AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security (SAC402)
Transcript of AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security (SAC402)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Evident.io: John Martinez / Tim Prendergast
Ellie Mae: Anthony Johnson
November 30, 2016
SAC402
The AWS Hero’s Journey to Achieving Autonomous, Self-Healing Security
What to expect from the session
• Evident.io and programmatic security
• The journey to security automation maturity
• CIS AWS Foundations Benchmark
• AWS security by design
• Evident.io custom signatures
• Exploiting the bots
• Taking stock of your environment
• The Ellie Mae journey
Introductions
Anthony Johnson @ Ellie Mae
• Cloud computing and security expert
• Works at Ellie Mae
• Previously at Nokia
• Extensive automation experience
John Martinez @ Evident.io
• I’ve worked “in the cloud” since 2010
• At Evident.io since early 2014
• Background in Unix wizardry and all things related
• I love making latte art (or at least trying!)
The Ellie Mae story
Evident.io and programmatic security
Evident.io ESP and programmatic security
• Evident.io ESP is a new-generation security platform designed in the cloud for the cloud
• All security data is derived from the AWS service APIs and AWS CloudTrail
• Performs continuous security monitoring
• Provides continuous compliance testing and reporting
• Covers all AWS services
Evident.io ESP and programmatic security
API for programmatic access to both the control plane and the data plane
Evident.io ESP and programmatic security
Output integrations for doing interesting things with report data:
• Amazon SNS
• Slack
• Jira
• HipChat
• PagerDuty
• Webhook
• ServiceNow
Evident.io ESP and programmatic security
Example API use case
• Automatically add new AWS accounts to Evident.io
https://github.com/EvidentSecurity/esp_sdk
Evident.io ESP and programmatic security
Example integration use case: analyze ESP data in Sumo Logic
http://docs.evident.io/#sumo
The journey to security automation maturity
Security automation maturity
Proactive:
• CI/CD toolchain
• AWS CloudFormation templates
• Code analysis and review
• Pre/post deploy testing
Continuous:
• Infrastructure testing and alerting
• Application logging
• Auto Scaling
• HIDS/NIDS
• FIM
• Config management
Self-healing:
• Auto-remediation via AWS Lambda
• Automatic rollback to known good state
• Automatic failover to other regions
Most of us are here
Ellie Mae’s automation story
CIS AWS Foundations Benchmark
CIS AWS Foundations Benchmark
• The CIS AWS Foundations Benchmark is a great place to start for automated infrastructure testing and alerting
• The benchmark is the result of months of hard work by AWS, CIS, Evident.io, and a lot of other dedicated contributors
• Use the benchmark as a base set of controls to test and enforce the security of your AWS accounts
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
CIS AWS Foundations Benchmark
Evident.io ESP provides continuous testing of CIS AWS Foundations Benchmark controls and helps prevent security “drift”
Included in all Evident.io ESP accounts
How Ellie Mae does compliance
AWS security by design
AWS security by design
• The AWS recommended approach to proactive security in AWS
• Provides a practical approach to creating your security controls matrix and enforcing those controls
• Heavy on proactive automation via AWS CloudFormation
https://aws.amazon.com/compliance/security-by-design/
AWS security by design
Avoid security automation pitfalls
Evident.io’s custom signatures to the rescue
Custom signatures
• Evident.io’s platform includes checks for many different AWS services, but you can extend it with your own custom signatures
• Check services not yet included
• Create conditional tests that make sense for your environment
• Refine our built-in signatures
• If you can write it with the AWS Ruby SDK, it should work
Custom signatures
Example use cases:
• Enforcing tagging standards
• Checking corporate egress IP spaces in EC2 security groups
• Enforcing ELB SSL ciphers
• Even useful for general operational automation
Open-source custom signatures repo: https://github.com/EvidentSecurity/custom_signatures
Custom signatures
Example: checking for EC2 AMIs that are shared publicly
How Ellie Mae is using Evident.io for success
Exploiting the bots
Exploiting the bots
• Take advantage of AWS’ serverless compute service, Lambda, to self-heal your environment
• Immediately react to changes in your environment
• Auto-remediate AWS resources by revoking the change or rolling back to a known good state
Exploiting the bots
Example: auto-remediating a global SSH port on an EC2 security group
https://github.com/EvidentSecurity/aws-lambda/blob/master/autoremediate/autoremediate-EC2-002.py
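The auto-remediation pattern above, as an added example (not the EvidentSecurity/aws-lambda code): the Lambda handler revokes only the world-open (0.0.0.0/0 and ::/0) ranges of ingress rules that cover TCP/22, leaving narrower ranges in place. The SNS message shape with a `group_id` field and the sample security group are assumptions constructed for the example.

```python
"""Added example: revoke world-open SSH ingress on an EC2 security group."""
import json

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def covers_ssh(perm):
    """True if an IpPermissions entry includes TCP/22 (protocol -1 = everything)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def offending_permissions(security_group):
    """Build the minimal IpPermissions list to revoke: only world-open ranges of
    rules that cover SSH, so a rule like 10.0.0.0/8 on port 22 survives."""
    to_revoke = []
    for perm in security_group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
              if r.get("CidrIp") in WORLD_CIDRS]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
              if r.get("CidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent for protocol -1
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        to_revoke.append(entry)
    return to_revoke


def lambda_handler(event, context):
    """Assumed SNS payload: JSON with 'group_id' and optional 'region' (assumption;
    the real Evident.io alert payload is different). boto3 is imported here so the
    detection logic above can be exercised without AWS credentials."""
    import boto3
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    ec2 = boto3.client("ec2", region_name=msg.get("region", "us-east-1"))
    sg = ec2.describe_security_groups(GroupIds=[msg["group_id"]])["SecurityGroups"][0]
    revoke = offending_permissions(sg)
    if revoke:  # revoke exactly the offending ranges, nothing else
        ec2.revoke_security_group_ingress(GroupId=msg["group_id"], IpPermissions=revoke)
    return {"group_id": msg["group_id"], "revoked": revoke}


# Constructed sample describe_security_groups output (not a real group).
SAMPLE_SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
```

Running `offending_permissions(SAMPLE_SG)` yields two revoke entries: the 0.0.0.0/0 range of the port-22 rule and the ::/0 range of the all-protocols rule; the 10.0.0.0/8 range and the HTTPS rule are untouched.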
Exploiting the bots
Evident.io feeds the bots
Exploiting the bots
Other areas to exploit:
• Automatic rollback
• Failover to other regions
• Automatic creation of quarantined environments for forensic testing
Ellie Mae’s bots rising
Taking stock of your environment
How would you rate yourself?
A great journey in the making:
Ellie Mae
Come see us at Evident.io booth #404!
https://www.linkedin.com/in/anthony-johnson-566b356
@johnmartinez
https://www.linkedin.com/in/johnmartinez
https://github.com/EvidentSecurity/reinvent2016
Thank you!
Remember to complete your evaluations!