This document summarizes a presentation about securing data on AWS. It discusses how AWS can provide more security than on-premises environments through automated logging and monitoring, simplified access controls, and built-in encryption. It also outlines how AWS and customers share responsibility for security, with AWS managing the security of the cloud infrastructure and customers defining access and encryption controls for their applications and data. The presentation then demonstrates FireEye's Threat Analytics Platform for providing cloud-based threat detection, investigation, and response capabilities tailored for AWS environments.
2. Presenters
• Patrick McDowell - Solutions Architect, AWS
• Josh Goldfarb - VP, CTO - Emerging Technologies, FireEye
• Paul Lee - Senior Deployment Engineer - TAP, FireEye
3. Your Data and IP are your Most Valuable Assets
• $6.53M – Average cost of a data breach
• 56% – Increase in theft of hard intellectual property
• 70% – Of consumers indicated they’d avoid businesses following a security breach
Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
4. AWS Can Be More Secure than your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
5. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services – Compute, Storage, Database, Networking
• AWS Global Infrastructure – Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
6. Constantly monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
7. Highly available
The AWS infrastructure footprint protects your data from costly downtime:
• 35 Availability Zones in 13 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like AutoScaling and Amazon Route 53
8. Integrated with your existing resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
10. Threat Analytics Platform Overview – Cloud-based Threat Detection and Incident Investigation
Presented by:
• Josh Goldfarb, VP, CTO - Emerging Technologies
• Paul Lee, Senior Deployment Engineer - TAP
11. What’s at Risk?
• 97% of organizations were breached
• 3/4 had active command and control communications
• 146 days – median number of days before detection
• 32 days to respond to a breach
• 53% of companies learned they were breached from an external entity
Source: Mandiant M-Trends Report / Ponemon Cost of Data Breach Study / Cyber Security’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model
12. Traditional Detection Strategies Aren’t Working
SIEM – Built for Compliance, not Security
• ‘Newly found’ “analytics love” is really old “SIEM hatred” – Anton Chuvakin, Jan 2015
• Average 15.2 months to fully implement (Ponemon 2015)
• Implementation costs 3-5x software expenditure (Ponemon 2015, FireEye customer)
MSSP – Built for operational efficiency, not Security
• One size fits all – they don’t know your environment
• No custom rules
• Onboarding can be complex and slow
• Present alerts but don’t tell you how to respond
14. What’s Holding you Back?
Threat detection
• Overwhelmed by alert noise – alerts lack context
• Inability to proactively hunt for covert, non-malware activity
• Lack of visibility
Analyst enablement
• Hard to find, train and retain security talent
• Investigation tools are expensive, complex and don’t easily scale
15. FireEye’s Threat Analytics Platform – Cloud-based threat detection and investigation
Visibility
• Real-time, enterprise-wide visibility
• Ingest AWS logs including AWS CloudTrail and VPC flow logs
• Customizable views
• Threat Intel sharing portal
Investigation
• Alerts enriched with supporting data
• Threat intelligence and point-in-time context about users affected, actions taken and hosts involved
• Guided Investigation leads you through industry-leading investigative strategies
Detection
• Dedicated rules team evolves detection to respond to new threats
• Continuous application of threat insight to identify attacks and provide context
• Intel and rules evaluated against every event
Time to value
• Cloud-based infrastructure
• Simplified deployment and management
• Focus on managing incidents – not your tools
16. Real-time, Enterprise-wide Visibility
Unified – Single pane of glass
• Single interface gives analysts visibility into both cloud and datacenter resources
• One tool for hunting, alerting, investigating, and responding
Dashboards – Customizable views
• Customizable views ensure analysts can quickly see what's most important
• Pivot directly from dashboard into investigation to detect and respond to incidents more quickly
Sharing – Threat Intel sharing portal
• Control what you share and with whom you share it, either openly or anonymously
• Auto-extract IOCs from documents and export them in multiple standard formats
17. Detection that Evolves with Your Attackers
Rules – Codifies 20+ years of security expertise
• Detects non-malware attacker methodology as well as malware family behavior
• Dedicated team of data scientists and security researchers continually refines the detection ruleset
Analytics – Detects non-malware based activity
• Heuristic-based detection identifies previously unknown attacker behavior
• Focused on non-malware activity such as lateral movement & exfiltration
Indicators – Tactical, strategic, and operational intelligence
• Threat intelligence gleaned from the front lines
• Domains, IP addresses, email addresses, MD5 hashes
18. Where Does Our Intel Come From?
FireEye Sensors
• 3,400+ customers
• 250+ of the Fortune 500
• 67 countries
Mandiant
• 1,200+ customers
• 200+ of the Fortune 500
• 46 countries with customers
iSight
• 20 locations worldwide
• 18 countries
• 100+ experts
FaaS
• 7 security operations centers
• 200+ clients
• 26+ million hits reviewed in 2015
19. Agile, Guided Investigation
Actionable Threat Insight – Create breach storylines to plan your defense
• Alerts enriched with detailed attacker context
• Point-in-time context regarding users impacted, actions taken and hosts involved
• Quickly validate and scope the incident
Agile Investigation – Identify details around the intrusion
• Easily pivot around indicators of compromise
• Perform frequency analysis to spot anomalies
• Scheduled search automates analysis activities
Guided Investigation – Inform and accelerate investigation efforts
• Industry-leading investigative strategies
• Sets of queries, based on different attack scenarios
• Scenarios provide pre-populated questions and answers to help guide investigation efforts
20. Cloud-based Threat Detection and Incident Investigation
Quick Time to Value
• Up and running in hours, not months
• Virtual log collection ensures minimal onsite configuration
• Fee-based jumpstart support available if required
Easily Scalable
• Elastic, cloud-based deployment model
• Metered by volume of event data consumed and how long data is retained for search
• Scale seamlessly during activity bursts
Predictable Cost
• Cloud-based subscription model provides predictable operating expense
• Includes software, support, infrastructure, threat intelligence and codified security expertise
• Eliminates costly professional services engagements
21. Security for the Cloud, from the Cloud
Detect malicious activity in AWS environments by providing increased
simplicity, accessibility, and actionability to the data and information
provided by Amazon’s cloud.
22. Simplicity
• Move naturally from alerting to searching to incident response
• Easy onboarding of logs from AWS services as well as Amazon EC2 instance and application logs
– CloudTrail
– CloudWatch (including VPC Flow Logs)
– Elastic Load Balancing (ELB)
– And more …
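The log sources listed above (CloudTrail and VPC Flow Logs via CloudWatch) are the same events that slide 15 says rules and intel are evaluated against, one by one, and then enriched with user, action and host context for the analyst. The following is an added example, not code from the presentation or from FireEye's product: a small Python rule pass over constructed CloudTrail and VPC Flow Log samples that flags an API call that weakens trail logging, runs a frequency check on rejected connections per source, and joins the two on source IP so an analyst can pivot from a host to the IAM user. Rule names, the threshold and all sample values are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample input (not from the presentation): two CloudTrail records
# and four VPC Flow Log lines in the default version-2 field order.
CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2016-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.5", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2016-05-01T10:02:00Z", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}}]})
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 44321 22 6 3 180 1462096900 1462096960 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 44322 23 6 3 180 1462096900 1462096960 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 44323 3389 6 3 180 1462096900 1462096960 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.1.20 51000 443 6 40 9000 1462096900 1462096960 ACCEPT OK
"""

# Rule 1 (assumed rule): API calls that weaken audit logging. Every CloudTrail
# record is checked; a hit is enriched with user, source IP, action and time.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def cloudtrail_alerts(raw):
    alerts = []
    for rec in json.loads(raw)["Records"]:
        if rec["eventName"] in LOGGING_TAMPER_EVENTS:
            alerts.append({"rule": "cloudtrail-logging-tampered",
                           "user": rec["userIdentity"].get("userName", "unknown"),
                           "source_ip": rec["sourceIPAddress"],
                           "action": rec["eventName"], "time": rec["eventTime"]})
    return alerts

# Rule 2 (assumed rule): frequency analysis over flow logs. One source rejected
# on several distinct destination ports of the same interface gets an alert.
def flowlog_alerts(raw, min_ports=3):
    ports = defaultdict(set)
    for line in raw.splitlines():
        f = line.split()
        if len(f) >= 14 and f[12] == "REJECT":
            ports[(f[2], f[3])].add(int(f[6]))  # (interface, source IP) -> dst ports
    return [{"rule": "rejected-port-sweep", "host": eni, "source_ip": src,
             "ports": sorted(p)} for (eni, src), p in ports.items()
            if len(p) >= min_ports]

def pivot_by_source_ip(ct_alerts, fl_alerts):
    """Join alerts sharing a source IP: pivot from host-level rejects to the IAM user."""
    by_ip = defaultdict(list)
    for a in ct_alerts + fl_alerts:
        by_ip[a["source_ip"]].append(a["rule"])
    return {ip: rules for ip, rules in by_ip.items() if len(rules) > 1}
```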
23. Accessibility
• Flexible deployment models to suit virtually any cloud-based or hybrid-cloud infrastructure
• Provides a “single pane of glass” for monitoring cloud activity as well as traditional datacenter logs
• Extensive signature sets curated by FireEye in response to emerging threats
• RESTful API available for integration and automation
24. Flexible Deployment Model
[Architecture diagram: CloudTrail and CloudWatch logs from the cloud, and security and network logs from the data center, are collected by TAP CB components and sent to the FireEye Cloud, which holds the event index, database, intelligence, analytics and rules; a dedicated VPC hosts the user interface, where the analyst receives alerts, reports and search results.]
25. Actionability
• Quickly search through billions of events with sub-second response
• Deliver rich insight into threat actor profiles to provide context to threats targeting your organization
• Alerting and incident response (IR) workflow
• Prebuilt rule packs and custom rule capabilities
26. Customer Use Case – Problem Statement
• Customer decided to make a substantial investment in AWS but lacked the tooling to effectively monitor both their cloud infrastructure as well as their traditional datacenters.
• Existing security tools, while adequate for their legacy systems, were not well suited for the elastic nature of the cloud.
• Customer needed a solution that was able to provide the visibility to monitor both environments and give analysts the tools necessary to build an effective cyber defense center.
27. Customer Use Case – Solution
• FireEye implemented the Threat Analytics Platform (TAP) to provide enterprise-wide visibility across both the cloud and legacy environments.
• TAP’s scalable ingestion and cloud-based back end eliminated many traditional hurdles such as host-based agents and licensing counts.
• TAP’s rapid search and real-time alerting provided analysts the ability to move from compromised instances to compromised accounts and track attackers’ activities.
28. Why FireEye?
Built by practitioners for practitioners
• Designed by incident responders on the front lines of the world’s largest breaches
• Sub-second search across billions of events
• Inline integration with strategic threat intel for attack and attacker context
• Integrated case management
Simplified deployment and management
• Immediate time-to-value with minimal onsite configuration
• Reduced management & tuning costs
• Scale seamlessly during activity bursts
Intelligence & expertise to detect the unknown
• Discovered 25 of the last 40 zero days
• Intelligence-informed detection leverages FireEye threat insight
• Detection rules codify incident response front-line expertise
• Heuristic-based detection to identify anomalous activity