© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Baird, Enterprise Solutions Architect, AWS
August 17th, 2017
Automating Security in Cloud
Workloads with DevSecOps
What to expect from the session
Why security automation
Who, security team in a DevSecOps world
Where do you want security automation
When – Pre, post and everything in between
What can you do, practical examples
How – Tools and partners
Terminology Disclaimer
import re
term = 'DevSecOps'  # or SecDevOps, RuggedDevOps: the pattern accepts all three spellings
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged[Dd]ev)[Oo]ps', term)
=
Security Automation
At Scale
Why?
Why - Goals of DevSecOps
Pace of Innovation…meet Pace of Security Automation
Scalable infrastructure needs scalable security
Risk/rating based actions
Automatic Incident Response Remediation
Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry…we still need humans
Who?
Purpose
Security is a service team, not a blocker
Security is everyone's job
Allow flexibility and freedom, but control the flow and result.
Meet the new security team
Operations Engineering
Application
Security
Compliance
Development
Where
3(+) places
Continuous Integration / Continuous Deployment
1. Security of the CI/CD Pipeline
• Access roles
• Hardening build servers/nodes
2. Security in the CI/CD Pipeline
• Artifact validation
• Static code analysis
CI/CD for DevOps (pipeline diagram)
Stages: Dev commits to Git/master -> Version Control -> CI Server -> Package Builder -> Deploy Server -> Test Env / Staging Env / Prod Env (code, config, tests)
Diagram annotations: Get / Pull code and images; Distributed builds; Run tests in parallel; Send build report to Dev; Stop everything if build failed; Generate deployment templates for infrastructure; Create artifact repo; Push config; Install
CI/CD for DevSecOps (pipeline diagram)
Stages: Dev commits (block creds from git) -> Version Control -> CI Server -> Package Builder -> Promote Process -> Test Env / Staging Env / Prod Env (code, config, tests)
Diagram annotations: Get / Pull code and images; Log for audit; Scan hook; Audit/Validate config; Checksum; Continuous scan; Deployment templates for infrastructure; Send build report to Security; Stop everything if audit/validation failed
What about my other stuff?
3. Cloud scale Security
Infrastructure as code
• Base requirement!
• Split ownership
• Pre-deploy validation
Elastic security automation
• API driven
• Autoscaling groups – hooks
• Execution layer scales with targets
Run time security
• Tag based targeting
• Rip-n-replace
• Continuous pentesting
Immutable infrastructure
• Validation and enforcement
• Integrate with managed services
…
aka all the other stuff people are really talking about
When
Easy
All the time!
When – Control and Validate
Pre-event - When possible
• Store infrastructure in code repository
• Validate each push (git hooks)
• Use managed microservices as execution engine
• Scan cloud infrastructure templates for unwanted/risk valued configurations
• Validate Container definitions
• Validate system code early on
• Find unwanted libraries etc.
• Force infrastructure changes through templates
• Block if needed/unsure
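One way to run the "validate each push" and "block if needed/unsure" steps above as a hook, as an added example that is not code from the presentation: a scanner for CloudFormation JSON templates that flags world-open security group ingress, IAM statements allowing Action "*" on Resource "*", and public S3 canned ACLs, and reports any value it cannot resolve statically (an intrinsic function such as {"Ref": ...}) as "review" rather than ignoring it. The sample template, the admin port list and the severity names are constructed for this example.

```python
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # constructed: ports that must never be world-open

def _ingress_findings(name, props):
    # AWS::EC2::SecurityGroup carries a SecurityGroupIngress list; a standalone
    # AWS::EC2::SecurityGroupIngress resource carries the rule in its own props.
    for rule in props.get("SecurityGroupIngress") or [props]:
        cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
        if cidr is None:
            continue  # source is another security group, not a CIDR
        if not isinstance(cidr, str):  # {"Ref": ...} etc.: cannot resolve -> review
            yield (name, "review", "ingress CIDR is an intrinsic function")
            continue
        if cidr not in WORLD:
            continue
        proto, lo, hi = str(rule.get("IpProtocol", "-1")), rule.get("FromPort"), rule.get("ToPort")
        if proto == "-1":
            sev = "block"  # all protocols and ports from anywhere
        elif isinstance(lo, int) and isinstance(hi, int):
            sev = "block" if any(lo <= p <= hi for p in ADMIN_PORTS) else "review"
        else:
            sev = "review"  # port range is an intrinsic function
        yield (name, sev, f"world-open ingress {cidr} {proto} {lo}-{hi}")

def _iam_findings(name, props):
    docs = [props.get("PolicyDocument")]  # AWS::IAM::Policy / ManagedPolicy
    docs += [p.get("PolicyDocument") for p in props.get("Policies", [])]  # inline on a Role
    for doc in filter(None, docs):
        stmts = doc.get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            acts, res = s.get("Action", []), s.get("Resource", [])
            acts = [acts] if isinstance(acts, str) else acts
            res = [res] if isinstance(res, str) else res
            if s.get("Effect") == "Allow" and "*" in acts and "*" in res:
                yield (name, "block", "IAM statement allows Action * on Resource *")

def _s3_findings(name, props):
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        yield (name, "block", f"bucket canned ACL {props['AccessControl']}")

CHECKS = {"AWS::EC2::SecurityGroup": _ingress_findings, "AWS::EC2::SecurityGroupIngress": _ingress_findings,
          "AWS::IAM::Role": _iam_findings, "AWS::IAM::Policy": _iam_findings,
          "AWS::IAM::ManagedPolicy": _iam_findings, "AWS::S3::Bucket": _s3_findings}

def scan_template(template):
    """Return (logical_id, severity, message) for every risky resource in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

def should_block(findings):
    return any(sev == "block" for _, sev, _ in findings)

SAMPLE_TEMPLATE = {  # constructed sample, not a template from the deck
    "Parameters": {"AllowedCidr": {"Type": "String"}},
    "Resources": {
        "SshOpen": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "ssh", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "WebOpen": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": "sg-placeholder", "IpProtocol": "tcp", "FromPort": 443,
            "ToPort": 443, "CidrIp": "0.0.0.0/0"}},
        "ParamCidr": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": "sg-placeholder", "IpProtocol": "tcp", "FromPort": 22,
            "ToPort": 22, "CidrIp": {"Ref": "AllowedCidr"}}},
        "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {}, "Policies": [{"PolicyName": "admin",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}}}}

if __name__ == "__main__":  # hook usage: scan_template.py template.json; exit 1 on a block
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    findings = scan_template(template)
    print("\n".join(f"[{sev}] {name}: {msg}" for name, sev, msg in findings))
    sys.exit(1 if should_block(findings) else 0)
```

Wire the script into a pre-push hook (or the CI "scan hook" stage) and treat a non-zero exit as a failed build; "review" findings are the ones a human should look at before an override.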
When – Control and Validate
Post-event - Always
• Follow-up on sensitive APIs
• IAM, Security Groups/Firewall, Encryption keys, Logging, etc.
• Alert/Inform
• Use source of truth
• Locked to execution function (Read Only)
• Validate source
• Human or Machine/CICD
• Decide on remediation
When – Control and Validate
Triggers – Event based:
• Per change
• API based
• Event logs
• Per day
• Per framework
• Overall infrastructure, components and resources
• One component multiple frameworks
What
Give me some examples
Security validation in an elastic infrastructure
• Implement -> Validate -> Decide
• Terminate upon failure
Automatic Incident Response Remediation
• Autoheal CloudTrail logging
• Disable offenders
Integrate host-based action with cloud-based control
• Immutable infrastructure – Auto isolate instances
Example – Auto isolation
Modify
• /etc/pam.d/sshd
Execute script upon logon
• session optional pam_exec.so /path/trigger.sh
Trigger AWS event as marker using IAM roles for EC2
#!/bin/bash
# Read this instance's id and availability zone from the instance metadata service.
INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
# The region is the availability zone minus its trailing letter (us-east-1a -> us-east-1).
REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')
DATE=$(date)
# Tag the instance as the marker; the instance role only needs ec2:CreateTags for this.
aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"
Execute Lambda function using CloudWatch Events on marker detection
• Remove from load balancer/scaling groups (will auto-heal)
• Block in/outgoing traffic using security groups and ACL
Example – Auto isolation
Don’t forget safeguards!
• How many instances can I isolate before failure
• If isolated > x:
wake_human()
• Remember, x could be 0
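The Lambda side of the two slides above, as an added example that is not code from the presentation: it reads the Tainted marker from the ec2:CreateTags record forwarded by CloudWatch Events, applies the "if isolated > x: wake_human()" safeguard before touching anything, detaches the instance from its Auto Scaling group and swaps its security groups for a deny-all isolation group. Assumed and constructed: the CloudTrail record layout under event["detail"], the environment variables ISOLATION_SG, MAX_ISOLATED and ALERT_TOPIC_ARN, and the sample event.

```python
import os

MARKER_KEY = "Tainted"  # tag key written by the pam_exec trigger script above

def tainted_instances(detail):
    """Instance ids carrying the marker in a CloudTrail ec2:CreateTags record.

    Assumed record layout: requestParameters.tagSet.items[].key and
    requestParameters.resourcesSet.items[].resourceId.
    """
    if detail.get("eventName") != "CreateTags":
        return []
    params = detail.get("requestParameters", {})
    keys = {t.get("key") for t in params.get("tagSet", {}).get("items", [])}
    if MARKER_KEY not in keys:
        return []
    return [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])
            if str(r.get("resourceId", "")).startswith("i-")]

def plan(instance_ids, already_isolated, max_isolated):
    """Safeguard from the slide: isolate only while the total stays <= x (max_isolated);
    anything beyond that goes to a human. x = 0 means every isolation needs a human."""
    decision, count = {"isolate": [], "wake_human": []}, already_isolated
    for iid in instance_ids:
        if count + 1 > max_isolated:
            decision["wake_human"].append(iid)
        else:
            decision["isolate"].append(iid)
            count += 1
    return decision

def count_isolated(isolation_sg, region):
    """How many instances already sit in the deny-all isolation security group."""
    import boto3  # AWS-facing helpers import boto3 lazily so the planner runs offline
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance.group-id", "Values": [isolation_sg]}])
    return sum(len(r["Instances"]) for page in pages for r in page["Reservations"])

def isolate(instance_id, isolation_sg, region):
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    asg = boto3.client("autoscaling", region_name=region)
    # 1. Detach from its Auto Scaling group without lowering desired capacity: the group
    #    launches a clean replacement and deregisters this one from the load balancer /
    #    target group, which is the "will auto-heal" step on the slide.
    for member in asg.describe_auto_scaling_instances(
            InstanceIds=[instance_id])["AutoScalingInstances"]:
        asg.detach_instances(InstanceIds=[instance_id],
                             AutoScalingGroupName=member["AutoScalingGroupName"],
                             ShouldDecrementDesiredCapacity=False)
    # 2. Replace every security group with the isolation group (no ingress, no egress).
    #    Connections already tracked by the old groups may survive this change; the
    #    slide pairs it with a network ACL for that reason.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])

def wake_human(instance_ids, region):
    import boto3
    boto3.client("sns", region_name=region).publish(
        TopicArn=os.environ["ALERT_TOPIC_ARN"], Subject="Isolation cap reached",
        Message="Tainted but NOT isolated, needs a human: " + ", ".join(instance_ids))

def handler(event, context):
    """Lambda entry point for the CloudWatch Events rule on ec2:CreateTags."""
    region = event.get("region") or os.environ["AWS_REGION"]
    isolation_sg = os.environ["ISOLATION_SG"]
    max_isolated = int(os.environ.get("MAX_ISOLATED", "0"))  # x; default 0 always pages
    decision = plan(tainted_instances(event.get("detail", {})),
                    count_isolated(isolation_sg, region), max_isolated)
    for iid in decision["isolate"]:
        isolate(iid, isolation_sg, region)
    if decision["wake_human"]:
        wake_human(decision["wake_human"], region)
    return decision

SAMPLE_EVENT = {  # constructed CloudWatch Events payload, not a real record
    "region": "us-east-1",
    "detail": {"eventName": "CreateTags", "requestParameters": {
        "resourcesSet": {"items": [{"resourceId": "i-0123456789abcdef0"}]},
        "tagSet": {"items": [{"key": "Tainted", "value": "constructed"}]}}}}
```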
Example logging
Detect
• Cloud logging disabled
Priority
• Enable logging
Forensics
• Has this happened before?
Countermeasures
• If num_disabled > x: # x could be zero based on type and user
disable_user()
• Safeguard: Should I temporarily disable the user? Who is the user?
Alert!
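The logging example above carried through as a responder, as an added example that is not code from the presentation: restart the trail first, count how often this principal has done it before (the forensics step, kept in DynamoDB, which the deck lists under Track/Log), apply the "num_disabled > x" rule with the "who is the user?" safeguard, and alert on every occurrence. Assumed and constructed: the CloudTrail record layout, the environment variables HISTORY_TABLE, MAX_DISABLES, PROTECTED_ARNS and ALERT_TOPIC_ARN, the DynamoDB table schema (partition key "actor"), and the sample record.

```python
import json
import os

DISABLE_EVENTS = {"StopLogging", "DeleteTrail"}  # CloudTrail calls that switch logging off

def decide(detail, prior_count, threshold, protected_arns=()):
    """Map one CloudTrail record to actions: restart logging first, then judge the user.

    prior_count: how often this principal disabled logging before (the forensics step);
    threshold: x from the slide, which may be 0; protected_arns: principals never
    auto-disabled (break-glass users, the responder's own role).
    """
    name = detail.get("eventName")
    if name not in DISABLE_EVENTS:
        return None
    ident = detail.get("userIdentity", {})
    actor = ident.get("arn", "unknown")
    plan = {"actor": actor, "trail": detail.get("requestParameters", {}).get("name"),
            "restart_logging": name == "StopLogging", "quarantine_user": None, "escalate": []}
    if name == "DeleteTrail":  # nothing left to restart; redeploy the trail from its template
        plan["escalate"].append("trail deleted; recreate from infrastructure template")
    if prior_count + 1 > threshold:
        # Safeguard, "who is the user?": only plain IAM users get a deny policy; roles,
        # federated sessions, root and protected principals are handed to a human.
        if ident.get("type") == "IAMUser" and actor not in protected_arns:
            plan["quarantine_user"] = ident.get("userName")
        else:
            plan["escalate"].append(f"{prior_count + 1} logging-disable events by {actor}")
    return plan

QUARANTINE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})

def record_occurrence(table_name, actor, region):
    """Atomically increment and return the per-actor counter kept in DynamoDB."""
    import boto3  # AWS-facing helpers import boto3 lazily so decide() runs offline
    table = boto3.resource("dynamodb", region_name=region).Table(table_name)
    out = table.update_item(Key={"actor": actor}, UpdateExpression="ADD disable_count :one",
                            ExpressionAttributeValues={":one": 1}, ReturnValues="UPDATED_NEW")
    return int(out["Attributes"]["disable_count"]) - 1  # occurrences before this one

def apply_plan(plan, region):
    import boto3
    if plan["restart_logging"] and plan["trail"]:  # priority: get logging back on
        boto3.client("cloudtrail", region_name=region).start_logging(Name=plan["trail"])
    if plan["quarantine_user"]:
        # An explicit deny on everything is reversible by a human, unlike deleting keys.
        boto3.client("iam").put_user_policy(UserName=plan["quarantine_user"],
                                            PolicyName="AutoQuarantineDenyAll",
                                            PolicyDocument=QUARANTINE_POLICY)
    boto3.client("sns", region_name=region).publish(  # Alert! on every occurrence
        TopicArn=os.environ["ALERT_TOPIC_ARN"], Subject="CloudTrail logging disabled",
        Message=json.dumps(plan))

def handler(event, context):
    """Lambda entry point for the CloudWatch Events rule on CloudTrail API calls."""
    region = event.get("region") or os.environ["AWS_REGION"]
    detail = event.get("detail", {})
    if detail.get("eventName") not in DISABLE_EVENTS:
        return None
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    prior = record_occurrence(os.environ["HISTORY_TABLE"], actor, region)
    plan = decide(detail, prior, int(os.environ.get("MAX_DISABLES", "0")),
                  os.environ.get("PROTECTED_ARNS", "").split(","))
    apply_plan(plan, region)
    return plan

SAMPLE_STOP = {  # constructed CloudTrail record, not a real one
    "eventName": "StopLogging", "requestParameters": {"name": "org-trail"},
    "userIdentity": {"type": "IAMUser", "userName": "alice",
                     "arn": "arn:aws:iam::111111111111:user/alice"}}
```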
How
Partners - Security subcategories
NETWORK SECURITY
SECURITY INTELLIGENCE
IDENTITY & ACCESS MANAGEMENT
SERVER / ENDPOINT
Provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership.
With Sumo Logic, you can collect, compress, and securely transfer all of your log data regardless of volume, type, or location
Easy, fast and secure way to search, analyze and visualize massive data streams
OneLogin, the innovator in Identity and Access Management-as-a-Service (IDaaS)
Dome9 automates AWS security groups and adds an extra layer of protection against hackers
Proactive security from a single agent designed for AWS
Okta is an integrated identity and mobility management service
Protection of data, digital identities, payments, and transactions from the edge to the core
DATA SECURITY
Other popular solutions: Fortinet
Other popular solutions: Bitium, ClearLogin, Ping Identity
Other popular solutions: HyTrust, CTERA
Quickly create a hybrid architecture that extends your existing data center into AWS via encrypted tunnels
Get hourly proactive protection for your AWS workloads with Trend Micro Deep Security
SECURITY ORCHESTRATION
Cloud-native infrastructure security solution providing full coverage of all AWS accounts, services and regions
Other popular solutions: Tenable, Qualys
Other popular solutions: Symantec, Unisys
APPLICATION SECURITY
Many AWS-hosted applications choose Barracuda, an AWS Preferred Security Competency Partner, due to its continuous monitoring and policy tuning by world-class security experts
Imperva SecureSphere WAF for AWS extends all of the security and management capabilities of the world's most-trusted web application firewall to Amazon Web Services environments
Other popular solutions: Fortinet
Other popular solutions: Check Point, Fortinet, Alert Logic
SaaS Subscriptions
Dozens of SaaS applications addressing multiple use cases
AWS Marketplace
Discover, Procure, Deploy, and Manage Software In the Cloud
• 3,600+ software listings
• 51 paid SaaS products
• Over 1,100 participating ISVs
• Deployed in 14 AWS Regions
• 100,000+ active customers
• Over 300M of deployed EC2 instances per month
• That’s 400K per hour
• Curated Products
• Integrated to AWS Billing
Two ways to subscribe to SaaS products
PAY-AS-YOU-GO SUBSCRIPTIONS (MARKETPLACE METERING SERVICE)
• Buyers can easily find and subscribe to SaaS products in Marketplace. As they use the software, Seller sends metering records summarizing usage to AWS.
• AWS adds to the Buyer’s monthly bill, based on metered data sent by Seller.
• Launched November, 2016
PRE-PAID SUBSCRIPTIONS (CONTRACTS)
• Buyers can purchase monthly, yearly, or multi-year subscriptions that automatically renew through a shopping-cart experience. User provisioning and account setup continues within the seller’s application.
• Payment occurs up front. Buyers can increase the size of contracts at any time, adding to their existing renewal date at the pro-rated cost.
• Launching in April, 2017
AWS Tooling
Execution
• Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS Step Functions
• AWS CloudTrail
• AWS Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• SNS
Third party Open Source
Cool…so I just fix things??
Well…yes...but...
Risks
Failure is always an option, now at script speed
We forgot to tell you…
No proper alerting, logging or follow-up on automated events
You got scripts…they got scripts
How do you minimize risk of failed remediation functions?
What else can I do
Benchmarking infrastructure
Map your infrastructure against control frameworks
Single run for single account health check
AWS Config / Config Rules for compliance tracking
Example: OSS validation for CIS AWS Foundation Framework
• https://github.com/awslabs/aws-security-benchmark
Report this way…
Or this…
Or maybe just this
{"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14",
"1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3",
"3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
Control output based on consumer of data and post processing of result
At the end of the rainbow…
What are we trying to accomplish?
Goals
Minimize relying on humans for active security events
• Automation doesn’t sleep, eat or need coffee in the morning
Prevent bad configurations before they are implemented
Autocorrect/remediate violations where possible
Daily/instant benchmark validation of infrastructure
• Validate against industry frameworks
• Extend to remediation
Your next step
Look through your infrastructure security runbook
• What can you automate?
• How can you validate?
OSS Code to learn from
git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config.
Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
Netflix/edda - Edda is a service to track changes in your cloud deployments.
ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
CloudSploit - Capturing things like open security groups, misconfigured VPCs and more.
Stelligent/Cfn_nag - Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Capitalone/cloud-custodian - Rules engine for AWS fleet management.