CloudBuilders AWS Security Incident Response

Presentation given at the CloudBuilders Meetup in SF

John Martinez

March 10, 2015
Transcript

  1. ©2015 evident.io I confidential I evident.io
     Agenda
     ▪ About John
     ▪ About Evident.io
     ▪ Security incident checklist
       - What you are responsible for in AWS
       - What AWS will be looking for from you
     ▪ Top 10 Security Best Practices
     ▪ How Evident.io Can Help
  2. About John
     I'm a long-time UNIX/Linux geek who cut his teeth in the cloud at an entertainment company in Los Gatos. I've worked on another large-scale cloud implementation at a large software company in downtown San Jose. I now work for the best security start-up in the world and love to help our customers get and stay secure. 2/9/15
  3. About Evident.io
     Evident.io was forged from decades of information security experience by a team that is hyper-focused on the security challenges facing cloud businesses. We are the experts in Cloud Security, so you don't have to be.
  4. Security Incident
     1. What is it?
     2. How do you find out?
     3. What did you do to prepare?
  5. Security Incident
     You get a call, what do you do? (first-aid steps mapped to incident response)
     ▪ Evaluate the situation
     ▪ Stop the bleeding: secure the site / isolate the damage
     ▪ Start the breathing: get the business running again
     ▪ Protect the wound: investigate root cause
     ▪ Treat for shock: make it better (so it does not happen again)
  6. Security Incident Checklists - You
     What you are responsible for in AWS
     ▪ Have both a plan and tools (and have tested them): Sleuthkit, Autopsy, SIFT AMI, etc.
     ▪ Define what happened and when, and/or define what was not happening and when
     ▪ Initial triage of the problem: the more detail you can collect, the better
     ▪ Scale up, scale out, isolate the issue
     ▪ Logs, logs, logs: review CloudTrail logs, S3 logs, ELB logs, host logs
     ▪ Snapshot/dd affected resources
     ▪ Open a support case with AWS early; update often
  7. Security Incident Checklists - AWS
     What AWS will do with you
     ▪ Communicate via support ticket
     ▪ Can provide you guidance on: scaling up, scaling out, isolating the issue
     ▪ May shift traffic to help
     ▪ Can provide you a forensic image for analysis in AWS
  8. Top 10 AWS Practices to Implement
     1. Disable root API access key and secret key
     2. Enable MFA tokens everywhere
     3. Reduce number of IAM users with Admin rights
     4. Use Roles for EC2
     5. Least privilege: limit what IAM entities can do with strong/explicit policies
     6. Rotate all the keys regularly
     7. Use IAM roles with STS AssumeRole where possible
     8. Use AutoScaling to dampen DDoS effects
     9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
     10. Watch world-readable/listable S3 bucket policies
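The "review CloudTrail logs" step on the checklist above and practices 1, 2, 9 and 10 on this slide can be checked mechanically against the same CloudTrail records. The Python below is an added example, not code from the deck or from Evident.io: it triages a batch of CloudTrail records for root access-key use, console logins without MFA, security-group rules opened to 0.0.0.0/0 (and, going slightly beyond the slide, the IPv6 ::/0), and bucket policies that grant to every principal. The records are constructed for the example (fake account ID, documentation-range IPs, made-up names), trimmed to the fields the checks read; the field layout follows the CloudTrail record format.

```python
"""Triage a batch of CloudTrail records for the conditions the deck flags.

Added example, not code from the deck or from Evident.io. The records below
are constructed for the example (fake account ID, IPs from documentation
ranges) and trimmed to the fields the checks read; the field names follow the
CloudTrail record format (userIdentity, eventName, requestParameters, ...).
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "everyone" ranges for IPv4 and IPv6

# Constructed CloudTrail records, one per condition plus one benign event.
SAMPLE_RECORDS = [
    {   # root account calling the API with a long-lived access key (practice 1)
        "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # console sign-in with no MFA (practice 2)
        "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # security group rule opened to the world on tcp/22 (practice 9)
        "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # bucket policy that lets anyone read every object (practice 10)
        "eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
        "requestParameters": {"bucketName": "acme-logs", "bucketPolicy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::acme-logs/*"}]}},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # benign: read-only call from an EC2 role; must produce no finding
        "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ops/i-0abc"},
        "sourceIPAddress": "10.0.0.5",
    },
]


def world_open_rules(record):
    """Return (protocol, fromPort, toPort) for each ingress rule granted to a world CIDR."""
    perms = (record.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    rules = []
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        if any(r.get("cidrIp") in WORLD_CIDRS or r.get("cidrIpv6") in WORLD_CIDRS for r in ranges):
            rules.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return rules


def public_statements(policy):
    """Return Allow statements open to every principal with no Condition narrowing them."""
    everyone = ("*", {"AWS": "*"}, {"AWS": ["*"]})
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and s.get("Principal") in everyone
            and "Condition" not in s]


def triage(record):
    """Return a list of (finding, detail) pairs for one CloudTrail record."""
    ident = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    event = record.get("eventName")
    src = record.get("sourceIPAddress", "?")
    findings = []
    if ident.get("type") == "Root" and "accessKeyId" in ident:
        findings.append(("root-access-key-used", f"{ident['accessKeyId']} from {src}"))
    if event == "ConsoleLogin" and (record.get("additionalEventData") or {}).get("MFAUsed") == "No":
        findings.append(("console-login-without-mfa", f"{ident.get('userName', '?')} from {src}"))
    if event == "AuthorizeSecurityGroupIngress":
        for proto, lo, hi in world_open_rules(record):
            findings.append(("world-open-ingress", f"{params.get('groupId')} {proto} {lo}-{hi}"))
    if event == "PutBucketPolicy":
        for stmt in public_statements(params.get("bucketPolicy") or {}):
            findings.append(("public-bucket-policy", f"{params.get('bucketName')} {stmt.get('Action')}"))
    return findings


def triage_batch(records):
    """Group findings by type across a batch so the same problem is counted once per record."""
    report = {}
    for rec in records:
        for kind, detail in triage(rec):
            report.setdefault(kind, []).append(detail)
    return report


if __name__ == "__main__":
    for kind, details in sorted(triage_batch(SAMPLE_RECORDS).items()):
        print(kind)
        for d in details:
            print("   ", d)
```

Each finding keeps the source IP and the identity that made the call, which is exactly the "what and when" detail the checklist asks you to collect before opening the AWS support case. Feeding real data means iterating over the `Records` array of each gzipped CloudTrail object from the S3 log bucket; the checks themselves do not change.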
  9. Connect
     February 9, 2015
     evident.io
     11501 Dublin Blvd #200
     Dublin, CA 94568
     c. 855.933.1337
     [email protected]
     http://evident.io