© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Updating Security Operations For The CloudMark Nunnikhoven Vice President, Cloud & Emerging Technologies Trend Micro

26-Mar-2014

Overview

Strategy Tactics

Tactics

Tactics

Auditing

Monitoring

Incident Response

Forensic Investigations

Traditional Responsibility Model

!

Operating System

Application

Account Management*

You

Facilities

Physical Security

Physical Infrastructure

Network Infrastructure

Virtualization Infrastructure

Shared Responsibility Model

You

Operating System

Application

Account Management*

Security Groups*

Network Configuration*

AWS

Facilities

Physical Security

Physical Infrastructure

Network Infrastructure

Virtualization Infrastructure

Our story

Hybrid architecture

On-premises Cloud

Full architecture

Payment

Client Data

On-premises

AWS

Payment

Games

Store

Logs

Content

Viewers

Client Data

Full architecture, expansion

AWS

Payment

Games

Store

Logs

Content

Viewers

Client Data

Payment

Client Data

On-premises

Full architecture, AWS services

AWS

Payment

Games

Store

Logs

Content

Viewers

Client Data

Amazon EC2

Amazon EC2

Amazon EC2

Amazon CloudFront

Amazon S3

Amazon EC2Amazon RDS

Payment

Client Data

On-premises

Before After

Structure

Bonus

Auditing

PCI Compliance

Requirements

Encrypting data at rest (3.4.1)

Address new threats & vulnerabilities (6.6)

Log external facing services & defences (10.2, 10.5.4)

Protect systems against malware (5.1)

* PCI has many, many more requirements, this is just a sample

Creating an audit trail, before

Servers

Storage Area Network

On-premises

Firewall

IPS

Central logging

Payment

Client Data

On-premises AWS

Amazon CloudTrail

EC2 instances

Central management

Amazon S3

Amazon CloudFrontAmazon RDS

Creating an audit trail, after

Creating an audit trail, bonus points

You get

Record of changes via AWS CloudTrail

Security control reporting via Deep Security’s API

Why it matters

Regular assurance controls are in place

In action…

Monitoring

Visibility

Requirements

Basic event info (4W+H)

Context of the event

Consistent identity across environments

Timely

Visibility, before

On-premises

FirewallIPS

Central logging SIEM

SwitchSwitchSwitchDirectory Server

AWS

Amazon CloudTrail

EC2 instances

Amazon S3 Bucket

Amazon CloudFrontAmazon RDS

Visibility, after

Central loggingSIEM

Amazon S3

Visibility, bonus points

You get

More work to put together events

Richer context around events

Why it matters

Visibility is key to your security practice

In action…

Incident Response

Under pressure

SANS incident response process

Preparation

Identification

Containment

EradicationRecovery

Lessons Learned

Get ready!

What is it?

Did we get it?

Is it gone?Again?

Get better, fast!

Requirements

Quickly identify affected area

Minimize impact

Recovery quickly

Server

On-premises

Analysis Report

Incident Response, before

Replacement

Improve

AWS

Incident Response, after

Server

Analysis Report

Replacement

Improve

Incident Response, bonus points

You get

Faster return to production

More time for analysis

Why it matters

Every minute of downtime counts

In action…

Server Analysis Report

Analyst

Optimized Response

LogProcessor

Replacement

API Improve

Forensic Investigations

Rinse & Repeat

Perception

Reality

Reality, visualized

Requirements

Repeatable

Account for & prove each step

Not get in the way of recovery

Heavily documented

Forensics, before

Server

On-premises

Logs Analysis Testimony

AWS

Forensics, after

Instance

Logs Analysis Testimony

Forensics, bonus points

You get

Faster analysis & lower costs

Ability to replicate entire environment

Why it matters

Legal requirements

Better defences

In action…

Original

Concurrent Analysis

Examiner

Copy 0

Copy 1

Copy 2

Commands

Keys

Auditing Monitoring IR Forensics

Thank you.

Mark Nunnikhoven mark_nunnikhoven@trendmicro.com @marknca