Learn how to increase the effectiveness of your security operations as you move to the cloud. We will discuss how your current incident response, forensic investigations, monitoring, and audit response tactics have to change in the cloud. Pulling from experiences helping clients move to the cloud, industry research, and the school of hard knocks, this talk will help provide practical advice you can apply today.
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Updating Security Operations For The Cloud
Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro
26-Mar-2014
Overview
Strategy
Tactics
Auditing
Monitoring
Incident Response
Forensic Investigations
Traditional Responsibility Model
You: Operating System, Application, Account Management*, Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
Shared Responsibility Model
You: Operating System, Application, Account Management*, Security Groups*, Network Configuration*
AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
Our story
Hybrid architecture
On-premises Cloud
Full architecture
Payment
Client Data
On-premises
AWS
Payment
Games
Store
Logs
Content
Viewers
Client Data
Full architecture, expansion
AWS
Payment
Games
Store
Logs
Content
Viewers
Client Data
Payment
Client Data
On-premises
Full architecture, AWS services
AWS
Payment
Games
Store
Logs
Content
Viewers
Client Data
Amazon EC2
Amazon EC2
Amazon EC2
Amazon CloudFront
Amazon S3
Amazon EC2, Amazon RDS
Payment
Client Data
On-premises
Structure
Before
After
Bonus
Auditing
PCI Compliance
Requirements
Encrypting data at rest (3.4.1)
Address new threats & vulnerabilities (6.6)
Log external facing services & defences (10.2, 10.5.4)
Protect systems against malware (5.1)
* PCI has many, many more requirements; this is just a sample.
Creating an audit trail, before
Servers
Storage Area Network
On-premises
Firewall
IPS
Central logging
Payment
Client Data
Creating an audit trail, after
On-premises and AWS
Amazon CloudTrail
EC2 instances
Central management
Amazon S3
Amazon CloudFront, Amazon RDS
Creating an audit trail, bonus points
You get
Record of changes via AWS CloudTrail
Security control reporting via Deep Security’s API
Why it matters
Regular assurance that controls are in place
In action…
Monitoring
Visibility
Requirements
Basic event info (4W+H)
Context of the event
Consistent identity across environments
Timely
Visibility, before
On-premises
Firewall, IPS
Central logging / SIEM
Switch, Switch, Switch, Directory Server
Visibility, after
AWS
Amazon CloudTrail
EC2 instances
Amazon S3 Bucket
Amazon CloudFront, Amazon RDS
Central logging / SIEM
Amazon S3
Visibility, bonus points
You get
More work to put together events
Richer context around events
Why it matters
Visibility is key to your security practice
In action…
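The monitoring requirements above (basic event info, or 4W+H; context; a consistent identity across environments; timeliness) and the earlier audit-trail slide (a record of changes via AWS CloudTrail landing in Amazon S3 and then in central logging) both come down to the same job: turning CloudTrail records into something a SIEM can alert on. The following is an added example, not code from the talk. It parses a CloudTrail delivery file in the documented `{"Records": [...]}` shape, maps the IAM ARN to an on-premises directory account through a hypothetical lookup table (`DIRECTORY_MAP`), flags security-group changes as perimeter events, and checks delivery lag against an assumed 15-minute threshold. The two log records are constructed for this example.

```python
"""Normalize AWS CloudTrail records into the 4W+H view (who, what, when, where, how).

Added example; not code from the talk. It reads a CloudTrail delivery file
({"Records": [...]}, the documented format), maps the IAM identity to the
on-premises directory account via a hypothetical lookup table, flags
security-group changes as perimeter events, and checks delivery lag.
The log below is constructed for this example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical: IAM ARN -> directory account, so one person carries one name
# in the SIEM whether the event came from AWS or from the datacenter.
DIRECTORY_MAP: Dict[str, str] = {
    "arn:aws:iam::123456789012:user/alice": "CORP\\alice",
}

# Security-group changes alter the perimeter; raise them above plain log lines.
PERIMETER_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed sample: one console security-group change, one denied CLI call.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2014-03-26T14:05:12Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"groupId": "sg-0example",
                              "ipPermissions": {"items": [
                                  {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                   "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {
        "eventTime": "2014-03-26T14:07:40Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/1.2.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ops/bob"},
        "requestParameters": {"bucketName": "example-logs"},
        "errorCode": "AccessDenied",
    },
]})


@dataclass
class Event4WH:
    who: str          # directory account where known, otherwise the raw ARN
    what: str         # service:action
    when: datetime    # UTC
    where: str        # region and source address
    how: str          # user agent (console, CLI, SDK)
    outcome: str      # "Success" or the CloudTrail errorCode
    context: dict     # requestParameters, kept for the analyst
    perimeter: bool   # True for security-group changes


def normalize(record: dict) -> Event4WH:
    arn = record.get("userIdentity", {}).get("arn", "unknown")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return Event4WH(
        who=DIRECTORY_MAP.get(arn, arn),
        what=f'{record["eventSource"]}:{record["eventName"]}',
        when=when.replace(tzinfo=timezone.utc),
        where=f'{record.get("awsRegion", "?")} from {record.get("sourceIPAddress", "?")}',
        how=record.get("userAgent", "?"),
        outcome=record.get("errorCode", "Success"),
        context=record.get("requestParameters") or {},
        perimeter=record["eventName"] in PERIMETER_EVENTS,
    )


def load_events(log_text: str) -> List[Event4WH]:
    return [normalize(r) for r in json.loads(log_text)["Records"]]


def is_timely(ev: Event4WH, now: datetime, max_lag_seconds: int = 900) -> bool:
    """Delivery-lag check: an event older than max_lag_seconds when it reaches
    the SIEM is too stale to act on (15 minutes is an assumed threshold)."""
    return (now - ev.when).total_seconds() <= max_lag_seconds


def to_siem_line(ev: Event4WH) -> str:
    """One key=value line per event, a shape most SIEMs ingest without a custom parser."""
    level = "ALERT" if ev.perimeter else "INFO"
    return (f"{ev.when.isoformat()} {level} who={ev.who} what={ev.what} "
            f"where={ev.where!r} how={ev.how} outcome={ev.outcome} "
            f"context={json.dumps(ev.context, sort_keys=True)}")


if __name__ == "__main__":
    for ev in load_events(SAMPLE_LOG):
        print(to_siem_line(ev))
```

The identity mapping is the piece most teams skip: without it the on-premises directory log says `CORP\alice` and the cloud log says an ARN, and the analyst has to join them by hand under pressure. Keeping `requestParameters` as context is what lets the alert say which port was opened to which range, rather than just that a security group changed.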
Incident Response
Under pressure
SANS incident response process
Preparation: Get ready!
Identification: What is it?
Containment: Did we get it?
Eradication: Is it gone?
Recovery: Again?
Lessons Learned: Get better, fast!
Requirements
Quickly identify affected area
Minimize impact
Recover quickly
Incident Response, before
On-premises
Server
Analysis Report
Replacement
Improve
Incident Response, after
AWS
Server
Analysis Report
Replacement
Improve
Incident Response, bonus points
You get
Faster return to production
More time for analysis
Why it matters
Every minute of downtime counts
In action…
Optimized Response
Server
Analysis Report
Analyst
Log Processor
Replacement
API
Improve
Forensic Investigations
Rinse & Repeat
Perception
Reality
Reality, visualized
Requirements
Repeatable
Account for & prove each step
Not get in the way of recovery
Heavily documented
Forensics, before
On-premises
Server
Logs Analysis Testimony
Forensics, after
AWS
Instance
Logs Analysis Testimony
Forensics, bonus points
You get
Faster analysis & lower costs
Ability to replicate entire environment
Why it matters
Legal requirements
Better defences
In action…
Concurrent Analysis
Original
Copy 0
Copy 1
Copy 2
Examiner
Commands
Keys
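The forensics requirements (repeatable, account for and prove each step, stay out of the way of recovery, heavily documented) and the "Concurrent Analysis" slide describe one workflow: hash the original once, cut several working copies from it, prove each copy identical before an examiner touches it, and record every command in a custody log. The following is an added example, not code from the talk. It models that workflow on a local directory with a constructed byte string standing in for the disk image (in practice the original would be a volume snapshot); the examiner names, the command strings and the hash-chained log format are assumptions of this example.

```python
"""Hash-verified working copies with a chain-of-custody log.

Added example; not code from the talk. The original image is hashed once and
made read-only, N working copies are cut from it, each copy is proven identical
to the original before it is examined, and every step (time, actor, target,
hash) goes into an append-only log where each entry commits to the previous
one. The "image" is a constructed byte string, not real evidence.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Tuple

GENESIS = "0" * 64  # previous-hash value for the first custody entry


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON lines; each entry stores the hash of the previous line,
    so a deleted or reordered entry shows up when the chain is verified."""

    def __init__(self, path: Path):
        self.path = path
        self.prev = GENESIS

    def record(self, actor: str, action: str, target: str, digest: str) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "target": target, "sha256": digest, "prev": self.prev}
        line = json.dumps(entry, sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        with self.path.open("a") as f:
            f.write(line + "\n")
        return entry

    def verify_chain(self) -> bool:
        prev = GENESIS
        for line in self.path.read_text().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def acquire(image: bytes, workdir: Path, actor: str) -> Tuple[Path, str, CustodyLog]:
    """Write the original once, make it read-only, hash it, open the log."""
    original = workdir / "original.img"
    original.write_bytes(image)
    original.chmod(0o400)  # nobody, including the examiner, writes the original
    log = CustodyLog(workdir / "custody.jsonl")
    digest = sha256_file(original)
    log.record(actor, "acquire", original.name, digest)
    return original, digest, log


def verify_copy(copy: Path, reference_digest: str) -> bool:
    return sha256_file(copy) == reference_digest


def make_copies(original: Path, reference_digest: str, n: int,
                log: CustodyLog, actor: str) -> List[Path]:
    """Cut n working copies; each must hash to the reference before use."""
    copies = []
    for i in range(n):
        copy = original.parent / f"copy{i}.img"
        shutil.copyfile(original, copy)
        digest = sha256_file(copy)
        if digest != reference_digest:
            log.record(actor, "copy-mismatch", copy.name, digest)
            raise ValueError(f"{copy.name} does not match the original")
        log.record(actor, "copy-verified", copy.name, digest)
        copies.append(copy)
    return copies


def examiner_command(copy: Path, command: str, log: CustodyLog, actor: str) -> dict:
    """Log a command run against a working copy together with the copy's hash
    afterwards, so a tool that silently modified the copy is visible."""
    return log.record(actor, f"command:{command}", copy.name, sha256_file(copy))


def run_demo(n_copies: int = 3) -> dict:
    workdir = Path(tempfile.mkdtemp(prefix="forensics-"))
    image = b"constructed disk image, not real evidence\n" * 2048
    original, digest, log = acquire(image, workdir, "examiner-0")
    copies = make_copies(original, digest, n_copies, log, "examiner-0")
    copy_hashes = [sha256_file(c) for c in copies]
    # One examiner per copy, working at the same time (the slide's Copy 0..2).
    for i, copy in enumerate(copies):
        examiner_command(copy, f"strings {copy.name}", log, f"examiner-{i}")
    # Simulate a tool that wrote to a working copy: the hash check catches it.
    with copies[0].open("ab") as f:
        f.write(b"\x00")
    return {
        "original_sha256": digest,
        "copies": copy_hashes,
        "original_untouched": verify_copy(original, digest),
        "tamper_detected": not verify_copy(copies[0], digest),
        "chain_ok": log.verify_chain(),
        "entries": len(log.path.read_text().splitlines()),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the hash chain is the "prove each step" requirement: a reviewer can recompute it from the log file alone and see whether anything was removed or reordered after the fact. Keeping the original read-only and handing examiners only copies is what lets the analysis run concurrently without getting in the way of recovery.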
Auditing, Monitoring, IR, Forensics
Thank you.
Mark Nunnikhoven [email protected] @marknca