AWS Security Monitoring
Best Practices for Effective Threat Detection and Response
Introductions
Russ Spitler
VP of Product Strategy
Agenda
Review of the AWS “Shared Security” Model
Implications on Threat Detection
Current state of Security in the Amazon AWS Cloud
Effective Security Monitoring in AWS
[Diagram: AWS stack layers: Application, Operating System, Network, Hypervisor, Physical]
AWS: Who’s really responsible?
[Diagram: AWS stack layers (Application, Operating System, Network, Hypervisor, Physical), divided between User’s Responsibility and Amazon’s Responsibility]
AWS: Who’s really responsible?
Plenty of advice on how to secure your AWS implementation:
• Secure the root credentials with a strong password and multi-factor authentication
• Use Multi-Factor Authentication for all admin accounts
• AWS VPC security
• AWS EC2 security: Use roles with minimal permissions to make API calls from within EC2.
• Use CloudTrail to track changes made to the environment via API calls.
• Make use of intrusion detection and log analysis in your environment
• For more complex environments, use SAML to establish a single sign-on (SSO) for your AWS management.
AWS: Shared Security Model
[Diagram: AWS stack layers: Application, Operating System, Network, Hypervisor, Physical]
AWS: Shared Security Model
[Diagram: AWS stack layers: Application, Operating System, Network, Hypervisor, Physical]
So how do you monitor your environment?
How do you detect the latest threats?
What we do know is if an environment can be
compromised, it WILL be compromised.
AWS: What is effective monitoring?
• View user activity
• Detect known malicious behavioral patterns
• Identify anomalous activity
• Audit best practices and secure configuration
• Dynamically adapt to a changing environment
[Diagram: AWS stack layers (Application, Operating System, Network, Hypervisor, Physical), annotated with: Dynamic environment, Restricted Deployment, New Features]
Monitoring in a shared world
In other words…
• What services are my users using?
• Who terminated my instance?
• Do any of my instances have known vulnerabilities?
• Has anyone updated my security groups?
• Do I have any of my services publicly accessible?
• Failure to use Security Groups – more than 20,000 databases are publicly accessible in one Amazon region alone (9 Regions total).
• Failure to manage credentials – unrestricted AWS credentials used in deployments
• Hackers are stealing compute power with stolen AWS API credentials
• Hackers are using stolen servers as command and control servers.
AWS: The Current State Of Security
• Heavily Restricted Deployment Environment
• New Security Model With New Features
• Dynamic Environment
Online Retailer: “CloudTrail is a great start, but I need to understand what it is saying.”
“I just don’t have visibility into when Amazon’s security features are working.”
“The stuff I bought for my other datacenter just doesn’t work here.”
“I’m not sure if my developers are exposing the company to more risk.”
“It is my impression that this is not Amazon’s fault that these issues exist. Most of the vulnerabilities this year are from misconfigurations or small things where the developers working on applications made mistakes” – Andres Riancho @ BlackHat
The Security Problem Opportunity
What is effective monitoring in AWS?
• Dynamically scalable monitoring
• Visibility into the API activity
• Assessment of the environment’s configuration
[Diagram: AWS stack layers: Application, Operating System, Network, Hypervisor, Physical]
USM for AMAZON
Heavily Restricted Deployment
• Vulnerability Scanning
• API Audit Logs Analysis
New Security Model
• AWS Infrastructure Assessment
Dynamic Environment
• Log Management
• Asset Discovery
• CloudTrail Logs Integration
Native Cloud Features
• Horizontally scalable storage and correlation
• Automated Deployment in your environment from AWS
AUTOMATED ASSET DISCOVERY – Manage security the way your infrastructure is managed.
• Automatically inventory running instances
• Full visibility into AWS metadata for forensic analysis
• Map all security data back to Amazon instance IDs for real cloud forensics
AMAZON INFRASTRUCTURE ASSESSMENT – Double-check use of AWS security primitives and detect changes.
• Detect insecure configuration of network access controls
• Remotely accessible service ports
• Remotely accessible management ports
[Diagram labels: VPC subnet, Security Group]
Core Features
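The infrastructure assessment described above can be illustrated with a small security group audit. This is an added example, not part of the original slides or of any AlienVault product; the sample input is constructed in the shape of `aws ec2 describe-security-groups` JSON output, and the port tables and the `audit` function are assumptions chosen for illustration.

```python
import json

# Assumed watch lists: which ports count as "management" or "service" is a policy choice.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
SERVICE_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of describe-security-groups output.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-aaaa1111", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-bbbb2222", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-cccc3333", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})

def audit(text):
    """Return sorted (group_id, kind, port, name) for watched TCP ports open to any address."""
    findings = set()
    for sg in json.loads(text)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD or perm["IpProtocol"] not in ("tcp", "-1"):
                continue
            if perm["IpProtocol"] == "-1":
                # "-1" means all traffic and carries no port fields.
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            # A wide range exposes every watched port inside it, not just its endpoints.
            for kind, table in (("management", MGMT_PORTS), ("service", SERVICE_PORTS)):
                for port, name in table.items():
                    if lo <= port <= hi:
                        findings.add((sg["GroupId"], kind, port, name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Note that `sg-bbbb2222` never names port 3306 or 3389 explicitly; the exposure comes from a port range, which a check for exact port matches would miss.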
LOG MANAGEMENT & CORRELATION – Monitor your applications & systems for compliance & security.
• Monitor your applications to detect behavioral changes
• Secure storage for compliance
• S3 & CloudWatch Log integration for ease of management
CLOUDTRAIL MONITORING & ALERTING – Notification of environmental changes & abuse.
• Monitor full API audit log
• Monitor and alert on critical environment updates
• Monitor and alert on malicious behavior
Core Features
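The questions posed earlier in the deck ("Who terminated my instance?", "Has anyone updated my security groups?", "What services are my users using?") map directly onto fields in CloudTrail records. The following is an added example, not part of the original slides or of any AlienVault product; the log records, account ID, user names and the `summarize` function are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

ARN = "arn:aws:iam::111122223333:user/"  # constructed account ID and user prefix
# Constructed CloudTrail log file, in the {"Records": [...]} layout delivered to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-01T12:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": ARN + "deploy-bot"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
    {"eventTime": "2014-10-01T12:03:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": ARN + "alice"},
     "requestParameters": {"groupId": "sg-11112222"}},
    {"eventTime": "2014-10-01T12:04:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": ARN + "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2014-10-01T12:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": ARN + "alice"}, "requestParameters": None},
]})

SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}

def summarize(log_text):
    """Who terminated which instance, who changed security groups, who uses which service."""
    out = {"terminated": {}, "sg_changes": [], "services": defaultdict(Counter)}
    for ev in json.loads(log_text).get("Records", []):
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        out["services"][who][ev.get("eventSource", "unknown")] += 1
        if ev.get("errorCode"):
            continue  # denied or failed call: counted as usage, but nothing changed
        params = ev.get("requestParameters") or {}
        stamp = (who, ev.get("sourceIPAddress"), ev.get("eventTime"))
        if ev.get("eventName") == "TerminateInstances":
            for item in params.get("instancesSet", {}).get("items", []):
                out["terminated"][item["instanceId"]] = stamp
        elif ev.get("eventName") in SG_CHANGES:
            target = params.get("groupId") or params.get("groupName")
            out["sg_changes"].append((target, ev["eventName"]) + stamp)
    return out

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["terminated"], report["sg_changes"], dict(report["services"]), sep="\n")
```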
VULNERABILITY ASSESSMENT – Stay ahead of vulnerabilities & understand your exposure.
• Elastically assess your infrastructure
• Auto-Notification of new instances
• Secure, authenticated scans with low overhead
ELASTIC SCALABILITY
• Horizontally scales as you grow.
• CloudFormation templates for easy provisioning
• Priced for elastic environments.
[Diagram label: Auto-Scaling Group]
Core Features
Let’s See It in Action
888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Questions?
Download a Free 15-Day Trial
http://www.alienvault.com/free-trial
Check out our Solution Brief:
AlienVault Unified Security Management for AWS
http://www.alienvault.com/resource-center/solution-briefs/alienvault-unified-security-management-for-aws
Reach out to us
• rgeorgian@alienvault.com
• Hello@alienvault.com
• Twitter: @AlienVault


Editor's Notes

  • #7 So how do you monitor your environment? How do you detect the latest threats? What we do know is if an environment can be compromised, it WILL be compromised.
  • #8 So how do you monitor your environment? How do you detect the latest threats? What we do know is if an environment can be compromised, it WILL be compromised.