In the presentation, we plan to announce the full version of a new open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. We demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically, evaluating its security and remediating it automatically if a vulnerability is found. In the live demo, we leverage Amazon Web Services EC2 cloud-init scripts and object storage to provision automated security configuration and integrate encryption, including secure encryption key repositories for secure server communication. The result of these techniques is cloud servers that are resilient, automatically configured, and have a reduced attack surface.
DEFCON 23: From Zero to Secure in 1 Minute - Nir Valtman and Moshe Ferber
1. From 0 to Secure in 1 Minute
DEFCON 23
Nir Valtman & Moshe Ferber
2. About Us
Nir Valtman / Moshe Ferber
CISO Retail in NCR Corporation.
We own a private cloud and offer SaaS. Yes… we do security!
Instructor for Cloud Security (CCSK) – that's what I really like doing.
Passionate about information security.
Involved in numerous startups and initiatives – sometimes with success, sometimes not…
Industry speakers and lecturers – that's why we are here.
I like non-sweating sports! / I don't like sport!
3. About the talk
Cloud security challenges and benefits
And more specifically, using IaaS automation and orchestration features for increasing the security
(Cloud stack diagram: Dashboard, Billing and API; Orchestration; Hypervisor, Controller and Abstraction; Physical layer of Servers, Network and Storage.)
6. Anatomy of a cloud hack – the BrowserStack story
Shellshock vulnerability on an unused server → found an API key on the hacked server → used the API key to open a firewall rule and launch an instance → attached a backup volume to the instance → found database credentials on the backup volume → connected to the DB.
SOURCE: https://www.browserstack.com/attack-and-downtime-on-9-November
7. Do we have the right tools?
Source: http://ifail.info/wp-content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9
8. About the talk
Architecture and deployments are changing: micro-services architecture, DevOps, continuous delivery.
The billing cycle is shrinking: 1 hour → 10 min → 1 min. ("Google slashes cloud platform price again"; "Microsoft will offer Azure by the minute to take on Amazon's cloud"; "Microsoft follows Google with by-the-minute cloud billing".)
Auto scaling.
9. About the talk
How do you do security when servers are alive for 10 minutes?
Patch management, maintenance windows, periodic vulnerability scanning, hardening.
11. About the talk
Introducing Cloudefigo (SOURCE: http://www.cloudefigo.org/).
Based on the work of Rich Mogull from Securosis: https://github.com/securosis
12. Cloudefigo Lifecycle
1. Server launch
2. Server loads security configuration (from S3)
3. Server encrypts disk volumes
4. Server is scanned for vulnerabilities
5. Server moves to production
15. LAUNCH (Prepare / Cloudinit)
Each machine manages its own attributes: its encryption keys and its membership in the remediation vs. production groups.
Managing these attributes requires permissions, and the permissions needed during launch are broader than those needed in production.
Thus, a dynamic IAM role is required: broad at launch, reduced once the instance is promoted.
20. UPDATE (OS update / Pre-requisites)
Cloud-init installs the software packages required to operate: Python + pip + wheel; the AWS SDK (Boto); the Chef client + Chef SDK (PyChef).
It downloads configurations and scripts from S3: the Cloudefigo script and the Chef client initialization files.
Cloud-init also creates and attaches a volume for application files and data.
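The LAUNCH and UPDATE stages above, as one added example (this is not Cloudefigo's own code). It builds the cloud-init user-data that installs the prerequisites, pulls the Cloudefigo script and Chef init files from S3, and creates/attaches the data volume; it launches the instance under a broad launch-phase instance profile; and it swaps that profile for a narrow production one afterwards, with a check that the production role never grants more than the launch role did. The bucket, object paths, profile names, policy contents, region and the Chef omnitruck installer URL are assumptions, not values from the slides.

```python
"""Launch-phase bootstrap for a Cloudefigo-style instance (added example).

Assumptions (not from the slides): bucket name, object paths, profile/role names,
policy contents, region and the Chef installer URL are placeholders.
"""
import textwrap

# Hypothetical names: replace with your own.
CONFIG_BUCKET = "cloudefigo-config-example"
LAUNCH_PROFILE = "cloudefigo-launch"          # broad: S3 read, CreateVolume, AttachVolume, ...
PRODUCTION_PROFILE = "cloudefigo-production"  # narrow: only what the app needs at runtime

# Illustrative policy documents carried by the two instance profiles.
LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": [
        "s3:GetObject", "s3:PutObject",
        "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DescribeVolumes",
        "ec2:ModifyInstanceAttribute",
    ], "Resource": "*"}],
}
PRODUCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}],
}


def allowed_actions(policy):
    """Flatten the Allow actions of a policy document into a set."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def production_is_subset(launch=LAUNCH_POLICY, production=PRODUCTION_POLICY):
    """Guard for 'permissions during launch > production': the role kept after promotion
    must never grant an action the launch role did not already have."""
    return allowed_actions(production) <= allowed_actions(launch)


def build_user_data(bucket=CONFIG_BUCKET, region="us-east-1", device="/dev/xvdf", size_gb=10):
    """cloud-init user-data: prerequisites, config pull from S3, data volume create + attach.
    This runs under the launch profile, which is why EC2 volume permissions are needed at boot."""
    return textwrap.dedent(f"""\
        #!/bin/bash
        set -euo pipefail
        # 1. Prerequisites: Python, pip, wheel, Boto, AWS CLI, Chef client + PyChef
        apt-get update -y && apt-get install -y python3 python3-pip curl
        pip3 install wheel boto3 awscli pychef
        curl -L https://omnitruck.chef.io/install.sh | bash   # Chef client installer (assumed URL)
        # 2. Pull the Cloudefigo script and Chef client init files from S3 (assumed object names)
        mkdir -p /opt/cloudefigo /etc/chef
        aws s3 cp s3://{bucket}/cloudefigo.py /opt/cloudefigo/cloudefigo.py
        aws s3 cp s3://{bucket}/chef/client.rb /etc/chef/client.rb
        aws s3 cp s3://{bucket}/chef/validation.pem /etc/chef/validation.pem
        # 3. Create a data volume in this instance's AZ and attach it (application files and DB)
        META=http://169.254.169.254/latest/meta-data
        INSTANCE_ID=$(curl -s $META/instance-id)
        AZ=$(curl -s $META/placement/availability-zone)
        VOL=$(aws ec2 create-volume --region {region} --availability-zone "$AZ" \\
              --size {size_gb} --volume-type gp2 --query VolumeId --output text)
        aws ec2 wait volume-available --region {region} --volume-ids "$VOL"
        aws ec2 attach-volume --region {region} --volume-id "$VOL" \\
              --instance-id "$INSTANCE_ID" --device {device}
        # 4. Hand over to the Cloudefigo script (encrypt, register with Chef, scan)
        python3 /opt/cloudefigo/cloudefigo.py --device {device}
        """)


def launch(ami_id, instance_type="t2.micro", region="us-east-1"):
    """Boot the instance under the launch profile with the user-data above (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.run_instances(
        ImageId=ami_id, InstanceType=instance_type, MinCount=1, MaxCount=1,
        IamInstanceProfile={"Name": LAUNCH_PROFILE},
        UserData=build_user_data(region=region),
    )
    return resp["Instances"][0]["InstanceId"]


def demote_to_production(instance_id, region="us-east-1"):
    """Once the lifecycle has passed, swap the broad launch profile for the production one."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    assoc = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}]
    )["IamInstanceProfileAssociations"][0]
    ec2.replace_iam_instance_profile_association(
        AssociationId=assoc["AssociationId"],
        IamInstanceProfile={"Name": PRODUCTION_PROFILE},
    )
```

Run `production_is_subset()` in CI before either profile changes: the point of the dynamic role is that the instance keeps `ec2:CreateVolume`/`ec2:AttachVolume` only for the minutes it needs them, so any production policy that re-introduces those actions should fail the build.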
21. CONTROL (Chef Registration)
The Chef clients register with the Chef management server using the initialization files loaded from S3.
Once the client is registered, a policy is loaded and enforced on the instance.
22. CONTROL (Encrypt)
Where should you keep your keys?
Cloud Provider: protected against snapshots and backups; vulnerable to malicious insider attacks and subpoena.
On Premise: protected against snapshots, backups, subpoena and malicious insiders; vulnerable to key exchange attacks.
3rd Party: protected against snapshots, backups and the cloud provider's malicious insiders; vulnerable to key exchange attacks and (partially) subpoena.
23. CONTROL (Encrypt)
The volume is encrypted using a randomly generated key.
The key is stored in S3 for later use.
The application database is installed on the encrypted volume.
(Diagram: Instance 1, Instance 2 and Instance 3 each have their own bucket and key ID (2f3g, 5dw4, 8H7g), each holding a distinct key (1#Fd3, vFS3=, Bs$a).)
27. SCAN (Automatic scan / Analyze)
The results of the scan are analyzed by the Cloudefigo script.
Based on the scan results, the instance either moves to production or remains in the remediation group.
The lowest security risk severity that blocks promotion can be defined.
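The SCAN stage's decision logic, as an added example (not Cloudefigo's own code). The slides do not name the scanner, so the findings below are a constructed sample in a generic shape; the severity scale, the configurable minimum severity and the two security-group IDs are assumptions. The instance is moved between the remediation and production groups by replacing its security-group list, which is the mechanism Cloudefigo's "remediation vs. production groups" implies but the slides do not spell out.

```python
"""Analyze vulnerability-scan results and gate promotion to production (added example).

Assumptions: findings are dicts with a 'severity' string; group IDs are placeholders.
"""
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical security groups standing in for the two lifecycle groups.
REMEDIATION_SG = "sg-remediation-example"
PRODUCTION_SG = "sg-production-example"

# Constructed sample scan output (not real scanner data).
SAMPLE_FINDINGS = [
    {"plugin": "SSH weak MAC algorithms", "severity": "low", "port": 22},
    {"plugin": "Outdated OpenSSL", "severity": "medium", "port": 443},
    {"plugin": "Bash remote code execution (Shellshock)", "severity": "critical", "port": 80},
]


def blocking_findings(findings, min_severity="medium"):
    """Findings at or above the configured minimum severity ("the lowest security risk
    severity can be defined"). An unknown severity string is treated as blocking, so a
    scanner format change fails closed instead of silently promoting the instance."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 99) >= threshold]


def decide(findings, min_severity="medium"):
    """'production' only when nothing at or above the threshold remains."""
    return "remediation" if blocking_findings(findings, min_severity) else "production"


def target_group(decision):
    """Map the decision onto the security group the instance should be in."""
    return PRODUCTION_SG if decision == "production" else REMEDIATION_SG


def apply_decision(instance_id, findings, min_severity="medium", region="us-east-1"):
    """Move the instance into the group matching the decision (needs AWS credentials)."""
    decision = decide(findings, min_severity)
    import boto3  # lazy import: the pure functions above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    # Replacing the whole group list is what moves the instance between remediation and production.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[target_group(decision)])
    return decision
```

The remediation group must still admit the scanner's source addresses, otherwise an instance that is unreachable for scanning would show zero findings; keep "no results" distinct from "no findings" in the caller and treat it as a remediation outcome too.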
30. PRODUCTION (Least privileged role / Manage)
For the ongoing operations, compensating controls are required.
The Cloudefigo management script lists the cloud instances and validates that they are managed by Chef.
Cloudefigo raises an alert when someone tries to use the access keys.
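Both production-phase compensating controls, as an added example (not Cloudefigo's own script): an instance inventory check that flags EC2 instances with no matching Chef node, and a CloudTrail check that alerts whenever a watched (launch-phase or otherwise retired) access key is used, which is exactly the pattern of the BrowserStack story where a stolen key opened a firewall rule and launched an instance. The `describe_instances` output and CloudTrail records are constructed samples in the real API shapes; the convention that Chef node names equal instance IDs is an assumption.

```python
"""Production compensating controls (added example).

Assumptions: constructed EC2/CloudTrail samples; Chef node names equal EC2 instance IDs.
"""
import json

# Constructed sample in the 'Reservations' shape returned by ec2.describe_instances()
SAMPLE_DESCRIBE = {"Reservations": [
    {"Instances": [{"InstanceId": "i-0aaa", "State": {"Name": "running"}},
                   {"InstanceId": "i-0bbb", "State": {"Name": "running"}}]},
    {"Instances": [{"InstanceId": "i-0ccc", "State": {"Name": "terminated"}},
                   {"InstanceId": "i-0ddd", "State": {"Name": "running"}}]},
]}
# Constructed sample of node names as PyChef's chef.Node.list() yields them
SAMPLE_CHEF_NODES = ["i-0aaa", "i-0bbb"]

# Constructed CloudTrail records, one JSON object per line (key IDs are made up)
SAMPLE_CLOUDTRAIL = """\
{"eventTime": "2015-08-07T10:01:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAPRODEXAMPLE0001"}, "sourceIPAddress": "10.0.1.5"}
{"eventTime": "2015-08-07T10:02:00Z", "eventName": "CreateVolume", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIALAUNCHEXAMPLE01"}, "sourceIPAddress": "203.0.113.7"}
{"eventTime": "2015-08-07T10:03:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAOPSEXAMPLE00001"}, "sourceIPAddress": "198.51.100.9"}
"""


def running_instance_ids(describe_output):
    """Flatten describe_instances() output to the IDs of instances that still exist."""
    ids = set()
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] not in ("terminated", "shutting-down"):
                ids.add(inst["InstanceId"])
    return ids


def unmanaged_instances(describe_output, chef_node_names):
    """Instances present in EC2 but absent from Chef: they either skipped the lifecycle
    (e.g. launched with a stolen key) or failed registration. Either way they are unmanaged."""
    return sorted(running_instance_ids(describe_output) - set(chef_node_names))


def access_key_alerts(cloudtrail_text, watched_keys):
    """Scan newline-delimited CloudTrail records and alert on every call made with a watched key.
    Malformed lines are reported rather than skipped, so a logging change cannot hide activity."""
    alerts = []
    for n, line in enumerate(cloudtrail_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"line": n, "reason": "unparseable record"})
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key in watched_keys:
            alerts.append({"line": n, "reason": "watched access key used", "accessKeyId": key,
                           "eventName": rec.get("eventName"),
                           "sourceIPAddress": rec.get("sourceIPAddress"),
                           "eventTime": rec.get("eventTime")})
    return alerts


def check_production_live(watched_keys, region="us-east-1"):
    """Live version (needs AWS credentials and a Chef client config): pull the same inputs from
    EC2, the Chef server and CloudTrail's lookup_events, then reuse the pure checks above."""
    import boto3
    import chef  # PyChef; iterating Node.list() yields node names
    describe = boto3.client("ec2", region_name=region).describe_instances()
    nodes = list(chef.Node.list(api=chef.autoconfigure()))
    trail = boto3.client("cloudtrail", region_name=region)
    records = []
    for key in watched_keys:
        page = trail.lookup_events(
            LookupAttributes=[{"AttributeKey": "AccessKeyId", "AttributeValue": key}])
        records += [e["CloudTrailEvent"] for e in page["Events"]]
    return {"unmanaged": unmanaged_instances(describe, nodes),
            "alerts": access_key_alerts("\n".join(records), set(watched_keys))}
```

Run the inventory check on a schedule shorter than the instance lifetime being defended (minutes, per the earlier slides), otherwise an attacker-launched instance can come and go between checks.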
34. TERMINATE (Instance / Encryption Keys)
The instance data still exists in backups, snapshots or provider storage.
The encryption keys are to be deleted together with the instance, so that the backup data remains inaccessible (not implemented in this version).
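The per-instance key handling of slide 23 and the key deletion on terminate of slide 34, as one added example (not Cloudefigo's own code, and the terminate step is the part the slides mark as not yet implemented). Each instance gets a fresh random key stored as its own S3 object, the volume is LUKS-formatted with that key piped on stdin, and on terminate the key object is deleted so that every snapshot or backup of the volume becomes ciphertext nobody can open. The use of LUKS/cryptsetup, the bucket and object naming, the device and mount point, and the in-memory `FakeS3` stand-in (which mirrors the boto3 S3 client calls so the example runs offline) are assumptions.

```python
"""Per-instance volume keys stored outside the instance, and crypto-shredding on terminate
(added example).

Assumptions: LUKS via cryptsetup; one S3 object per instance key; names are placeholders.
"""
import io
import secrets
import subprocess

KEY_BUCKET = "cloudefigo-keys-example"  # hypothetical bucket name


class FakeS3:
    """Minimal stand-in for a boto3 S3 client with the same call shapes, so this runs offline."""
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = bytes(Body)

    def get_object(self, Bucket, Key):
        if (Bucket, Key) not in self.objects:
            raise KeyError(f"NoSuchKey: s3://{Bucket}/{Key}")
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


def key_object_name(instance_id):
    """One key per instance: the key ID is derived from the instance, never shared."""
    return f"volume-keys/{instance_id}.key"


def create_volume_key(s3, instance_id, bucket=KEY_BUCKET):
    """Generate a fresh 256-bit key and store it in S3 (server-side encrypted), not on the volume."""
    key = secrets.token_bytes(32)
    s3.put_object(Bucket=bucket, Key=key_object_name(instance_id), Body=key,
                  ServerSideEncryption="AES256")
    return key


def fetch_volume_key(s3, instance_id, bucket=KEY_BUCKET):
    """Retrieve the key at boot/remount time. Raises LookupError once it has been shredded
    (boto3 raises s3.exceptions.NoSuchKey there; the fake raises KeyError)."""
    try:
        return s3.get_object(Bucket=bucket, Key=key_object_name(instance_id))["Body"].read()
    except Exception as exc:
        if isinstance(exc, LookupError) or type(exc).__name__ == "NoSuchKey":
            raise LookupError(f"no volume key stored for {instance_id}") from exc
        raise


def luks_setup_commands(device="/dev/xvdf", mapper="data", mount_point="/var/lib/mysql"):
    """Command plan: LUKS-format the raw volume, open it, make a filesystem and mount it where
    the application database will live. The key is read from stdin (--key-file=-), so it is
    never written to the instance's root disk."""
    return [
        ["cryptsetup", "luksFormat", "--batch-mode", "--key-file=-", device],
        ["cryptsetup", "open", "--key-file=-", device, mapper],
        ["mkfs.ext4", "-q", f"/dev/mapper/{mapper}"],
        ["mount", f"/dev/mapper/{mapper}", mount_point],
    ]


def encrypt_volume(s3, instance_id, device="/dev/xvdf", execute=False):
    """Slide 23 step: new key into S3, then LUKS-format and mount the volume with that key.
    With execute=False only the plan is returned, so this is safe to call anywhere."""
    key = create_volume_key(s3, instance_id)
    plan = luks_setup_commands(device)
    if execute:
        for cmd in plan:
            # only the cryptsetup steps consume the key on stdin; the others get no input
            subprocess.run(cmd, input=key if cmd[0] == "cryptsetup" else None, check=True)
    return plan


def crypto_shred(s3, instance_id, bucket=KEY_BUCKET):
    """Slide 34 step: delete the key so every snapshot/backup of the volume is unreadable.
    Returns True only if the key is confirmed gone."""
    s3.delete_object(Bucket=bucket, Key=key_object_name(instance_id))
    try:
        fetch_volume_key(s3, instance_id, bucket)
    except LookupError:
        return True
    return False  # key still readable: the shred did not take effect
```

Two caveats for the real thing: the key bucket must not be versioned, replicated or backed up itself, or the delete removes only the current copy and the shred is illusory; and `crypto_shred` should be driven from an instance-termination event rather than from the instance, since a terminated instance gets no chance to run it.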
35. Wrapping Up
The new software architecture and application delivery model in the cloud disrupt traditional corrective controls.
We need to adopt new thinking to automate security.
Think about how security automation can help you move your infrastructure forward. Faster.