SCOTT WARD BUILDING SECURITY BEST PRACTICES WITH AWS AND CROWDSTRIKE


Page 1: 2:40pm - Building Security Best Practices with AWS and CrowdStrike

SCOTT WARD

BUILDING SECURITY BEST PRACTICES WITH AWS AND CROWDSTRIKE

Page 2

SPEAKER

§ 18+ years at Amazon & Amazon Web Services

§ 13 years building financial systems and global payments integrations

§ 5+ years as a partner solution architect focused on security technology partners

§ Likes…… Cheeseburgers

Principal Solutions Architect

SCOTT WARD

© 2019 CROWDSTRIKE

Page 3

SECURITY AND OPERATIONAL EXCELLENCE ARE OUR TOP PRIORITY

Page 4

CUSTOMER: responsibility for security “in” the cloud
§ Customer data
§ Platform, applications, identity & access management
§ Operating system, network & firewall configuration
§ Client-side data encryption & data integrity authentication
§ Server-side encryption (file system and/or data)
§ Network traffic protection (encryption, integrity, identity)

AWS: responsibility for security “of” the cloud
§ Software: compute, storage, database, networking
§ Hardware / AWS global infrastructure: regions, availability zones, edge locations

SHARED RESPONSIBILITY MODEL

Page 5

SHARED RESPONSIBILITY MODEL: the customer's half of the previous slide, security “in” the cloud (customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side encryption & data integrity authentication; server-side encryption; network traffic protection).

Page 6

§ Virtual servers in the cloud
§ Scale vertically and horizontally
§ Windows and Linux operating systems
§ Five instance classes and 100+ instance types: General Purpose, Compute Optimized, Memory Optimized, Accelerated Computing, Storage Optimized

ELASTIC COMPUTE CLOUD (EC2)

Page 7

You control the operating system
§ Patching
§ User access/permissions
§ OS hardening
§ Encryption
§ Security features
§ Logging
§ Security products

Security groups
§ Stateful firewall
§ Default deny for inbound

You control your network placement
§ Define what is private and public

EC2 SECURITY

Page 8

§ You use CrowdStrike to help protect your EC2 instances

§ EC2 offers benefits around flexibility and elasticity

§ What strategies exist to ensure that your security can keep up with how you are using AWS?

CROWDSTRIKE AND EC2

Page 9

Current golden AMI -> running instance (add Falcon + other tools or software) -> new golden AMI

§ Copy AMI to necessary regions and accounts
§ Publish new golden AMI IDs
§ Enforce usage through pipelines or configuration checks

Before the image is captured, remove the sensor's agent ID (AID) so that every instance launched from the AMI registers with Falcon as a distinct host instead of all of them sharing one identity:

sudo /opt/CrowdStrike/falconctl -d -f --aid

PREBAKED AMI
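The three steps above as one script: bake the image after clearing the AID, copy it to the other regions and publish the IDs, then run the configuration check that finds instances not launched from an approved image. This is an added example for this page, not the deck's or CrowdStrike's code; apart from the falconctl command, everything in it is an assumption of its own (the placeholder instance ID and regions, the /golden-ami/<region>/current parameter naming, and the tab-separated instance/AMI listing the check consumes).

```shell
#!/bin/bash
# Golden AMI pipeline with the Falcon sensor prebaked. Added example, not from
# the deck. Placeholder/assumed values: SOURCE_INSTANCE, the regions and the
# /golden-ami/<region>/current parameter naming are ours.
set -euo pipefail

SOURCE_INSTANCE="${SOURCE_INSTANCE:-i-0123456789abcdef0}"   # placeholder
PRIMARY_REGION="${PRIMARY_REGION:-us-west-2}"
TARGET_REGIONS="${TARGET_REGIONS:-us-east-1 eu-west-1}"
PARAM_PREFIX="/golden-ami"

# Step 1: on the build instance (Falcon already installed), clear the sensor's
# agent ID so each launch from the image registers as a new host, then capture
# the instance as an AMI. The command goes over Systems Manager, so the build
# box needs no SSH access.
bake_golden_ami() {
  local cmd_id
  cmd_id=$(aws ssm send-command --region "$PRIMARY_REGION" \
    --instance-ids "$SOURCE_INSTANCE" --document-name AWS-RunShellScript \
    --parameters 'commands=["sudo /opt/CrowdStrike/falconctl -d -f --aid"]' \
    --query 'Command.CommandId' --output text)
  aws ssm wait command-executed --region "$PRIMARY_REGION" \
    --command-id "$cmd_id" --instance-id "$SOURCE_INSTANCE"
  aws ec2 create-image --region "$PRIMARY_REGION" --instance-id "$SOURCE_INSTANCE" \
    --name "golden-falcon-$(date +%Y%m%d%H%M)" --query ImageId --output text
}

# Step 2: copy the image to every region we launch in and publish the
# per-region ID in Parameter Store, where pipelines look it up.
publish_golden_ami() {            # $1 = AMI ID in the primary region
  local src="$1" region copy
  aws ssm put-parameter --region "$PRIMARY_REGION" \
    --name "$PARAM_PREFIX/$PRIMARY_REGION/current" --type String \
    --value "$src" --overwrite >/dev/null
  for region in $TARGET_REGIONS; do
    copy=$(aws ec2 copy-image --region "$region" --source-region "$PRIMARY_REGION" \
      --source-image-id "$src" --name "golden-falcon-$src" \
      --query ImageId --output text)
    aws ssm put-parameter --region "$region" \
      --name "$PARAM_PREFIX/$region/current" --type String \
      --value "$copy" --overwrite >/dev/null
  done
}

# Step 3, the configuration check: read "instance-id<tab>ami-id" lines on
# stdin and print those whose AMI is not in the allow-list in $1 (space
# separated, so several approved generations can be allowed at once).
noncompliant_instances() {
  local allowed=" $1 " id ami
  while read -r id ami; do
    if [ -z "$id" ]; then continue; fi
    case "$allowed" in
      *" $ami "*) ;;                  # approved image
      *) printf '%s %s\n' "$id" "$ami" ;;
    esac
  done
}

# Feed the check with the running instances of one region.
check_region() {
  local region="$1" golden
  golden=$(aws ssm get-parameter --region "$region" \
    --name "$PARAM_PREFIX/$region/current" --query Parameter.Value --output text)
  aws ec2 describe-instances --region "$region" \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[].Instances[].[InstanceId,ImageId]' --output text \
    | noncompliant_instances "$golden"
}

case "${GOLDEN_AMI_RUN:-}" in
  bake)  ami=$(bake_golden_ami); publish_golden_ami "$ami"; echo "published $ami" ;;
  check) check_region "$PRIMARY_REGION" ;;
esac
```

Run with GOLDEN_AMI_RUN=bake from the build pipeline and GOLDEN_AMI_RUN=check from a scheduled job; anything the check prints is an instance that was launched outside the golden path and therefore may not carry the sensor.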

Page 10

An EC2 instance, given IAM permissions, runs bootstrap code that pulls the agent from an S3 bucket and its settings from Parameter Store.

BOOTSTRAP AT LAUNCH

Page 11

S3 bucket to store agents

S3 Bucket: falcon-agent-bucket

BOOTSTRAP AT LAUNCH

Page 12

BOOTSTRAP AT LAUNCH

Page 13

BOOTSTRAP AT LAUNCH
Bootstrap code for S3

LINUX

#!/bin/bash
aws s3 cp s3://falcon-agent-bucket/rhel/current/falcon-sensor-current.rpm /tmp
yum install /tmp/falcon-sensor-current.rpm -y
/opt/CrowdStrike/falconctl -s --cid=xxxxxxxxxxxxxxxxxxx
service falcon-sensor start

---------------

WINDOWS

<powershell>
Read-S3Object -BucketName falcon-agent-bucket -Key windows/current/WindowsSensor.exe -File c:\WindowsSensor.exe
c:\WindowsSensor.exe /install /quiet /norestart CID=xxxxxxxxxxxxxxxxxxx
</powershell>

(The bucket name and the object key are separate arguments to Read-S3Object; a key prefix cannot be appended to the bucket name.)

Page 14

BOOTSTRAP AT LAUNCH
Access policy for S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::falcon-agent-bucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::falcon-agent-bucket/rhel/current/*"
    }
  ]
}

(This grants read access to the RHEL package only; the Windows bootstrap on the previous slide needs a matching GetObject resource for arn:aws:s3:::falcon-agent-bucket/windows/current/*.)

Page 15

BOOTSTRAP AT LAUNCH

AWS Parameter Store

Page 16

BOOTSTRAP AT LAUNCH

AWS Parameter Store

Page 17

BOOTSTRAP AT LAUNCH
Bootstrap code for parameter store

#!/bin/bash
# Look up the current sensor package location (bucket/key) and the customer ID
agentloc=$(aws ssm get-parameter --name /falcon/alinux/current --query 'Parameter.Value' --region us-west-2 | sed 's/"//g')
cid=$(aws ssm get-parameter --name crowdstrike-customer-id --query 'Parameter.Value' --region us-west-2 | sed 's/"//g')
# The parameter value is bucket/dir/dir/file, so the fourth field is the file name
agentfile=$(echo $agentloc | awk -F / '{print $4}')
aws s3 cp s3://$agentloc /tmp
yum install /tmp/$agentfile -y
/opt/CrowdStrike/falconctl -s --cid=$cid
service falcon-sensor start

Page 18

BOOTSTRAP AT LAUNCH
Access policy for S3 and SSM

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::falcon-agent-bucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::falcon-agent-bucket/alinux/current/*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": [
        "arn:aws:ssm:us-west-2:526039161745:parameter/falcon/alinux/current",
        "arn:aws:ssm:us-west-2:526039161745:parameter/crowdstrike-customer-id"
      ]
    }
  ]
}

(If crowdstrike-customer-id is stored as a SecureString under a customer managed KMS key, the instance role also needs kms:Decrypt on that key.)
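The deck's script works, but a few things about it deserve attention before it goes into an Auto Scaling group: the CID is read without --with-decryption, so it is stored in the clear even though any process on the instance can already read user data from the metadata service; awk '{print $4}' silently breaks if the S3 key gains or loses a directory level; and nothing checks that the package downloaded is the one that was published. The variant below is an added example for this page, not the deck's or CrowdStrike's code. Its parameter names (/falcon/alinux/current holding "bucket/key", a SecureString /falcon/cid, and /falcon/alinux/current-sha256 holding the expected digest) are assumptions, as is the CID format it validates (32 hex characters, a dash and a two-character checksum); it targets a RHEL/Amazon Linux host with yum and systemd.

```shell
#!/bin/bash
# Hardened launch-time bootstrap for the Falcon sensor. Added example, not the
# deck's script. Assumed parameter names: /falcon/alinux/current ("bucket/key"
# of the RPM), /falcon/cid (SecureString), /falcon/alinux/current-sha256.
set -euo pipefail

REGION="${REGION:-us-west-2}"
AGENT_PARAM="/falcon/alinux/current"
CID_PARAM="/falcon/cid"
SHA_PARAM="/falcon/alinux/current-sha256"

# Split "bucket/prefix/.../file" with parameter expansion instead of a fixed
# awk field, so a deeper or shallower key layout does not break the install.
bucket_of() { printf '%s\n' "${1%%/*}"; }
key_of()    { printf '%s\n' "${1#*/}"; }
file_of()   { printf '%s\n' "${1##*/}"; }

# Assumed CID format: 32 hex characters, a dash, a 2-character checksum.
# Reject anything else before it is handed to falconctl.
valid_cid() {
  case "$1" in *[!0-9A-Fa-f-]*) return 1 ;; esac
  [ "${#1}" -eq 35 ] && [ "${1:32:1}" = "-" ]
}

get_param() {                      # $1 = name, $2 = extra flag or ""
  aws ssm get-parameter --region "$REGION" --name "$1" $2 \
    --query Parameter.Value --output text
}

verify_sha256() {                  # $1 = file, $2 = expected hex digest
  local actual
  actual=$(if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; \
           else shasum -a 256 "$1"; fi | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

install_falcon() {
  local agentloc cid expected file
  agentloc=$(get_param "$AGENT_PARAM" "")
  cid=$(get_param "$CID_PARAM" --with-decryption)
  expected=$(get_param "$SHA_PARAM" "")
  valid_cid "$cid" || { echo "refusing to install: malformed CID" >&2; exit 1; }
  file="/tmp/$(file_of "$agentloc")"
  aws s3 cp "s3://$(bucket_of "$agentloc")/$(key_of "$agentloc")" "$file"
  verify_sha256 "$file" "$expected" \
    || { echo "checksum mismatch for $file" >&2; rm -f "$file"; exit 1; }
  yum install -y "$file"
  /opt/CrowdStrike/falconctl -s --cid="$cid"
  systemctl enable --now falcon-sensor
  rm -f "$file"                    # do not leave the installer behind
}

if [ "${FALCON_BOOTSTRAP:-}" = "1" ]; then
  install_falcon
fi
```

As user data, drop the final guard and call install_falcon directly; the guard only exists so the helpers can be sourced and tested on their own. The instance role needs ssm:GetParameter on the three parameters (plus kms:Decrypt if the SecureString uses a customer managed key) and s3:GetObject on the package prefix, nothing wider.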

Page 19

AMI -> Launch -> Bootstrap (agent from Amazon S3, configuration from AWS Parameter Store) -> Final instance

BOOTSTRAP AT LAUNCH

Page 20

AWS Systems Manager Distributor: document + zip file deploy

§ Install software on instances managed by AWS Systems Manager
§ Deploy across a range of instances and operating systems
§ AWS EC2 and outside AWS

USING SYSTEMS MANAGER DISTRIBUTOR
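What a Distributor package for the sensor looks like end to end, as an added example for this page (not the deck's code and not a package CrowdStrike publishes): the install and uninstall scripts Distributor runs on the instance, the manifest that ties the zip to its SHA-256, and the CLI calls that register it as a Package document and push it with AWS-ConfigureAWSPackage. The package name, bucket path, tag key and the /falcon/cid parameter are assumptions; the manifest follows the Distributor package schema (schemaVersion 2.0, platform/version/architecture keys with _any wildcards, a sha256 per file).

```shell
#!/bin/bash
# Distributor package for the Falcon sensor. Added example, not the deck's or
# CrowdStrike's package. Assumptions: package name, bucket path, tag key and
# the /falcon/cid parameter are ours; the sensor RPM is passed in as $1.
set -euo pipefail

PKG_NAME="FalconSensor"
PKG_VERSION="${PKG_VERSION:-1.0.0}"
S3_PREFIX="s3://falcon-agent-bucket/distributor/$PKG_VERSION"
REGION="${REGION:-us-west-2}"

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | cut -d' ' -f1
}

# install.sh runs as root inside the unpacked zip. The CID is fetched from
# Parameter Store at install time rather than shipped in the package, so the
# instance role needs ssm:GetParameter (plus kms:Decrypt for a customer key).
write_install_script() {           # $1 = output path
  cat > "$1" <<'EOF'
#!/bin/bash
set -euo pipefail
region=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document \
  | sed -n 's/.*"region" *: *"\([^"]*\)".*/\1/p')
cid=$(aws ssm get-parameter --region "$region" --name /falcon/cid --with-decryption \
  --query Parameter.Value --output text)
yum install -y ./falcon-sensor.rpm
/opt/CrowdStrike/falconctl -s --cid="$cid"
systemctl enable --now falcon-sensor
EOF
  chmod 0755 "$1"
}

write_uninstall_script() {         # $1 = output path
  cat > "$1" <<'EOF'
#!/bin/bash
set -euo pipefail
systemctl stop falcon-sensor || true
yum remove -y falcon-sensor
EOF
  chmod 0755 "$1"
}

# manifest.json: one zip for any platform/version/architecture, pinned to its
# SHA-256 so Distributor refuses an archive that differs from what we built.
write_manifest() {                 # $1 = zip path, $2 = version, $3 = output path
  local zipname digest
  zipname=$(basename "$1")
  digest=$(sha256_of "$1")
  cat > "$3" <<EOF
{
  "schemaVersion": "2.0",
  "version": "$2",
  "packages": { "_any": { "_any": { "_any": { "file": "$zipname" } } } },
  "files": { "$zipname": { "checksums": { "sha256": "$digest" } } }
}
EOF
}

build_package() {                  # $1 = sensor RPM; prints the work directory
  local work archive
  work=$(mktemp -d); archive="falcon-sensor-$PKG_VERSION.zip"
  cp "$1" "$work/falcon-sensor.rpm"
  write_install_script "$work/install.sh"
  write_uninstall_script "$work/uninstall.sh"
  (cd "$work" && zip -q "$archive" falcon-sensor.rpm install.sh uninstall.sh)
  write_manifest "$work/$archive" "$PKG_VERSION" "$work/manifest.json"
  echo "$work"
}

publish_package() {                # $1 = work directory from build_package
  aws s3 cp "$1/falcon-sensor-$PKG_VERSION.zip" "$S3_PREFIX/"
  aws s3 cp "$1/manifest.json" "$S3_PREFIX/"
  aws ssm create-document --region "$REGION" --name "$PKG_NAME" \
    --document-type Package --version-name "$PKG_VERSION" \
    --content "file://$1/manifest.json" \
    --attachments "Key=SourceUrl,Values=$S3_PREFIX"
}

# Install on every managed instance (EC2 or on-prem) carrying the tag.
distribute() {
  aws ssm send-command --region "$REGION" --document-name AWS-ConfigureAWSPackage \
    --targets "Key=tag:FalconManaged,Values=true" \
    --parameters "action=Install,name=$PKG_NAME,version=$PKG_VERSION"
}

if [ "${DISTRIBUTOR_RUN:-}" = "1" ]; then
  dir=$(build_package "${1:?path to falcon-sensor RPM}")
  publish_package "$dir"
  distribute
fi
```

Because the manifest carries the archive's digest and the document is versioned, a later sensor release is a new PKG_VERSION with its own manifest rather than an overwritten zip, which keeps the rollout auditable.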

Page 21

§ Visibility
§ Lack of AWS metadata

IMPORTANT CHALLENGES FOR AWS CUSTOMERS

Page 22

Visibility into EC2 resources across all AWS accounts registered with Falcon Discover

FALCON DISCOVER FOR AWS

Page 23

§ Availability Zone

§ Instance Type

§ State (Running/Stopped)

§ AMI ID

§ Public IP

§ Private IP

§ Storage Volumes

§ Instance ID

§ Launch Time

§ Security Groups & Rules

§ Tags

§ VPC ID

§ Subnet

§ Region

IMPORTANT AWS METADATA

Page 24

AWS CloudTrail: you are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls. The trail can be stored/archived, used to troubleshoot, and monitored and alarmed on.

HOW FALCON DISCOVER IS LEARNING ABOUT YOUR RESOURCES

Page 25

AWS CloudFormation, AWS CloudTrail, Amazon S3, Amazon SNS, IAM role

CONNECTING FALCON DISCOVER WITH YOUR AWS ACCOUNT

Page 26

AWS CloudFormation

CONNECTING FALCON DISCOVER WITH YOUR AWS ACCOUNT

Page 27

Common AWS strategy
§ Workload isolation
§ Avoid resource conflicts
§ Clear security boundary
§ Billing benefits

Falcon Discover visibility
§ All your accounts
§ All your VPCs
§ All regions

MULTIPLE ACCOUNTS AND MULTIPLE VPCS

Page 28

AWS AGENT COVERAGE

Page 29

FILTERING ON MANAGED AND UNMANAGED INSTANCES

Page 30

FILTERING ON MANAGED AND UNMANAGED INSTANCES

Page 31

FALCON INSTANCE DETAILS DASHBOARD

Page 32

FILTERING INTERNET ACCESSIBLE SECURITY GROUPS

Page 33

AWS SECURITY HUB

Page 34

CROWDSTRIKE SECURITY HUB INTEGRATION

Page 35

TAKING ACTION WITH SECURITY HUB

Findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie and 3rd-party providers -> AWS Security Hub -> Amazon CloudWatch Events -> target options
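The wiring behind that arrow, as an added example for this page (not the deck's or CrowdStrike's code): a CloudWatch Events rule whose pattern matches imported Security Hub findings at or above a severity label, with an SNS topic as the target and the resource policy the topic needs before the events service may publish to it. The rule name, the topic ARN (placeholder account) and the HIGH threshold are assumptions; the pattern fields (source aws.securityhub, detail-type "Security Hub Findings - Imported", Severity.Label inside detail.findings) are the ones Security Hub emits.

```shell
#!/bin/bash
# Security Hub findings -> CloudWatch Events rule -> SNS target. Added example,
# not from the deck. Rule name, topic ARN (placeholder account) and threshold
# are ours; the pattern fields are what Security Hub emits for imported findings.
set -euo pipefail

REGION="${REGION:-us-west-2}"
RULE_NAME="securityhub-high-findings"
TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-west-2:123456789012:security-findings}"  # placeholder

# Security Hub severity labels, lowest to highest.
SEVERITY_ORDER="INFORMATIONAL LOW MEDIUM HIGH CRITICAL"

# Labels at or above the given minimum, e.g. HIGH -> "HIGH CRITICAL".
severity_labels_from() {           # $1 = minimum label
  local out="" found=0 l
  for l in $SEVERITY_ORDER; do
    if [ "$l" = "$1" ]; then found=1; fi
    if [ "$found" -eq 1 ]; then out="$out $l"; fi
  done
  if [ "$found" -eq 0 ]; then echo "unknown severity label: $1" >&2; return 1; fi
  printf '%s\n' "${out# }"
}

# Event pattern matching every imported finding whose severity label is at or
# above the threshold. Findings arrive as an array under detail.findings; a
# pattern on detail.findings.Severity.Label is applied to each element.
event_pattern() {                  # $1 = minimum label
  local labels json="" l
  labels=$(severity_labels_from "$1")
  for l in $labels; do json="$json\"$l\","; done
  printf '{"source":["aws.securityhub"],"detail-type":["Security Hub Findings - Imported"],"detail":{"findings":{"Severity":{"Label":[%s]}}}}\n' "${json%,}"
}

# Resource policy the topic needs before CloudWatch Events can publish to it.
topic_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sns:Publish","Resource":"%s"}]}\n' "$TOPIC_ARN"
}

create_rule() {                    # $1 = minimum label
  aws sns set-topic-attributes --region "$REGION" --topic-arn "$TOPIC_ARN" \
    --attribute-name Policy --attribute-value "$(topic_policy)"
  aws events put-rule --region "$REGION" --name "$RULE_NAME" \
    --event-pattern "$(event_pattern "$1")" --state ENABLED
  aws events put-targets --region "$REGION" --rule "$RULE_NAME" \
    --targets "Id=sns,Arn=$TOPIC_ARN"
}

if [ "${SECURITYHUB_RULE_RUN:-}" = "1" ]; then
  create_rule "${1:-HIGH}"
fi
```

To route only one provider's findings (the CrowdStrike integration, say) add a ProductArn entry next to Severity inside the findings object; the same pattern with a Lambda function as the target is how an automated response (isolate the instance, open a ticket) hangs off the finding.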

Page 36

Page 37

THANK YOU

ANY QUESTIONS?