TRANSCRIPT
©2019 SANS™ Institute | www.sans.org Sponsored by:
Security Operations in the Cloud Monthly Webinar Series
How to Secure App Pipelines in AWS
Today’s Speakers
• Dave Shackleford, SANS Analyst
• David Aiken, AWS Marketplace, Solutions Architect
Introduction
• We are seeing nothing less than an evolutionary shift in how security infrastructure is moving to software-defined models that improve speed and scale.
• Much like other areas of security, the responsibility for application security varies widely depending on the cloud model in place.
• We’ll delve into the changing nature of application development and security as organizations are building and deploying applications for the cloud.

How the SDLC Is Changing
• The software development life cycle (SDLC) has moved to a methodology that prioritizes collaboration and more frequent (yet smaller) updates.
• To shift toward a more collaborative culture, security teams need to integrate with the developers responsible for promoting code.
• Security teams need to determine which tools they have in operations that can integrate into the application pipeline.

The Modern CI/CD Pipeline
• Many organizations are adopting Continuous Integration (CI) and Continuous Delivery (CD) for their cloud application pipelines.
  – CI is usually exhibited through small, incremental and frequent code pushes (often to stage or test), but does not usually manifest as large production code releases.
  – CD means you actually deliver code to production in an automated pipeline.

The Modern CI/CD Pipeline (cont.)
• Automated provisioning—The more automated the provisioning of resources and assets, the more rapidly the SDLC and operations model can operate.
• No-downtime deployments—Because cloud services are based on service-oriented costing models, downtime is less acceptable.
• Monitoring—Constant monitoring and vigilance of code and operations help to streamline and improve quality immensely.
• Rapid testing and updates—The sooner code flaws can be detected, the less impact they’ll have in a working production environment. Rapid and almost constant testing needs to occur for this to happen.
• Automated builds and testing—More automation in the testing and QA processes will help to speed things up and improve delivery times.

Role Assignments
• Application development teams
• Cloud architecture and engineering teams
• Security architecture and operations teams
• IT infrastructure teams (server engineering, database management and more)
• Compliance and legal teams (where appropriate)
• Business unit management (where appropriate)

Prep: Discussions
• Make sure that your security team discusses:
  – Standard and planned coding and release cycles—If the team plans on doing CI, how will the code be centrally stored and managed?
  – Tools in use for development, testing and deployment—Automated testing suites are ideal, but security teams need to understand the tools the development team plans to use.
  – How security can best integrate with the teams—Ideally, security teams will have some understanding of development practices, and will know how to write test scripts and infrastructure-as-code templates where applicable.
  – Expected standards and behaviors—If there are no standards to adhere to, what will the team seek to enforce?

Security in the CI/CD World
• When integrating into a cloud-focused application development model, security teams need to focus on:
  – Code security—How is code being scanned for vulnerabilities?
  – Code repositories—How is code being checked in and checked out, and by whom?
  – Automation tools—What tools are in use to automate builds, deployments, etc.? How can security integrate with these?
  – Orchestration platforms—How are orchestration tools being used to coordinate and automate infrastructure and cloud components?
  – Gateways and network connectivity—How can we ensure secure connectivity to the cloud for deployments?

Risk Assessment
• Risk assessment and analysis practices should be updated to continually review:
  – Cloud provider security controls, capabilities and compliance status
  – Internal development and orchestration tools and platforms
  – Operations management and monitoring tools
  – Security tools and controls both on premises and in the cloud

Security for the CI/CD Pipeline
Pipeline stages (diagram): Code/Develop → Build → Package → Test → Deploy/Upgrade → Operate

Code/Develop
• Are check-in and check-out procedures defined?
• Do solid role-based access controls exist?
• Cloud providers often have options available for code storage and management that include authentication with strong identity management and robust logging/tracking.

Build
• This stage should include:
  – Validated code
  – Approved build architecture and controls
  – Automated build testing for compiled code
• AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests and produces software packages that are ready to deploy.

Package
• Some traditional vulnerability scanning vendors have adapted their products to work within cloud provider environments.
• Another option is to rely on host-based agents that can scan their respective virtual machines continually.
• Tools like Trend Micro Deep Security can help to automate application protection and package validation for workloads, too.

Test
• Keys for security teams during the testing phase are:
  – Security testing should be as seamless as possible (avoid interfering with QA if you can help it).
  – Define test cases and tools.
  – Define acceptable outcomes that meet policy.
  – Automate tools and teach developers/QA engineers to run them.

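The "acceptable outcomes that meet policy" bullet above is the part that usually stays undocumented. The following is an added example (not from the webinar or from any vendor tool) of writing that policy down as data and applying it as a gate step in the test stage: it parses a scanner report, skips findings covered by a documented exception, and fails the stage when anything at or above the blocking severity remains. The report format, tool names, rule identifiers and file locations are all constructed for this example.

```python
"""Policy gate for the test stage of a CI/CD pipeline (added example, constructed data)."""
import json
from dataclasses import dataclass

# Severity ordering used by the gate; scanner output is normalised to these names.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced the finding
    rule_id: str    # scanner's rule identifier
    severity: str   # LOW / MEDIUM / HIGH / CRITICAL
    location: str   # file:line, package, or image layer


@dataclass(frozen=True)
class GatePolicy:
    """The 'acceptable outcome' written down as data rather than tribal knowledge."""
    block_at: str = "HIGH"                 # fail the stage at this severity or above
    max_medium: int = 5                    # tolerate at most this many MEDIUM findings
    accepted: frozenset = frozenset()      # rule_ids with a documented, time-boxed exception


def load_findings(report_json: str) -> list:
    """Parse the (constructed) JSON list emitted by the scanners into Finding objects."""
    return [Finding(r["tool"], r["rule_id"], r["severity"].upper(), r["location"])
            for r in json.loads(report_json)]


def evaluate_gate(findings: list, policy: GatePolicy) -> tuple:
    """Return (passed, reasons). An empty reasons list means the stage passes."""
    reasons = []
    threshold = SEVERITY_RANK[policy.block_at.upper()]
    medium_count = 0
    for f in findings:
        if f.rule_id in policy.accepted:
            continue                        # covered by an approved exception
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None:
            # Unknown severities block, so a scanner output change cannot silently weaken the gate.
            reasons.append(f"unknown severity {f.severity!r} for {f.rule_id} ({f.tool})")
        elif rank >= threshold:
            reasons.append(f"{f.severity} {f.rule_id} at {f.location} ({f.tool})")
        elif f.severity == "MEDIUM":
            medium_count += 1
    if medium_count > policy.max_medium:
        reasons.append(f"{medium_count} MEDIUM findings exceed the limit of {policy.max_medium}")
    return (not reasons, reasons)


def run_gate(report_json: str, policy: GatePolicy) -> tuple:
    return evaluate_gate(load_findings(report_json), policy)


# Constructed scanner output; tool names, rule ids and locations are invented for this example.
SAMPLE_REPORT = json.dumps([
    {"tool": "sast", "rule_id": "SQLI-001", "severity": "HIGH", "location": "app/db.py:42"},
    {"tool": "dep-audit", "rule_id": "DEP-7781", "severity": "CRITICAL", "location": "examplelib==1.2.3"},
    {"tool": "sast", "rule_id": "HARDCODED-SECRET", "severity": "MEDIUM", "location": "config/dev.yaml:3"},
    {"tool": "sast", "rule_id": "WEAK-HASH", "severity": "MEDIUM", "location": "app/auth.py:17"},
    {"tool": "lint", "rule_id": "DEBUG-FLAG", "severity": "LOW", "location": "app/settings.py:9"},
])

if __name__ == "__main__":
    # DEP-7781 has an approved exception; SQLI-001 does not, so the stage fails.
    passed, reasons = run_gate(SAMPLE_REPORT, GatePolicy(accepted=frozenset({"DEP-7781"})))
    print("PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if passed else 1)   # a non-zero exit is what stops the pipeline
```

The exception set is the part to review with the development team: an accepted rule id is a deliberate, recorded decision, which is what "meets policy" has to mean when the gate runs without a human in the loop.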
Deploy/Upgrade
• In this phase, security teams are focused on:
  – Documentation—Note any bugs that are outstanding; document plans to fix and when.
  – Communication—Coordinate with development and operations teams to instantiate any controls needed for remediation or “stop gaps.”
  – Life cycle—Ensure an approved policy for bug remediation is in place and monitored for future release cycles.

Operations
• Define security use cases for production operations by answering the following questions:
  – What events should trigger alerts?
  – What events should trigger automated remediation?
  – What event severities should be in place?
  – What controls are needed to properly secure the environment?

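The four questions above can be answered as a small catalogue of use cases that a detection job evaluates against the account's activity log. The following is an added example (not from the webinar) that does this over CloudTrail-style records: each use case names the event it matches, the severity it carries, and whether it alerts only or also triggers remediation. The event names (StopLogging, DeleteTrail, AuthorizeSecurityGroupIngress, ConsoleLogin, CreateUser) and field names are CloudTrail's; the sample records, identifiers and the use-case choices themselves are constructed for the example and are not a recommended baseline.

```python
"""Production security use cases as code over CloudTrail-style records (added example)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class UseCase:
    name: str
    severity: str                      # LOW / MEDIUM / HIGH / CRITICAL
    auto_remediate: bool               # True: also hand the event to a remediation job
    matches: Callable[[dict], bool]    # predicate over one CloudTrail record


def _opens_to_world(event: dict) -> bool:
    """True when an ingress rule in the request permits 0.0.0.0/0 or ::/0."""
    params = event.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in (perm.get("ipv6Ranges") or {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return False


def _mfa_used(event: dict) -> bool:
    return (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"


# The use-case catalogue: which events matter, how severe they are, alert only or alert + remediate.
USE_CASES = [
    UseCase("CloudTrail logging stopped or trail deleted", "CRITICAL", True,
            lambda e: e.get("eventName") in {"StopLogging", "DeleteTrail"}),
    UseCase("Security group ingress opened to the internet", "HIGH", True,
            lambda e: e.get("eventName") == "AuthorizeSecurityGroupIngress" and _opens_to_world(e)),
    UseCase("Console login without MFA", "HIGH", False,
            lambda e: e.get("eventName") == "ConsoleLogin" and not _mfa_used(e)),
    UseCase("New IAM user created", "MEDIUM", False,
            lambda e: e.get("eventName") == "CreateUser"),
]


def triage(events: list) -> list:
    """Match each record against the catalogue; return one decision per matching record."""
    decisions = []
    for ev in events:
        for uc in USE_CASES:
            if uc.matches(ev):
                decisions.append({
                    "event_id": ev.get("eventID"),
                    "use_case": uc.name,
                    "severity": uc.severity,
                    "action": "alert+remediate" if uc.auto_remediate else "alert",
                })
                break    # the first matching use case decides the severity and action
    return decisions


# Constructed CloudTrail-style records: field names are CloudTrail's, values are invented.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventID": "e4", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e5", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS):
        print(f"[{d['severity']}] {d['event_id']}: {d['use_case']} -> {d['action']}")
```

Of the five sample records, three produce decisions: the logging stop (CRITICAL, remediate), the rule opened to 0.0.0.0/0 (HIGH, remediate) and the non-MFA console login (HIGH, alert only); the internal-range rule and the read-only describe call produce nothing. Keeping the catalogue in code means the answer to "what triggers automated remediation" is reviewable in the same pipeline as everything else.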
Secrets Management
• A critical aspect of managing security in a cloud environment is to carefully limit and control the accounts and privileges assigned to resources.
• In addition to privilege management in configuration definitions, application development teams need to ensure no sensitive material like encryption keys or credentials are stored in definition files, on systems that are exposed or in code that could be exposed.

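One way to enforce the second bullet before code ever reaches the repository is a small scanner run as a pre-commit or build step. The following is an added example (not from the webinar) that checks definition files for three kinds of material that should not be there, namely AWS access key IDs, private key blocks and plain `password=`/`secret=` style assignments, while allowing values that merely reference a secrets store (CloudFormation `{{resolve:secretsmanager:...}}` and `{{resolve:ssm-secure:...}}` dynamic references, `${VAR}` placeholders, Secrets Manager ARNs). The sample files are constructed in memory for the example; the access key pair is the one AWS uses in its own documentation, not a live credential.

```python
"""Scan definition files for hardcoded credentials (added example, constructed sample files)."""
import re

# One detector per kind of material that must not live in definition files or code.
DETECTORS = {
    # AWS access key IDs have a fixed, well-known shape: AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Generic key=value credential assignment; the value must be at least 8 characters long.
    "credential_assignment": re.compile(
        r"""(?i)\b[\w-]*(password|passwd|secret|token|api[_-]?key)[\w-]*\s*[:=]\s*["']?(?P<value>[^\s"']{8,})"""),
}

# Values that reference a secrets store rather than containing a secret; these are the intended pattern.
REFERENCE_PREFIXES = ("{{resolve:secretsmanager:", "{{resolve:ssm-secure:", "${", "arn:aws:secretsmanager:")


def _is_reference(value: str) -> bool:
    return value.startswith(REFERENCE_PREFIXES)


def scan_text(name: str, text: str) -> list:
    """Return (file, line_number, kind) for every line that carries secret material."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "credential_assignment" and _is_reference(m.group("value")):
                continue    # the file points at a secrets-manager entry; that is what we want to see
            hits.append((name, lineno, kind))
    return hits


def scan_files(files: dict) -> list:
    """files maps a file name to its text; returns all hits in file order."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]


# Constructed sample files; names, values and the truncated key body are invented for this example.
SAMPLE_FILES = {
    # Wrong: the database password is written into the CloudFormation template.
    "template-before.yaml": (
        "Resources:\n"
        "  Db:\n"
        "    Type: AWS::RDS::DBInstance\n"
        "    Properties:\n"
        "      MasterUserPassword: hunter2hunter2\n"),
    # Right: the template resolves the password from Secrets Manager at deploy time.
    "template-after.yaml": (
        "Resources:\n"
        "  Db:\n"
        "    Type: AWS::RDS::DBInstance\n"
        "    Properties:\n"
        "      MasterUserPassword: '{{resolve:secretsmanager:prod/orders/db:SecretString:password}}'\n"),
    # Wrong: long-lived IAM user keys in a deployment env file (AWS's documented example key pair).
    "deploy.env": (
        "AWS_REGION=us-east-1\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"),
    # Wrong: a private key committed next to the code (body truncated and constructed).
    "deploy_key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {kind}")
    raise SystemExit(1 if scan_files(SAMPLE_FILES) else 0)
```

The before/after templates show the substitution the bullet asks for: the value moves out of the definition file and only a reference to the secret remains, so the scanner is quiet on `template-after.yaml` and flags the other three files.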
API Security
• APIs are integral to building a robust and automated development pipeline.
• The security posture of APIs should be documented by providers, and all APIs should be strongly controlled through IAM policies.
• Use of APIs should be carefully monitored, too, with full logging to AWS CloudTrail and other logging engines.

Privilege Management and IAM
• Strong privilege management is a necessity in fast-moving application pipelines.
  – Integration with secrets management tools and a granular IAM policy engine like AWS Identity and Access Management (IAM) is crucial.
• A fragmented privilege management and IAM implementation strategy can lead to poor operational oversight of users, groups and permissions.

Containers and Container Management/Orchestration
• Containers are rapidly becoming a common means of quickly deploying application workloads in both internal and cloud environments.
• Look for:
  – Secure repositories for container images, such as Amazon Elastic Container Registry (ECR)
  – Orchestration tools that can be used for managing container deployments securely, such as Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

Serverless Applications and Security
• Serverless security should involve:
  – Static code review (Numerous third-party providers can integrate into serverless environments like AWS Lambda to scan the code.)
  – Privilege and permission control over all serverless applications with IAM
  – Complete logging of all serverless application updates and execution using tools like AWS CloudTrail

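The "granular IAM policy" point from the Privilege Management and IAM slide and the "privilege and permission control ... with IAM" point above both come down to the same review: does each Allow statement in a pipeline role or Lambda execution role grant only what that workload needs? The following is an added example (not from the webinar or from AWS) of a policy lint that can run in the pipeline against policy documents before they are deployed. It flags `Action: "*"`, service-wide `service:*` wildcards, `Resource: "*"` combined with write-capable actions, `Allow` with `NotAction`, and `iam:PassRole` on every role. The two policy documents are constructed: an over-broad one and a scoped execution role for a hypothetical `order-handler` function; the account ID is the placeholder AWS uses in its documentation.

```python
"""Lint IAM policy documents for over-broad Allow statements (added example, constructed policies)."""

# Action verbs that are read-only and commonly need Resource '*' (for example ec2:DescribeInstances).
READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value) -> list:
    """IAM allows a string or a list in Statement, Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    if ":" not in action:          # a bare "*" is never read-only
        return False
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements broader than a pipeline role or function needs."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction grants every action not listed")
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants full administrative access")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"statement {idx}: service-wide wildcard {action}")
        writable = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and writable:
            findings.append(f"statement {idx}: Resource '*' with write-capable actions {writable}")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(f"statement {idx}: iam:PassRole on Resource '*' lets this principal hand any "
                            f"role to a service; scope it to the specific role ARN")
    return findings


# Constructed over-broad policy of the kind that accumulates on a shared pipeline role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed scoped execution role for a hypothetical Lambda function named order-handler.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-handler:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/orders/db-*"},
        # Read-only describe calls legitimately need Resource '*' and are not flagged.
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = lint_policy(policy)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(" -", f)
```

The scoped policy also shows the secrets-management integration the privilege slide calls for: the function reads its database credential through `secretsmanager:GetSecretValue` on one named secret, rather than carrying the credential in its environment or definition file. The lint is deliberately simple (it does not evaluate conditions or resource-level constraints) and is a first gate, not a substitute for a full policy review.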
Summary
• For modern application pipelines, there are a plethora of tools available to help automate strong security controls through the entire development and deployment process.
• A strong governance structure is critical to ensure all stakeholders are involved and on board with the new tools and processes needed.
• Security operations teams will need to help define standards for code and images, as well as build strong protective and detective controls in the cloud environment.

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enabling application pipeline protection in AWS

AWS services that enforce application pipeline security
Figure: AWS services arranged across the Identify, Protect, Detect, Respond and Recover functions; the services shown are Amazon Macie, Amazon Inspector, AWS WAF, AWS Security Hub and AWS Lambda (automate), with Investigate and Snapshot Archive as the remaining labels.

Improve app security with automated assessments
• Install the AWS agent on EC2 instances
• Run an assessment for the assessment target according to the assessment template
• Review findings and remediate issues

Protect your web apps from exploits
• Create custom rules and deploy new rules within minutes, letting you respond quickly to changing traffic patterns
• Trend Micro offers pre-configured, managed rules to provide an extra layer of protection
Figure: a Web ACL with rules in front of the web servers; allowed users pass based on the default behavior, bad requests are counted or blocked based on rule and condition, and CloudFront access logs are written to an S3 bucket.

How are AWS customers leveraging Trend Micro?
• Continuous Integration and Delivery (CI/CD)
• Deep Security for application containers
• Accelerate DevOps with security automation

Cloudticity gains continuous DevOps protection
Using Trend Micro Deep Security protection
Benefits:
• Automates compliance with critical healthcare regulations
• Simplifies security management with automated protection and policies
• Detects malware and vulnerabilities earlier in the application pipeline before they enter the code base
• Helps drive 70% of the annual revenue growth

Verizon Media protects complex environments
Utilizing Tenable.io for vulnerability analysis and monitoring
Benefits:
• Can scale upward of 1 million instances of EC2 across 1,000+ accounts that need continuous discovery and assessment
• Able to secure a wide variety of environments across many media properties with a single platform
Figure: the Tenable.io AWS Cloud (Tenable AWS Account 012615275169) uses ListAccounts() and trust relationships with the customer's AWS Organizations root account and Org Account 1 through Org Account N.

GreenSky integrates security for faster TTM
Leveraging Contrast Assess from Contrast Security
Benefits:
• Successfully migrated from on-premises to AWS
• Freed up 10 hours a week for 2-3 people on the security team
• Developers can see their results almost immediately
• Vulnerabilities are found much earlier

Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you

How can you get started?
• Find: A breadth of security solutions
• Buy, through flexible pricing options: Free trial; Pay-as-you-go; Hourly | Monthly | Annual | Multi-Year; Bring Your Own License (BYOL); Seller Private Offers; Channel Partner Private Offers
• Deploy, with multiple deployment options: SaaS; Amazon Machine Image (AMI); CloudFormation Template; Amazon Elastic Container Services (ECS)

Webinar summary
• New tools? Pick vendors that know AWS and offer bleeding-edge capabilities.
• Current tools? Check out AWS Marketplace for assurance that what you know works in AWS.
• AWS Services can help optimize your security program.
• Leveraging integrations and APIs is integral to securing the development pipeline.

Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel.
Send to “Organizers” and tell us if it’s for a specific panelist.

Acknowledgments
Thanks to our sponsor:
To our special guest: David Aiken
And to our attendees, thank you for joining us today!