Why is security traditionally so hard?
© 2019 Amazon Web Services Inc. or its Affiliates. All rights reserved.
• Lack of visibility
• Low degree of automation
Move fast, stay secure
Before: move fast OR stay secure.
Now: move fast AND stay secure.
AWS Security Services
Layered Security Services
Security functions covered: Identify, Protect, Detect, Respond, Automate, Investigate, Recover.
Services shown: AWS Systems Manager, AWS Config, AWS Lambda, Amazon CloudWatch, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS IoT Device Defender, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, Snapshot, Archive, AWS CloudTrail, Amazon VPC, AWS WAF, AWS Shield, AWS Secrets Manager, AWS Firewall Manager.
Layered Security Services
Our mental model for security services: two types.
• Foundational security services: enabled "once" and applying to all workloads. AWS Systems Manager, AWS Config, Amazon CloudWatch, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, Amazon VPC, AWS Secrets Manager, AWS CloudTrail.
• Layered security services: consumed and integrated workload by workload.
Layered Security Services (external security services)
• Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub
• Perimeter protection: AWS WAF, AWS Shield, AWS Firewall Manager
How does Amazon GuardDuty work?
• Easy one-click activation without architectural or performance impact.
• No agents, no sensors, no network appliances.
• Instant on: provides findings in minutes.
How does Amazon GuardDuty work?
• Data sources: VPC flow logs, DNS logs, CloudTrail events.
• Threat detection types: threat intelligence; anomaly detection (ML).
• Findings (total of 47 detections), e.g. Bitcoin mining, instance compromise, account compromise, each rated HIGH, MEDIUM or LOW.
• Respond: findings flow to AWS Security Hub or a SIEM.
Automate with integrated services
Automated threat remediation: an Amazon GuardDuty finding raises a CloudWatch Event, which invokes an AWS Lambda function. A time-based CloudWatch Event can trigger the same Lambda function on a schedule.
Layered Security Services
• Amazon GuardDuty: services covered: AWS account, EC2, IAM. Threat detection (threat intelligence); anomaly detection (ML).
• Amazon Inspector, Amazon Macie, AWS Security Hub
• Perimeter protection: AWS WAF, AWS Shield, AWS Firewall Manager (external security services)
Amazon Inspector
Automated security assessment service to help improve the security and compliance of applications deployed on AWS.
Network Reachability Assessments (Amazon Inspector)
• Agentless network assessments: find externally accessible EC2 instances (internet, VPN, peering), e.g. SSH open to the internet.
• Enhanced, with the optional agent: the agent additionally reports which software is listening on the reachable ports.
How to use Amazon Inspector?
Configure assessment → Run assessment → Findings (vulnerability; resource affected; recommendation) → Remediation.
Take action in one click, or hand findings to Inspector partners for SIEM, reporting and ticketing.
Automate use of findings
Findings (vulnerability; resource affected; recommendation) are published to Amazon Simple Notification Service, which invokes AWS Lambda; the Lambda function remediates on the instance with EC2 Run Command.
Network Reachability – key features
• Avoid the complexity and impact of scanners.
• Actionable insights: validate and fix your AWS networking configuration.
• Shows all open paths (Internet, VPN, etc.).
Network Reachability Findings (Amazon Inspector)
Amazon Inspector findings show:
WHERE is a port reachable from?
• Internet via IGW (including instances behind ELB/ALB)
• VPN or DX via VGW
• Peered VPC
HOW is this allowed?
• Security group
• VPC: subnet, NACL, IGW, etc.
Which process is listening on the port? (with the optional agent)
• Process name and process ID
• Binary / executable
How does it work?
Amazon Inspector analyzes the AWS network configuration to find what is reachable. Resources analyzed:
• Security groups
• VPCs
• Network interfaces
• Subnets
• Network ACLs
• Route tables
• Elastic Load Balancers
• Application Load Balancers
• Internet gateways
• Virtual private gateways
• Direct Connect
• VPC peering connections
EC2 Host assessment (Amazon Inspector)
Using an agent installed on EC2, Amazon Inspector can assess:
• Vulnerabilities in software (CVE)
• Host hardening guidelines (CIS Benchmark)
• AWS security best practices
Layered Security Services
• Amazon Inspector: services covered: EC2, IAM. Vulnerability management; packet-less port scan.
• Amazon GuardDuty: services covered: AWS account, EC2, IAM. Threat detection (threat intelligence); anomaly detection (ML).
• Amazon Macie, AWS Security Hub
• Perimeter protection: AWS WAF, AWS Shield, AWS Firewall Manager (external security services)
AWS Shield: a managed DDoS protection service
There are two tiers of AWS Shield:
• AWS Shield Standard
• AWS Shield Advanced
AWS Shield Advanced – DDoS attack threats and trends: network / transport layer DDoS
DDoS Threats and Trends
AWS Shield detects and mitigates thousands of DDoS attacks daily.
Source: AWS Global Threat Dashboard (available to AWS Shield Advanced customers).
AWS Shield Standard
Built-in DDoS protection for everyone, backed by AWS DDoS expertise.
AWS Shield Standard & Advanced
AWS Shield Standard:
• DDoS expertise: built-in DDoS protection for everyone.
AWS Shield Advanced:
• DDoS expertise: enhanced protection; 24x7 access to the DDoS Response Team (DRT).
• Visibility & compliance: CloudWatch metrics, attack diagnostics, global threat environment dashboard.
• Economic benefits: AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; cost protection for scaling.
Layered Security Services
• AWS Shield: services covered: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB. Managed DDoS protection.
• AWS Security Hub: compliance; single pane of glass.
• Amazon GuardDuty: services covered: AWS account, EC2, IAM. Threat detection (threat intelligence); anomaly detection (ML).
• Amazon Macie: services covered: S3, IAM. Discover, classify and secure content; user behavior analytics.
• Amazon Inspector: services covered: EC2, IAM. Vulnerability management; packet-less port scan.
• Perimeter protection: AWS WAF, AWS Firewall Manager (external security services)
Protecting Your Applications Using AWS WAF
Threats addressed: application vulnerabilities, bots & scrapers, HTTP flood.
AWS Web Application Firewall (WAF): Popular deployment modes
1. Custom rules
2. Managed rules
3. Security automation
Or use any combination of the above.
AWS Web Application Firewall (WAF): Deploy in 3 easy steps
1. Find rules on the AWS WAF console or AWS Marketplace
2. Click and subscribe
3. Associate rules in AWS WAF
Layered Security Services
• AWS Shield: services covered: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB. Managed DDoS protection.
• AWS WAF: services covered: ALB, API GW, CloudFront. Protect your web applications from common web exploits.
• AWS Security Hub: compliance; single pane of glass.
• Amazon GuardDuty: services covered: AWS account, EC2, IAM. Threat detection (threat intelligence); anomaly detection (ML).
• Amazon Macie: services covered: S3, IAM. Discover, classify and secure content; user behavior analytics.
• Amazon Inspector: services covered: EC2, IAM. Vulnerability management; packet-less port scan.
• Perimeter protection: AWS WAF, AWS Firewall Manager (external security services)
AWS Firewall Manager: Key Benefits
• Simplified management of WAF rules: integrated with AWS Organizations; centrally managed global rules and account-specific rules.
• Ensure compliance with WAF rules: ensure the entire organization adheres to a mandatory set of rules; apply protection even when new accounts or resources are created.
• Central visibility across the organization: central visibility of WAF threats across the organization; compliance dashboard to audit firewall status.
An organization's InfoSec team learns and operates WAF instead of each account owner.
AWS Firewall Manager: Key Benefits
• Enable rapid response to internet attacks at scale: security administrators have a single console to receive real-time threats and respond within minutes.
• Quickly apply CVE patches across all applications in your organization, or block malicious IP addresses detected by GuardDuty across the entire organization.
Automate with integrated services
Automated threat remediation: an Amazon GuardDuty finding raises a CloudWatch Event, which invokes an AWS Lambda function; the Lambda function updates AWS WAF through AWS Firewall Manager. A time-based CloudWatch Event can trigger the same Lambda function on a schedule.
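The GuardDuty finding → CloudWatch Event → Lambda chain on this slide and on the earlier "Automate with integrated services" slide, as an added Python example that is not part of the deck or of any AWS code. It assumes the CloudWatch Events rule pattern given in the comment, GuardDuty's documented severity bands and finding field names, and hypothetical action names (notify, block_ip, isolate_instance) for the downstream Firewall Manager/WAF and EC2 steps, which are left to the integration.

```python
"""Added example (not from the deck): Lambda behind a CloudWatch Events rule on GuardDuty findings."""
import ipaddress

# Assumed rule pattern: {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
# GuardDuty severity bands: HIGH >= 7.0, MEDIUM >= 4.0, otherwise LOW.
HIGH, MEDIUM = 7.0, 4.0
# Internal address space that must never be pushed to a WAF / Firewall Manager block list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def severity_label(score):
    if score >= HIGH:
        return "HIGH"
    return "MEDIUM" if score >= MEDIUM else "LOW"

def remote_ip(detail):
    """Remote IPv4 address recorded in the finding's action block, if any."""
    action = detail.get("service", {}).get("action", {})
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None

def plan_remediation(event):
    """Action list for a downstream step (EC2 / WAF / FW Manager); action names are hypothetical."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return []  # not a GuardDuty finding: never act on unexpected input
    detail = event["detail"]
    label = severity_label(float(detail.get("severity", 0)))
    actions = [{"action": "notify", "finding": detail.get("type"), "severity": label}]
    ip = remote_ip(detail)
    if ip and label != "LOW" and not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS):
        actions.append({"action": "block_ip", "ip": ip})   # feed to a WAF IP set via FW Manager
    resource = detail.get("resource", {})
    instance = resource.get("instanceDetails", {}).get("instanceId")
    if label == "HIGH" and resource.get("resourceType") == "Instance" and instance:
        actions.append({"action": "isolate_instance", "instanceId": instance})  # quarantine SG
    return actions

def lambda_handler(event, context):
    return {"actions": plan_remediation(event)}

# Constructed sample finding, trimmed to the fields used above.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"networkConnectionAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}
```

The MEDIUM sample yields a notify plus a block_ip; raising the severity to the HIGH band adds the instance isolation, and a private remote address is never blocked.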
Typical Use Cases (AWS Firewall Manager, AWS WAF)
• Deploy OWASP rules for PCI compliance: PCI DSS 3.0 Requirement 6 suggests customers deploy a WAF with rules like the OWASP Top 10.
• Subscribe to managed rules from AWS Marketplace.
• Ensure the OWASP rule is applied across all PCI-tagged resources.
Layered Security Services
• AWS Shield: services covered: EC2, ALB (EIP), API GW, CloudFront, Route53, ELB. Managed DDoS protection.
• AWS WAF: services covered: ALB, API GW, CloudFront. Protect your web applications from common web exploits.
• AWS Firewall Manager: services covered: AWS WAF. Enable rapid response to internet attacks.
• AWS Security Hub: compliance; single pane of glass.
• Amazon GuardDuty: services covered: AWS account, EC2, IAM. Threat detection (threat intelligence); anomaly detection (ML).
• Amazon Macie: services covered: S3, IAM. Discover, classify and secure content; user behavior analytics.
• Amazon Inspector: services covered: EC2, IAM. Vulnerability management; packet-less port scan.
• Perimeter protection: AWS WAF, AWS Firewall Manager (external security services)