Using Security To Build With Confidence In AWS Sasha Pavlovic Director, Cloud and Datacenter Security | APAC

The Story

More at aws.trendmicro.com

2012 re:Invent SPR203 : Cloud Security is a Shared Responsibility http://bit.ly/2012-spr203

2013 re:Invent SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud http://bit.ly/2013-sec208

SEC307: How Trend Micro Build their Enterprise Security Offering on AWS http://bit.ly/2013-sec307

2014 re:Invent SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313

SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314

Shared Responsibility Model

AWS

Physical

Infrastructure

Network

Virtualisation

You

Operating System

Applications

Data

Service Configuration

More at aws.amazon.com/security

Shared Responsibility Model

AWS

Physical

Infrastructure

Network

Virtualisation

You

Operating System

Applications

Data

Service Configuration

More at aws.amazon.com/security

Vulnerability Respond Repair

Vulnerability

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

by Andreas Lindh (@addelindh)

bash is a common command line interpreter

a:() { b; } | attack

10 | 10 vulnerability. Widespread & easy to exploit

Shellshock Impact

1989 Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

"MicroTAC" by Redrum0486 at English Wikipedia

12.3oz

Time Since Last Event Event Action Action Timeline

1989-­‐08-­‐05  8:32   Added  to  codebase  

27  days,  10:20:00   Released  to  public  

9141  days,  21:18:35   Ini?al  report   React   Clock  starts  

1  day,  22:19:13   More  details   React  

2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25

5  days,  9:16:35   Limited  disclosure  ::  CVE-­‐2014-­‐6271   React  

2  days,  4:37:25   More  details   React  

3:44:00   More  details   React  

0:27:51   Public  disclosure   React  

0:36:30   More  details   React  

0:34:39   Public  disclosure  ::  CVE-­‐2014-­‐7169   React  

1:19:16   More  details   React  

15:15:44   More  details   React  

4:45:26   More  details   React  

3:03:34   More  details   React  

11:34:00   Mi?ga?on  ::  CVE-­‐2014-­‐7169   React  

4:58:00   More  details   React  

3:34:51   More  details   React  

3:29:09 Official patch :: CVE-2014-7169 Patch 9 days, 19:17:00

1:09:00   More  details   React  

2:07:00   Mi?ga?on  ::  CVE-­‐2014-­‐7169   React  

2:27:00   More  details   React  

23:50:00   More  details   React  

17:46:00   More  details   React  

7:24:00   More  details   React  

2  days,  7:21:00   Public  disclosure  ::  CVE-­‐2014-­‐6277  &  CVE-­‐2014-­‐6278   React  

0:11:00   More  details   React  

3:15:00 Official  patch  ::  CVE-­‐2014-­‐7186,  CVE-­‐2014-­‐7187   Patch   4  days,  17:30:00  

1 day, 11:55:00 Official  patch  ::  CVE-­‐2014-­‐6277   Patch   1  day,  11:55:00  

2  days,  20:24:00   Official  patch  ::  CVE-­‐2014-­‐6278   Patch   2  days,  20:24:00  

Important Shellshock Events Time Since Last Event Event Action Action Timeline

1989-­‐08-­‐05  8:32   Added  to  codebase  

27  days,  10:20:00   Released  to  public  

9141  days,  21:18:35   Ini?al  report   React   Clock  starts  

2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25

3:29:09 Official patch :: CVE-2014-7169 Patch 9 days, 19:17:00

3:15:00 Official  patch  ::  CVE-­‐2014-­‐7186,  CVE-­‐2014-­‐7187   Patch   4  days,  17:30:00  

1 day, 11:55:00 Official  patch  ::  CVE-­‐2014-­‐6277   Patch   1  day,  11:55:00  

2  days,  20:24:00   Official  patch  ::  CVE-­‐2014-­‐6278   Patch   2  days,  20:24:00  

Respond

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Day 1

aws.amazon.com/architecture : Web application hosting

aws.amazon.com/architecture : Web application hosting

TCP : 443 TCP : 443 TCP : 4433 TCP : 4433

Primary workflow for our deployment

AWS VPC Review

AWS VPC Checklist

Review

IAM roles

Security groups

Network segmentation

Network access control lists (NACL)

More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf

TCP : 443 TCP : 443 TCP : 4433 TCP : 4433

Primary workflow for our deployment

HTTPS HTTPS HTTPS SQLi SSH

Intrusion prevention can look at each packet and then take action depending on what it finds

aws.amazon.com/architecture : Web application hosting

Intrusion Prevention in Action

Review

All instances covered

Workload appropriate rules

Centrally managed

Security controls must scale out automatically with the deployment

Repair

©2015,  Amazon  Web  Services,  Inc.  or  its  affiliates.  All  rights  reserved

Day 2

aws.amazon.com/architecture : Web application hosting

All instances deployment from task-specific AMI

TCP : 443 TCP : 443 TCP : 4433 TCP : 4433

Workflow should be completely automated

Instantiate Destroy Configure

AMI Creation Workflow

Bake Instantiate Test

AMI Creation

aws.amazon.com/architecture : Web application hosting

Instances tend to drift from the known good state, monitoring key files & processes is important

AMI Instance

Alert Integrity Monitoring

Integrity Monitoring

Keys

Respond

Review configuration

Apply intrusion prevention Repair

Patch vulnerability in new AMI

Leverage integrity monitoring

Keys

Automation

Safe. Easy. Fast.™

MatchMove Wallet’s Cloud journey

Presented by: Paul Hidalgo Cloud Architect, MatchMove Pay Pte Ltd

Safe. Easy. Fast.™

•  Founded  in  2009  

•  Investors  are  Vickers  Group,  Credit  Saison  and  GMO  

•  6  Countries  in  ASEAN  

•  PAAS  /  Gaming  Company  

Issuer of American Express and MasterCard across Asia

www.mmvpay.com

Secure Payment

Accepted Everywhere

Good for small/micro-transactions

No Age Limit No Minimum Income

No Risks of overspending

Loyalty Deals

Remittance

View Card 3 minute Sign Up Easy Top-Up Transactions

Notifications Easy Menu Promotions AML/Compliance (KYC)

B2B Model

Safe. Easy. Fast.™

Promo

•  First 50 Signups from this event will get $5 worth of top-up Free.

•  You can use this to pay your AWS Bills! No Bill Shock!

Safe. Easy. Fast.™

How ?

•  Sign up on this URL:

•  matchmove.cards/paul5

Safe. Easy. Fast.™

Our Journey

Safe. Easy. Fast.™

Our challenge

•  Industry  Credibility  

•  Scalability  

•  World  Class  Security  

•  Cost  

•  Delivery  Speed  

Safe. Easy. Fast.™

Our Plan

•  All-­‐Cloud  

•  PCI-­‐DSS    

•  Automated  Security  

•  Modular    

Safe. Easy. Fast.™

Our ecosystem

MatchMove Network

Banks

Regulatory and Compliance

Payment Providers

Processor

Safe. Easy. Fast.™

Cloud design

AWS cloud / VPC

Internet instances

Safe. Easy. Fast.™

What we Needed •  Our instances needs to

get the latest updates without going online

•  Anti-Malware Patching

•  New Configurations

•  New Threats

•  Centralized Security Logging

Safe. Easy. Fast.™

Our implementation

VPC

Internet Web Servers

Private Subnet Public Subnet

Deep Security Manager

Safe. Easy. Fast.™

Compliance

• 33/202 •  PCI-DSS 3.0 Requirements

Safe. Easy. Fast.™

Not Just AV/IPS/Malware

•  Source Code Monitoring

•  Configuration File Monitoring

•  Log Checks

Safe. Easy. Fast.™

Not Just AV/IPS/Malware

•  Logins

•  Web 500 Errors

•  Memory Issues

Safe. Easy. Fast.™

Automated Testing

•  Weekly Scans even we are not on audit period

Safe. Easy. Fast.™

Shared Security

Infrastructure Level!

DDOS  &  DDOS  Security  Groups  (Firewall)  CPU  Usage  Memory  Cloud  Logs  

MatchMove  Trend  Micro  AWS    

OS And Application Level!

Malware  File  Integrity  Server  Hardening  VPN  and  Encryp?on  Vulnerabili?es    

MatchMove  Trend  Micro  AWS    

Safe. Easy. Fast.™

Shared Security

User Access Controls and Security!

Access  Responsibility  2FA  Secure  Passwords  User  Data  Encryp?on  

MatchMove  End  User  Partner  

Monitoring and Alerts!Vigilante  24/7  Monitoring  Cloud  /  Intrusion  Alerts    

MatchMove  Trend  Micro  AWS  Partner  

Safe. Easy. Fast.™

Instant-on Security

Web Server

Web Servers

Elastic Load Balancing

Web Servers

Web Servers

Deep Security Manager

Safe. Easy. Fast.™

Continuous Security

Testing

DSM

MySQL

Production

DSM

MySQL

Policies Rules Rollouts

Safe. Easy. Fast.™

Real Life ddos Analysis Detection

Location

Safe. Easy. Fast.™

lessons •  We saved money and time

because instead of hiring a security team

•  We didn’t know attacks happen THAT frequently even on our test environments

Safe. Easy. Fast.™

lessons •  Building a secure cloud

infrastructure can be challenging to begin with but it all works out in the end

•  Cloudformation / Opsworks / Beanstalk is your friend

•  Better know Account Limits (ie LB) so you can better plan ahead

Safe. Easy. Fast.™

aws.trendmicro.com

Singapore