This document summarizes a presentation about securing data on AWS. It discusses how AWS can provide more security than on-premises environments through automated logging and monitoring, simplified access controls, and built-in encryption. It also outlines how AWS and customers share responsibility for security, with AWS managing the security of the cloud infrastructure and customers defining access and encryption controls for their applications and data. The presentation then demonstrates FireEye's Threat Analytics Platform for providing cloud-based threat detection, investigation, and response capabilities tailored for AWS environments.

1. Securing your Data on AWS

2. Presenters
• Patrick McDowell- Solutions Architect, AWS
• Josh Goldfarb - VP, CTO - Emerging Technologies, FireEye
• Paul Lee - Senior Deployment Engineer – TAP, FireEye

3. $6.53M 56% 70%
Increase in theft of hard
intellectual property
Of consumers indicated
they’d avoid businesses
following a security breach
Average cost of a
data breach
Your Data and IP are your Most Valuable Assets
https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber-
security/information-security-survey.html
https://www.csid.com/resources/stats/data-breaches/

4. In June 2015, IDC released a report which found that most customers
can be more secure in AWS than their on-premises environment. How?
Automating logging
and monitoring
Simplifying
resource access
Making it easy to
encrypt properly
Enforcing strong
authentication
AWS Can Be More Secure than your Existing
Environment

5. AWS and you share responsibility for security
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Identity &
Access Control
Network
Security
Customer applications & content
You get to
define your
controls ON
the Cloud
AWS takes
care of the
security OF
the Cloud
You
Inventory
& Config
Data
Encryption

6. Constantly monitored
The AWS infrastructure is protected by extensive network and security
monitoring systems:
• Network access is monitored by AWS
security managers daily
• AWS CloudTrail lets you monitor
and record all API calls
• Amazon Inspector automatically assesses
applications for vulnerabilities

7. Highly available
The AWS infrastructure footprint protects your data from costly downtime
• 35 Availability Zones in 13 regions for
multi-synchronous geographic redundancy
• Retain control of where your data resides
for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using
services like AutoScaling, Amazon Route 53

8. Integrated with your existing resources
AWS enables you to improve your security using many of your existing
tools and practices
• Integrate your existing Active Directory
• Use dedicated connections as a secure,
low-latency extension of your data center
• Provide and manage your own encryption
keys if you choose

9. Key AWS certifications and assurance programs

10. Threat Analytics Platform
Overview
Presented by:
Josh Goldfarb, VP, CTO - Emerging Technologies
Paul Lee, Senior Deployment Engineer - TAP
Cloud-based Threat Detection and Incident Investigation

11. What’s at Risk?
of organizations were
breached
Source: Mandiant M-trends Report / Ponemon Cost Of Data Breach Study
Cyber Security’s Maginot line: A Real-World Assessment of the Defense-in-Depth Model
had active command and
control communications
median number of days
before detection
to respond to a breach
of companies learned they
were breached from an
external entity
97%
146 days
3/4 53%
32 days

12. SIEM
 Built for Compliance
– not Security
 ‘Newly found’ “Analytics love is
really old “SIEM hatred” Anton
Chuvakin Jan 2015
 Average 15.2 months fully
implement, Ponemon 2015
 Implementation costs 3-5x
software expenditure, Ponemon
2015, FireEye Customer.
MSSP
 Built for operational efficiency
– not Security
 One size fits all – they don’t
know your environment
 No custom rules
 Onboarding can be complex
and slow
 Present alerts but don’t tell you
how to respond
Traditional Detection Strategies Aren’t Working

13. Capability
Investigation &
response
Proactive
hunting
Adaptive
detection
Compliance
Moving from Compliance to Proactive Security
Cyber security program maturity. Where do you fall?
Time
Security operations center Cyber incident response team Cyber defense center

14. Overwhelmed by
alert noise
–
Alerts lack context
Inability to proactively
hunt for covert,
non-malware
Lack of Visibility Hard to find, train and
retain Security Talent
Investigation tools are
expensive, complex
and don’t easily scale
What’s Holding you Back?
Threat detection Analyst enablement

15. Visibility
 Real-time, enterprise-wide visibility
 Ingest AWS logs including AWS
CloudTrail and VPC flow logs
 Customizable views
 Threat Intel sharing portal
Investigation
 Alerts enriched with supporting data
 Threat intelligence and point-in-time
context about users affected, actions
taken and hosts involved
 Guided Investigation leads you
through industry-leading
investigative strategies
Detection
 Dedicated rules team evolves
detection to respond to new threats
 Continuous application of threat
insight to identify attack and
provide context
 Intel and rules evaluated against
every event
Time to value
 Cloud-based infrastructure
 Simplified deployment and management
 Focus on managing incidents – not
your tools
FireEye’s Threat Analytics Platform
Cloud-based threat detection and investigation

16.  Single interface gives analysts
visibility into both cloud and
datacenter resources
 One tool for hunting, alerting,
investigating, and responding.
 Customizable views ensure
analysts can quickly see what's
most important
 Pivot directly from dashboard into
investigation to detect and
respond to incidents more quickly
 Control what you share and with
whom you share it either openly or
anonymously
 Auto-extract IOC’s from documents
and supports exporting in multiple
standard formats
Unified
Single pane of glass
Dashboards
Customizable views
Sharing
Threat Intel sharing portal
Real-time, Enterprise-wide Visibility

17.  Detects non-malware attacker
methodology as well as malware
family behavior
 Dedicated team of data scientists
and security researchers continually
refine detection ruleset
 Heuristic-based detection
identifies previously unknown
attacker behavior
 Focused on non-malware activity
such as lateral movement &
exfiltration
 Threat intelligence gleaned from
the front lines
 Domains, IP addresses, email
addresses, MD5 hashes
Rules
Codifies 20+ years of security
expertise
Analytics
Detects non-malware based
activity
INDICATORS
Tactical, strategic, and
operational intelligence
Detection that Evolves with Your Attackers

18. Where Does Our Intel Come From?
FireEye Sensors
3,400+ customers
250+ of the Fortune 500
67 countries
Mandiant
1,200+ customers
200+ of the Fortune 500
46 countries with customers
iSight
20 locations worldwide
18 countries
100+ experts
FaaS
7 security operations centers
200+ clients
26+ million hits reviewed in 2015

19.  Alerts enriched with detailed
attacker context
 Point-in-time context regarding
users impacted, actions taken and
hosts involved
 Quickly validate and scope the
incident.
 Easily pivot around indicators of
compromise
 Perform frequency analysis to
spot anomalies
 Scheduled search automates
analysis activities
 Industry-leading investigative
strategies
 Sets of queries, based on different
attack scenarios.
 Scenarios provides pre-populated,
questions and answers to help guide
investigation efforts
Actionable Threat Insight
Create breach storylines to plan
your defense
Agile Investigation
Identify details around
the intrusion
Guided Investigation
Inform and accelerate
investigation efforts
Agile, Guided Investigation

20.  Up and running in hours not
months
 Virtual log collection ensures
minimal onsite configuration
 Fee-based jumpstart support
available if required
 Elastic, cloud-based deployment
model
 Metered by volume of event data
consumed and how long data is
retained for search
 Scale seamlessly during activity
bursts
 Cloud-based subscription model
provides predictable operating
expense
 Includes software, support,
infrastructure, threat intelligence
and codified security expertise
 Eliminates costly professional
services engagements
Quick Time to Value Easily Scalable Predictable Cost
Cloud-based Threat Detection and Incident
Investigation

21. Security for the Cloud, from the Cloud
Detect malicious activity in AWS environments by providing increased
simplicity, accessibility, and actionability to the data and information
provided by Amazon’s cloud.

22. Simplicity
 Move naturally from alerting to
searching to incident response
 Easy onboarding of logs from AWS
services as well as Amazon EC2
instance and application logs
– CloudTrail
– CloudWatch (including VPC Flow Logs)
– Elastic Load Balancing (ELB)
– And more ….

23. Accessibility
 Flexible deployment models to suit virtually any cloud-
based or hybrid-cloud infrastructure
 Provides a “single pane of glass” for monitoring cloud
activity as well as traditional datacenter logs
 Extensive signature sets curated by FireEye in response
to emerging threats
 RESTful API available for integration and automation

24. Flexible Deployment Model
Intelligence Analytics
Rules Event index
Dedicated VCP User interface
Alert Alert
Reports Search
Analyst
CloudTrail
CloudWatch
Cloud
Data center
FireEye CloudDatabase
Security
Network
TAP CB
TAP CB

25. Actionability
 Quickly search through billions of events with
sub-second response
 Deliver rich insight into threat actor profiles to
provide context to threats targeting your
organization
 Alerting and incident response (IR) workflow
 Prebuilt rule packs and custom rule
capabilities

26. Customer Use Case – Problem Statement
Customer decided to make a
substantial investment in AWS but
lacked the tooling to effectively
monitor both their cloud
infrastructure as well as their
traditional datacenters.
Existing security tools, while
adequate for their legacy systems,
were not well suited for the
elastic nature of the cloud.
Customer needed a solution that
was able to provide the visibility to
monitor both environments and
give analysts the tools necessary
to build an effective cyber
defense center.

27. Customer Use Case – Solution
FireEye implemented the Threat
Analytics Platform (TAP) to provide
enterprise-wide visibility across
both the cloud and legacy
environments.
TAP’s scalable ingestion and cloud-
based back end eliminated many
traditional hurdles such as host-
based agents and licensing counts.
TAP’s rapid search and real-time
alerting provided analysts the ability
to move from compromised
instances to compromised accounts
and track attackers’ activities.
1 2 3

28.  Designed by incident responders
on the front-lines of the world’s
largest breaches
 Sub-second search across billions
of events
 Inline integration with strategic
threat intel for attack and attacker
context
 Integrated case management
Built by practitioners for
practitioners
 Immediate time-to-value with
minimal onsite configuration
 Reduced management &
tuning costs
 Scale seamlessly during
activity bursts
 Discovered 25 of the last 40
zero days
 Intelligence-informed detection
leverages FireEye threat insight
 Detection rules codify Incident
response front-line expertise
 Heuristic-based detection to
identify anomalous activity
Intelligence & expertise to
detect the unknown
Why FireEye?
Simplified deployment and
management

29. Live Demo
Copyright © 2016, FireEye, Inc. All rights reserved.
For more information, visit:
www.fireeye.com/go/tap

30. Q & A
Copyright © 2016, FireEye, Inc. All rights reserved.
For more information, visit:
www.fireeye.com/go/tap