When serious vulnerabilities like Shellshock or Heartbleed are found, you know you should respond quickly. But when you’re juggling many priorities, and are more comfortable developing apps than security policies, emergency updates may fall to the bottom of the list. Is there a better way to protect your workloads, without a lot of work? In AWS, you approach everything in your infrastructure as an API. If you take the same approach to security, you can automate protection for zero-day vulnerabilities, without impacting agility or architecture flexibility. In this session, we’ll show you how to use AWS security groups, virtual private networks, and security capabilities like intrusion detection and prevention to defend what you put in the cloud. We will use the recent Shellshock vulnerability as a real-world threat scenario and walk you through how to combine AWS features and workload-aware security controls to prevent hackers from exploiting similar zero-day threats. Learn simple, easy to deploy security tools and techniques to protect workloads – that don't require a PhD in cyber security.

1. Defending your workloads against
the next zero-day vulnerability
Justin Foster
@justin_foster
Trend Micro - Director of Product Management | Cloud & Data Center Security

2. The Story
More at aws.trendmicro.com
2012 re:Invent
SPR203 : Cloud Security is a Shared Responsibility
http://bit.ly/2012-spr203
2013 re:Invent
SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud
http://bit.ly/2013-sec208
SEC307: How Trend Micro Build their Enterprise Security Offering on AWS
http://bit.ly/2013-sec307
2014 re:Invent
SEC313: Updating Security Operations for the Cloud
http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS
http://bit.ly/2014-sec314

3. Traditional Responsibility Model
You
Physical
Infrastructure
Network
Virtualization
Operating System
Applications
Data
Service Configuration
More at aws.amazon.com/security

4. Shared Responsibility Model
AWS
Physical
Infrastructure
Network
Virtualization
You
Operating System
Applications
Data
Service Configuration
More at aws.amazon.com/security

5. Shared Responsibility Model
AWS
Physical
Infrastructure
Network
Virtualization
You
Operating System
Applications
Data
Service Configuration
More at aws.amazon.com/security

6. PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
ISO 9001
IRAP (.au)
FIPS 140-2
CJIS
CSA
FERPA
HIPAA
FedRAMP (SM)
DoD CSM 1-2, 3-5
DIACAP
ISO 27001
MTCS 3
ITAR
MPAA
G-Cloud
Section 508/VPAT
FISMA
Shared Responsibility Model
More at aws.amazon.com/compliance/

7. Shared Responsibility Model
AWS
Physical
Infrastructure
Network
Virtualization
You
Operating System
Applications
Data
Service Configuration
More at aws.amazon.com/security

8. Vulnerability Respond Repair

9. Vulnerability
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

10. by Andreas Lindh (@addelindh)

11. bash is a common command line interpreter

12. a:() { b; } | attack
10 | 10 vulnerability. Widespread & easy to exploit

14. 1989
Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

15. 1989
By Norlando Pobre

16. By Gavin Stewart
1989

17. By VersusLiveQuizShow
1989

18. "MicroTAC" by Redrum0486 at English Wikipedia
1989

19. Time Since Last Event Event Action Action Timeline
1989-08-05 8:32 Added to codebase
27 days, 10:20:00 Released to public
9141 days, 21:18:35 Initial report React Clock starts
1 day, 22:19:13 More details React
2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25
5 days, 9:16:35 Limited disclosure :: CVE-2014-6271 React
2 days, 4:37:25 More details React
3:44:00 More details React
0:27:51 Public disclosure React
0:36:30 More details React

20. Important Shellshock Events
Time Since Last Event Event Action Action Timeline
1989-08-05 8:32 Added to codebase
27 days, 10:20:00 Released to public
9141 days, 21:18:35 Initial report React Clock starts
2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25
3:29:09 Official patch :: CVE-2014-7169 Patch 9 days, 19:17:00
3:15:00 Official patch :: CVE-2014-7186, CVE-2014-7187 Patch 4 days, 17:30:00
1 day, 11:55:00 Official patch :: CVE-2014-6277 Patch 1 day, 11:55:00
2 days, 20:24:00 Official patch :: CVE-2014-6278 Patch 2 days, 20:24:00

21. 24h
48h
72h
Attack Source IP – CVE-2014-6271, 7169, 6277, 6278
Disclosure

22. 24h
48h
72h
Attack Source IP – CVE-2014-6271, 7169, 6277, 6278
Disclosure

23. 24h
48h
72h
Disclosure
Attack Source IP – CVE-2014-6271, 7169, 6277, 6278

24. Respond
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Day 1

25. aws.amazon.com/architecture : Web application hosting

26. aws.amazon.com/architecture : Web application hosting

27. TCP : 443TCP : 443 TCP : 4433TCP : 4433
Primary workflow for our deployment

28. IAM Roles

29. AWS IaM Review

30. Security groups

31. AWS Security Group Review

32. Network segmentation

33. AWS Network Review

34. AWS VPC Checklist
Review
IAM roles
Security groups
Network segmentation
Network access control lists (NACL)
More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf

35. TCP : 443TCP : 443 TCP : 4433TCP : 4433
Primary workflow for our deployment

36. HTTPSTPS
Intrusion prevention can look at each packet and then take action depending on what it finds

37. aws.amazon.com/architecture : Web application hosting

38. Intrusion Prevention in Action

39. Review
All instances covered
Workload appropriate rules
Centrally managed
Security controls must scale out automatically with the deployment

40. Repair
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Day 2

41. aws.amazon.com/architecture : Web application hosting

42. All instances deployment from task-specific AMI
TCP : 443TCP : 443 TCP : 4433TCP : 4433

43. Workflow should be completely automated
Instantiate DestroyConfigure
AMI Creation Workflow
Bake Instantiate Test

44. AMI Creation

45. aws.amazon.com/architecture : Web application hosting

46. Instances tend to drift from the known good state, monitoring key files & processes is important
AMI Instance
AlertIntegrity Monitoring

47. Integrity Monitoring

48. Keys
Respond
Review configuration
Apply intrusion prevention
Repair
Patch vulnerability in new AMI
Leverage integrity monitoring

49. Keys
Visibility Security Time

50. Build With Confidence

51. aws.trendmicro.com
NEW YORK