CMI-F03 Cloud Security Strategy - Adapt to Changes with ... · PDF fileCloud Security Strategy - Adapt to Changes with Security Automation - ... Elastic Load Balancing. Load Balancer

SESSION ID:SESSION ID:

#RSAC

Hayato Kiriyama

Cloud Security Strategy- Adapt to Changes with Security Automation -

CMI-F03

Security Solutions ArchitectAmazon Web Services Japan K.K.@hkiriyam1

#RSAC

Agenda

11

New Normal of Security Architecture

Security Best-Mix to Adapt to Changes

Security Automation as a New Solution

#RSAC

Agenda

12




#RSAC

https://www.youtube.com/watch?v=D5-ifl7KJ00

#RSAC

Cloud has become the New Normal.

Companies of every size are deploying new applications to the cloud by default.

Andy Jassy, Chief Executive Officer, Amazon Web ServicesAWS re:Invent 2015

https://www.youtube.com/watch?v=D5-ifl7KJ00

#RSAC

http://www.youtube.com/watch?v=nsStpwFYcPc&t=28m40s

#RSAC

The only rational response to risk is to be proactive in how we engage with changes.

If you are not disrupting your own markets, someone else will disrupt them for you.

Eric Tucker, IT Chief Technology Officer, GE Global ResearchAWS Summit Tokyo 2016

http://www.youtube.com/watch?v=nsStpwFYcPc&t=28m40s

#RSAC

IT in the Cloud Era

17

ElectricPower

Computing

Private Electric Generator Electric Utility Provider

On-premise Servers

Ownership Utilization

Cloud Service Provider

#RSAC

IT Capacity (On-premise)

18

Rapid Growth or M&A

Lack of Capacity= Opportunity Loss

Surplus CapacitySurplus Capacity

Unpredictable Peak

#RSAC

IT Capacity (Cloud)

19

Rapid Growth or M&A Unpredictable Peak

Freedom from Surplus and Lack of Capacity

Freedom from Surplus Capacity

Freedom from Capacity Sizing

#RSAC

The Value of Cloud

20

Improvement

Innovation Can do what we couldn’t do

Easier, Faster, Cheaper

#RSAC

The Value of Cloud

21

Improvement


Disruption Bring the old value to naught“Normal” to “New Normal”

Easier, Faster, Cheaper

#RSAC

“Normal” Security Issues

22

Are current security measures effective?

How much should we invest in security?

Is ROI optimized?

#RSAC

Can We Calculate Security ROI?

23

Return

Investment

Protected amount of money applied by security measures

Pure cost of security measures

#RSAC

Can We Calculate Security ROI? NO!

24

Return

Investment

Direct CostIncident Response ExpensesExisting Customers Lost

Measurable

Indirect CostBusiness Opportunity LostProspective Customers Lost

Unmeasurable

IT Investment Facility Investment Training

What is the percentage of Security?

#RSAC

Security is becoming a fabric item.It’s woven through every major

technical decision.

Security Investment Can Not Be Unraveled

https://www.youtube.com/watch?v=zUVCNitSlmA

Mark McLaughlinPresident & CEO, Palo Alto Networks

Ignite 2015

#RSAC

Start with Risk (Risk-based Approach)

26

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

NIST SP800-53Security and Privacy Controls for Federal Information Systems and Organizations

“Select the appropriate security controls in accordance with the required security levels.”

“Tailor security control baselines to achieve the needed level of protection in accordance with organizational assessments of risk.”

#RSAC

Security Risk Formula

27

Threats Vulnerabilities InformationalAssets

• Malware• Targeted Attack• DDoS Attack

• Security Hole• Misconfiguration• Psychological

• Corporate Confidential• Personal Information• Intellectual Property

#RSAC

Risks keep changing

28

• Social Event• Corporate News• Corporate Reputation

• Asset Investment• Organization Growth• Hiring & Deployment

• Business Growth• M&A/IPO• Company Split-up

Threats Vulnerabilities InformationalAssets

#RSAC

Adapt Security Level to Risk Changes

29

Changing Security Risk

#RSAC

Adapt Security Level to Risk Changes

30

Changing Security Risk

Optimal Security Level

#RSAC

From ROI to Adaptiveness

31

“Normal” “New Normal”

What we look at Return On Investment (ROI) Adaptiveness to changes

What it looks like

0 1 2 3 4Changing Security Risk

Adapted Security LevelIncreased Security Level

#RSAC

Agenda

32




#RSAC

Categories by Adaptiveness

33

Fixed Security

Corporate Security

Situational Security

Data CenterServer

Network

EncryptionVulnerbility Mngt.

Access Control

Threat Intelligence

Incident responseAdaptiveness

High

Middle

Low

Category Usecases

FacilityStorage

Hypervisor

Log ManagementData Protection

FW/IPS/IDS

Correlation

ForensicsEDR UEBA

#RSAC

[REF] Electric Power Best Mix

34

Electric Power

Demand

0 6 12 18 24(H)

nuclear electric power

thermal electric power

pumped-storage hydroelectric power

#RSAC

Security Best Mix

35

Secu

rity

Leve

l

Fixed Security

Adaptiveness Cost

Corporate Security

High

Middle

Low

High

Middle

Low

Situational Security

#RSAC

Security Best Mix in the Cloud Era

36

Economies of Scaleby Cloud Service Provider(Cost)

Compliance as CodeDevSecOpsBased on regulatory compliance(Reusability/Repeatability)

Security Automation(Adaptability)

Secu

rity

Leve

l

Fixed Security(Security of the cloud)

Corporate Security(Security in the cloud)

Situational Security(Security by the cloud)

Power Source (Driver)

#RSAC

Security Best Mix in the Cloud Era

37

Economies of Scaleby Cloud Service Provider(Cost)

Compliance as CodeDevSecOpsBased on regulatory compliance(Reusability/Repeatability)

Security Automation(Adaptability) What and How?

Secu

rity

Leve

l

Fixed Security(Security of the cloud)

Corporate Security(Security in the cloud)

Situational Security(Security by the cloud)

Power Source (Driver)

#RSAC

Minimize the Gap to Adapt

38

2. Early Detection1. Granular ResponseSe

curit

y Le

vel

TimeChanging Security Risk

Adapted Security Level

#RSAC


39

2. Early Detection1. Granular Response

• Many Small Services• Independently Deployable• Loosely Coupled

MicroservicesArchitecture

#RSAC


40



• Massive Security Logs• Threat Intelligence• Event Driven / API Call


Data ManagementInfrastructure

#RSAC


41




Cloud Makes It Easier and Possible

Data ManagementInfrastructure

• Massive Security Logs• Threat Intelligence• Event Driven / API Call

#RSAC

Agenda

42




#RSAC

Gartner’s Adaptive Security Architecture

Harden and Isolate Systems

Divert Attackers

Prevent Incidents

Detect Incidents

Confirm and Prioritize

Contain IncidentsInvestigate / Forensics

Design / Model Changes

Remediate / Make Changes

Baseline Systems

Predict Attacks

Proactive Exposure Assessment

ContinuousMonitoring

andAnalytics

Predict Prevent

DetectRespond

#RSAC

AWS Service Mapping

44

AWSConfig

Amazon Inspector

3rd PartyData Feed

AWSLambda

Amazon EBS

AmazonSNS

AWSCloudFormation

Amazon VPC flow logs

3rd Party SIEM

NACL SG

AWS WAF

3rd Party IDS

Amazon CloudFront

AWSCloudTrail

Amazon CloudWatch

Predict Prevent

DetectRespondAuto Scaling

#RSAC

Auto Scaling

Use Case: Mitigate External Attacks

45

AWSConfig

Amazon Inspector

Amazon EBS

AWSCloudFormation


3rd Party SIEM

NACL SG

3rd Party IDS

AWSCloudTrail

Predict Prevent

DetectRespond

Amazon CloudWatch

3rd PartyData Feed

AWS WAFAmazon

CloudFront

AWSLambda

AmazonSNS

#RSAC

AWS WAFWeb Application

Firewall

Attacker

User

Amazon CloudFrontContent Delivery

Network

Elastic Load Balancing

Load Balancer

Amazon EC2Web servers

Amazon RDSDatabase

Automatic Update on WAF rule with IP Black List

AWS WAF Security Automationshttps://aws.amazon.com/jp/answers/security/aws-waf-security-automations/

#RSAC

Amazon CloudWatchResource Monitoring


Firewall

Attacker

AWSLambda

Function as a Service

User

①Execute hourly


Network


Load Balancer


Amazon RDSDatabase

AWS WAF Security Automationshttps://aws.amazon.com/jp/answers/security/aws-waf-security-automations/


#RSAC



Firewall

Attacker

AWSLambda


User

①Execute hourly


Network


Load Balancer


Amazon RDSDatabase

3rd partyReputation ListAWS WAF Security Automations

https://aws.amazon.com/jp/answers/security/aws-waf-security-automations/

②Check for malicious IP addresses


#RSAC



Firewall

Attacker

AWSLambda


User

①Execute hourly

③Add to an AWS WAF block list


Network


Load Balancer


Amazon RDSDatabase





#RSAC



Firewall

Attacker

AWSLambda


User

①Execute hourly

③Add to an AWS WAF block list

④Block the traffic from malicious IP addresses


Network


Load Balancer


Amazon RDSDatabase





#RSAC

EC2 InstancesAvailability Zone 1b

Availability Zone 1a

Auto

Sca

ling

Grou

p

Contain and Notify an Incident by Scale-out


Network


Load Balancer

#RSAC



Auto

Sca

ling

Grou

p①Massive traffic



Network


Load Balancer

#RSAC



Auto

Sca

ling

Grou

p①Massive traffic

②Automatic traffic distribution by scale-out



Network


Load Balancer

#RSAC



Auto

Sca

ling

Grou

p①Massive traffic


AmazonSNS

Notification Service

③Notify the scaling event



Network


Load Balancer

#RSAC



Auto

Sca

ling

Grou

p①Massive traffic


AmazonSNS


③Notify the scaling event

④Call an arbitrary function



NetworkAWS

LambdaFunction as a Service


Load Balancer

#RSAC

Use Case: Assess Risks to Manage Internal Endpoints

56

AWSConfig

Auto Scaling

AWS WAFAmazon

CloudFront

3rd PartyData Feed

AWSCloudFormation 3rd Party SIEM

3rd Party IDS

Predict Prevent

DetectRespond

Amazon CloudWatch

Amazon Inspector

NACL SG


Amazon EBS

AWSCloudTrail

AWSLambda

AmazonSNS

#RSAC

EC2 InstanceEndpoint

Amazon InspectorSecurity Assessment

Amazon EBSBlock Storage

Security GroupStateful Firewall

Network ACLStateless Firewall

Automate Quarantine and Backup

AWSLambda


#RSAC







①Run a security assessment

AWSLambda


#RSAC








AWSLambda


②Vulnerability scan to endpoint

#RSAC









③Notify the scan results

AmazonSNS


AWSLambda


#RSAC









③Notify the scan results④Quarantine the endpoint by firewalls

AmazonSNS


AWSLambda


AWSLambda


#RSAC










snapshot

⑤Copy a disk image for backup

AmazonSNS


AWSLambda


AWSLambda


#RSAC






AWSCloudTrail

Operation Log Service





snapshot

⑤Copy a disk image for backup

⑥Record the backup log

AmazonSNS


AWSLambda


AWSLambda


#RSAC

The Value of Cloud Security

64

Improvement


Disruption Bring the old value to naught“ROI” to “Adaptiveness to changes”

granular response through the microservices

Earlier detection on data management infrastructureEasier, Faster, Cheaper

#RSAC

Summary

65

Be adaptive to the changes of security risksBest-mix security by its adaptivenessCloud makes it easy and possible with

Security Automation

#RSAC

“Apply”

66

Apply cloud technology to improve readiness and responsiveness. (e.g. AWS provides automated security)

Mix different types of security in adaptiveness to attain the necessary security level. Recommend to use:

security of cloud for fixed securitysecurity in cloud for corporate securitysecurity by cloud for situational security

#RSAC

Thank you!

Documents

CMI-F03 Cloud Security Strategy - Adapt to Changes with ... · PDF fileCloud Security Strategy - Adapt to Changes with Security Automation - ... Elastic Load Balancing. Load Balancer