![Page 1: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tom Stickle
April 19, 2016
Getting Started with Amazon Inspector
![Page 2: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/2.jpg)
What to expect from this session
• Why did we build Amazon Inspector?
• What is Amazon Inspector?
• How much does it cost?
• What does it help protect against?
• How does it help me with remediation?
• Where do APN Technology Partners fit?
• What regions are supported?
• What’s next for Amazon Inspector?
![Page 3: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/3.jpg)
DevOps & Cloud
• Like Pretzels & Beer
• Better alignment with customer needs
• Increased ownership by developers
• Continuous feedback & bug discovery
• Configuration & Infrastructure is part of the code
• More frequent code rollouts
• Automation
• Better focus on operational excellence
• Cloud provides infrastructure as code
• Improved availability
• Cost optimization
![Page 4: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/4.jpg)
Continuous Integration / Continuous Deployment
Diagram: Source Code → Running Host
![Page 5: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/5.jpg)
Traditional Security Processes
Diagram: Asset Owner, Security Team, AppSec Eng, Asset, Scan for Vulnerabilities
![Page 6: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/6.jpg)
• It’s not about DevOps + Security
• Not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices
• www.devsecops.org
![Page 7: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/7.jpg)
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
![Page 8: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/8.jpg)
The Value of Vulnerability Assessments
“[With] any large network, I will tell you that persistence and
focus will get you in, we’ll achieve that exploitation without
the zero days,” he says. “There’s so many more vectors
that are easier, less risky and quite often more productive
than going down that route.” This includes, of course,
known vulnerabilities for which a patch is available but the
owner hasn’t installed it.
- Rob Joyce NSA TAO @ Enigma 2016
![Page 9: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/9.jpg)
![Page 10: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/10.jpg)
Installing the Agents
• Chef, SaltStack, Puppet, Ansible
• AWS CodeDeploy
• EC2 user-data
• EC2 RunCommand
• cfn-init
• AWS OpsWorks
• CloudInit
#!/bin/bash
# Linux agent install (run as root, e.g. from EC2 user-data): download the
# installer to a fixed path, make it executable and run it. -O pins the
# download location so the chmod and execution below refer to the same file.
wget -O /home/ec2-user/install https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
/home/ec2-user/install
# Windows agent install (PowerShell, run as Administrator): download the
# installer next to the current location and run it silently.
$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
$out = Join-Path $PWD "AWSInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $out)
& $out /quiet
![Page 11: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/11.jpg)
Supported Agent Operating Systems
• Red Hat Enterprise Linux (7.2 or later)
• CentOS (7.2 or later)
• Ubuntu (14.04 LTS or later)
• Amazon Linux (2015.03 or later)
• Microsoft Windows (2012, 2008 R2) - Preview
![Page 12: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/12.jpg)
![Page 13: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/13.jpg)
![Page 14: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/14.jpg)
Assessments
![Page 15: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/15.jpg)
![Page 16: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/16.jpg)
Pricing
• Free Trial
  • 250 agent-assessments for first 90 days using the service
• Based on Agent-Assessments
  • 1 assessment with 10 agents = 10 agent-assessments
  • 5 assessments with 2 agents = 10 agent-assessments
  • 10 assessments with 1 agent = 10 agent-assessments
  • 10 agent-assessments = $3.00
Price per agent-assessment, by volume tier:
First 250 agent-assessments: $0.30
Next 750 agent-assessments: $0.25
Next 4000 agent-assessments: $0.15
Next 45,000 agent-assessments: $0.10
All other agent-assessments: $0.05
![Page 17: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/17.jpg)
Anatomy of an attack
Diagram: Service, SOAP Encode/Decode, XML Parser, Application, Database
![Page 18: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/18.jpg)
Example Exploit
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "c:/boot.ini">
]>
<foo>&xxe;</foo>
![Page 19: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/19.jpg)
Web Scale
Diagram: an NLB in front of seven identical Service Stacks
![Page 20: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/20.jpg)
Example Vulnerability
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://1.2.3.4/">
<foo/>
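Both slide payloads depend on the parser honouring a DOCTYPE (an internal subset declaring a SYSTEM entity, or an external DTD fetched from a URL). As an added defensive example, not part of the deck, here is a standard-library Python guard that refuses any DOCTYPE or external entity reference before the document reaches the application; the sample documents are constructed from the slide's payload.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(Exception):
    """Document carries a DOCTYPE or tries to resolve an external entity."""


def parse_xml_no_dtd(text):
    """Parse `text` with expat, refusing any DOCTYPE or external entity.

    Returns the root Element; raises UnsafeXML for the cases above and
    xml.parsers.expat.ExpatError for malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before the internal subset
        # is read, so the SYSTEM entity in the payload is never even declared.
        raise UnsafeXML(f"DOCTYPE rejected: root={name!r} system_id={sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: expat must never fetch a file or URL on our behalf.
        raise UnsafeXML(f"external entity rejected: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(text, True)      # raises for DOCTYPE, external ref or bad syntax
    return ET.fromstring(text)    # the document is now known to be DTD-free


def xml_verdict(text):
    """Map a document to 'ok', 'unsafe' or 'malformed' for logging or tests."""
    try:
        parse_xml_no_dtd(text)
        return "ok"
    except UnsafeXML:
        return "unsafe"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples: the slide's XXE payload and a harmless document.
XXE_PAYLOAD = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE foo [\n'
               '<!ELEMENT foo ANY>\n<!ENTITY xxe SYSTEM "c:/boot.ini">\n]>\n'
               '<foo>&xxe;</foo>')
BENIGN = '<?xml version="1.0"?><foo><bar>hello</bar></foo>'

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_PAYLOAD), ("benign", BENIGN)):
        print(f"{label}: {xml_verdict(doc)}")
```

Python 3's ElementTree already declines to fetch external entities on its own, but the guard makes the policy explicit, rejects the document at the DOCTYPE rather than at the first entity reference, and gives a reason you can log.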
![Page 21: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/21.jpg)
Common Vulnerabilities & Exposures
• Tagged list of publicly known info security issues
• Vulnerabilities
  • A mistake in software that can be used to gain unauthorized system access
  • Execute commands as another user
  • Pose as another entity
  • Conduct a denial of service
• Exposures
  • A mistake in software that allows access to information that can lead to unauthorized system access
  • Allows an attacker to hide activities
  • Enables information-gathering activities
![Page 22: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/22.jpg)
CIS Secure Configuration Benchmarks
Kathleen Patentreger, Senior Vice President; Laurie Hester, Program Executive
Center for Internet Security
![Page 23: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/23.jpg)
Who is CIS?
• Pioneer in forming global IT communities
• Developer of key best practices for immediate
and effective defenses against cyber attacks
• Industry standard for security best practices
CIS delivers Confidence in the Connected World
![Page 24: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/24.jpg)
CIS can help your organization
Our Mission:
• Create and promote best practices in
cybersecurity
• Deliver solutions to prevent and rapidly
respond to cyber incidents
• Build trust in cyberspace
Our Programs:
• MS-ISAC (SLTT support)
• CIS Critical Security Controls
• CIS Security Benchmarks
![Page 25: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/25.jpg)
What is a “Benchmark?”
• Security configuration guide
• Consensus-based development
process
• PDF versions are free via our
website
• 433K+ downloads last year
![Page 26: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/26.jpg)
What’s inside a Benchmark?
What it applies to…
Who helped make it…
How to interpret…
What to do…
Why to do it…
How to do it…
How do you know you did it…
![Page 27: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/27.jpg)
Amazon and CIS
• CIS AWS Foundations Benchmark:
  • Provides recommendations for the security of your AWS account
• Amazon Inspector:
  • CIS Security Software Vendor Membership and certification service assesses against the following CIS Benchmark: Amazon Linux 2014.09-2015.03
  • Add'l CIS Benchmarks scheduled
![Page 28: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/28.jpg)
CIS Amazon Machine Images (AMIs)
System is configured from launch to be in conformance with the CIS Benchmark
AMIs currently available include:
• Amazon Linux 2014.09* - 2015.03
• Debian 8*
• Microsoft Windows Server 2008, 2008 R2, 2012 & 2012 R2
• Red Hat Enterprise Linux 5*, 6 & 7
• SUSE Linux Enterprise Server 11* & 12*
• CentOS Linux 6* & 7
• Ubuntu 12.04* & 14.04 LTS Server
*Access via CIS Membership only, not available in AWS Marketplace
![Page 29: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/29.jpg)
How to access the CIS Amazon Machine Images (AMIs) in Amazon Elastic Compute Cloud (EC2)
• AWS Marketplace
• CIS Security Benchmarks Membership
Future plans:
• GovCloud - More details to come in May
• Intelligence Community (IC) Marketplace
For more information, visit https://benchmarks.cisecurity.org or contact
us at [email protected].
![Page 30: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/30.jpg)
Amazon Inspector
• Rules Packages
  • Common Vulnerabilities & Exposures
  • CIS Operating System Security Configuration Benchmarks
  • Security Best Practices
  • Runtime Behavior Analysis
![Page 31: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/31.jpg)
Security Best Practices
• Authentication
• Network Security
• Operating System
• Application Security
• Disable root login over SSH
• Password complexity
• Permissions for system directories
• Secure protocols
• Data execution prevention enabled
![Page 32: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/32.jpg)
Runtime Behavior Analysis
• Package analyzes machine behavior during an assessment
  • Unused listening ports
  • Insecure client protocols
  • Root processes with insecure permissions
  • Insecure server protocols
• Impacts the severity of static findings
![Page 33: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/33.jpg)
Automating Remediation
• Findings are JSON formatted and taggable
  • Name of assessment target & template
  • Start time, end time, status
  • Name of rule packages
  • Name & severity of the finding
  • Description & remediation steps
• Lambda-ify your incident response
  • Integrate with Jira-like services
  • Integrate with Pagerduty-like services
![Page 34: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/34.jpg)
Launch Partners
![Page 35: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/35.jpg)
AWS Partner Network (APN)
• Technology Partner Program
• AWS Marketplace
• AWS Channel Reseller Program
• AWS Managed Service Partners
• AWS Partner Test Drives
![Page 36: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/36.jpg)
Regions Supported
• GA
  • US West (Oregon)
  • EU (Ireland)
  • US East (Virginia)
  • Asia Pacific (Tokyo)
• GA + 1 Month
  • Asia Pacific (Sydney)
  • Asia Pacific (Seoul)
![Page 37: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/37.jpg)
![Page 38: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/38.jpg)
What’s Next for Amazon Inspector?
• Reporting
• AWS API Interception
• Threat Modeling
• Industry Specific Rules Packages
![Page 39: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/39.jpg)
Remember to complete
your evaluations!
![Page 40: Getting Started with Amazon Inspector](https://reader033.vdocuments.mx/reader033/viewer/2022042707/58793ce41a28ab23468b5697/html5/thumbnails/40.jpg)