    AWS Layered Security Solutions - 17 September - 15:00

    Published: October 13, 2019

    AWS Loft Istanbul 2019 AWS Layered Security Solutions - 17 September - 15:00


    • 1. AWS Layered Security Services. Derek Yuill, Senior Solutions Architect, AWS. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    • 2. Why is security traditionally so hard? Lack of visibility; low degree of automation.
    • 3. Before: move fast OR stay secure.
    • 4. Now: move fast AND stay secure.
    • 5. AWS Layered Security Services (section title).
    • 6. AWS Security Services.
    • 7. Layered Security Services, arranged by function: Identify, Protect, Detect, Respond, Automate, Investigate, Recover. Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, Snapshot Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager.
    • 8. Our mental model for security services, two types: Foundational Security Services ("once" applies to all workloads) versus services consumed and integrated workload by workload. Foundational services listed: AWS Systems Manager, AWS Config, Amazon CloudWatch, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, Amazon VPC, AWS Secrets Manager, AWS CloudTrail.
    • 9. External Security Services: Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub. Perimeter Protection: AWS WAF, AWS Shield, AWS Firewall Manager.
    • 10. Amazon GuardDuty (External Security Services).
    • 11. How does Amazon GuardDuty work? Easy one-click activation without architectural or performance impact.
    • 12. No agents, no sensors, no network appliances.
    • 13. Instant on: provides findings in minutes.
    • 14. Data sources: VPC Flow Logs, DNS logs, CloudTrail events. Threat detection types: threat intelligence and anomaly detection (ML). Finding categories: Bitcoin mining, instance compromise, account compromise (47 detections in total). Findings are rated HIGH, MEDIUM or LOW and can be forwarded to AWS Security Hub or a SIEM to respond.
    • 15. Automate with integrated services: a GuardDuty finding raises a CloudWatch Event, which invokes a Lambda function for automated threat remediation (the event can also be time-based).
    • 16. (image-only slide, no text)
    • 17. Layered Security Services summary so far. Amazon GuardDuty: services covered: AWS Account, EC2, IAM; threat detection (threat intelligence); anomaly detection (ML).
    • 18. (image-only slide, no text)
    • 19. Amazon Inspector (External Security Services).
    • 20. Amazon Inspector: automated security assessment service to help improve the security and compliance of applications deployed on AWS.
    • 21. Network Reachability Assessments: agentless network assessments find externally accessible EC2 instances (internet, VPN, peering), for example SSH open to the internet. Enhanced mode, with the optional agent, adds information about the software listening on the reachable ports.
    • 22. How to use Amazon Inspector: configure an assessment, run the assessment, review findings (vulnerability; resource affected; recommendation), remediate. Inspector partners cover SIEM, reporting and ticketing. Take action with 1-click.
    • 23. Automate use of findings: findings (vulnerability; resource affected; recommendation) are published through Amazon Simple Notification Service to AWS Lambda, which can remediate with EC2 Run Command.
    • 24. Network Reachability, key features: avoid the complexity and impact of scanners; actionable insights; validate and fix your AWS networking configuration; shows all open paths (internet, VPN, etc.).
    • 25. Network Reachability findings show: WHERE a port is reachable from (internet via IGW, including instances behind ELB/ALB; VPN or DX via VGW; peered VPC); HOW this is allowed (security group; VPC: subnet, NACL, IGW, etc.); and, with the optional agent, which process is listening on the port (process name and process id; binary/executable).
    • 26. How does it work? Amazon Inspector analyzes the AWS network configuration to find what is reachable. Resources analyzed: security groups, VPCs, network interfaces, subnets, network ACLs, route tables, Elastic Load Balancers, Application Load Balancers, internet gateways, virtual private gateways, Direct Connect, VPC peering connections.
    • 27. EC2 host assessment: using an agent installed on EC2, Amazon Inspector can assess vulnerabilities in software (CVE), host hardening guidelines (CIS Benchmark), and AWS security best practices.
    • 28. Layered Security Services summary so far. Amazon Inspector: services covered: EC2, IAM; vulnerability management; packet-less port scan. Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence); anomaly detection (ML).
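    The reachability analysis that slides 25 and 26 describe is, at its core, a static evaluation of the VPC configuration: a port on an instance is reachable from the internet only when the security group admits a public source, the subnet's NACL does not deny it, the subnet's route table sends 0.0.0.0/0 to an internet gateway, and the instance has a public address. The toy analyzer below is an added example, not Amazon Inspector's code; it reproduces that reasoning over a constructed environment (all resource ids, CIDRs and the three instances are made up) and reports, per port, which configuration item allowed the path, mirroring the WHERE/HOW structure of the findings on slide 25.

```python
"""Toy model of the agentless network-reachability check (added example,
not Amazon Inspector's implementation). Sample environment is constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

# RFC1918 space; a rule whose source CIDR is entirely inside it cannot admit internet traffic.
PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_includes_internet(cidr: str) -> bool:
    """True if the CIDR admits at least some public (non-RFC1918) source addresses."""
    net = ip_network(cidr)
    return not any(net.subnet_of(p) for p in PRIVATE_RANGES)


@dataclass
class SgRule:              # one security-group ingress rule
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass
class NaclRule:            # one inbound network-ACL entry
    number: int
    action: str            # "allow" or "deny"
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass
class Subnet:
    subnet_id: str
    routes: dict           # destination CIDR -> target ("local", "igw-...", "nat-...")
    nacl_inbound: list     # NaclRule entries, evaluated in ascending rule-number order


@dataclass
class Instance:
    instance_id: str
    subnet: Subnet
    public_ip: bool
    sg_rules: dict         # security group id -> list of SgRule


def _matches(rule, proto: str, port: int) -> bool:
    return rule.proto in (proto, "-1") and rule.from_port <= port <= rule.to_port


def nacl_verdict(subnet: Subnet, proto: str, port: int):
    """First matching inbound NACL rule wins; the implicit '*' rule denies.
    Approximation: only rules whose source CIDR covers public space are considered."""
    for rule in sorted(subnet.nacl_inbound, key=lambda r: r.number):
        if _matches(rule, proto, port) and cidr_includes_internet(rule.cidr):
            return rule.action == "allow", f"NACL rule {rule.number} ({rule.action})"
    return False, "NACL implicit deny"


def igw_route(subnet: Subnet):
    """Return the IGW id if the subnet's default route points at an internet gateway."""
    target = subnet.routes.get("0.0.0.0/0", "")
    return target if target.startswith("igw-") else None


def internet_reachable_ports(instance: Instance, proto: str = "tcp") -> dict:
    """Map port -> list of explanations for ports reachable from the internet via an IGW."""
    findings = {}
    igw = igw_route(instance.subnet)
    if igw is None or not instance.public_ip:
        return findings  # no path in or no return path: not internet-reachable
    for sg_id, rules in instance.sg_rules.items():
        for rule in rules:
            if not (rule.proto in (proto, "-1") and cidr_includes_internet(rule.cidr)):
                continue
            for port in range(rule.from_port, rule.to_port + 1):
                allowed, nacl_reason = nacl_verdict(instance.subnet, proto, port)
                if allowed:
                    findings.setdefault(port, []).append(
                        f"{sg_id} allows {proto}/{port} from {rule.cidr}; {nacl_reason}; "
                        f"route 0.0.0.0/0 -> {igw}")
    return findings


# --- constructed sample environment (every id below is made up) ---
ALLOW_ALL_TCP = NaclRule(100, "allow", "tcp", 0, 65535, "0.0.0.0/0")
PUBLIC = Subnet("subnet-public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"}, [ALLOW_ALL_TCP])
HARDENED = Subnet("subnet-hardened", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"},
                  [NaclRule(50, "deny", "tcp", 22, 22, "0.0.0.0/0"), ALLOW_ALL_TCP])
PRIVATE = Subnet("subnet-private", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"}, [ALLOW_ALL_TCP])

INSTANCES = [
    Instance("i-web", PUBLIC, True, {"sg-web": [SgRule("tcp", 443, 443, "0.0.0.0/0"),
                                               SgRule("tcp", 22, 22, "0.0.0.0/0"),      # SSH open to the internet
                                               SgRule("tcp", 3306, 3306, "10.0.0.0/16")]}),
    Instance("i-bastion", HARDENED, True, {"sg-bastion": [SgRule("tcp", 22, 22, "0.0.0.0/0")]}),  # NACL blocks it
    Instance("i-db", PRIVATE, False, {"sg-db": [SgRule("tcp", 22, 22, "0.0.0.0/0")]}),          # no IGW route / public IP
]


def assess(instances=INSTANCES) -> dict:
    return {i.instance_id: internet_reachable_ports(i) for i in instances}


if __name__ == "__main__":
    for instance_id, ports in assess().items():
        print(instance_id, ports or "no internet-reachable ports")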
    • 29. Amazon Macie (External Security Services).
    • 30. How does Amazon Macie work? (image-only slide)
    • 31. How does Amazon Macie work? (image-only slide)
    • 32. Layered Security Services summary so far. Amazon Macie: services covered: S3, IAM; discover, classify, and secure content; user behavior analytics; anomaly detection (ML). Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence). Amazon Inspector: EC2, IAM; vulnerability management; packet-less port scan.
    • 33. AWS Security Hub (External Security Services).
    • 34. How does AWS Security Hub work? (image-only slide)
    • 35. Getting started with AWS Security Hub. (image-only slide)
    • 36. AWS Security Hub, partner integrations. (image-only slide)
    • 37. AWS Security Hub, partner integrations. (image-only slide)
    • 38. AWS Security Hub, insights. (image-only slide)
    • 39. AWS Security Hub, compliance checks (CIS). (image-only slide)
    • 40. Layered Security Services summary so far. AWS Security Hub: compliance; single pane of glass. Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence). Amazon Macie: S3, IAM; discover, classify, and secure content; user behavior analytics; anomaly detection (ML). Amazon Inspector: EC2, IAM; vulnerability management; packet-less port scan.
    • 41. Perimeter Protection (section title).
    • 42. (image-only slide, no text)
    • 43. AWS Shield Advanced (Perimeter Protection).
    • 44. AWS Shield: a managed DDoS protection service. There are two tiers of AWS Shield: AWS Shield Standard and AWS Shield Advanced.
    • 45. AWS Shield Advanced, DDoS attack threats and trends: network/transport layer DDoS.
    • 46. DDoS threats and trends: AWS Shield detects and mitigates thousands of DDoS attacks daily. Source: AWS Global Threat Dashboard (available to AWS Shield Advanced customers).
    • 47. AWS Shield Standard: built-in DDoS protection for everyone; DDoS expertise.
    • 48. AWS Shield Standard & Advanced. Standard: built-in DDoS protection for everyone; DDoS expertise. Advanced adds enhanced protection and 24x7 access to the DDoS Response Team (DRT); visibility & compliance (CloudWatch metrics, attack diagnostics, global threat environment dashboard); and economic benefits (AWS WAF at no additional cost for protected resources, AWS Firewall Manager at no additional cost, cost protection for scaling).
    • 49. Layered Security Services summary so far. AWS Shield: services covered: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB; managed DDoS protection. AWS Security Hub: compliance; single pane of glass. Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence). Amazon Macie: S3, IAM; discover, classify, and secure content; user behavior analytics; anomaly detection (ML). Amazon Inspector: EC2, IAM; vulnerability management; packet-less port scan.
    • 50. AWS Web Application Firewall (Perimeter Protection).
    • 51. Protecting your applications using AWS WAF: application vulnerabilities, bots & scrapers, HTTP floods.
    • 52. AWS Web Application Firewall (WAF), popular deployment modes: 1. custom rules; 2. managed rules; 3. security automation; or any combination of the above.
    • 53. (image-only slide, no text)
    • 54. (image-only slide, no text)
    • 55. AWS WAF, deploy in 3 easy steps: find rules on the AWS WAF console or AWS Marketplace; click and subscribe; associate the rules in AWS WAF.
    • 56. (image-only slide, no text)
    • 57. (image-only slide, no text)
    • 58. Automatic block of suspicious hosts using Amazon GuardDuty and AWS WAF.
    • 59. Layered Security Services summary so far. AWS WAF: services covered: ALB, API GW, CloudFront; protect your web applications from common web exploits. AWS Shield: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB; managed DDoS protection. AWS Security Hub: compliance; single pane of glass. Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence). Amazon Macie: S3, IAM; discover, classify, and secure content; user behavior analytics; anomaly detection (ML). Amazon Inspector: EC2, IAM; vulnerability management; packet-less port scan.
    • 60. AWS Firewall Manager (Perimeter Protection).
    • 61. AWS Firewall Manager key benefits. Simplified management of WAF rules: integrated with AWS Organizations; centrally managed global rules and account-specific rules. Ensure compliance with WAF rules: ensure the entire organization adheres to a mandatory set of rules; apply protection even when new accounts or resources are created. Central visibility across the organization: central visibility of WAF threats; a compliance dashboard for auditing firewall status; the organization's InfoSec team learns and operates WAF instead of each account owner.
    • 62. AWS Firewall Manager key benefits, continued. Enable rapid response to internet attacks at scale: security administrators have a single console to receive real-time threats and respond within minutes; quickly apply CVE patches across all applications in your organization, or block malicious IP addresses detected by GuardDuty across the entire organization.
    • 63. Automate with integrated services: a GuardDuty finding raises a CloudWatch Event (or a time-based event), which invokes a Lambda function; the function pushes the remediation through AWS Firewall Manager to AWS WAF, so the block applies organization-wide.
    • 64. Typical use cases: deploy OWASP rules for PCI compliance (PCI DSS 3.0 Requirement 6 suggests customers deploy a WAF with rules such as the OWASP Top 10); subscribe to managed rules from AWS Marketplace; ensure the OWASP rule is applied across all PCI-tagged resources.
    • 65. Layered Security Services, full summary. AWS Firewall Manager: services covered: AWS WAF; enable rapid response to internet attacks. AWS WAF: ALB, API GW, CloudFront; protect your web applications from common web exploits. AWS Shield: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB; managed DDoS protection. AWS Security Hub: compliance; single pane of glass. Amazon GuardDuty: AWS Account, EC2, IAM; threat detection (threat intelligence). Amazon Macie: S3, IAM; discover, classify, and secure content; user behavior analytics; anomaly detection (ML). Amazon Inspector: EC2, IAM; vulnerability management; packet-less port scan.
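    Slides 15, 58 and 63 all describe the same automation loop: a GuardDuty finding arrives as a CloudWatch Event, a Lambda function decides whether it warrants action, and the action lands in AWS WAF as a blocked address. The handler below is an added example, not AWS's sample code; it shows the decision logic a defender actually has to get right in that loop: act only on findings at or above a severity threshold, take the remote address only from INBOUND connection or port-probe findings (outbound findings name a destination, not an attacker), refuse to push private addresses into the block list, and merge into the WAFv2 IP set with the get/update LockToken handshake so concurrent invocations cannot clobber each other. The finding structure follows the published GuardDuty event shape; the IP set name and id are environment-variable placeholders, the event is constructed (the 198.51.100.0/24 address is a documentation range), and the fake client exists only so the example runs offline. Pushing the block through AWS Firewall Manager, as slide 63 does, would change only the final API call.

```python
"""GuardDuty finding -> Lambda -> WAFv2 IP set block (added example; ids and
the event are constructed, IP set name/id are placeholders)."""
import ipaddress
import os

SEVERITY_THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7.0"))  # GuardDuty HIGH starts at 7.0
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_remote_ips(finding: dict) -> list:
    """Attacker-side addresses from finding.service.action; only INBOUND
    connections and port probes identify a remote host worth blocking."""
    action = finding.get("service", {}).get("action", {})
    ips = []
    if action.get("actionType") == "NETWORK_CONNECTION":
        conn = action.get("networkConnectionAction", {})
        if conn.get("connectionDirection") == "INBOUND":
            ips.append(conn.get("remoteIpDetails", {}).get("ipAddressV4"))
    elif action.get("actionType") == "PORT_PROBE":
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            ips.append(probe.get("remoteIpDetails", {}).get("ipAddressV4"))
    return [ip for ip in ips if ip]


def should_block(finding: dict) -> bool:
    return float(finding.get("severity", 0)) >= SEVERITY_THRESHOLD


def to_cidrs(ips) -> list:
    """/32 entries for WAF, dropping loopback, link-local and RFC1918 sources."""
    out = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918):
            continue
        out.add(f"{addr}/32")
    return sorted(out)


def block_in_waf(client, name: str, ip_set_id: str, cidrs: list, scope: str = "REGIONAL") -> list:
    """Merge cidrs into an existing WAFv2 IP set using the LockToken from get_ip_set."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    existing = sorted(current["IPSet"]["Addresses"])
    merged = sorted(set(existing) | set(cidrs))
    if merged != existing:  # skip the write when every address is already blocked
        client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                             Addresses=merged, LockToken=current["LockToken"])
    return merged


def lambda_handler(event: dict, context, client=None) -> dict:
    if event.get("detail-type") != "GuardDuty Finding":
        return {"blocked": [], "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    if not should_block(finding):
        return {"blocked": [], "reason": "below severity threshold"}
    cidrs = to_cidrs(extract_remote_ips(finding))
    if not cidrs:
        return {"blocked": [], "reason": "no blockable inbound remote address"}
    if client is None:
        import boto3  # real deployment: role needs wafv2:GetIPSet and wafv2:UpdateIPSet
        client = boto3.client("wafv2")
    merged = block_in_waf(client, os.environ.get("IP_SET_NAME", "PLACEHOLDER-IP-SET-NAME"),
                          os.environ.get("IP_SET_ID", "PLACEHOLDER-IP-SET-ID"), cidrs)
    return {"blocked": cidrs, "ip_set_size": len(merged)}


class FakeWafClient:
    """Offline stand-in for boto3's wafv2 client; mimics the LockToken rotation."""
    def __init__(self):
        self.addresses, self.token = [], "tok-0"

    def get_ip_set(self, **kw):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.token}

    def update_ip_set(self, **kw):
        assert kw["LockToken"] == self.token, "stale LockToken"
        self.addresses = list(kw["Addresses"])
        self.token = f"tok-{len(self.addresses)}"
        return {"NextLockToken": self.token}


# Constructed CloudWatch event carrying a HIGH-severity inbound SSH brute-force finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 8.0,
        "resource": {"instanceDetails": {"instanceId": "i-0example"}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}}}

if __name__ == "__main__":
    fake = FakeWafClient()
    print(lambda_handler(SAMPLE_EVENT, None, client=fake))  # blocks 198.51.100.7/32
    print(lambda_handler(SAMPLE_EVENT, None, client=fake))  # idempotent: no second write
```

    The severity gate is what keeps LOW findings (slide 14's third tier) from filling the IP set with noise, and the idempotent merge is what makes re-delivered events harmless. Whether blocking is the right automatic response for a given finding type is a per-organization decision; the handler keeps that choice in one place (should_block) so it can be tightened to an allow-list of finding types without touching the WAF plumbing.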
    • 66. Thank you!