Rules Features Flexible Rules evaluated continuously and retroactively Dashboard and Reports for Common Goals Customizable Remediation API Automation
- 18. Advanced Compliance with Config Rules âą Open Source Rules â https://github.com/awslabs/aws-config-rules âą Enforce encryption on all volumes âą Ensure CloudTrail is enabled globally for bucket X âą Confirm that no users have MFA disabled âą Create a rule that no security group can permit 0.0.0.0/0 âą No Root Access Keys or logins without MFA âą All Instances Must be in VPC-ID X
- 19. AWS Config Rules and Alert Logic âą Lambda function used to add Config Rules violations to Cloud Insight platform as remediation tasks. âą Tight integration with JIRA to allow automatic ticket routing to asset owner and validation when tickets are closed.
- 20. Questions?
Editor's Notes
- #7: Why we built Inspector What uses cases does it cover Makes it easy to do the very basics, which gives you a lot Easier Barrier to entry AL CI = Builds on top of basic primitives we offer
- #8: Checks both OS + Apps
- #9: CVE â Most Common Targets Security Best Practices â From AWS AppSec, e.g. SSH allows root logins Run Time Bheavior Analysis â Long Running Analysis, can affect the severity of the findings CIS â Industry Standard guide to hardening your OS, biggest customer ask we had
- #10: Emphasize dev-test AL is for prod AL also has IDS, no concept of IDS on AWS natively
- #13: Can Programmatically add rules from logs you mined # of 400 errors -> Bad Bot and you can automatically ingest those Bad Ips Sources from other Systems (E.g. FinServ) Make the âRulesâ Part of your âInfrastructure as Codeâ
- #14: AWS WAF can protect the edge, AL can do it at the origin ->Provides intelligence and complex rules/logic that our WAF does not come out of the box with ->Auto-Scales to meet your needs
- #16: Config: . It allows you to get an inventory of all resources in AWS, discover new and deleted resources, record those changes continuously, and get notified when configurations change. Author custom rules using AWS Lambda
- #17: Puts Guard Rails into place across the Enterprise/Production If something falls out of compliance, automatically, rolls back to compliance standards set You can not do this on premises.
- #18: Lambda Functions are the custom rules that get triggered Triggers are Time or Resource Based. Invoked automatically for continuous assessment (single pane of glass) Use dashboard for visualizing compliance and identifying offending changes
- #20: For the AWS Config Rules service we have created a custom Lambda function that allows Cloud Insight to ingest violations of rules that have been created and we present these as remediation tasks along side other remediations for a particular asset in AWS. One key part of how these remediations are presented is that the AWS metadata and other information we collect from the environment is used to help provide the best means for remediating a violation, for example if multiple instances are launched without a required tag or using encrypted volumes and they are all part of the same AutoScaling group by understanding the environment and maintaining a continuously updated asset model we direct the remediation to update that ASLC/G rather than the individual instances since in that case simply applying a fix to the instances will not fix the root of the issue. Also as I touched on previously our API and integrations with tools such as JIRA allows violations from Config Rules as well as any other remediations to be directed automatically to the owner of the instance through a ticket in JIRA and the plugin is bi-directional meaning that when the owner marks the ticket as closed we will go and validate that the remediation has actually been completed and if needed re-open the ticket. this automation means that your security teams donât need to spend time tracking down who owns a particular instance and to perform manual validation of the fix once the tickets are marked complete.