In this SlideShare, we’ll share the AWS Security Best Practices for securing AWS environments, as well as some of the trends our research has shown with regard to attacks on those environments. We'll also introduce the key capabilities needed for a modern threat detection & incident response program customized for AWS, and other AWS Security Best Practices including:
- Asset Discovery: creating an inventory of running instances
- Vulnerability Assessment: conducting scans to assess exposure to attack and prioritize risks
- Change Management: detecting changes in your AWS environment and insecure network access control configurations
- S3 & ELB Access Log Monitoring: monitoring access logs of hosted content and data directed at your instances
- CloudTrail Monitoring and Alerting: monitoring the CloudTrail service for abnormal behavior
- Windows Event Monitoring: analyzing system-level behavior to detect advanced threats
With more IT environments moving data and applications to AWS, the motivation for hackers to target AWS environments is also increasing. We believe these AWS Security Best Practices will be a valuable addition to every security practitioner’s playbook.
We'll finish up with a demo of NEW AlienVault USM for AWS, which delivers all of the above capabilities, plus log management & event correlation to help you detect threats quickly and comply with regulatory requirements.
3. Agenda
Review of the AWS “Shared Security” Model
Implications on Threat Detection
Current state of Security in the Amazon AWS Cloud
Effective Security Monitoring in AWS
6. Plenty of advice on how to secure your AWS implementation:
• Secure the root credentials with a strong password and multi-factor authentication
• Use Multi-Factor Authentication for all admin accounts
• AWS VPC security
• AWS EC2 security: Use roles with minimal permissions to make API calls from within EC2.
• Use CloudTrail to track changes made to the environment via API calls.
• Make use of intrusion detection and log analysis in your environment
• For more complex environments, use SAML to establish a single sign-on (SSO) for your AWS management.
AWS: Shared Security Model
[Diagram: shared security model stack: AWS / APPLICATION / OPERATING SYSTEM / NETWORK / HYPERVISOR / PHYSICAL]
7. AWS: Shared Security Model
[Diagram: shared security model stack: AWS / APPLICATION / OPERATING SYSTEM / NETWORK / HYPERVISOR / PHYSICAL]
So how do you monitor your environment?
How do you detect the latest threats?
What we do know is if an environment can be compromised, it WILL be compromised.
8. AWS: What is effective monitoring?
View user activity
Detect known malicious behavioral patterns
Identify anomalous activity
Audit best practices and secure configuration
Dynamically adapt to a changing environment
10. In other words…
• What services are my users using?
• Who terminated my instance?
• Do any of my instances have known vulnerabilities?
• Has anyone updated my security groups?
• Do I have any of my services publicly accessible?
11. AWS: The Current State Of Security
Failure to use Security Groups – more than 20,000 databases are publicly accessible in one Amazon region alone (9 Regions total).
Failure to manage credentials – unrestricted AWS credentials used in deployments.
Hackers are stealing compute power with stolen AWS API credentials.
Hackers are using stolen servers as command and control servers.
12. • Heavily Restricted Deployment Environment
• New Security Model With New Features
• Dynamic Environment
Online Retailer – “CloudTrail is a great start, but I need to understand what it is saying.”
“I just don’t have visibility into when Amazon’s security features are working.”
“The stuff I bought for my other datacenter just doesn’t work here.”
“I’m not sure if my developers are exposing the company to more risk.”
“It is my impression that this is not Amazon’s fault that these issues exist. Most of the vulnerabilities this year are from misconfigurations or small things where the developers working on applications made mistakes” – Andres Riancho @ BlackHat
The Security Problem Opportunity
13. What is effective monitoring in AWS?
Dynamically scalable monitoring
Visibility into the API activity
Assessment of the environment’s configuration
[Diagram: shared security model stack: AWS / APPLICATION / OPERATING SYSTEM / NETWORK / HYPERVISOR / PHYSICAL]
14. USM for AMAZON
Heavily Restricted Deployment
• Vulnerability Scanning
• API Audit Logs Analysis
New Security Model
• AWS Infrastructure Assessment
Dynamic Environment
• Log Management
• Asset Discovery
• CloudTrail Logs Integration
Native Cloud Features
• Horizontally scalable storage and correlation
• Automated Deployment in your environment from AWS
15. Core Features
AUTOMATED ASSET DISCOVERY – Manage security the way your infrastructure is managed.
Automatically inventory running instances
Full visibility into AWS metadata for forensic analysis
Map all security data back to Amazon instance IDs for real cloud forensics
AMAZON INFRASTRUCTURE ASSESSMENT – Double-check use of AWS security primitives and detect changes.
Detect insecure configuration of network access controls
Remotely accessible service ports.
Remotely accessible management ports.
[Diagram: a VPC subnet containing three Security Groups]
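The network access control assessment described above, together with the publicly accessible databases of slide 11, as an added example that is not AlienVault's own code: it takes Security Groups in the shape EC2 DescribeSecurityGroups returns (an assumed layout, constructed inline rather than fetched) and reports every watched database or management port that a group opens to the whole internet, including rules that allow all traffic.

```python
from ipaddress import ip_network

# Ports the slides single out: database engines left reachable without a
# restrictive Security Group, plus remotely accessible management ports.
WATCHED = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
           5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# Constructed Security Groups, laid out like the SecurityGroups list that
# EC2 DescribeSecurityGroups returns (assumed shape; not a live API call).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0db00001", "GroupName": "db-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db00002", "GroupName": "db-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0adm0003", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web0004", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a range that admits every address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def assess_security_groups(groups):
    """Return (group_id, service, port, cidr) for each watched port a group
    exposes to the whole internet. 'All traffic' rules (IpProtocol -1) carry
    no port fields and cover every port; ICMP rules are skipped because their
    FromPort/ToPort hold ICMP type and code rather than ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            exposed = [c for c in cidrs if world_open(c)]
            lo = 0 if proto == "-1" else perm["FromPort"]
            hi = 65535 if proto == "-1" else perm["ToPort"]
            for port, service in sorted(WATCHED.items()):
                if lo <= port <= hi:
                    findings.extend((sg["GroupId"], service, port, c) for c in exposed)
    return findings
```

On the constructed groups this reports one MySQL exposure and seven exposures for the allow-all group; the private PostgreSQL group and the HTTPS-only group produce nothing.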
16. Core Features
LOG MANAGEMENT & CORRELATION – Monitor your applications & systems for compliance & security.
Monitor your applications to detect behavioral changes
Secure storage for compliance
S3 & CloudWatch Log integration for ease of management
CLOUDTRAIL MONITORING & ALERTING – Notification of environmental changes & abuse.
Monitor full API audit log
Monitor and alert on critical environment updates
Monitor and alert on malicious behavior
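Answering two of the slide 10 questions (“Who terminated my instance?” and “Has anyone updated my security groups?”) from the CloudTrail API audit log this slide describes, as an added example that is not AlienVault code: the records are constructed inline in the field layout CloudTrail uses for EC2 events (an assumption here), and the check runs offline against them.

```python
import json

# Constructed CloudTrail records, trimmed to the fields this check reads. The
# field layout follows what CloudTrail emits for EC2 events (an assumption here,
# not taken from the deck); real log objects hold the same list under "Records".
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-01T12:00:00Z", "eventName": "TerminateInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
    {"eventTime": "2014-10-01T12:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-1a2b3c4d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-10-01T12:06:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]})

WORLD = {"0.0.0.0/0", "::/0"}


def who(record):
    """Name the principal behind a record: IAM user name, else ARN, else type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def cloudtrail_alerts(log_json):
    """Scan one CloudTrail log object and return (eventName, actor, detail) for
    the two changes slide 10 asks about: who terminated an instance, and who
    opened a Security Group ingress rule to the whole internet. Read-only calls
    such as DescribeInstances produce no alert."""
    alerts = []
    for rec in json.loads(log_json)["Records"]:
        name, params = rec["eventName"], rec.get("requestParameters") or {}
        if name == "TerminateInstances":
            ids = ",".join(i["instanceId"] for i in params["instancesSet"]["items"])
            alerts.append((name, who(rec), f"terminated {ids} from {rec['sourceIPAddress']}"))
        elif name == "AuthorizeSecurityGroupIngress":
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") in WORLD:
                        alerts.append((name, who(rec), f"{params['groupId']} opened "
                                       f"{perm['ipProtocol']}/{perm['fromPort']}-{perm['toPort']} to {rng['cidrIp']}"))
    return alerts
```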
17. Core Features
VULNERABILITY ASSESSMENT – Stay ahead of vulnerabilities & understand your exposure.
Elastically assess your infrastructure
Auto-Notification of new instances
Secure, authenticated scans with low overhead
ELASTIC SCALABILITY
Horizontally scales as you grow.
CloudFormation templates for easy provisioning
Priced for elastic environments.
[Diagram: an Auto-Scaling Group]
19. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Questions?
Download a Free 15-Day Trial
http://www.alienvault.com/free-trial
Check out our Solution Brief:
AlienVault Unified Security Management for AWS
http://www.alienvault.com/resource-center/solution-briefs/alienvault-unified-security-management-for-aws
Reach out to us
• rgeorgian@alienvault.com
• Hello@alienvault.com
• Twitter: @AlienVault