
Automated Detection and Remediation in AWS

These are slides presented at the DevSecOps Melbourne Meetup on Jul 25, 2018.

The speaker names and their employer information are present in the slides

Ashish

July 25, 2018


Transcript

  1. Page 2 Context
     - Initial focus on our oldest AWS accounts
       - Very large
       - Many tenants
       - Biggest tenant is Digital Delivery Centre
       - Some tenants are inexperienced with AWS
     - Automated infrastructure, so extendable to other accounts
  2. Page 3 Other Tools
     - Open Source
       - Netflix Security Monkey
       - Awslabs aws-security-benchmark
     - Commercial
       - CloudConformity
       - CloudTrail + SIEM
  3. Page 4 Why Build Our Own?
     - Customise to our specific environment
     - Auto-remediation
     - AWS services do the heavy lifting
     - Pipeline
       - Separate Security Pipeline - biggest piece of work
       - Also needed for account baselining
  4. Page 5 Approach
     - Serverless - minimal operational effort
     - Config Rules vs CloudWatch Events, compared on: Cost, Centralised Reporting, Changes vs State, Response Speed
  5. Page 6 Detective Controls
     - Security Group inbound rules - e.g. ports open to 0.0.0.0/0 except 80 or 443
     - CloudTrail changes to trail
     - Network ACL changes
     - S3 buckets being made public
     - Internet Gateway changes
     - Route Table changes
     - Customer Gateway changes
     - Config changes to resource tracking
     - Log Analysis for PII
  6. Page 7 First Steps to Auto-Remediation
     - Iterative approach
     - Begin with unauthorized ports open to unapproved IP range
     - Discovery of open ports
     - Talk to responsible teams
       - Any legitimate use cases?
       - Education
       - Consulting help
     - Whack-a-mole
     - Biggest causes
       - Packer used for AMI generation
       - ElasticBeanstalk
  7. Page 8 Auto-Remediation
     - Delete inbound rule
     - If rule covers multiple ports, split it
     - Raise ServiceNow ticket to inform responsible team
     - Deployed to DEV, TEST before PROD
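The Page 8 remediation (delete the world-open inbound rule, split it when it spans several ports so that only 80/443 survive, and collect what the ticket needs), as an added Python example that is not code from the deck or its authors. The CloudTrail field names follow the AWS record format for AuthorizeSecurityGroupIngress delivered through CloudWatch Events; ALLOWED_PORTS, the ticket fields and the sample event are constructed assumptions.

```python
ALLOWED_PORTS = {80, 443}   # policy from the deck: only these may be open to the world
WORLD = "0.0.0.0/0"
# Constructed sample: CloudWatch Events delivery of a CloudTrail record (AWS-documented field names).
SAMPLE_EVENT = {"detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/packer"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 443, "ipRanges": {"items": [{"cidrIp": WORLD}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": WORLD}]}},
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}}}
def _perm(proto, lo, hi):
    """boto3-shaped IpPermission for a world-open rule; ports are omitted when proto is -1 (all traffic)."""
    p = {"IpProtocol": proto, "IpRanges": [{"CidrIp": WORLD}]}
    if lo is not None:
        p["FromPort"], p["ToPort"] = lo, hi
    return p

def plan_remediation(event):
    """Return [(ec2_api_name, kwargs), ...] for one event; empty when nothing violates the policy."""
    detail = event["detail"]
    if (detail.get("eventSource"), detail.get("eventName")) != ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"):
        return []
    params, actions = detail["requestParameters"], []
    sg = params["groupId"]
    for perm in params["ipPermissions"]["items"]:
        if WORLD not in [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]:
            continue                       # not world-open: out of scope for this control
        proto, lo, hi = perm["ipProtocol"], perm.get("fromPort"), perm.get("toPort")
        if proto == "tcp" and lo == hi and lo in ALLOWED_PORTS:
            continue                       # a single approved port: compliant
        # Delete the inbound rule exactly as it was authorised ...
        actions.append(("revoke_security_group_ingress",
                        {"GroupId": sg, "IpPermissions": [_perm(proto, lo, hi)]}))
        # ... and, if it spanned several ports, split it: re-add only the approved ones.
        if proto == "tcp" and lo is not None:
            for port in sorted(p for p in ALLOWED_PORTS if lo <= p <= hi):
                actions.append(("authorize_security_group_ingress",
                                {"GroupId": sg, "IpPermissions": [_perm("tcp", port, port)]}))
    if actions:                            # what the ServiceNow ticket needs (field names assumed)
        actions.append(("raise_ticket", {"groupId": sg, "sourceIp": detail.get("sourceIPAddress"),
                                         "caller": detail.get("userIdentity", {}).get("arn")}))
    return actions

def lambda_handler(event, context):
    """Apply the plan; exceptions propagate so Lambda retries and then hands the event to the DLQ."""
    import boto3                           # imported here so plan_remediation stays testable offline
    ec2 = boto3.client("ec2")
    for api, kwargs in plan_remediation(event):
        if api != "raise_ticket":          # ticketing integration is site-specific and not shown here
            getattr(ec2, api)(**kwargs)
```

Only plan_remediation is needed to unit-test the policy offline; lambda_handler is the Lambda entry point and needs boto3 plus an IAM role allowed to revoke and authorise ingress in the target account.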
  8. Page 9 Next Steps
     - More detective controls
     - Other ports (risk-based approach)
       - All ports except 80 & 443
       - All ports - CloudFront
     - Ports open to too many IPs
     - Ports open to unapproved public IPs
  9. Page 10 Components
     - All Accounts
       - CloudWatch Events
       - IAM Roles
     - Detective Control Account
       - CloudWatch Events
       - Lambda and related SNS Topic
       - DynamoDB
       - S3 buckets
       - CloudWatch Logs
  10. Page 12 Architecture diagram (labels recovered from the slide): AWS Account; Detective Control Account; Amazon CloudWatch resources; AWS CloudTrail event (event-based); Amazon CloudWatch event (event-based); Resource Topic; Event Analyser; Amazon DynamoDB; Auto Remediator Topic; Auto Remediator role; Alert Generator Topic; Alert Generator; SIEM; Remediation DLQ; Lambda DLQ Topic; Ticket; PII Lambda event (time-based)
  11. Page 13 Benefits of CloudWatch Events
     - We decide which event we want to receive
     - Analyse the API call instead of the outcome
     - The "AWS API Call via CloudTrail" event contains the following:
       - API call result
       - API call request parameters
       - Error code and error message
       - API caller
       - API caller IP address
  12. Page 15 Things to Consider
     - Request parameters are based on the API documentation
     - Make use of the "Dead Letter Queue" concept
     - Focus on Lambda run time and context reuse
     - Build a sustainable, serverless, secured deployment pipeline