AWS Security Monitoring Best Practices for Effective Threat Detection and Response



Introductions

Russ Spitler, VP of Product Strategy

Agenda

• Review of the AWS “Shared Security” Model

• Implications on Threat Detection

• Current state of Security in the Amazon AWS Cloud

• Effective Security Monitoring in AWS

AWS: Who’s really responsible?

[Diagram: the AWS stack (Application, Operating System, Network, Hypervisor, Physical), split between the user’s responsibility and Amazon’s responsibility]

Plenty of advice on how to secure your AWS implementation:

• Secure the root credentials with a strong password and multi-factor authentication

• Use Multi-Factor Authentication for all admin accounts

• AWS VPC security

• AWS EC2 security: Use roles with minimal permissions to make API calls from within EC2.

• Use CloudTrail to track changes made to the environment via API calls.

• Make use of intrusion detection and log analysis in your environment

• For more complex environments, use SAML to establish a single sign-on (SSO) for your AWS management.

AWS: Shared Security Model

[Diagram: the AWS stack (Application, Operating System, Network, Hypervisor, Physical)]

So how do you monitor your environment?

How do you detect the latest threats?

What we do know is if an environment can be compromised, it WILL be compromised.

AWS: What is effective monitoring?

• View user activity

• Detect known malicious behavioral patterns

• Identify anomalous activity

• Audit best practices and secure configuration

• Dynamically adapt to a changing environment

Monitoring in a shared world

[Diagram: the AWS stack (Application, Operating System, Network, Hypervisor, Physical) with three monitoring challenges called out: Dynamic environment, Restricted Deployment, New Features]

In other words…

• What services are my users using?

• Who terminated my instance?

• Do any of my instances have known vulnerabilities?

• Has anyone updated my security groups?

• Do I have any of my services publicly accessible?

Failure to use Security Groups – more than 20,000 databases are publicly accessible in one Amazon region alone (9 Regions total).

Failure to manage credentials – unrestricted AWS credentials used in deployments.

Hackers are stealing compute power with stolen AWS API credentials.

Hackers are using stolen servers as command and control servers.

AWS: The Current State Of Security

• Heavily Restricted Deployment Environment

• New Security Model With New Features

• Dynamic Environment

Online Retailer: “CloudTrail is a great start, but I need to understand what it is saying.”

“I just don’t have visibility into when Amazon’s security features are working.”

“The stuff I bought for my other datacenter just doesn’t work here.”

“I’m not sure if my developers are exposing the company to more risk.”

“It is my impression that this is not Amazon’s fault that these issues exist. Most of the vulnerabilities this year are from misconfigurations or small things where the developers working on applications made mistakes” – Andres Riancho @ BlackHat

The Security Problem Opportunity

What is effective monitoring in AWS?

• Dynamically scalable monitoring

• Visibility into the API activity

• Assessment of the environment’s configuration

USM for AMAZON

[Diagram: the AWS stack (Application, Operating System, Network, Hypervisor, Physical)]

Heavily Restricted Deployment

• Vulnerability Scanning

• API Audit Logs Analysis

New Security Model

• AWS Infrastructure Assessment

Dynamic Environment

• Log Management

• Asset Discovery

• CloudTrail Logs Integration

Native Cloud Features

• Horizontally scalable storage and correlation

• Automated Deployment in your environment from AWS

AUTOMATED ASSET DISCOVERY – Manage security the way your infrastructure is managed.

Automatically inventory running instances

Full visibility into AWS meta-data for forensics analysis

Map all security data back to Amazon instance IDs for real cloud forensics

AMAZON INFRASTRUCTURE ASSESSMENT – Double check use of AWS security primitives and detect changes.

Detect insecure configuration of network access controls:

• Remotely assessable service ports.

• Remotely assessable management ports.

[Diagram: a VPC subnet containing several security groups]
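The “publicly accessible service and management ports” check can be run directly against the security group definitions, which is where the “20,000 publicly accessible databases” problem mentioned earlier originates. The Python below is an added example written for this page, not AlienVault USM code: it audits a constructed set of security groups shaped like the `SecurityGroups` list that EC2 DescribeSecurityGroups returns and ranks every inbound rule open to `0.0.0.0/0` or `::/0`. The sample groups, the port classes and the severity ranking are assumptions.

```python
"""Audit EC2 security groups for inbound rules open to the whole internet.

Added example, not AlienVault's code. Input follows the shape of the
`SecurityGroups` list returned by EC2 DescribeSecurityGroups (in boto3:
ec2.describe_security_groups()["SecurityGroups"]); sample groups, port
classes and severity ranking are constructed for this example.
"""
from dataclasses import dataclass

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}         # SSH, RDP, WinRM
DATABASE_PORTS = {1433, 3306, 5432, 6379, 27017}  # MSSQL, MySQL, PostgreSQL, Redis, MongoDB
WORLD = {"0.0.0.0/0", "::/0"}                     # "anyone on the internet"

# Constructed sample: one group is fine, the other three have problems.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,           # expected for a web tier
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,             # SSH open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,            # ping from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,         # MySQL open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],                         # next to the right rule,
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},            # which allows the web tier
    {"GroupId": "sg-0b7c8d9e", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,             # SSH from the office only
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0f0e0d0c", "GroupName": "debug-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all traffic, all ports
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all traffic
    from_port: int    # -1 when the rule covers every port
    to_port: int
    cidr: str
    severity: str     # critical / high / medium


def _port_range(rule):
    """(from, to) ports a rule opens; (-1, -1) when the protocol is "all"."""
    if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
        return -1, -1
    return rule["FromPort"], rule.get("ToPort", rule["FromPort"])


def _severity(protocol, lo, hi):
    """All traffic or any management port is critical; a database port is high."""
    if protocol == "-1":
        return "critical"
    if protocol not in ("tcp", "udp"):          # icmp etc.: no application port involved
        return "medium"
    if any(lo <= p <= hi for p in MANAGEMENT_PORTS):
        return "critical"
    if any(lo <= p <= hi for p in DATABASE_PORTS):
        return "high"
    return "medium"


def _world_cidrs(rule):
    """CIDRs in the rule that match every IPv4 or every IPv6 address."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def find_world_open_rules(security_groups):
    """One Finding per (inbound rule, world CIDR) pair, most severe first.

    Rules that reference another security group (UserIdGroupPairs) or a
    specific CIDR produce no finding.
    """
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol", "-1")
            lo, hi = _port_range(rule)
            for cidr in _world_cidrs(rule):
                findings.append(Finding(sg["GroupId"], sg["GroupName"], proto,
                                        lo, hi, cidr, _severity(proto, lo, hi)))
    return sorted(findings, key=lambda f: (order[f.severity], f.group_id, f.from_port))


def summarize(findings):
    """Count findings per severity level."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = find_world_open_rules(SAMPLE_GROUPS)
    for f in results:
        ports = "all" if f.protocol == "-1" else f"{f.from_port}-{f.to_port}"
        print(f"{f.severity:8} {f.group_id} ({f.group_name}) {f.protocol} {ports} from {f.cidr}")
    print(summarize(results))
```

In a live account `SAMPLE_GROUPS` would be replaced by the list boto3’s `ec2.describe_security_groups()` returns, run once per region. The design choice worth noting is that a rule granting access to another security group is ignored on purpose: that is the recommended way to allow tier-to-tier traffic, and the `db-tier` group shows the pattern to look for, a correct group-to-group rule sitting next to a world-open one on the same port.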

Core Features

LOG MANAGEMENT & CORRELATION – Monitor your applications & systems for compliance & security.

Monitor your applications to detect behavioral changes

Secure storage for compliance

S3 & CloudWatch Log integration for ease of management

CLOUDTRAIL MONITORING & ALERTING – Notification of environmental changes & abuse.

Monitor full API audit log

Monitor and alert on critical environment updates

Monitor and alert on malicious behavior
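Both the questions on the “In other words…” slide (who terminated my instance, has anyone updated my security groups) and the CloudTrail monitoring and alerting features above come down to rules evaluated over the CloudTrail API audit log. The Python below is an added example written for this page, not AlienVault’s or AWS’s code: it parses a constructed log in the CloudTrail log-file layout and runs four rules over it, including a burst rule for the stolen-API-key case mentioned earlier (many RunInstances calls from one key in a short window). Field names follow CloudTrail’s real record format; the account id, user names, access key ids (AWS documentation example keys), addresses and the burst threshold are assumptions.

```python
"""Detection rules over AWS CloudTrail records.

Added example, not AlienVault's or AWS's code. Records are constructed in the
CloudTrail log-file layout ({"Records": [...]}) with CloudTrail's real field
names; account id, user names, access key ids (AWS documentation example
keys), addresses and the burst threshold are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(event_name, event_source, user, event_time,
         key="AKIAIOSFODNN7EXAMPLE", ip="203.0.113.10", **fields):
    """Build one constructed record carrying only the fields the rules read."""
    return {"eventTime": event_time, "eventSource": event_source, "eventName": event_name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"},
            **fields}


# Constructed sample log: a routine login, a login without MFA, SSH opened to the world
# on a security group, an instance termination, and five RunInstances calls in four
# minutes from a second access key at an unfamiliar address (the stolen-key pattern).
RECORDS = [
    _rec("ConsoleLogin", "signin.amazonaws.com", "alice", "2015-03-02T09:00:00Z",
         additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("ConsoleLogin", "signin.amazonaws.com", "bob", "2015-03-02T09:05:00Z",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "alice", "2015-03-02T09:10:00Z",
         requestParameters={"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("TerminateInstances", "ec2.amazonaws.com", "bob", "2015-03-02T09:20:00Z",
         requestParameters={"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}),
] + [
    _rec("RunInstances", "ec2.amazonaws.com", "deploy-bot", f"2015-03-02T23:4{i}:00Z",
         key="AKIAI44QH8DHBEXAMPLE", ip="198.51.100.7",
         requestParameters={"instanceType": "c3.8xlarge", "minCount": 1, "maxCount": 1})
    for i in range(5)
]
SAMPLE_LOG = json.dumps({"Records": RECORDS})

SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}


def load_records(text):
    """Parse one CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def principal(rec):
    """Best available identity string: ARN, else access key id, else principalId."""
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("accessKeyId") or ui.get("principalId") or "unknown"

def alert(rule, rec, detail):
    return {"rule": rule, "time": rec["eventTime"], "principal": principal(rec),
            "source_ip": rec.get("sourceIPAddress"), "detail": detail}

def rule_console_login_without_mfa(records):
    """Successful console sign-ins where CloudTrail did not record MFA use."""
    for r in records:
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            yield alert("console_login_without_mfa", r, f"sign-in from {r['sourceIPAddress']}")

def rule_security_group_modified(records):
    """Any change to security group rules: 'Has anyone updated my security groups?'"""
    for r in records:
        if r["eventName"] in SG_EVENTS:
            group = r.get("requestParameters", {}).get("groupId", "?")
            yield alert("security_group_modified", r, f"{r['eventName']} on {group}")

def rule_instance_terminated(records):
    """'Who terminated my instance?'"""
    for r in records:
        if r["eventName"] == "TerminateInstances":
            items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
            ids = ", ".join(item.get("instanceId", "?") for item in items)
            yield alert("instance_terminated", r, f"terminated {ids}")

def rule_run_instances_burst(records, threshold=3, window=timedelta(minutes=10)):
    """At least `threshold` RunInstances calls by one access key inside `window`."""
    by_key = defaultdict(list)
    for r in records:
        if r["eventName"] == "RunInstances":
            by_key[r.get("userIdentity", {}).get("accessKeyId") or principal(r)].append(r)
    for key, recs in by_key.items():
        recs.sort(key=lambda r: parse_time(r["eventTime"]))
        times = [parse_time(r["eventTime"]) for r in recs]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                mins = int(window.total_seconds() // 60)
                yield alert("run_instances_burst", recs[j],
                            f"{j - i + 1} RunInstances calls within {mins} min using access key {key}")
                break   # one alert per key is enough

RULES = (rule_console_login_without_mfa, rule_security_group_modified,
         rule_instance_terminated, rule_run_instances_burst)

def run_detections(records):
    """Run every rule and return the alerts ordered by event time."""
    alerts = [a for rule in RULES for a in rule(records)]
    return sorted(alerts, key=lambda a: parse_time(a["time"]))

if __name__ == "__main__":
    for a in run_detections(load_records(SAMPLE_LOG)):
        print(f"{a['time']} {a['rule']:27} {a['principal']} {a['detail']}")
```

Each alert carries the principal and source address, which is what makes the answer to “who terminated my instance?” actionable. The burst rule keys on the access key rather than the user ARN because a stolen key is typically used alongside the legitimate owner’s normal activity; counting per key keeps the two apart. In practice the records would come from the gzipped log files CloudTrail delivers to S3 rather than from the inline sample.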


VULNERABILITY ASSESSMENT – Stay ahead of vulnerabilities & understand your exposure.

Elastically assess your infrastructure

Auto-Notification of new instances

Secure, authenticated scans with low-overhead

ELASTIC SCALABILITY – Horizontally scales as you grow.

CloudFormation templates for easy provisioning

Priced for elastic environments.

[Diagram: an Auto-Scaling Group]


Let’s See It In Action

888.613.6023

ALIENVAULT.COM

CONTACT US


Questions?

Download a Free 15-Day Trial

http://www.alienvault.com/free-trial

Check out our Solution Brief:

AlienVault Unified Security Management for AWS

http://www.alienvault.com/resource-center/solution-briefs/alienvault-unified-security-management-for-aws

Reach out to us


• Twitter: @AlienVault