Using Security to Build with Confidence in AWS - Trend Micro
Transcript of Using Security to Build with Confidence in AWS - Trend Micro
Using Security To Build With Confidence In AWS
Sasha Pavlovic, Director, Cloud and Datacenter Security | APAC
The Story
More at aws.trendmicro.com
2012 re:Invent SPR203 : Cloud Security is a Shared Responsibility http://bit.ly/2012-spr203
2013 re:Invent SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud http://bit.ly/2013-sec208
SEC307: How Trend Micro Build their Enterprise Security Offering on AWS http://bit.ly/2013-sec307
2014 re:Invent SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314
Shared Responsibility Model
AWS: Physical, Infrastructure, Network, Virtualisation
You: Operating System, Applications, Data, Service Configuration
More at aws.amazon.com/security
Vulnerability Respond Repair
Vulnerability
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
by Andreas Lindh (@addelindh)
bash is a common command line interpreter
a:() { b; } | attack
10/10 vulnerability: widespread & easy to exploit
Shellshock Impact
1989
Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
[Image: "MicroTAC" (12.3oz) by Redrum0486 at English Wikipedia]
Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
1 day, 22:19:13 | More details | React |
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
5 days, 9:16:35 | Limited disclosure :: CVE-2014-6271 | React |
2 days, 4:37:25 | More details | React |
3:44:00 | More details | React |
0:27:51 | Public disclosure | React |
0:36:30 | More details | React |
0:34:39 | Public disclosure :: CVE-2014-7169 | React |
1:19:16 | More details | React |
15:15:44 | More details | React |
4:45:26 | More details | React |
3:03:34 | More details | React |
11:34:00 | Mitigation :: CVE-2014-7169 | React |
4:58:00 | More details | React |
3:34:51 | More details | React |
3:29:09 | Official patch :: CVE-2014-7169 | Patch | 9 days, 19:17:00
1:09:00 | More details | React |
2:07:00 | Mitigation :: CVE-2014-7169 | React |
2:27:00 | More details | React |
23:50:00 | More details | React |
17:46:00 | More details | React |
7:24:00 | More details | React |
2 days, 7:21:00 | Public disclosure :: CVE-2014-6277 & CVE-2014-6278 | React |
0:11:00 | More details | React |
3:15:00 | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
1 day, 11:55:00 | Official patch :: CVE-2014-6277 | Patch | 1 day, 11:55:00
2 days, 20:24:00 | Official patch :: CVE-2014-6278 | Patch | 2 days, 20:24:00
Important Shellshock Events
Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
3:29:09 | Official patch :: CVE-2014-7169 | Patch | 9 days, 19:17:00
3:15:00 | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
1 day, 11:55:00 | Official patch :: CVE-2014-6277 | Patch | 1 day, 11:55:00
2 days, 20:24:00 | Official patch :: CVE-2014-6278 | Patch | 2 days, 20:24:00
Respond
Day 1
aws.amazon.com/architecture : Web application hosting
TCP : 443 TCP : 443 TCP : 4433 TCP : 4433
Primary workflow for our deployment
AWS VPC Review
AWS VPC Checklist
Review
IAM roles
Security groups
Network segmentation
Network access control lists (NACL)
More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
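As an added example (not code from the talk, from Trend Micro or from AWS), the following Python performs the "Security groups" part of the review above: it walks security-group ingress rules and flags anything reachable from the whole Internet that is not one of the expected ports. The rule dicts follow the shape boto3's describe_security_groups() returns, but the sample groups are constructed inline so the check runs offline; the policy that only TCP 443 and 4433 may face the Internet is taken from the port labels on the diagram and is otherwise an assumption.

```python
"""Added example: review security-group ingress rules for world-open ports.
Sample data is constructed; the allowed-port policy is an assumption."""
import ipaddress

# Ports the reference web-hosting diagram exposes to the Internet (443 and
# 4433 appear on the slides); anything else open to 0.0.0.0/0 or ::/0 is flagged.
INTERNET_FACING_PORTS = {443, 4433}


def is_world_open(ip_range):
    """True when the range is 0.0.0.0/0 or ::/0, i.e. any source address."""
    cidr = ip_range.get("CidrIp") or ip_range.get("CidrIpv6")
    if cidr is None:
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_security_group(group, allowed_ports=INTERNET_FACING_PORTS):
    """Return a list of finding strings for one security-group dict."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        from_port = perm.get("FromPort")
        to_port = perm.get("ToPort")
        ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
        if not any(is_world_open(r) for r in ranges):
            continue  # only Internet-reachable rules concern this check
        if proto == "-1":  # boto3 uses "-1" for "all protocols", no ports
            findings.append(f"{gid}: all protocols open to the world")
            continue
        if from_port is None or to_port is None:
            continue  # e.g. ICMP entries without a port span
        if to_port != from_port:
            findings.append(
                f"{gid}: port range {from_port}-{to_port}/{proto} open to the world")
            continue
        if from_port not in allowed_ports:
            findings.append(f"{gid}: port {from_port}/{proto} open to the world")
    return findings


def review_all(groups):
    """Flatten findings across every group, in input order."""
    return [f for g in groups for f in review_security_group(g)]


# Constructed sample: a web tier that also leaked SSH to the world, and an
# app tier that is correctly private on 4433 but wide open over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_GROUPS):
        print(finding)
```

Against a real account the same functions can be fed the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()`; the check deliberately ignores rules whose source is a private CIDR or another security group, because those belong to the network-segmentation item rather than to Internet exposure.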
HTTPS HTTPS HTTPS SQLi SSH
Intrusion prevention can look at each packet and then take action depending on what it finds
Intrusion Prevention in Action
Review
All instances covered
Workload appropriate rules
Centrally managed
Security controls must scale out automatically with the deployment
Repair
Day 2
All instances deployed from a task-specific AMI
Workflow should be completely automated
Instantiate Destroy Configure
AMI Creation Workflow
Bake Instantiate Test
AMI Creation
Instances tend to drift from the known-good state, so monitoring key files & processes is important
AMI Instance
Alert Integrity Monitoring
Integrity Monitoring
Keys
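An added example, not code from the talk and not part of Deep Security's integrity monitoring, of the idea behind the slide above: record a baseline of file hashes and permission bits when the instance is first launched from its AMI, then compare a later snapshot against it and raise one event per drifted file. The directory tree and its files are constructed in a temporary directory so the script runs anywhere; the paths it watches are illustrative assumptions.

```python
"""Added example: baseline-and-compare file integrity check.
The 'golden AMI' tree below is constructed in a temp dir for the demo."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file (path relative to root) to (sha256, permission bits)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = (hash_file(full), mode)
    return baseline


def detect_drift(baseline, current):
    """Compare two baselines; return sorted (kind, path) events."""
    events = []
    for rel in baseline.keys() - current.keys():
        events.append(("deleted", rel))
    for rel in current.keys() - baseline.keys():
        events.append(("added", rel))
    for rel in baseline.keys() & current.keys():
        old_hash, old_mode = baseline[rel]
        new_hash, new_mode = current[rel]
        if old_hash != new_hash:
            events.append(("modified", rel))
        elif old_mode != new_mode:
            events.append(("permissions", rel))
    return sorted(events)


def demo():
    """Build a small 'golden' tree, let it drift, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(os.path.join(etc, "passwd"), 0o644)
        golden = take_baseline(root)  # taken right after the AMI boots

        # Simulated drift: a config edit, a dropped binary, a loosened mode.
        with open(os.path.join(etc, "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"\x7fELF")
        os.chmod(os.path.join(etc, "passwd"), 0o666)
        return detect_drift(golden, take_baseline(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:12} {path}")
```

In practice the baseline would be taken in the "Bake" step and stored off the instance, so that a compromised host cannot rewrite its own reference; a real agent also watches running processes and listening ports, which this file-only example leaves out.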
Respond: review configuration; apply intrusion prevention
Repair: patch vulnerability in new AMI; leverage integrity monitoring
Keys: automation
Safe. Easy. Fast.™
MatchMove Wallet’s Cloud journey
Presented by: Paul Hidalgo Cloud Architect, MatchMove Pay Pte Ltd
• Founded in 2009
• Investors are Vickers Group, Credit Saison and GMO
• 6 Countries in ASEAN
• PAAS / Gaming Company
Issuer of American Express and MasterCard across Asia
www.mmvpay.com
Secure Payment
Accepted Everywhere
Good for small/micro-transactions
No Age Limit No Minimum Income
No Risks of overspending
Loyalty Deals
Remittance
View Card, 3 minute Sign Up, Easy Top-Up, Transactions, Notifications, Easy Menu, Promotions, AML/Compliance (KYC)
B2B Model
Promo
• First 50 Signups from this event will get $5 worth of top-up Free.
• You can use this to pay your AWS Bills! No Bill Shock!
How ?
• Sign up on this URL:
• matchmove.cards/paul5
Our Journey
Our challenge
• Industry Credibility
• Scalability
• World Class Security
• Cost
• Delivery Speed
Our Plan
• All-Cloud
• PCI-DSS
• Automated Security
• Modular
Our ecosystem
MatchMove Network
Banks
Regulatory and Compliance
Payment Providers
Processor
Cloud design
AWS cloud / VPC
Internet instances
What we needed
• Our instances need to get the latest updates without going online
• Anti-Malware Patching
• New Configurations
• New Threats
• Centralized Security Logging
Our implementation
VPC
Internet Web Servers
Private Subnet Public Subnet
Deep Security Manager
Compliance
• 33 of 202 PCI-DSS 3.0 requirements
Not Just AV/IPS/Malware
• Source Code Monitoring
• Configuration File Monitoring
• Log Checks
Not Just AV/IPS/Malware
• Logins
• Web 500 Errors
• Memory Issues
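The following Python is an added example, not code from either presenter or from Deep Security, of the kind of log check the two "Not Just AV/IPS/Malware" slides describe: it parses web-server access-log lines, flags a source that produces a burst of HTTP 500 errors, and also catches the `() {` function-definition signature that the Shellshock slides earlier in the deck refer to, which scanners for CVE-2014-6271 left in request headers. The log lines are constructed for the demo, and the 500-error threshold is an assumption.

```python
"""Added example: log checks over constructed Apache-style access-log lines.
Flags (a) the Shellshock '() {' signature in request headers and
(b) sources producing repeated HTTP 5xx responses. Threshold is assumed."""
import re
from collections import Counter

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A bash function definition at the start of an env-var value: "() {"
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 98 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:02:10 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.35.0"
198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.35.0"
198.51.100.7 - - [25/Sep/2014:10:02:12 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.35.0"
192.0.2.33 - - [25/Sep/2014:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse each line into a dict of named fields; skip lines that don't fit."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_shellshock(entries):
    """(ip, request) for entries whose User-Agent or Referer carries '() {'."""
    return [
        (e["ip"], e["request"]) for e in entries
        if SHELLSHOCK_RE.search(e["agent"]) or SHELLSHOCK_RE.search(e["referer"])
    ]


def count_500s(entries, threshold=3):
    """Sources whose count of HTTP 5xx responses reaches the threshold."""
    per_ip = Counter(e["ip"] for e in entries if e["status"].startswith("5"))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def run_checks(text):
    """Run both checks and return a summary dict."""
    entries = parse_log(text)
    return {
        "parsed": len(entries),
        "shellshock": find_shellshock(entries),
        "error_sources": count_500s(entries),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_LOG))
```

A hit from `find_shellshock` is worth an alert even when the response code is 200, because a CGI handler that exported the header into the environment has already executed whatever followed the function body; the 500-error check is the cheaper signal that an application is failing in a way monitoring should surface before customers do.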
Automated Testing
• Weekly scans, even when we are not in an audit period
Shared Security
Infrastructure Level!
DDOS & DDOS Security Groups (Firewall) CPU Usage Memory Cloud Logs
MatchMove Trend Micro AWS
OS and Application Level!
Malware, File Integrity, Server Hardening, VPN and Encryption, Vulnerabilities
MatchMove Trend Micro AWS
Shared Security
User Access Controls and Security!
Access Responsibility, 2FA, Secure Passwords, User Data Encryption
MatchMove End User Partner
Monitoring and Alerts!
Vigilante 24/7 Monitoring, Cloud / Intrusion Alerts
MatchMove Trend Micro AWS Partner
Instant-on Security
Web Server
Web Servers
Elastic Load Balancing
Web Servers
Web Servers
Deep Security Manager
Continuous Security
Testing
DSM
MySQL
Production
DSM
MySQL
Policies Rules Rollouts
Real-life DDoS analysis: detection
Location
Lessons
• We saved money and time, instead of hiring a security team
• We didn’t know attacks happen THAT frequently even on our test environments
Lessons
• Building a secure cloud infrastructure can be challenging to begin with, but it all works out in the end
• CloudFormation / OpsWorks / Beanstalk are your friends
• Better know your account limits (i.e. LB) so you can plan ahead
aws.trendmicro.com
Singapore