Ryan Holland (Cloud Platform Solutions Director, Alert Logic)'s presentation on securing your AWS environment at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
2. Attacks Happen at Multiple Layers of the Application Stack
THE IMPACT
• Every layer of the application stack is under attack
• Attacks are multi-stage using multiple threat vectors
• Web applications are #1 vector in the cloud
• Security must be cloud-native, cover every layer of application stack, and identify attacks at every stage.
Diagram labels (attack stages): SQL Injection, Identify & Recon, Command & Control, Worm Outbreak, Extract & Exfiltrate, Malware, Brute Force
3. Relative Threats - Cloud vs On Premise
Source: Alert Logic Cloud Security Report, 2015
4. Global Threats - Time to Exposure
• Attacks against Microsoft DS accounted for over 51% of the overall attack vectors
• Database services have been a consistent target
• 14% of the malware loaded on the Honeypots was considered undetectable by AV
5. Attackers Are Focused on Your Network, Hosts, and Apps
APPS
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
HOSTS
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
NETWORK
• Network threat detection
• Security monitoring
• Logical network segmentation
• Perimeter security services
AWS PROVIDES
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration best practices
8. Securing Your AWS Account
• Lock down the root account
• Delete any root API keys
• Enable Hardware MFA for the root account – define an auditable process for requesting the key
• Follow least privilege for IAM Users and Roles
• Avoid using “Admin” prebuilt policies unless absolutely necessary
• Leverage CloudTrail Logs and IAM Access Advisor to help tune policies
• Restrict SSH/RDP access for instances with IAM Roles
• Enable a strong password policy and MFA requirement for IAM users
• If users must have an API key, ensure the keys are rotated frequently as well
• Enable CloudTrail and AWS Config
• Leverage the features to enable CloudTrail in all regions
• Use Config Rules to identify out of policy changes
• Not a one time activity – Continuously monitor for changes
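The account checks above (no root API keys, MFA on root and on IAM users, key rotation, CloudTrail covering all regions) can be run offline against the two API responses AWS already gives you. The following is added example code, not part of the original presentation or an Alert Logic tool; it assumes the real inputs come from `aws iam get-credential-report` (the decoded CSV) and `aws cloudtrail describe-trails`, and uses constructed sample data of the same shape so it runs without an account.

```python
"""Offline checks for the account-hardening items on the slide.

Assumption: real input is the CSV from `aws iam get-credential-report`
(after base64 decoding) and the JSON from `aws cloudtrail describe-trails`.
The sample data below is constructed for the example.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample credential report. The real CSV carries more columns;
# the parser reads by column name, so extra columns are simply ignored.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2016-06-01T12:00:00+00:00,false,true,2015-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-03-01T00:00:00+00:00,true,2016-06-10T08:00:00+00:00,true,true,2016-05-20T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2015-02-01T00:00:00+00:00,false,no_information,false,true,2015-02-01T00:00:00+00:00,false,N/A
"""

# Constructed `describe-trails` response: a single trail that only covers its
# home region, which is exactly what the slide warns against.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "management-events", "S3BucketName": "example-trail-bucket",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
]}

# Constructed "now" so that key ages in the example are deterministic.
REPORT_TIME = datetime(2016, 6, 14, tzinfo=timezone.utc)


def _parse_time(value):
    """Return an aware datetime, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def check_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of human-readable findings for the credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no API keys at all and must have MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root: active access key present (delete it)")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue
        # Console users need MFA; API-only users have no password to protect.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        # Any active key older than the rotation window gets flagged.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append(f"{user}: access key {n} is {age} days old (rotate)")
    return findings


def check_trails(describe_trails_response):
    """Flag an account with no trail, or with no trail that spans all regions."""
    trails = describe_trails_response.get("trailList", [])
    if not trails:
        return ["CloudTrail: no trail configured"]
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        return ["CloudTrail: no trail covers all regions (enable a multi-region trail)"]
    return []


def main():
    for finding in check_credential_report(SAMPLE_CREDENTIAL_REPORT, REPORT_TIME):
        print(finding)
    for finding in check_trails(SAMPLE_TRAILS):
        print(finding)


if __name__ == "__main__":
    main()
```

The same two functions work on real output once you decode the credential report and load the trail JSON; the point of the fixed `REPORT_TIME` is only to make the sample reproducible. Run on a schedule, this is the "not a one time activity" item from the slide in code.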
10. Monitor Activity and Identify Insecure Configurations
• Inventory the services and regions you are using
• What regions do you have VPCs and instances?
• Which resources are accessible from the Internet?
• Leverage CloudTrail to identify new VPCs or service usage
• Define a consistent Tagging and Naming strategy for resources
• Ensure the AWS Services you’re using remain securely configured
• Disable non-secure ciphers on Elastic Load Balancers
• Remove S3 bucket permissions that allow global write or read
• Identify security groups or network ACLs that allow unrestricted access to sensitive ports
• Identify and remediate vulnerabilities in AMIs
• Patch your AMIs, not your instances
• Maintain a list of trusted AMIs, restrict users from launching non-trusted images
• Scan instances frequently to identify new vulnerabilities
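Two of the configuration checks above, security groups that expose sensitive ports to the whole Internet and S3 ACLs that grant global read or write, can be evaluated directly on the JSON that `aws ec2 describe-security-groups` and `aws s3api get-bucket-acl` return. This is added example code, not from the original presentation or from Alert Logic; the security group IDs, bucket name, and rules are constructed, and the sensitive-port list is an assumption drawn from the ports the deck itself calls out (SSH, RDP, Microsoft DS, databases).

```python
"""Offline checks for world-open sensitive ports and public S3 bucket ACLs.

Assumption: input is the JSON from `aws ec2 describe-security-groups` and
`aws s3api get-bucket-acl`. The sample responses below are constructed.
"""

# Assumption: ports the presentation names as consistent targets.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 445: "microsoft-ds",
                   1433: "mssql", 3306: "mysql", 5432: "postgresql"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Public grantee groups in S3 ACLs. The LogDelivery group is deliberately
# not listed: it is a legitimate grant for server access logging.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed sample: four security groups, three of them misconfigured.
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

# Constructed sample bucket ACL with one global read and one global write grant.
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}


def _world_cidrs(rule):
    """CIDRs in this rule that mean 'anyone on the Internet' (v4 or v6)."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_IPV4, ANY_IPV6)]


def _sensitive_ports_covered(rule):
    """Sensitive ports inside the rule's port range; '-1' means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return set()
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_open_sensitive_ports(describe_sg_response):
    """Return (group_id, port, service, cidr) for every world-open sensitive port."""
    findings = []
    for sg in describe_sg_response.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            world = _world_cidrs(rule)
            if not world:
                continue
            for port in sorted(_sensitive_ports_covered(rule)):
                for cidr in world:
                    findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return findings


def find_public_grants(bucket_name, acl_response):
    """Return (bucket, permission, audience) for each grant to a public group."""
    findings = []
    for grant in acl_response.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((bucket_name, grant["Permission"], PUBLIC_GRANTEES[grantee["URI"]]))
    return findings


if __name__ == "__main__":
    for f in find_open_sensitive_ports(SAMPLE_SECURITY_GROUPS):
        print("open port: group %s port %d (%s) from %s" % f)
    for f in find_public_grants("example-bucket", SAMPLE_BUCKET_ACL):
        print("public bucket: %s grants %s to %s" % f)
```

Note that a bucket can also be made public through its bucket policy (`Principal: "*"`), which this ACL check does not see, and that an "all traffic" (`-1`) rule is reported once per sensitive port so the remediation list reads the same way as a port-specific rule would.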
11. Implement Network and Log Visibility
• Capture log data from instances in real time
• Once an instance has been terminated you are unable to gather logs from it
• Collect and maintain instance metadata with the logs.
• Implement network intrusion detection
• Analyze network traffic for all instance traffic and not just VPC ingress and egress
• Look for Deny events in VPC Flow Logs to instances
• Implement a Web Application Firewall
• Inspection at layer 7 is required to identify application specific attacks
• Ideally leverage positive and negative enforcement
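The "Deny events in VPC Flow Logs" bullet is easy to act on because the default flow log record format is fixed and documented. Below is an added example, not part of the original presentation or an Alert Logic product, that parses version-2 flow log records, counts REJECT records per network interface, and surfaces sources that were rejected on many distinct destination ports of one interface (scanning-like behaviour). The log lines, interface IDs and addresses are constructed; the five-port threshold is an assumption.

```python
"""Summarise REJECT records in VPC Flow Logs (default version-2 format).

Assumption: lines come from CloudWatch Logs or S3 in the default format
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
The sample lines below are constructed for the example.
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: one source probes seven ports on eni-0a1b2c3d and is
# rejected each time, a legitimate HTTPS flow is accepted, one record
# carries no data, and a single SSH attempt on another interface is rejected.
SAMPLE_FLOW_LOG_LINES = [
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41234 21 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41235 22 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41236 23 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41237 25 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41238 135 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41239 445 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 41240 3389 6 1 44 1465900000 1465900060 REJECT OK",
    "2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51000 443 6 12 3200 1465900000 1465900060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d - - - - - - - 1465900000 1465900060 - NODATA",
    "2 111122223333 eni-0e5f6a7b 203.0.113.9 10.0.2.20 40000 22 6 1 44 1465900000 1465900060 REJECT OK",
]


def parse_flow_log(line):
    """Return a dict for an OK record, or None for malformed/NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA and SKIPDATA records have '-' in the numeric fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarize_rejects(lines, scan_threshold=5):
    """Count rejects per interface and flag sources rejected on many ports.

    Returns (rejects_by_interface, scanners) where scanners is a sorted list of
    (interface_id, srcaddr, distinct_rejected_ports) at or above the threshold.
    """
    rejects_by_interface = defaultdict(int)
    ports_by_source = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        rejects_by_interface[rec["interface_id"]] += 1
        ports_by_source[(rec["interface_id"], rec["srcaddr"])].add(rec["dstport"])
    scanners = sorted(
        (eni, src, len(ports))
        for (eni, src), ports in ports_by_source.items()
        if len(ports) >= scan_threshold
    )
    return dict(rejects_by_interface), scanners


if __name__ == "__main__":
    rejects, scanners = summarize_rejects(SAMPLE_FLOW_LOG_LINES)
    for eni, count in sorted(rejects.items()):
        print(f"{eni}: {count} rejected flows")
    for eni, src, nports in scanners:
        print(f"{eni}: {src} rejected on {nports} distinct ports")
```

Flow logs only record the security group and network ACL decision for each flow, not the payload, which is why the slide pairs them with network intrusion detection and a layer 7 WAF: a REJECT count tells you who is knocking, not what an accepted request contained.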
12. How Cloud Defender Works in AWS
Diagram: Cloud Defender data flow in AWS. Inputs from AWS SERVICES (AWS service log collection) and from INSTANCES & APPLICATIONS (web and network security events, application & server logs; continuous vulnerability scanning, configuration assessments, and environment visibility). Processing: Analytics Platform, Threat Intel & Context, Expert Analysis. Outputs to YOUR TEAM: threat detection with remediation tactics; vulnerability & configuration issues.
And if we then take those stages, we can see how they map to the different parts of an application stack: infrastructure, systems, and applications. When we look at attacks in cloud environments, while many of them focus on the application layer, you still need to have defenses in the other layers.
And on the topic of the types of threats, one really interesting report that our threat intelligence team creates every year is the Cloud Security Report, which looks at the types of threats we are seeing across both on-premises data centers and cloud environments. The data in this report is real-world data that’s collected and represents over 1 billion events and over 800,000 security incidents over a 12-month period. What’s interesting is you can see in the data that adversaries are adapting the types of attacks based on the environments and are especially focusing on application attacks for cloud customers. You can get the full report at alertlogic.com/csr, which goes much deeper into the data.
One additional method we use to gather attack data is our global honeynet network, and what stands out is how quickly we begin to see attacks once a new honeynet node is activated. When we look at the types of attacks, Microsoft Directory Services, databases, and administrative ports for SSH/RDP are consistent targets.
Highest volume of attacks occurred in Europe
Attacks against Microsoft DS accounted for over 51% of the overall attack vectors
Database services have been a consistent target
14% of the malware loaded on the Honeypots was considered undetectable by AV
Underscores the importance of a defense-in-depth strategy for securing your enterprise and cloud infrastructure
Likely most everyone by now has at least heard of the shared responsibility model, so I will cover this somewhat briefly. Under the shared responsibility model for infrastructure services like EC2, AWS is responsible for securing all of the infrastructure, networks, and hosts all the way up to the hypervisor. In a way this is a huge benefit of using AWS: in on-premises environments you would be responsible for these tasks yourself, whereas this model allows you to leverage their expertise and focus on the part that you are responsible for.
The data showing attacks focusing on applications and remote access through SSH and RDP shows us that attackers are wise to the fact that they are not likely to be successful in attacking components that AWS is securing, and are focusing on areas where the customers are responsible.
Attackers are wising up to the fact that businesses are not aware of the extent of their responsibilities – some of which may be beyond their existing capabilities
They are focusing their attention on the areas that fall to the customer to address, in particular the web application layer, where we have seen a large increase in the number of targeted attacks
**insert banner with Cloud Security report stats**
To help secure your AWS environment there are three tenets that we will focus on
Applications are often visualized as a stack, and stacks, like houses, require a solid foundation, otherwise bad things happen. So the first thing we’ll look at is shoring up the foundation which
Cloud Defender is doing two things: first, it scans your AWS services looking for any configuration issues. At the same time it scans your instances and applications looking for known vulnerabilities. That information gets passed back to your team in the form of prioritized remediation actions, so you can focus on the issues that will have the biggest positive impact on your risk.
While that is happening, Cloud Defender is also collecting logs from your servers, apps, and AWS services, as well as network and web application events. This information is fed into an analytics platform. This platform analyzes the data, eliminating irrelevant events, and then, by applying threat intelligence and context, generates actionable security events. These events are then vetted by a team of security experts, who have access to both the raw data that generated the event and a library of threat research that enables them to provide you with the context you need to understand the threat.
You are then contacted about the incident and provided remediation recommendations. This helps you focus on eliminating the issues without having to become an expert in any one specific threat vector.
Cloud Defender is always on, always working for you.